Can't connect to SSL VPN on Linux

I am in the final stages of setting up our new XG 135 and I've hit a problem when testing the SSL VPN on Linux. I have tried several distributions but currently I'm using the following:

Linux Ubuntu1604vm 4.4.0-31-generic #50-Ubuntu SMP Wed Jul 13 00:07:12 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

This is the OpenVPN version information:

OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Jan 9 2019
library versions: OpenSSL 1.0.2g-fips 1 Mar 2016, LZO 2.08
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. <sales@openvpn.net>
Compile time defines: enable_crypto=yes enable_crypto_ofb_cfb=yes enable_debug=yes enable_def_auth=yes enable_dependency_tracking=no enable_dlopen=unknown enable_dlopen_self=unknown enable_dlopen_self_static=unknown enable_fast_install=yes enable_fragment=yes enable_http_proxy=yes enable_iproute2=yes enable_libtool_lock=yes enable_lzo=yes enable_lzo_stub=no enable_maintainer_mode=no enable_management=yes enable_multi=yes enable_multihome=yes enable_pam_dlopen=no enable_password_save=yes enable_pedantic=no enable_pf=yes enable_pkcs11=yes enable_plugin_auth_pam=yes enable_plugin_down_root=yes enable_plugins=yes enable_port_share=yes enable_selinux=no enable_server=yes enable_shared=yes enable_shared_with_static_runtimes=no enable_silent_rules=no enable_small=no enable_socks=yes enable_ssl=yes enable_static=yes enable_strict=no enable_strict_options=no enable_systemd=yes enable_win32_dll=yes enable_x509_alt_username=yes with_crypto_library=openssl with_gnu_ld=yes with_mem_check=no with_plugindir='${prefix}/lib/openvpn' with_sysroot=no

The error that I get is the following (after running the command openvpn --config <auto_generated_ovpn_file>):

Tue Mar 2 14:15:16 2021 us=684560 ROUTE_GATEWAY 192.168.1.254/255.255.255.0 IFACE=enp0s3 HWADDR=08:00:27:f2:56:59
Tue Mar 2 14:15:16 2021 us=684777 TUN/TAP device tun0 opened
Tue Mar 2 14:15:16 2021 us=684788 TUN/TAP TX queue length set to 100
Tue Mar 2 14:15:16 2021 us=684797 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Tue Mar 2 14:15:16 2021 us=684811 /sbin/ip link set dev tun0 up mtu 1500
Tue Mar 2 14:15:16 2021 us=694792 /sbin/ip addr add dev tun0 10.1.0.1/24 broadcast 10.1.0.255
Tue Mar 2 14:15:16 2021 us=699204 UDPv4 WRITE [22] to [AF_INET]86.157.139.153:8443: P_ACK_V1 kid=0 [ 42 ]
Tue Mar 2 14:15:20 2021 us=966074 /sbin/ip route add 86.157.139.153/32 via 192.168.1.254
Tue Mar 2 14:15:20 2021 us=966788 /sbin/ip route add 10.0.1.0/24 via 10.1.0.0
RTNETLINK answers: Invalid argument
Tue Mar 2 14:15:20 2021 us=969677 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Mar 2 14:15:20 2021 us=969738 /sbin/ip route add 10.0.0.0/18 via 10.1.0.0
RTNETLINK answers: Invalid argument
Tue Mar 2 14:15:20 2021 us=970372 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Mar 2 14:15:20 2021 us=970424 /sbin/ip route add 86.157.139.153/32 via 192.168.1.254
RTNETLINK answers: File exists
Tue Mar 2 14:15:20 2021 us=970970 ERROR: Linux route add command failed: external program exited with error status: 2
Tue Mar 2 14:15:20 2021 us=971039 Initialization Sequence Completed

The SSL VPN IP address settings in the XG are the following:

Subnet: /24 (255.255.255.0)

IPv4 lease range: 10.1.0.0-10.1.0.254

The SSL VPN policy is currently set up with "Use as default gateway" disabled as a matter of preference. However, I have tried with it enabled (as described here: https://support.sophos.com/support/s/article/KB-000039342?language=en_US) also and it makes no difference.

The IP address appears to be getting assigned in Linux and I can see it as a live connection in the XG dashboard when connected.

Note that the current configuration works for Windows, so I was surprised to see it failing on Linux.

I would appreciate any suggestions as we were just about to proceed with deployment until we discovered this problem.

  • Hello Alan,

    Thank you for contacting the Sophos Community.

    To clarify, is the SSL VPN connecting to the XG? I believe it is but please confirm.

    This error usually happens when you set it as the Default Gateway, but you mentioned it is happening even as a split tunnel, so it might be something else.

    If you run this command manually:

    /sbin/ip route add 86.157.139.153/32 via 192.168.1.254

    Do you get a different output?

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    Yes, the VPN is connecting to the XG. When connected, I can see the user and IP listed as a remote connection in the dashboard.

    I have tried to run the command manually but I get the same output:

    /sbin/ip route add 86.157.139.153/32 via 192.168.1.254

    RTNETLINK answers: Operation not permitted

    Regards,

    Alan

  • Further to this, I think I have found the root problem. The SSL VPN IP range was on subnet /24 (255.255.255.0) and this was conflicting with the tunnel which was on the same subnet. Changing the SSL VPN settings to use /18 (255.255.192.0) has resolved this.

    However, I am still getting the following error:

    Wed Mar 3 12:09:35 2021 /sbin/ip route add 86.157.139.153/32 via 192.168.1.254
    RTNETLINK answers: File exists
    Wed Mar 3 12:09:35 2021 ERROR: Linux route add command failed: external program exited with error status: 2
    Wed Mar 3 12:09:35 2021 Initialization Sequence Completed

    This does not seem to affect the operation of the VPN and I can access internal resources. However, it appears to be related to the following line in the OVPN file:

    route remote_host 255.255.255.255 net_gateway

    I don't really understand what it is doing but if I remove it then the error goes away. Can you explain it and advise if this is a suitable solution (preferably I would have the system outputting OVPN files that are already in a format without errors)?
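One way to triage these route failures from the client log, as an added example that is not the poster's or Sophos's code: it pairs each `ip route add` with the kernel reply that follows and flags a next hop that falls on the tunnel subnet's network or broadcast address (which Linux rejects with "Invalid argument", since both are installed as broadcast entries for a /24), separately from the harmless "File exists" repeat of the remote_host route. The sample log is constructed from the excerpts in this thread, with timestamps stripped.

```python
import ipaddress
import re

# Constructed sample: the route-handling lines from the client log in the original
# post (timestamps removed), ending with the benign "File exists" case.
SAMPLE_LOG = """\
/sbin/ip addr add dev tun0 10.1.0.1/24 broadcast 10.1.0.255
/sbin/ip route add 86.157.139.153/32 via 192.168.1.254
/sbin/ip route add 10.0.1.0/24 via 10.1.0.0
RTNETLINK answers: Invalid argument
/sbin/ip route add 86.157.139.153/32 via 192.168.1.254
RTNETLINK answers: File exists
"""

ADDR_RE = re.compile(r"/sbin/ip addr add dev \S+ (\S+/\d+)")
ROUTE_RE = re.compile(r"/sbin/ip route add (\S+) via (\S+)")
RTNL_RE = re.compile(r"RTNETLINK answers: (.+)$")


def triage_routes(log_text):
    """Pair every 'ip route add' with the RTNETLINK reply that follows it and
    return (destination, gateway, verdict) tuples in log order."""
    tun_net = None          # subnet assigned to tun0, once seen
    pending = None          # last route add still waiting for a reply
    findings = []
    for line in log_text.splitlines():
        if m := ADDR_RE.search(line):
            tun_net = ipaddress.ip_interface(m.group(1)).network
        elif m := ROUTE_RE.search(line):
            if pending:                       # no error line followed: it worked
                findings.append((*pending, "ok"))
            pending = (m.group(1), m.group(2))
        elif (m := RTNL_RE.search(line)) and pending:
            dst, gw = pending
            err = m.group(1)
            gw_ip = ipaddress.ip_address(gw)
            # Linux installs the network and broadcast addresses of a /24 as
            # broadcast entries, so a next hop equal to either is refused (EINVAL).
            if err == "Invalid argument" and tun_net and gw_ip in (
                    tun_net.network_address, tun_net.broadcast_address):
                verdict = "bad-gateway"       # address pool / tunnel subnet conflict
            elif err == "File exists":
                verdict = "duplicate"         # route already present: harmless
            else:
                verdict = "unknown:" + err
            findings.append((dst, gw, verdict))
            pending = None
    if pending:
        findings.append((*pending, "ok"))
    return findings
```

Feed it the full `verb 3` log (`openvpn --config ... 2>&1 | tee client.log`) and only the "bad-gateway" findings need a change on the firewall side.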

  • Hello Alan,

    Thank you for the update and for providing the solution.

    The error is specific to OpenVPN; it usually means that you have 2 active connections at the same time, i.e. your Internet and the SSL VPN.

    You will also see this message if you use the SSL VPN as the Default Gateway: when OpenVPN tries to add the route, the original default route is already set.

    You can ignore the error; if the SSL VPN flow is working, it is more of an informational error at this point.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    Ok, we can ignore that error. However, I have some more questions.

    1. I am seeing the following warning about cached passwords on both Windows and Linux.

    Thu Mar  4 14:20:06 2021 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

    From my point of view, this is unacceptable and must be disabled. The suggested auth-nocache option solves this but I would much rather it was in the configuration file by default. Can this be done?

    2. The DNS is not working on Linux by default. I have to add the following lines.

    script-security 2
    up /etc/openvpn/update-resolv-conf
    down /etc/openvpn/update-resolv-conf

    Again, I would like this to be in our default configuration file. Can this be done? Otherwise, I'm going to have to instruct our many users to make these changes, some who are not as technically knowledgeable as others.

    3. Coming from the Cyberoam, we were able to have a common client and configuration file that we could pass to new users after setting up their account. Now we have the <username>__ssl_vpn_client.exe or the Sophos Connect client with the username__ssl_vpn_config.ovpn file. This seems to be a bit more challenging to deploy because these are user-specific files. I guess in normal times it might be reasonable to require our users to log in to the Sophos portal in the office to download their configuration files. However, these are not normal times and nearly all of us are working remotely. Short of me logging in as each user and downloading their installers and configuration files, do you have any recommendations for deploying the client and configuration to our users?

    Thanks,
    Alan

  • Hello Alan,

    For points 1 and 2, it would be a feature request to add this to the conf file itself. Currently, the file has the following entries. I have, however, never seen this showing on Windows computers, only on Linux when using OpenVPN.

    ip-win32 dynamic
    client
    dev tun
    proto tcp
    verify-x509-name "C=XX, ST=XX, L=XXXXXX, O=XXX, OU=OU, CN=XXX, emailAddress=xxx@xxx.xxx"
    route remote_host 255.255.255.255 net_gateway
    resolv-retry infinite
    nobind
    persist-key
    persist-tun

    auth-user-pass
    cipher AES-128-CBC
    auth SHA256
    comp-lzo yes
    route-delay 4
    verb 3
    reneg-sec 0
    remote x.x.x.x 8443 tcp-client

    For point number 3, Sophos Connect 2.0 should be of help here:

    https://community.sophos.com/xg-firewall/sophos-connect-eap/f/recommended-reads/119906/sophos-connect-2-0-early-access.

    /cfs-file/__key/communityserver-discussions-components-files/126/Sophos-Connect-2.0-_2D00_-Provisioning-File-Instruction-Doc-_2800_1_2900_.pdf

    For Sophos Connect (IPsec), you can download the configuration file from the Firewall and share it with the users.

    For Sophos Connect (SSL VPN), you can configure the .pro file, then "You need to push out the .pro file to the users. Use GPO. This .pro file is the same file for all users. Simply push it to the Sophos Connect folder (Import): C:\Program Files (x86)\Sophos\Connect\import". When a user double-clicks on the file to import it, they will get the prompt to log in; when the user logs in, the Connect client will download the configuration for that user.

    Regards,

    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
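Until the generator can emit these lines itself, the two gaps raised under points 1 and 2 can be closed in a post-processing step before the .ovpn file is handed to a user. The following is an added example, not Sophos's or the poster's own process: it checks a generated file for `auth-nocache` and the three Linux DNS lines from the thread and appends only what is missing, so running it twice changes nothing. The sample file is an abridged, constructed copy of the directives quoted above; a real XG-generated file also carries inline certificate blocks, which appending at the end leaves intact.

```python
# Constructed sample: an abridged copy of the client directives quoted in the
# reply above. A real XG-generated file also carries inline <ca>/<cert>/<key>
# blocks; the functions below only append at the end, so those stay untouched.
SAMPLE_OVPN = """\
client
dev tun
proto tcp
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
auth-user-pass
cipher AES-128-CBC
auth SHA256
reneg-sec 0
remote x.x.x.x 8443 tcp-client
"""

# Lines the poster had to add by hand on Linux for DNS to follow the tunnel.
LINUX_DNS = (
    "script-security 2",
    "up /etc/openvpn/update-resolv-conf",
    "down /etc/openvpn/update-resolv-conf",
)
REQUIRED = ("auth-nocache",) + LINUX_DNS


def _keywords(text):
    """First token of every active directive line (comments and blanks skipped)."""
    return {line.split()[0] for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith(("#", ";"))}


def check_ovpn(text, linux_dns=True):
    """Return the required directives still missing; an empty list means ready to ship."""
    wanted = REQUIRED if linux_dns else REQUIRED[:1]
    have = _keywords(text)
    return [d for d in wanted if d.split()[0] not in have]


def harden_ovpn(text, linux_dns=True):
    """Append whatever check_ovpn reports missing, which makes the call idempotent."""
    missing = check_ovpn(text, linux_dns)
    body = text.rstrip("\n")
    return body + "".join("\n" + d for d in missing) + "\n"
```

Pass `linux_dns=False` for the Windows copy, where the update-resolv-conf hook does not exist and only `auth-nocache` applies.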
  • Thanks for the information.

    I would appreciate it if you can file a feature request for the points 1 and 2 raised above. This really would simplify things for us if it can be added in the future (especially if we have the ability to customise the output OVPN file globally ourselves). For now I have worked out a process that should work.
