Sophos

Status
Not open for further replies.

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Hot... damn place never cools down lol

I'm having a slight problem getting traffic routed correctly on Sophos to my second LAN on FreeNAS
  • Sophos main (br0) subnet 192.168.2.0/26 (of which eth0 on FreeNAS is a part of and traffic routes fine)
  • Sophos vlan br0.1 (of br0) subnet 192.168.2.64/26 (of which eth1 on FreeNAS is a part of and assigned .100)
    • I need the second vLAN subnet for the DHCP server I want serving FreeNAS jails
I can ping FreeNAS's eth1 .100 address with no issue, but am unable to access shares or the webadmin via the .100 address (it's bound to 0.0.0.0)

I currently have DNAT setup:
  • 192.168.2.0/26 (network) [traffic from] -> Any -> 192.168.2.64/26 (network) [going to] -> Translate to 192.168.2.65 [change destination to]
  • Firewall rule allowing access to and from .0/26 and .64/26
NVM... seems, from what I can tell, UTM doesn't support native vLAN switching, with all articles I've read thus far using an external vLAN switch to connect their UTM vLAN to. Unfortunately, since Sophos chose a knee-jerk reaction to something that could have been resolved with their forum still up, it's impossible to verify this 100% (as anything beyond the first post in a thread is inaccessible, with many threads entirely inaccessible).

Currently, I have unbound one of the 3 LANs in my bridge and used it to create a regular ethernet interface with the subnet 192.168.2.64/26
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
NVM... seems, from what I can tell, UTM doesn't support native vLAN switching, with all articles I've read thus far using an external vLAN switch to connect their UTM vLAN to. Unfortunately, since Sophos chose a knee-jerk reaction to something that could have been resolved with their forum still up, it's impossible to verify this 100% (as anything beyond the first post in a thread is inaccessible, with many threads entirely inaccessible).

Currently, I have unbound one of the 3 LANs in my bridge and used it to create a regular ethernet interface with the subnet 192.168.2.64/26
?

I use vLANs in my configuration...? Maybe I am missing something here that you are trying to relay?
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
?
I use vLANs in my configuration...? Maybe I am missing something here that you are trying to relay?
I'm trying to access FreeNAS on the vlan subnet from devices on the main subnet [FreeNAS is currently the only device on the vlan subnet]

Main Subnet: 192.168.2.0/26
  • FreeNAS eth0: 192.168.2.2/26
vlan subnet: 192.168.2.64/26
  • FreeNAS eth1: 192.168.2.100/26
I can ping 192.168.2.100 from say 192.168.2.9, but I am unable to access the Web GUI (bound to 0.0.0.0) on 192.168.2.100 from 192.168.2.9, and I am unable to access CIFS shares that point to 192.168.2.100.

Web Filtering has been disabled to rule it out as an issue while troubleshooting, and in the firewall log I can see the packet rule being activated, with traffic being allowed to pass to 192.168.2.100; however, FreeNAS refused to respond to any requests made to 192.168.2.100 [excluding icmp ping requests].

Another issue I noticed is even though eth1 had a statically assigned IP on Sophos, every time I tried to configure eth1 as DHCP on FreeNAS, FreeNAS would refuse to pull from the .64/26 DHCP pool, let alone utilize the statically assigned IP assigned to FreeNAS on Sophos; instead, it would pull a second IP from the .0/26 DHCP pool. I would then re-configure eth1 on FreeNAS as static IP .100, configure the nameserver as .65 (even tried the default gateway as .65), however nothing would allow FreeNAS to recognize traffic on the .100/26 IP [outside of icmp ping requests].
 
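One thing worth checking in the setup above is the return path: a request from 192.168.2.9 reaches eth1 through the UTM, but FreeNAS picks the reply interface from its own routing table, and eth0 has a directly connected route to 192.168.2.0/26. The script below is an added example, not code from the thread or from FreeNAS; it models the two interfaces from the posts and assumes the default route sits on eth0 (the posts do not state the gateway).

```python
import ipaddress

# Constructed model of the FreeNAS host in the thread. Assumption: the default
# route is on eth0 (the post says eth0 on the main subnet "routes fine" but
# gives no gateway), and eth1 only has its connected subnet route.
FREENAS_ROUTES = [
    # (destination prefix, egress interface)
    ("192.168.2.0/26",  "eth0"),   # eth0 = 192.168.2.2/26, main subnet
    ("192.168.2.64/26", "eth1"),   # eth1 = 192.168.2.100/26, second subnet
    ("0.0.0.0/0",       "eth0"),   # assumed default route via the main subnet
]


def egress_interface(routes, dst):
    """Longest-prefix-match lookup: the interface a packet to dst leaves on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst}")
    return best[1]


def reply_path(routes, client, ingress_iface):
    """Return (egress_iface, asymmetric) for a request that arrived on ingress_iface.

    If the request came through the router on one interface but the reply
    leaves directly on another, a stateful firewall on the router sees only
    half of the TCP conversation and may drop later packets as out-of-state,
    while ICMP echo, which needs no connection state, still appears to work.
    """
    egress = egress_interface(routes, client)
    return egress, egress != ingress_iface


def audit(routes, clients, server_iface):
    """Map each client to its return path; a quick check before adding DNAT rules."""
    return {c: reply_path(routes, c, server_iface) for c in clients}


if __name__ == "__main__":
    # 192.168.2.9 is the main-subnet client from the thread; 192.168.2.70 is a
    # constructed client on the second subnet for comparison.
    clients = ["192.168.2.9", "192.168.2.70"]
    for client, (egress, asym) in audit(FREENAS_ROUTES, clients, "eth1").items():
        print(f"{client:>14} -> reply leaves {egress}; asymmetric={asym}")
```

On the real host, `netstat -rn` on FreeNAS gives the table to feed in place of the constructed one.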

ChriZ

Patron
Joined
Mar 9, 2015
Messages
271
Ok, I think that sophos people are watching this thread...
15 minutes ago my utm sent me 2 emails:
Versions 9.316004 and 9.317005 are available for automatic installation...loll
Another 2 emails from my UTM today... Version 9.35.0012 and 9.35.1003 are both downloaded and ready to install.
They are watching us.. I'm telling you....
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
They push out updates fairly regularly
 

TheDubiousDubber

Contributor
Joined
Sep 11, 2014
Messages
193
I have mine setup with DynDNS... OpenVPN is easy to troubleshoot, so we should be able to get you up and running fairly quickly =]

More likely than not, it's either web filtering, ATP, IPS or the firewall.
  • If you haven't already, I would open up the firewall log and ssl vpn log on UTM, then try and connect on your phone and see if traffic is being blocked.
    • I would also recommend utilizing OpenVPN for Android if using an Android device (as it provides full control over everything, including dynamically setting the log to verb 10).
  • On UTM, change to protocol TCP for OpenVPN, as this provides the ability to track the packets
  • If you uploaded your own CA (Certificate Authority), it must be a CA and not an Intermediate CA, otherwise OpenVPN authentication will fail every time due to how ConfD manages the OpenVPN authentication
  • OpenVPN must be set up under Remote Access, not Site-to-Site VPN
    • Profile Name: VPN
    • Users and Groups: %UserName%
    • Local Networks: Internal (Network)
    • You can choose to have it auto create a firewall rule, however I prefer to manually create them as it keeps the rules far more organized.
  • You should have the following firewall rule (set it to #1 for troubleshooting)
    • %UserName% (User Network) --> Any --> Internal (Network)
      • For troubleshooting, under Advanced, ensure Log traffic is ticked
    • Ensure your username is added under Network Protection --> Advanced Threat Protection --> Network/Hosts Exceptions
    • Ensure your username is added under Network Protection --> Intrusion Prevention --> Local Networks
    • Ensure Internal (Network) is added to Web Protection --> Web Filtering --> Allowed Networks
    • Create the following rule under Web Protection --> Application Control
      • Action: Allow
      • Control These Applications: IPsec ; OpenVPN
      • For: Any
If you've done the above, you'll need to review the following logs to trace where the problem is occurring: SSL VPN Log, Firewall Log, Web Filtering Log, Advanced Threat Protection Log, and the Intrusion Prevention System Log

So I finally got around to trying to fix my VPN issue. According to the SSL VPN log: "Non-OpenVPN client protocol detected"

Not sure what is happening as I'm using the OpenVPN app on my phone. I'm using the information downloaded from the link under the portal. I don't have my own certificate so I'm using the one that was automatically provided.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
So I finally got around to trying to fix my VPN issue. According to the SSL VPN log: "Non-OpenVPN client protocol detected"

Not sure what is happening as I'm using the OpenVPN app on my phone. I'm using the information downloaded from the link under the portal. I don't have my own certificate so I'm using the one that was automatically provided.
weird. I use OpenVPN on my Android devices and it works great.
https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
weird. I use OpenVPN on my Android devices and it works great.
https://play.google.com/store/apps/details?id=net.openvpn.openvpn&hl=en
OpenVPN for Android is a better app than OpenVPN's OpenVPN Connect, as the former provides full functionality versus no functionality with OpenVPN Connect.

So I finally got around to trying to fix my VPN issue. According to the SSL VPN log: "Non-OpenVPN client protocol detected"

Not sure what is happening as I'm using the OpenVPN app on my phone. I'm using the information downloaded from the link under the portal. I don't have my own certificate so I'm using the one that was automatically provided.
Something is misconfigured or not configured correctly. Please post log output from Sophos and OpenVPN for Android.

For Sophos, please disable (turn off) all VPN profiles, open a terminal to Sophos, and make the following change:
  • cd /var/chroot-openvpn/etc/openvpn
    • vi openvpn.conf-default
      • Comment out
        • verb [<DEBUG_LEVEL>]
      • Add
        • verb 7
  • If you receive an error that the file is in use, please delete the VPN profiles, edit, then recreate the profiles. This step is a necessity as default verb is set to 3, which is too low for troubleshooting.
On OpenVPN for Android:
  • Connect to your VPN
    • At the top of the connection log, tap View Options
      • Slide the slider to the 2nd bar and select the Short option
Please post the log output from Sophos SSL VPN log, as well as the output from the OpenVPN for Android app.
  • Email the Android log to yourself via the Send option
  • Please edit both logs to remove the external IP and place x's in place of the VPN port #
 
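The verb change described in the post above, as an added example that is not part of the thread or of Sophos' own tooling: a small Python helper that comments out the template's verb line, appends verb 7, and can revert the edit afterwards. The file path is the one quoted in the post; the file content below is a constructed excerpt, and the placeholder form is assumed from the post.

```python
import re
from pathlib import Path

# Path quoted in the thread. SAMPLE_CONF is a constructed excerpt, not the real
# UTM template; it assumes the real file carries a ConfD placeholder such as
# "verb [<DEBUG_LEVEL>]" on a line of its own, as the post shows.
CONF_PATH = Path("/var/chroot-openvpn/etc/openvpn/openvpn.conf-default")
SAMPLE_CONF = """\
# constructed excerpt
port [<PORT>]
proto [<PROTOCOL>]
verb [<DEBUG_LEVEL>]
"""

VERB_LINE = re.compile(r"^\s*verb\s+(\S+)\s*$")
MARK = "# troubleshooting-disabled: "   # prefix for lines we comment out


def active_verb(text):
    """Return the value of the last uncommented 'verb' directive, or None."""
    value = None
    for line in text.splitlines():
        m = VERB_LINE.match(line)
        if m:
            value = m.group(1)
    return value


def raise_verbosity(text, level=7):
    """Comment out every active 'verb' line and append 'verb <level>'.

    Originals are kept behind MARK so the change can be reverted once the
    logs have been collected. Running it twice leaves the text unchanged.
    """
    if active_verb(text) == str(level):
        return text
    out = [MARK + ln if VERB_LINE.match(ln) else ln for ln in text.splitlines()]
    out.append(f"verb {level}")
    return "\n".join(out) + "\n"


def restore_verbosity(text):
    """Undo raise_verbosity: drop the added line, uncomment the marked originals."""
    out = []
    for ln in text.splitlines():
        if ln.startswith(MARK):
            out.append(ln[len(MARK):])
        elif VERB_LINE.match(ln):
            continue                       # the line raise_verbosity appended
        else:
            out.append(ln)
    return "\n".join(out) + "\n"


def edit_in_place(path=CONF_PATH, level=7):
    """Back up and rewrite the real file on the UTM (profiles disabled first)."""
    original = path.read_text()
    path.with_suffix(path.suffix + ".bak").write_text(original)
    path.write_text(raise_verbosity(original, level))
```

Call `edit_in_place()` on the appliance only after disabling the VPN profiles as the post says; `restore_verbosity` puts the template back once troubleshooting is done.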

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
please explain what extra functionality I need other than my ovpn file and a connection. OpenVPN Connect works just fine.
With Sophos, besides the ability to change the verbosity level on demand, nothing.
  • Sophos's implementation of OpenVPN is a joke at best. It's simply horrendous, and it's because of this poor implementation users are left hanging with no ability to maximize throughput and decrease latency. This is why you gain nothing besides verbosity if using OpenVPN for Android with a Sophos OpenVPN config.
With every other OpenVPN server, everything. Try it and you'll immediately recognize the differences between the two and how OpenVPN Connect is lacking in every way.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
With Sophos, besides the ability to change the verbosity level on demand, nothing.

With every other OpenVPN server, everything. Try it and you'll immediately recognize the differences between the two and how OpenVPN Connect is lacking in every way.
I have used OpenVPN Connect with custom built OpenVPN servers and had no issues. I am still waiting to hear the actual differences between the 2. I just tested it out and it appears to do exactly what Connect does. Connect me to an OpenVPN server.... All of my settings are in my ovpn file, so I don't really know what it offers me over Connect. If you want to sell something, you are going to need to actually provide me with some bullet points that make me want to switch.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I have used OpenVPN Connect with custom built OpenVPN servers and had no issues. I am still waiting to hear the actual differences between the 2. I just tested it out and it appears to do exactly what Connect does. Connect me to an OpenVPN server.... All of my settings are in my ovpn file, so I don't really know what it offers me over Connect. If you want to sell something, you are going to need to actually provide me with some bullet points that make me want to switch.
It offers the ability to change anything on demand and without editing the ovpn config itself. OpenVPN Connect simply allows you to connect to a config and nothing more. To use an analogy, OpenVPN Connect is Vi, while OpenVPN for Android is Microsoft Word. Both are text editing programs, but Vi, like OpenVPN Connect, is the absolute bare minimum.

I'm not trying to sell anything, simply stating a fact. If you can't recognize what the differences between the two are and why OpenVPN for Android is a far better OpenVPN client implementation, then me pointing it out isn't going to make a difference. Anyone who's used the two would immediately recognize the differences.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
It offers the ability to change anything on demand and without editing the ovpn config itself. OpenVPN Connect simply allows you to connect to a config and nothing more. To use an analogy, OpenVPN Connect is Vi, while OpenVPN for Android is Microsoft Word. Both are text editing programs, but Vi, like OpenVPN Connect, is the absolute bare minimum.
OK. I guess if you see value in that, cool. I don't have a need for that. I just need a VPN client that uses a config and connects to a server. I don't make changes on my clients, ever.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Try troubleshooting a client connection issue with OpenVPN Connect, and tell me how many times it'll take you having to delete the profile, edit the ovpn config, and re-import before you get frustrated lol

I never said it was for you, simply that it's a fact one offers more functionality than the other. If a vehicle with no power steering is what you prefer, all the more power to you... but most would prefer one with power steering.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
Just curious why you were getting so damned defensive about an OpenVPN client... This discussion was about Sophos and connecting to Sophos. As I stated, I see no difference at all between the 2 in this context, which is where I actually use my OpenVPN client. @TheDubiousDubber was trying to troubleshoot his connection to his Sophos box, which means that all these other features that apply for other VPN servers are null. I simply made a remark that Connect works fine for me connecting to my Sophos box (and other VPNs that I have used).

Your opinion is that the other is better. There was zero reason to go on the defensive about what you or I prefer. Your comment about 'no functionality' of Connect made it seem like Connect will not work at all. It provides functionality just fine.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
Just curious why you were getting so damned defensive about an OpenVPN client... This discussion was about Sophos and connecting to Sophos. As I stated, I see no difference at all between the 2 in this context, which is where I actually use my OpenVPN client. @TheDubiousDubber was trying to troubleshoot his connection to his Sophos box, which means that all these other features that apply for other VPN servers are null. I simply made a remark that Connect works fine for me connecting to my Sophos box (and other VPNs that I have used).

Your opinion is that the other is better. There was zero reason to go on the defensive about what you or I prefer. Your comment about 'no functionality' of Connect made it seem like Connect will not work at all. It provides functionality just fine.
I'm not defensive at all... you asked me to explain why one was better than the other...

I couldn't care less what you or anyone else uses (why would that matter to me?)... but for troubleshooting, as I've stated previously, and of which is trying to be done, OpenVPN for Android is a better choice as it makes troubleshooting more convenient for the end user. I'm simply trying to offer tips on the most convenient way for @TheDubiousDubber to troubleshoot their issue... no more, no less. If you have a more convenient way for them to accomplish troubleshooting, please contribute.

Perhaps you took my previous comments as implying a user's choice for using one over the other is right and the other wrong, which was not my intent, nor the way I worded my replies. As I stated in my last reply, each to their own.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I'm not defensive at all... you asked me to explain why one was better than the other...

I couldn't care less what you or anyone else uses (why would that matter to me?)... but for troubleshooting, as I've stated previously, and of which is trying to be done, OpenVPN for Android is a better choice as it makes troubleshooting more convenient for the end user. I'm simply trying to offer tips on the most convenient way for @TheDubiousDubber to troubleshoot their issue... no more, no less. If you have a more convenient way for them to accomplish troubleshooting, please contribute.

Perhaps you took my previous comments as implying a user's choice for using one over the other is right and the other wrong, which was not my intent, nor the way I worded my replies. As I stated in my last reply, each to their own.

It was the way you stated that Connect had no functionality. I didn't understand what that referred to. Connect will connect you and provide logs for troubleshooting, so it was confusing that something that provides 'no functionality' actually functions fine for the intended purpose. It appeared that you had personal issues with the official OpenVPN client for Android. I just wanted to understand what I was missing out on. Apparently nothing in this context.
 

zoomzoom

Guru
Joined
Sep 6, 2015
Messages
677
I meant it had no functionality beyond the act of establishing a connection. It will provide a log, but if you need to increase the verbosity, you must delete your configuration from OpenVPN Connect, manually edit the ovpn file, re-import the ovpn file, connect, and hope you set the verbosity high enough. If not, you must repeat the above. In contrast, for OpenVPN for Android, a verbosity increase is a simple flick of the finger from the log page since it [the app] automatically captures log output at the highest verbosity and only shows the user on the log page the level of verbosity they've selected.

As I stated before, if you can't see the differences, me explaining them to you is going to do nothing. I never said you should use the app, but to fail to acknowledge a simple, benign fact is ignorant. Either way, if you'd like to learn what the differences are, please download the app (it's free) and perhaps a more tactile experience will demonstrate the obvious differences. If you don't, that's perfectly fine as well; however, I begin to lose patience when I have to repeat the same things over and over again, so my contributions to this specific topic are done.
 

pirateghost

Unintelligible Geek
Joined
Feb 29, 2012
Messages
4,219
I meant it had no functionality beyond the act of establishing a connection. It will provide a log, but if you need to increase the verbosity, you must delete your configuration from OpenVPN Connect, manually edit the ovpn file, re-import the ovpn file, connect, and hope you set the verbosity high enough. If not, you must repeat the above. In contrast, for OpenVPN for Android, a verbosity increase is a simple flick of the finger from the log page since it [the app] automatically captures log output at the highest verbosity and only shows the user on the log page the level of verbosity they've selected.

As I stated before, if you can't see the differences, me explaining them to you is going to do nothing. I never said you should use the app, but to fail to acknowledge a simple, benign fact is ignorant. Either way, if you'd like to learn what the differences are, please download the app (it's free) and perhaps a more tactile experience will demonstrate the obvious differences. If you don't, that's perfectly fine as well.
As I stated already, I did download and try it. I didn't see much more to the app than some logging verbosity. Again, like I said, that doesn't affect me at all.

You say I am ignorant for not acknowledging a simple fact, yet you still don't understand the context and the wording of your original post on the subject. What you MEANT to say and what you actually said are different things. I was trying to get clarity on that, and see if I was, indeed, missing something cool about the other client app. Somehow this turned into a longer conversation than it should. You even stated yourself that in the context of Sophos it didn't actually provide much but logging levels. What thread are we in again?

I think you need to try and look at your post from another perspective and see how it can be confused and misconstrued. I don't know how this has been drawn out this long, or why, because honestly, I asked a simple question based on a statement you made. I read the words you posted in a manner that didn't make sense to me and asked for clarity. I didn't ask for snide remarks or to be called ignorant.
 