I use the Sophos XG at home and don't have a static IPv4 address; maybe in future I will only have an IPv6 address. So I use an OpenVPN static IPv4 provider to get access from outside. However, I currently need to do that with a separate box tunneling to the outside, as UTM and XG only allow a remote-access or site-to-site VPN, but I need a "client-to-site" VPN. Any suggestions?
I have looked into this myself and Sophos doesn't support this. According to other posts, the only people that want to do this are home users, and the product doesn't cater to home users' needs but to acceptable "business" use. So a recommendation was made in another post to purchase a VPN router like the TP-LINK TL-R600VPN to put in front of the XG to connect to a VPN service.
Thanks for your honest response. However, I don't only see home users in need. DS-Lite is not only for home but also for business users, preventing them from any way to access internal systems or build a private network with multiple stations, if they are SOHOs and not corporations with dedicated lines. Also, privacy is an upcoming issue for companies tunneling their traffic through a VPN provider instead of direct internet access.
I have worked with Cisco, Juniper, and Palo Alto Networks firewalls and none of these offer OpenVPN client options like we both want to have. I think Sophos is doing what is "standard" in the industry. I did find pfSense can do what we want though.
Already looked at pfSense, looks good as an alternative. I just hoped, with the new Sophos edition, they would look more at customer requests. The firewall market is very full; differentiating a bit would be a good idea.
Agreed. I myself have already moved on to better things. As has been stated many times before, Sophos does not cater to or even really seem interested in the home market, and in my humble opinion that's a big miss for them. There is huge potential in the home market that they're missing out on. Have you had a look at the new Untangle v12? Looks great, and they now have a new home license package that includes the full protection for 5.00 a month or 50.00 a year or 200.00 for 5 years, and in my humble opinion it works much better for home use and it won't block streaming services such as Netflix or Microsoft updates from working. I don't know if Untangle will fix your trouble, but have a look.
Thanks for your response. I will have a look. However, I'm not only a home user but also a business user. We run some UTMs in our branches; however, I'm unsure if we will keep them, they seem to have many bugs in our setup. We are also twice covered by frontal Juniper SSGs; however, their support also seems to be over really soon, so we look for something different. The setup of a hardened system in front, which is no Linux or BSD, with a Linux- or BSD-based, more feature-rich system behind it would be the preferred solution. So having a UTM at home is also somehow a test setup for business use in a small private environment. So ignoring the home market also has an impact on their corporate market.
I found getting OpenVPN to work very confusing and frustrating. Eventually, I got OpenVPN working with two separate Orbi systems on Android, Linux, and Windows clients. In other words, I am certainly no 'expert', but it does work.
The important part (to me) is that they are different. If an OpenVPN Client connection designed for tap tries to connect to an OpenVPN host designed for tun, it will fail. (And the reverse.)
Can you be a bit more specific about this? My 'sense' is that the laptop was taken to another place where it could connect to a different network. Is this correct? (My own test practice is to disconnect my smartphone from the Orbi WiFi, which causes it to revert to LTE data. Then open a "Hot Spot" and connect the laptop to that. My point is that this test has the laptop in no way connected to the Orbi network.)
As I understand it, OpenVPN client versions prior to 3.x support both TUN and TAP connections. Starting with version 3.0, the client only supports TUN. If you want your device to be able to communicate with other devices on your network when connecting, it must use TAP. TUN is just for access to the Internet it seems, for example if you're traveling in another country and you're trying to watch Netflix in your own country.
My understanding of the tun/tap difference is that tap puts the VPN client in the same IP subnet as the Orbi LAN, and thus all broadcast messages go across the VPN tunnel (in both directions). Here's how Wikipedia describes it:
Though both are for tunneling purposes, TUN and TAP can't be used together because they transmit and receive packets at different layers of the network stack. TUN, namely network TUNnel, simulates a network layer device and operates in layer 3 carrying IP packets. TAP, namely network TAP, simulates a link layer device and operates in layer 2 carrying Ethernet frames. TUN is used with routing. TAP can be used to create a user space network bridge.
The configuration files Orbi produces for Windows and 'non-Windows' (i.e. Linux) both specify tap as the default. The configuration file Orbi produces for 'smartphones' specifies tun because iPhones and Android phones are restricted to using tun. Both tap and tun allow access to devices on the LAN. (I just verified this with my Android phone using tun.)
For me, this has never been an issue because I typically connect to a Hot Spot on my phone, which hands out 192.168.43.x IP addresses. All subnets from 0 through 254 are valid private IP addresses. Maybe some engineer was thinking ahead, "what if someone attempts to open a VPN on this phone's Hot Spot?" Or, maybe just dumb luck.
My issue is how do I use it? I would like to have a device within my LAN be able to use this VPN tunnel. Proxy doesn't seem to work. There is no documented way that I have found to bind it to an interface.
On the forum I have found a few notes from members setting this up, much like I have, but no mention of using it. I found a note about VPN Client setup regarding wireless routers that mentions a Device List where a network device can be authorized to use a VPN client tunnel, but that doesn't work here as there is no Device List.
1. Use it like this, nothing else. You only access the remote subnet for the resources. Once your IP address matches the remote subnet, you'll be routed to the remote subnet via the VPN tunnel. Therefore, you can access the resources on that remote subnet.
2. Use it with policy routing. You set up a policy routing rule. In this rule, you specify the subnet you are gonna route, e.g. 192.168.10.100-192.168.10.200; this range will only use this VPN tunnel for connection. It's not gonna use your WAN as the NAT. Everything will be routed to the remote OpenVPN gateway. This is the proxy. Of course, your OpenVPN server allows full tunnel mode and allows all traffic to be proxied.
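The difference between the two options above (destination-based routing of only the remote subnet versus a source-range policy rule that sends everything through the tunnel) modelled as an added Python example; this is not the poster's configuration or any router's code. It assumes a LAN of 192.168.10.0/24, a remote subnet of 192.168.20.0/24 behind the OpenVPN server, and a tunnel device named tun0:

```python
import ipaddress

# Constructed addressing; only the 192.168.10.100-200 range comes from the post above.
LAN = ipaddress.ip_network("192.168.10.0/24")
REMOTE = ipaddress.ip_network("192.168.20.0/24")  # assumed subnet behind the OpenVPN server
ANY = ipaddress.ip_network("0.0.0.0/0")
WAN, TUN, LAN_DEV = "wan", "tun0", "lan"          # assumed device names

# Option 1: the main table only sends the remote subnet into the tunnel; everything else uses WAN.
MAIN_TABLE = [(LAN, LAN_DEV), (REMOTE, TUN), (ANY, WAN)]
# Option 2: a separate table whose default route is the tunnel (needs full-tunnel mode on the server).
VPN_TABLE = [(LAN, LAN_DEV), (ANY, TUN)]
# Policy rule: sources in this range consult VPN_TABLE instead of MAIN_TABLE.
POLICY_RULES = [(("192.168.10.100", "192.168.10.200"), VPN_TABLE)]


def in_range(addr, first, last):
    """True if addr lies within the inclusive IPv4 range first..last."""
    return ipaddress.ip_address(first) <= addr <= ipaddress.ip_address(last)


def lookup(table, dst):
    """Longest-prefix match over (network, device) entries; None if nothing matches."""
    matches = [(net, dev) for net, dev in table if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=(None, None))[1]


def egress(src, dst, rules=POLICY_RULES):
    """Policy routing: choose the table by source range first, then route by destination."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for (first, last), table in rules:
        if in_range(src, first, last):
            return lookup(table, dst)
    return lookup(MAIN_TABLE, dst)


if __name__ == "__main__":
    for s, d in [("192.168.10.50", "203.0.113.5"), ("192.168.10.50", "192.168.20.7"),
                 ("192.168.10.150", "203.0.113.5"), ("192.168.10.150", "192.168.10.20")]:
        print(f"{s} -> {d}: {egress(s, d)}")
```

A host outside the policy range reaches the Internet via WAN and only the remote subnet via the tunnel, while a host inside the range sends all non-local traffic through tun0. On Linux the same split is what `ip rule add from <range> table <id>` plus a per-table default route express; the model here only shows the decision, not the kernel commands.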
I have the following IT structure. In my LAN (behind a LANCOM router), I have an IPFIRE server connected via the RED interface. The Green interface is not physically connected to the LAN. On the LANCOM router, I have a port forwarding set up from 1194 to, for example, 192.168.243.113, which is the RED interface of the IPFIRE.
The VPN connection from the client to the IPFIRE server works wonderfully. Now, however, I have the problem that with the active OpenVPN connection, I cannot access network shares such as 192.168.243.10. These are Samba shares on a Windows server. I believe I need to edit something in the routing or firewall rules. However, after several hours of experimenting, I have not found the solution and therefore turn to you with the request for help.
I have not got as far as playing with OpenVPN yet but in the distro I am coming from, there are a number of issues. The Windows firewall often does not like traffic from outside its own subnet. If IPFire does not masquerade incoming OpenVPN traffic, you may need to open the Windows Server firewall to traffic from the OpenVPN subnet. You will also need a route on your router to direct LAN traffic to the OpenVPN subnet via your red interface IP.
If IPFire does masquerade OpenVPN traffic, none of this will be necessary as the OpenVPN traffic will appear on your LAN to come from the Red IP so it knows its way back and also will not be rejected by the Windows Server firewall.
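The two situations described in the reply above (return path for the OpenVPN subnet with and without masquerading, and the Windows firewall rejecting off-subnet sources) as an added Python model; it is not the poster's IPFire configuration. Only the LAN 192.168.243.0/24, the RED address .113 and the Samba server .10 come from the thread; the OpenVPN client subnet 10.8.0.0/24, the client address 10.8.0.6 and the LANCOM router at .1 are assumptions:

```python
import ipaddress

# Constructed addressing modelled on the thread above.
LAN = ipaddress.ip_network("192.168.243.0/24")
VPN = ipaddress.ip_network("10.8.0.0/24")           # assumed OpenVPN client subnet
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
ROUTER_IP = ipaddress.ip_address("192.168.243.1")   # assumed LANCOM address (LAN default gateway)
RED_IP = ipaddress.ip_address("192.168.243.113")    # IPFire RED interface
SERVER_IP = ipaddress.ip_address("192.168.243.10")  # Windows/Samba server
CLIENT_IP = ipaddress.ip_address("10.8.0.6")        # assumed road-warrior client
INTERNET = "internet"                               # marker for the router's upstream
HOSTS = {SERVER_IP: "server", ROUTER_IP: "router", RED_IP: "ipfire"}


def build_tables(router_has_vpn_route):
    """Per-host routing tables as (network, next_hop); next_hop None = directly attached."""
    tables = {
        "server": [(LAN, None), (DEFAULT, ROUTER_IP)],
        "router": [(LAN, None), (DEFAULT, INTERNET)],
        "ipfire": [(LAN, None), (VPN, None)],
    }
    if router_has_vpn_route:
        tables["router"].append((VPN, RED_IP))  # "route 10.8.0.0/24 via the RED IP" on the LANCOM
    return tables


def lookup(table, dst):
    """Longest-prefix match; None if no entry covers dst."""
    matches = [(net, via) for net, via in table if dst in net]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def trace_reply(tables, src_seen_by_server):
    """Follow the server's reply hop by hop and report where it ends up."""
    hop, path = "server", ["server"]
    for _ in range(8):  # bound the walk in case of a routing loop
        route = lookup(tables[hop], src_seen_by_server)
        if route is None:
            return "no-route", path
        _, via = route
        if via == INTERNET:
            return "leaked-to-internet", path + [INTERNET]
        if via is None:  # directly attached network: deliver locally
            if hop == "ipfire" and src_seen_by_server in VPN:
                return "delivered", path + ["client"]
            nxt = HOSTS.get(src_seen_by_server)
            return ("delivered", path + [nxt]) if nxt else ("no-such-host", path)
        hop = HOSTS[via]
        path.append(hop)
    return "loop", path


def simulate(masquerade, router_has_vpn_route, windows_fw_allows_vpn_subnet):
    """Outcome of an SMB request from the VPN client to the Windows server."""
    tables = build_tables(router_has_vpn_route)
    src = RED_IP if masquerade else CLIENT_IP  # MASQUERADE rewrites the source to the RED IP
    if src not in LAN and not windows_fw_allows_vpn_subnet:
        return "firewall-rejected", ["server"]  # Windows firewall drops off-subnet sources
    return trace_reply(tables, src)


if __name__ == "__main__":
    for args in [(True, False, False), (False, True, True), (False, False, True), (False, True, False)]:
        print(args, "->", simulate(*args))
```

With masquerading the request arrives from a LAN address, so neither the router route nor a firewall exception is needed; without it, both must be in place or the reply either dies at the Windows firewall or follows the LANCOM's default route out to the Internet.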
Your OpenVPN connection should already be presented in the VPN connections list in the Network Manager. If your OpenVPN connection is not presented in the NetworkManager, you can create it using the "Import from file..." menu item (Settings -> Network -> VPN -> VPN + -> Import from file...).
Instead of AES-256-CBC, please set the data-ciphers value supported by your OpenVPN server or OpenVPN service supplier. You should be able to find this value in the .ovpn file provided by the VPN service supplier.
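Reading the relevant values out of an .ovpn file, as an added Python example that is not part of the original thread: it pulls the data-ciphers / cipher directives the post above says to copy into NetworkManager and also flags a client-vs-server dev tun/tap mismatch of the kind the Orbi posts earlier on this page describe. Both configs are constructed samples (the hostname vpn.example.net and the certificate body are placeholders); the cipher comparison is a simplified "anything in common" check, not OpenVPN's real negotiation logic:

```python
import re

# Constructed sample configs (not from Orbi, IPFire, IPVanish or any real provider).
SERVER_OVPN = """\
# constructed server config
port 1194
proto udp
dev tun
server 10.8.0.0 255.255.255.0
data-ciphers AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305
cipher AES-256-CBC
"""

CLIENT_OVPN = """\
client
dev tap
proto udp
remote vpn.example.net 1194
cipher AES-256-CBC
<ca>
-----BEGIN CERTIFICATE-----
placeholder, not a real certificate
-----END CERTIFICATE-----
</ca>
"""


def parse_ovpn(text):
    """Return {directive: [args]} from an .ovpn file, skipping comments and <inline> blocks.

    Quoted arguments are not handled; that is enough for the directives checked here.
    """
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                       # inside <ca> ... </ca> etc.: skip until the closing tag
            if line == f"</{inline}>":
                inline = None
            continue
        m = re.fullmatch(r"<([\w-]+)>", line)
        if m:
            inline = m.group(1)
            continue
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        name, *args = line.split()
        directives[name] = args
    return directives


def dev_type(conf):
    """'tun' or 'tap' from 'dev-type', else from the dev name ('dev tap0'); None if absent."""
    for key in ("dev-type", "dev"):
        if conf.get(key):
            for kind in ("tun", "tap"):
                if conf[key][0].startswith(kind):
                    return kind
    return None


def offered_ciphers(conf):
    """Ciphers a peer lists: the data-ciphers entries plus the legacy cipher, if present."""
    ciphers = []
    if "data-ciphers" in conf:
        ciphers += conf["data-ciphers"][0].split(":")
    if "cipher" in conf:
        ciphers.append(conf["cipher"][0])
    return ciphers


def data_ciphers_for_networkmanager(conf):
    """The colon-separated value to put into NetworkManager's data-ciphers field."""
    return ":".join(offered_ciphers(conf))


def check_compat(client_text, server_text):
    """List gross mismatches a client config would hit against a server config."""
    c, s = parse_ovpn(client_text), parse_ovpn(server_text)
    problems = []
    if dev_type(c) != dev_type(s):
        problems.append(f"dev mismatch: client {dev_type(c)}, server {dev_type(s)}")
    cp, sp = c.get("proto", ["udp"])[0][:3], s.get("proto", ["udp"])[0][:3]
    if cp != sp:
        problems.append(f"proto mismatch: client {cp}, server {sp}")
    if not set(offered_ciphers(c)) & set(offered_ciphers(s)):
        problems.append("no data cipher in common")
    return problems


if __name__ == "__main__":
    print("server offers:", data_ciphers_for_networkmanager(parse_ovpn(SERVER_OVPN)))
    print("problems:", check_compat(CLIENT_OVPN, SERVER_OVPN))
```

Run it against the real client and server files side by side and the dev mismatch shows up before any tunnel is attempted; the data-ciphers string it prints is what goes into the NetworkManager field instead of a guessed AES-256-CBC.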
This displays errors from NetworkManager and other processes and is what clued me into the hack/fix which I found on a Kubuntu forum. -supported-releases/kubuntu-22-10/network-support-bc/666945-network-manager-fails-to-connect-to-open-vpn-expressvpn-terminal-works-fine
Obviously this is an IPVanish specific configuration file, but the same concept may apply to other VPNs. Once you attempt to import a .ovpn file and connect, a network manager configuration file will be generated in the above directory (/etc/NetworkManager/system-connections/).
Downgrading and holding openvpn as per wolfmanFP's instructions (this has worked in the past and is the only method I had success with, however, this stopped working for me yesterday after a fresh Ubuntu install, Kali too).
We have an issue where many times Global Protect clients are not switching from the Pre Logon user to their logged in user name. Certs are deployed and Pre-logon access works. IT can remote on to troubleshoot a PC that is just at the windo