Skip to content
Last update: 2022-03-11

VPN settings

You can specify the settings for remote access SSL VPN and L2TP connections.

You can specify the port and protocol, VPN server certificate, IP addresses assigned to the remote clients, and the cryptographic and advanced settings.

The SSL VPN settings are part of the .ovpn configuration file imported to the SSL VPN client.

SSL VPN settings

Protocol: SSL VPN clients can establish connections using the following protocols:

  • TCP: You can use TCP for applications that need high reliability, such as email, web surfing, and FTP.
  • UDP: You can use UDP for applications that need a fast, efficient transmission, such as streaming media, VoIP, DNS, and TFTP.

SSL server certificate: The SSL VPN server uses this certificate to authenticate the clients.
To select a certificate other than the default certificate, go to Certificates > Certificates, and configure a locally-signed certificate or upload an external certificate.

Override hostname (optional): SSL VPN clients use the IP address or hostname you enter here rather than the WAN IP address of Sophos Firewall to establish the connection.

Enter your network's public IP address or hostname if Sophos Firewall is behind a router and doesn't have a public IP address.

If you leave this field blank, SSL VPN clients establish connections with the WAN IP address of the firewall in the listed order on Network > Interfaces.

Port (optional): Change the port number to use for the connections.

IPv4 lease range: Sophos Firewall leases IP addresses to SSL VPN clients from the private address range you specify.

Subnet mask: Change the subnet mask of the IPv4 address range if you want.

IPv6 lease (IPv6 prefix): Sophos Firewall leases IP addresses to SSL VPN clients from the private address range you specify. Change the prefix if you want.

Lease mode: You can choose to lease only IPv4 addresses or IPv4 and IPv6 addresses.

IPv4 DNS: You can enter the IP addresses of the primary and secondary DNS servers for the following:

  • To resolve the hostnames of network resources that remote users will access.
  • To resolve public hostnames if Sophos Firewall acts as the default gateway for remote access SSL VPN users.

IPv4 WINS (optional): You can enter the primary and secondary Windows Internet Naming Service (WINS) servers for your network.

Domain name (optional): The hostname or FQDN of Sophos Firewall used in notification messages. It helps you identify the firewall when you have more than one.

Disconnect dead peer after: Time, in seconds, after which the firewall closes connections with unresponsive clients.

Disconnect idle peer after: Time, in minutes, after which the firewall closes an idle connection.

Cryptographic settings

Encryption algorithm: Select the algorithm for encrypting data sent through the VPN tunnel.

Authentication algorithm: Select the algorithm for authenticating the messages.

Key size: Select the key size (bits). Longer keys are more secure.

Key lifetime: Enter the time (seconds) after which keys expire.

Advanced settings

Compress SSL VPN traffic: Select to compress data before it's encrypted.

Debug settings

Enable debug mode: Select to provide extensive information in the SSL VPN log file for debugging.

You can specify the IP addresses to assign to L2TP users and the DNS servers to use for these connections.

L2TP settings

  1. Click Enable L2TP to turn on L2TP configuration.
  2. For Assign IP from, enter a private IP address range with at least a 24-bit netmask. Sophos Firewall will lease IP addresses to L2TP clients from this range.


    IP address ranges for L2TP and PPTP must not overlap with the SSL VPN range.

  3. Optional: Select Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client if you want.
    The firewall then uses the IP addresses provided by the RADIUS server if you use one. If the RADIUS server doesn't provide an address, the firewall assigns the static address configured for the user or leases an address from the specified range.

  4. Optional: Select the Primary DNS server and the Secondary DNS server L2TP users can use to resolve internal hostnames.
  5. Optional: Enter the Primary WINS server and Secondary WINS server.
  6. Click Apply.

Allow users to establish L2TP connections

  • Click Add members and select the users and groups.
  • To see the users allowed to establish L2TP connections, click Show members.
Back to top