Skip to content

VPN settings

You can specify the settings for remote access SSL VPN and L2TP connections.

The SSL VPN global settings apply to all remote access SSL VPN policies.

These settings are part of the .ovpn configuration file imported to the SSL VPN client.

To specify the settings, go to VPN > Show VPN settings> SSL VPN.


SSL VPN clients can establish connections using the following protocols:

  • TCP: You can use TCP for applications that need high reliability, such as email, web surfing, and FTP.
  • UDP: You can use UDP for applications that need a fast, efficient transmission, such as streaming media, VoIP, DNS, and TFTP.

SSL server certificate

The SSL VPN server uses this certificate to authenticate the clients.

To select a certificate other than the default certificate, go to Certificates > Certificates and configure a locally-signed certificate or upload an external one.

If you use an intermediate CA generated using an external root CA for signing the SSL server certificate, you must upload the server certificate with its private key and the intermediate and root CAs to the firewall.

Override hostname (optional)

Use this setting if the firewall is behind a router.

  • Enter your network's public IP address or hostname if the firewall is behind a router and doesn't have a public IP address. Alternatively, if the firewall has more than one WAN IP address, you can enter the address you want clients to connect to. SSL VPN clients connect to the IP address or hostname specified here.
  • If you leave this field blank, all the interfaces belonging to the zones from which you allow SSL VPN access (Administration > Device access under Local service ACL) are listed in the .ovpn file. Clients try to establish connections with the interfaces configured on Network > Interfaces.

The permitted networks configured in SSL VPN policies don't appear in the .ovpn file. When clients establish a connection, the permitted networks for the users are automatically added to the client.

Port (optional)

Change the port number to use for the connections if you want. See the following warnings:


We strongly recommend that you don't use the port configured for the user portal (Administration > Admin and user settings). This ensures the user portal isn't exposed to the WAN zone.

For example, if you use port 443 for the user portal and SSL VPN, the user portal will be accessible from the WAN zone even when you turn off WAN access to it.


SSL VPN traffic and WAF rules must have different values for at least one of the following objects: WAN IP address, port, protocol.

SSL VPN traffic to the WAN IP address used by WAF rules is dropped if it shares a common port and protocol with the WAF rules. This applies only to IPv4 traffic.

The default HTTPS ports differ for WAF rules (443) and SSL VPN (8443). WAF traffic always uses the TCP protocol.

Here's an example of the configuration SSL VPN traffic can use when the network has two WAN IP addresses:

WAF Option 1

(Different IP address)


Option 2

(Different port)


Option 3

(Different protocol)


WAN IP address or or
Port 443 443 Don't use 443 Any port
Protocol TCP TCP or UDP TCP or UDP UDP

Assigning IP addresses

You can configure the following:

  • IPv4 lease range: The firewall leases IP addresses to SSL VPN clients from the private address range you specify.
  • Subnet mask: Change the subnet mask of the IPv4 address range if you want.
  • IPv6 lease (IPv6 prefix): The firewall leases IP addresses to SSL VPN clients from the private address range you specify. Change the prefix if you want.
  • Lease mode: You can choose to lease only IPv4 addresses or IPv4 and IPv6 addresses.

Domain name (optional)

You can configure the following:

  • IPv4 DNS: You can enter the IP addresses of the primary and secondary DNS servers for the following:

    • To resolve the hostnames of network resources that remote users will access.
    • To resolve public hostnames if Sophos Firewall acts as the default gateway for remote access SSL VPN users.
  • IPv4 WINS: You can enter the primary and secondary Windows Internet Naming Service (WINS) servers for your network.

  • Domain name (optional): The hostname or FQDN of Sophos Firewall used in notification messages. It helps you identify the firewall when you have more than one.

Disconnecting the peer

You can configure the following:

  • Disconnect dead peer after: Time, in seconds, after which the firewall closes connections with unresponsive clients.
  • Disconnect idle peer after: Time, in minutes, after which the firewall closes an idle connection.

Other settings

You can configure the following:

  • Cryptographic settings:

    • Encryption algorithm: Select the algorithm for encrypting data sent through the VPN tunnel.
    • Authentication algorithm: Select the algorithm for authenticating the messages.
    • Key size: Select the key size (bits). Longer keys are more secure.
    • Key lifetime: Enter the time (seconds) after which keys expire.
  • Advanced settings:

    • Compress SSL VPN traffic: Select to compress data before it's encrypted.
  • Debug settings

    • Enable debug mode: Select to provide extensive information in the SSL VPN log file for debugging.

You can specify the IP addresses to assign to L2TP users and the DNS servers to use for these connections.

L2TP settings

  1. Click Enable L2TP to turn on L2TP configuration.
  2. For Assign IP from, enter a private IP address range that belongs to a /24 or smaller subnet. The range can't contain more than 254 IP addresses. Sophos Firewall will lease IP addresses to L2TP clients from this range.


    IP address ranges for L2TP and PPTP must not overlap with the SSL VPN range.

  3. Optional: Select Allow leasing IP address from RADIUS server for L2TP, PPTP, and Sophos Connect client if you want.
    The firewall then uses the IP addresses provided by the RADIUS server if you use one. If the RADIUS server doesn't provide an address, the firewall assigns the static address configured for the user or leases an address from the specified range.

  4. Optional: Select the Primary DNS server and the Secondary DNS server L2TP users can use to resolve internal hostnames.
  5. Optional: Enter the Primary WINS server and Secondary WINS server.
  6. Click Apply.

Allow users to establish L2TP connections

  • Click Add members and select the users and groups.
  • To see the users allowed to establish L2TP connections, click Show members.