
Configure remote access SSL VPN as a full tunnel

When you configure remote access SSL VPN connections in full tunnel mode, all traffic from remote access SSL VPN users flows through the firewall. They can only access the permitted network resources you select in the SSL VPN policy.

Users can establish the connection using the Sophos Connect client.

Restriction

Currently, the Sophos Connect client doesn't support macOS for SSL VPN. It also doesn't support mobile platforms for IPsec and SSL VPN. For these endpoints, you can use the OpenVPN Connect client. See Sophos Connect client: Compatibility with platforms.

Network diagram

Network diagram for remote access SSL VPN full tunnel.

Tip

Using the SSL VPN assistant (Remote access VPN > SSL VPN > Assistant) helps you easily configure the SSL VPN global settings, SSL VPN policy, and VPN portal settings shown in this article. It automatically creates the required firewall rule.

Prerequisites

Make sure you've configured IP hosts for the network resources remote users can access. You must also configure users and groups in the firewall.

Create IP host for local subnet

Here's an example subnet for the network resources remote clients can access.

  1. Go to Hosts and services > IP host and click Add.
  2. Enter a name and network for the local subnet.

    IP host for local subnet.

  3. Click Save.

Create a user group and user

Create a user group for remote SSL VPN and add a user if you haven't already done it.

  1. Go to Authentication > Groups and click Add.
  2. Specify the settings.

    Name             Value
    ---------------  -------------------------
    Name             Remote SSL VPN group
    Surfing quota    Unlimited internet access
    Access time      Allowed all the time
  3. Click Save.

  4. Go to Authentication > Users and click Add.
  5. Specify the settings.

    Name             Value
    ---------------  -------------------------
    Username         john.smith
    Name             John Smith
    Group            Remote SSL VPN group
  6. Click Save.

Check authentication services

This example sets the VPN portal and SSL VPN authentication methods to local authentication. Sophos Firewall then acts as the authentication server.

  1. Go to Authentication > Services.
  2. Under VPN portal authentication methods, do as follows:

    1. Clear Set authentication methods same as firewall.
    2. Check that the Selected authentication server is set to Local.

    Authentication server set to Local in VPN portal authentication methods.

  3. Scroll to SSL VPN authentication methods.

  4. Check that the authentication server is set to Local.

    Authentication server set to Local in SSL VPN authentication methods.

Note

Alternatively, you can select an authentication server, such as the Active Directory server you've configured under Authentication > Servers.

SSL VPN configurations

Specify the required SSL VPN settings, configure an SSL VPN policy, and, optionally, the provisioning file.

SSL VPN global settings

When SSL VPN clients connect to the firewall, it assigns IP addresses from the subnet you enter here. You must use a private address.

  1. Go to Remote access VPN > SSL VPN and click SSL VPN global settings.

    VPN settings.

  2. Enter the private IP address and subnet mask.

    When connections are established, the firewall leases IP addresses from the subnet to remote users.

    IPv4 lease range.

  3. Enter the following DNS settings:

    1. Enter the primary and secondary IPv4 DNS server addresses.
    2. For Domain name, enter the DNS suffix (example: company.com or test.local) for the hostnames of permitted resources.

      The suffix is added to the remote endpoint's network adapter. When the endpoint resolves a short hostname, the suffix is appended to form an FQDN, so DNS queries for permitted resources resolve correctly.

    DNS settings.

  4. Click Apply.

Add an SSL VPN policy

Create a policy that allows users in the remote SSL VPN group to establish VPN connections and access resources on the local subnet.

  1. Go to Remote access VPN > SSL VPN and click Add.
  2. Click Configure manually.
  3. Enter a name.
  4. Select the policy members.
  5. Turn on Use as default gateway to establish a full tunnel.

    All the traffic of remote users, including internet traffic, enters the firewall through the established tunnels.

  6. For Permitted network resources that members are allowed to access, this example selects the following:

    • LocalSubnet
    • DNS_Servers

      To allow DNS resolution, you must select the DNS servers.

  7. Click Apply.

    Specify policy members and permitted network resources.

(Optional) Create a provisioning file

With a provisioning file, the Sophos Connect client automatically fetches the .ovpn configuration through the VPN portal. It also fetches some configuration changes you make later. See Provisioning file templates.

Restriction

The provisioning file only supports Windows devices. You can only use it with the Sophos Connect client.

  1. Open a new file in a text editor, such as Notepad.
  2. Copy and edit the settings to meet your network requirements using the syntax on Provisioning file settings.

    You must specify the hostname or IP address of the gateway. The other fields are optional.

    Example
    [
        {
            "gateway": "203.0.113.1",
            "user_portal_port": 443
        }
    ]
    
  3. Save the file with a .pro extension.

  4. To install it on users' endpoints, use one of the following options:

    • Email the provisioning file to users.

      Users must click Import connection in the Sophos Connect client and select the file. Alternatively, they can double-click the .pro file to import it. See Provisioning IPsec and SSL VPN.

    • Use an Active Directory Group Policy Object (GPO) to automatically import it to the Sophos Connect client on users' endpoints after start-up. See Import VPN provisioning file through GPO.
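Before you email a .pro file to users or push it through a GPO, it's worth checking that it's well-formed, since a typo in the gateway value means the client will not reach your firewall. The following Python helper is an added example, not part of the Sophos documentation or the Sophos Connect client: it builds the JSON structure shown above and validates a .pro file's text. It checks only the two fields the page shows (gateway and user_portal_port); the hostname rule it applies to gateway is an assumption.

```python
import ipaddress
import json
import re
from typing import Dict, List, Optional

# RFC 1123 hostname label; assumption: "gateway" may be a hostname or a literal IP address.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_gateway(gateway: str) -> bool:
    """True if gateway is an IPv4/IPv6 literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(gateway)
        return True
    except ValueError:
        pass
    if not gateway or len(gateway) > 253:
        return False
    return all(_LABEL.match(label) for label in gateway.rstrip(".").split("."))

def build_provisioning(gateway: str, user_portal_port: Optional[int] = None) -> List[Dict]:
    """Return the .pro content as a JSON array with one connection object; only "gateway" is required."""
    if not is_valid_gateway(gateway):
        raise ValueError(f"invalid gateway: {gateway!r}")
    entry: Dict = {"gateway": gateway}
    if user_portal_port is not None:
        if not 1 <= user_portal_port <= 65535:
            raise ValueError(f"user_portal_port out of range: {user_portal_port}")
        entry["user_portal_port"] = user_portal_port
    return [entry]

def check_pro_file(text: str) -> List[str]:
    """Return the problems found in a .pro file's text; an empty list means it looks valid."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(data, list) or not data:
        return ["top level must be a non-empty JSON array"]
    problems: List[str] = []
    for i, entry in enumerate(data):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: must be a JSON object")
            continue
        gateway = entry.get("gateway")
        if not isinstance(gateway, str) or not is_valid_gateway(gateway):
            problems.append(f"entry {i}: missing or invalid 'gateway'")
        port = entry.get("user_portal_port")
        if port is not None and not (isinstance(port, int) and not isinstance(port, bool) and 1 <= port <= 65535):
            problems.append(f"entry {i}: 'user_portal_port' must be an integer from 1 to 65535")
    return problems
```

Pass the result of build_provisioning to json.dumps(..., indent=4) to get the text to save with a .pro extension, and run check_pro_file over that text before you distribute it.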

Allow traffic

You must allow SSL VPN from the WAN zone, configure an SNAT rule to masquerade outbound traffic, and configure a firewall rule to allow SSL VPN traffic.

Check device access settings

You must allow access to some services for remote users from the required zones.

  1. Go to Administration > Device access.
  2. Under SSL VPN, select WAN to allow remote users to establish SSL VPN connections.

  3. Under VPN portal, select LAN, WAN, Wi-Fi, and VPN.

    Users can access the VPN portal and download the VPN client and configuration files from these zones.

  4. (Optional) Under Ping/Ping6, select VPN.

    Users can ping the firewall's IP address through VPN to check connectivity.

  5. Under DNS, select VPN.

    Users can resolve domain names through VPN if you've specified the firewall for DNS resolution in VPN settings.

  6. Click Apply.

    Turn on access from zones for SSL VPN and VPN portal.

Check the SNAT rule

Go to Rules and policies > NAT rules and check if the default IPv4 SNAT rule or an SNAT rule to masquerade outbound traffic exists.

Default SNAT IPv4 rule.

If it doesn't exist, continue with the firewall rule below and, in step 9 of that procedure, create a linked SNAT rule.

Add a firewall rule

  1. Go to Rules and policies > Firewall rules.
  2. Select IPv4 or IPv6.
  3. Click Add firewall rule and New firewall rule.
  4. Enter a rule name.
  5. For Source zone, select VPN.
  6. For Source networks and devices, select ##ALL_SSLVPN_RW or ##ALL_SSLVPN_RW6.

    The firewall dynamically adds the IP addresses it leases to connected remote users to these host objects.

  7. For Destination zones, select Any to allow remote users' traffic from VPN to any zone, including the LAN, DMZ, and WAN zones.

  8. For Destination networks, select Any.

    The default gateway setting ensures remote users' internet traffic flows through the firewall. So, the firewall rule must allow traffic from the specified source networks to any network.

    Firewall rule's matching criteria.

  9. Optional: If an SNAT rule to masquerade outbound traffic doesn't exist, you can create a linked NAT rule.

    1. Click Create linked NAT rule.
    2. For Translated source (SNAT), select MASQ.
    3. Click Save.

      Linked NAT rule.

  10. Click Save.

User actions

Users can download the Sophos Connect client from the VPN portal and install it. They can import the .pro file you provide or download the SSL VPN configuration and import it to the client. See Provisioning IPsec and SSL VPN and SSL VPN.
