Setting up an OpenVPN server with Sophos XG and Viscosity
This guide will walk you through the steps involved in setting up an OpenVPN server on a Sophos XG host that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.
Before using this guide, we highly recommend you read through our Introduction to Running an OpenVPN Server Article.
Preparation
For this guide, we assume:
- You have already installed the latest version of Sophos XG (18.0.5 at time of writing)
- Sophos XG has been set up with at least a WAN interface and a LAN interface
- You are connected with your client device to the Sophos XG server via its LAN interface during this guide
- Sophos XG is using the default LAN subnet 172.16.16.0/24
- This installation of Sophos XG is a fresh install
- You already have a copy of Viscosity installed on your client device
If you need to download and install a copy of Sophos XG, information can be found at https://www.sophos.com/en-us/products.../sophos-xg-firewall-home-edition.aspx. We won't be covering the details of setting up a Sophos XG instance. If you are running a different version of Sophos XG, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to set up an OpenVPN server on a different operating system, please check out our other guides.
Your client device needs to be connected to the Sophos XG server via the LAN interface. This is necessary so that you can access the Web Console portal to set up the Sophos XG configuration. The specifics of how you can achieve this depend on your particular network configuration.
If you don't have a copy of Viscosity already installed on your client machine, then please check out this setup guide for installing Viscosity (Mac | Windows).
Support
Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.
Sophos offer technical documentation for XG at https://docs.sophos.com/nsg/sophos-fi.../index.html
Getting Started
First you need to log in to the Web Console portal from your client device connected to the LAN interface of the Sophos XG server. Open a browser on your client and navigate to the IP address of the LAN interface of your Sophos XG server, https://172.16.16.16:4444 by default. You will need to log in. The password for the admin user should have been configured when you set up your Sophos XG instance.
Create Group & Users
If you are not using an authentication system, you will need to create a group for SSL VPN access and add users.
Add Group
- On the side bar, click Authentication under the CONFIGURE heading.
- In the Groups tab, click Add.
- Set the Group name to SSL VPN.
- Set Surfing Quota to Unlimited Internet Access.
- Set Access time to Allowed all the time.
- Click Save.
Add User
- While still in the Authentication menu, click the Users tab, then click Add.
- Fill in a User name, Name, Password and Email.
- Set Group to SSL VPN.
- When you are done, click Save.
User Services
- While still in the Authentication menu, click the Services tab.
- Scroll down to SSL VPN authentication methods and ensure Local is set as the Selected authentication server.
Setup Network Access
Next we need to set up the subnets used through the rest of this guide by the VPN server and firewall. We will use the default IP addresses that Sophos XG assigns.
Local Area Network
If you already have a Local Area Network IP Host set, you can skip to the next heading.
- On the side bar, click Hosts and services under the SYSTEM heading.
- In the IP host tab, click Add.
- Set the Name to Local Area Network.
- Set the Type to Network.
- Set the IP address to 172.16.16.0 and Subnet to /24 (255.255.255.0).
- When you are done, click Save.
VPN Network
- While still in the Hosts and services menu, in the IP host tab, click Add.
- Set the Name to SSL VPN Network.
- Set the Type to Network.
- Set the IP address to 10.81.234.0 and Subnet to /24 (255.255.255.0).
- When you are done, click Save.
Firewall & ACL
Next we need to set up the firewall rule and ACLs for access. We will only set up access from the VPN to the LAN.
Firewall
- On the side bar, click Firewall under the PROTECT heading.
- Click + Add firewall rule, then User/network rule in the dropdown that appears.
- Set Rule name to VPN to LAN.
- Set Rule group to None.
- Set Source zones to VPN.
- Set Source networks and devices to SSL VPN Network.
- Set Destination zones to LAN.
- Set Destination networks to Local Area Network.
- When you are done, click Save.
ACL
- On the side bar, click Administration under the SYSTEM heading.
- Click the Device access tab.
- Under Local Service ACL, ensure SSL VPN is ticked in the WAN row. You may also wish to tick it for LAN and WiFi if you want to connect locally.
- Ensure DNS is ticked under the VPN row. We also recommend ticking Ping/Ping6.
- Ensure User Portal is ticked under the LAN and WiFi rows.
- Click Apply.
Setup VPN Server
Finally, we can set up the SSL VPN server that Viscosity will connect to.
VPN Settings
- On the side bar, click VPN under the CONFIGURE heading.
- At the top right, click Show VPN settings and then select the SSL VPN tab. We recommend changing the following:
- Set Protocol to UDP.
- Set IPv4 DNS to 172.16.16.16.
- Set Encryption algorithm to AES-256-CBC.
- Untick/Turn off Compress SSL VPN Traffic.
- When you are done, click Save.
SSL VPN
- While still in the VPN menu, in the SSL VPN (remote access) tab, click Add.
- Set the Name.
- Set Policy members to SSL VPN.
- Set Permitted network resources (IPv4) to Local Area Network.
- When you are done, click Apply.
At this point we are finished with the server setup. As we have changed so much, we highly recommend restarting your Sophos XG by going to the user drop down at the top right and selecting Reboot device.
Setting Up Viscosity
To connect to our OpenVPN server, we need to download the client configuration for our user. On the client machine:
- Open a browser and navigate to https://172.16.16.16.
- Enter the Username and Password for the user and log in.
- Click on the SSL VPN tab on the left.
- Click on the Download configuration for other OSs link.
- It should download a file called "username__ssl_vpn_config.ovpn".
Import this file into Viscosity and you will be able to connect straight away!
(Optional) Allowing Access to the Internet
By default the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However, if you also wish to have all internet traffic sent through the VPN connection, it's necessary to make a final edit to the connection:
- Double-click on your connection in the Viscosity Preferences window to open the connection editor
- Click on the Networking tab.
- Click the "All Traffic" drop down and select the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.
- Click the Save button.
You will also need to add a new firewall rule on your Sophos XG. Simply follow the Firewall heading above, except set the Destination Zones to WAN instead of LAN and Destination networks to Any.
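The VPN Settings steps above recommend UDP transport, the AES-256-CBC cipher and compression turned off, and the optional step in this section routes all traffic through the tunnel. The following script is an added example, not code from Sophos or from Viscosity, that parses an OpenVPN client profile and checks it against those recommendations so you can confirm the downloaded profile reflects the server settings. The sample profile embedded in it is constructed for illustration and is not the file Sophos XG generates; the hostname, port and certificate body are placeholders. It also assumes that Viscosity's "Send all traffic over VPN connection" option corresponds to a redirect-gateway directive in the connection's configuration.

```python
"""Check an OpenVPN client profile against the settings this guide recommends.

Added example, not part of Sophos XG or Viscosity. It parses the directives
of an .ovpn file and reports whether the profile uses UDP transport, the
AES-256-CBC cipher, no compression and, optionally, whether it routes all
traffic through the tunnel (assumed to appear as a redirect-gateway line).
"""
import re

# Constructed sample profile; it is NOT the file Sophos XG generates. The
# hostname, port and certificate body are placeholders.
SAMPLE_PROFILE = """\
client
dev tun
proto udp
remote vpn.example.invalid 1194
route 172.16.16.0 255.255.255.0
cipher AES-256-CBC
auth SHA256
auth-user-pass
comp-lzo no
verb 3
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER
-----END CERTIFICATE-----
</ca>
"""


def parse_profile(text):
    """Map each directive to a list of argument lists, in file order.

    Whole-line comments (# or ;) are skipped, as are inline <ca>, <cert>,
    <key> and <tls-auth> style blocks, whose PEM lines are not directives.
    """
    directives = {}
    in_block = None
    for raw in text.splitlines():
        line = raw.strip()
        if in_block is not None:
            if line == f"</{in_block}>":
                in_block = None
            continue
        if not line or line[0] in "#;":
            continue
        opener = re.fullmatch(r"<([a-zA-Z0-9-]+)>", line)
        if opener:
            in_block = opener.group(1)
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def check_profile(text, expect_all_traffic=False):
    """Return {check_name: (passed, detail)} for the guide's recommendations.

    expect_all_traffic=True corresponds to the optional "Send all traffic
    over VPN connection" setting, assumed here to appear in the profile as a
    redirect-gateway directive.
    """
    d = parse_profile(text)
    results = {}

    # Transport: a "proto" line, or a third argument on "remote" lines.
    protos = {args[0].lower() for args in d.get("proto", []) if args}
    for args in d.get("remote", []):
        if len(args) >= 3:
            protos.add(args[2].lower())
    if not protos:
        protos = {"udp"}  # OpenVPN's default when no protocol is named
    results["udp_transport"] = (
        all(p.startswith("udp") for p in protos),
        "protocols: " + ", ".join(sorted(protos)))

    # Cipher: the legacy "cipher" line and/or the negotiation lists.
    ciphers = {args[0].upper() for args in d.get("cipher", []) if args}
    for args in d.get("data-ciphers", []) + d.get("ncp-ciphers", []):
        if args:
            ciphers.update(c.upper() for c in args[0].split(":"))
    results["aes256cbc_cipher"] = (
        "AES-256-CBC" in ciphers,
        "ciphers: " + (", ".join(sorted(ciphers)) or "none"))

    # Compression: "comp-lzo" (bare, yes or adaptive) and "compress <alg>"
    # enable it; "comp-lzo no" and a bare "compress" (framing only) do not.
    compression = [
        "comp-lzo " + " ".join(args) for args in d.get("comp-lzo", [])
        if not args or args[0].lower() != "no"
    ] + ["compress " + " ".join(args) for args in d.get("compress", []) if args]
    results["compression_off"] = (
        not compression,
        ("enabled by: " + "; ".join(compression)) if compression else "disabled")

    # Routing: redirect-gateway sends the client's default route via the tunnel.
    redirect = bool(d.get("redirect-gateway"))
    results["all_traffic_via_vpn"] = (
        redirect == expect_all_traffic,
        "redirect-gateway present" if redirect else "split tunnel (LAN routes only)")
    return results


def profile_ok(text, expect_all_traffic=False):
    """True when every check in check_profile passes."""
    return all(passed for passed, _ in check_profile(text, expect_all_traffic).values())


if __name__ == "__main__":
    for name, (passed, detail) in check_profile(SAMPLE_PROFILE).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name:22s} {detail}")
```

Run it against the downloaded "username__ssl_vpn_config.ovpn" by reading the file into `check_profile`; pass `expect_all_traffic=True` once you have switched the connection to send all traffic over the VPN, so that a profile left in split-tunnel mode is reported as a failed check rather than silently accepted.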