The topic of today’s post is setting up an SSL VPN through the Sophos UTM Home Edition. The ease-of-use VPN solution was one of my primary reasons for pursuing this particular UTM in the first place, and so I think it’s a topic definitely worth exploring. There are a variety of VPN options within the UTM. I’ll only be covering the SSL option here. If you are looking to set up a new UTM, start at the beginning and work your way back!
Setup
The setup process is very simple. From the UTM dashboard, select “Remote Access” from the left hand side of the screen.
The Remote Access Overview page is straightforward. It provides a quick snapshot of current remote sessions. Usernames, real names, and IP addresses are provided for users currently logged into the VPN. There are a handful of different options at your disposal when implementing a VPN through the Sophos UTM. I would encourage you to explore each and figure out which best suits your needs. If this is for a home setup, the SSL VPN should suit all of your immediate needs. To start configuring your VPN, select that sub-option from the left hand menu.
On the SSL VPN page, select “+ New Remote Access Profile.” In the new frame that appears, select those users or groups you would like to grant access to the VPN; you can also create new users and groups by clicking on the “+” which is a standard feature in Sophos as we saw in the Definitions and Rules post last week. Next, choose the specific networks to which you would like to grant your users access. If you want the UTM to decide what firewall rules to establish around your new VPN, leave the check box marked. Otherwise, leave it unchecked, but don’t forget to revisit the “Network Protection” area of the Dashboard to set the rules yourself.
User Portal
Once your new profile is set, click on “Management” and then “User Portal” from the Dashboard. The User Portal is a web-accessible page hosted on the UTM that allows users to perform a variety of functions including downloading the files necessary to install the SSL VPN client.
The “Allowed Networks” and “Allowed Users” tables in the “Global” tab allow you to keep access to the User Portal as locked down as you would prefer. Since I am the only person in my household with any need to access the VPN, I tend to keep the User Portal as private as possible. I am the only user allowed, and after I have installed/updated the VPN client, I will usually simply turn off the User Portal by turning the switch in the upper right hard corner of the page to “Off.”
The ‘Advanced” tab features additional options including the ability to disable certain items on the User Portal. If you only plan to use the portal to facilitate use of the SSL VPN, check all boxes except for the Remote Access box.
Scrolling a little farther down will give you the option to change the network settings of the User portal. If you only intend the User Portal for external access, change your address to your WAN interface. I recommend changing your port to something non-standard for a bit of obscurity. Don’t forget to apply any changes you make.
Notes
It’s worth noting that if your UTM is running out of your home, chances are pretty good that your ISP provides you a dynamic IP. In order to get to your User Portal (and VPN) from the Internet, you’ll have to know your public IP. DynDNS provides a relatively inexpensive method for managing this issue. I’m not going to explore setting up DynDNS within the UTM today, but it is a well supported feature. The DynDNS options are available under DNS within the UTM’s options.
