Setting up an SSL VPN through Sophos UTM — the hard way.

And here’s the thing.. I had it working before… doesn’t that just kill? The irony is starting to hurt my feelings… 🙂

After spending about 7 hours trying to get this to work, I have decided to start over, spin up a fresh install of the latest asg*.iso file in VMware, and see how it goes….

Okay… it’s been 6 hours and I have a fresh install working and configured for baseline internet access using one network client (manually adjusting the TCP/IP stack away from DHCP to test), and we have pulled our standard test HTTP blob (Adele’s ‘Hello’ video on YouTube.. my version of hello world).

Pain points: spinning up a twin firewall in ESXi can be problematic, so remember these things:

(I’m going to have to condense these into simple captures of what I learn instead of talking to myself..)

  • Go for the “Other Linux 32-bit” guest OS type in ESXi for Sophos UTM. There is an option mid-install to go for 64-bit, but for some reason WebAdmin always chokes right after install when you use the 64-bit option. Just pass on it.
  • Twinning up a firewall with the same IP address (even with the other one down) seems to make the gods angry. I didn’t test for an ARP cache conflict, but I’m guessing that’s what it was.. no workie. Use a new IP.
  • Don’t worry about configuring a gateway in the firewall. It auto-configures.
  • When setting up your WAN interface, choose Standard Ethernet as your connection type and opt for DHCP. (Much better performance than our first exercise in building this…)

Now… time to set up the VPN. But steaks first. (Will return)

Next Day —- The bleeding continues…
9:13AM

I have another client on the network configured to run through the new firewall. I’m configuring the SSL VPN now…. wish me luck.

Interesting tidbit: Nmap has a DNS dependency when running from Darwin 15.6 without using a -Pn flag. Weird….

Toggling the firewall rules has no effect over the course of 1-2 min of blocking access. I turned them off, yet I can pull websites and my DI stream does not fail. Does it take a few minutes? Need to explore further to work out the root cause of the firewall issues… Fleh.

Some great nmap commands listed here:

http://bencane.com/2013/02/25/10-nmap-commands-every-sysadmin-should-know/

Thank you, Ben Cane. 🙂

3:45PM
Ya know… it’s been another 6 hours of nibbling along, and my only accomplishment today is making my bed.. Redoing the firewall from scratch has forced me to learn every detail of this firewall, down to where the developers went to kindergarten and what level their Dungeons and Dragons characters are. Totally relevant, I know… but not the short answer to the issue at hand: being able to push code to my home web server… all this firewalling for some Python and Flask….

rrrrrrrr… :\

Working on getting the DMZ access to the internet… did I enable masquerading?…

4:22
This must be what it’s like when the zombie is trying to get out of the grave and there are several townspeople all weighing down on top of the dirt and the coffin lid that is pushing up through the ground… a rigored arm, bones and flesh all rotten, pushed through the ground… lol

So now I have internet access out of the DMZ and into the interwebs:
~$ wget danielmiessler.com
--2016-10-16 16:20:50--  http://danielmiessler.com/
Resolving danielmiessler.com (danielmiessler.com)... 104.25.35.29, 104.25.34.29, 2400:cb00:2048:1::6819:231d, ...
Connecting to danielmiessler.com (danielmiessler.com)|104.25.35.29|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://danielmiessler.com/ [following]
--2016-10-16 16:20:53--  https://danielmiessler.com/
Connecting to danielmiessler.com (danielmiessler.com)|104.25.35.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘index.html.1’

I’m using my local DNS, but it still had to do a double request to get to the site now that Dan has put a cert on his page. Shouldn’t the entry default me to 443? Maybe it’s an Ubuntu thing..
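Editor’s note on the transcript above: the double request is not DNS or Ubuntu. Given a bare hostname, wget assumes http:// and connects to port 80; the web server then answers 301 with a Location header pointing at https://, and wget follows it to 443. DNS only ever returns addresses, never a scheme or port. The following is an added example (not code from the original post) that parses a wget transcript and recovers that redirect chain, so a quick test from the DMZ can tell “the server bounced me to HTTPS” apart from “the firewall is in the way”. The sample transcript is reconstructed from the run shown above, with the plain ASCII dashes and dots wget actually prints; function names are mine.

```python
"""Recover the redirect chain from a wget transcript.

Added example, not from the original post. SAMPLE_WGET_LOG is a constructed
copy of the wget run shown on the page, written the way wget really prints it.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample transcript (ASCII '--' and '...', as wget prints them).
SAMPLE_WGET_LOG = """\
--2016-10-16 16:20:50--  http://danielmiessler.com/
Resolving danielmiessler.com (danielmiessler.com)... 104.25.35.29, 104.25.34.29, 2400:cb00:2048:1::6819:231d, ...
Connecting to danielmiessler.com (danielmiessler.com)|104.25.35.29|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://danielmiessler.com/ [following]
--2016-10-16 16:20:53--  https://danielmiessler.com/
Connecting to danielmiessler.com (danielmiessler.com)|104.25.35.29|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: 'index.html.1'
"""

# Request line:   --YYYY-MM-DD HH:MM:SS--  <url>
REQUEST_RE = re.compile(r"^--\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}--\s+(\S+)$")
# Connect line:   Connecting to host (host)|<ip>|:<port>... connected.
CONNECT_RE = re.compile(r"\|[^|]+\|:(\d+)\.\.\. connected\.$")
# Response line:  HTTP request sent, awaiting response... <code> <reason>
RESPONSE_RE = re.compile(r"^HTTP request sent, awaiting response\.\.\. (\d{3}) (.*)$")

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_redirect_chain(log: str) -> List[Tuple[str, Optional[int], int]]:
    """Return [(url, port_connected_to, http_status)] for each request, in order."""
    chain: List[Tuple[str, Optional[int], int]] = []
    url: Optional[str] = None
    port: Optional[int] = None
    for line in log.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            # A new request starts; forget any port seen for the previous one.
            url, port = m.group(1), None
            continue
        m = CONNECT_RE.search(line)
        if m and url is not None:
            port = int(m.group(1))
            continue
        m = RESPONSE_RE.match(line)
        if m and url is not None:
            chain.append((url, port, int(m.group(1))))
            url, port = None, None
    return chain


def explain(chain: List[Tuple[str, Optional[int], int]]) -> str:
    """Classify the chain: was the second request caused by a server-side
    http -> https redirect, rather than by anything on the client or resolver?"""
    if (
        len(chain) >= 2
        and chain[0][0].startswith("http://")
        and chain[0][2] in REDIRECT_CODES
        and chain[1][0].startswith("https://")
    ):
        return "server-side http->https redirect"
    if chain and chain[0][2] in REDIRECT_CODES:
        return "redirect, but not to https"
    return "no redirect"


if __name__ == "__main__":
    for url, port, status in parse_redirect_chain(SAMPLE_WGET_LOG):
        print(f"{status} {url} (port {port})")
    print(explain(parse_redirect_chain(SAMPLE_WGET_LOG)))
```

Paste any wget transcript into `parse_redirect_chain` and the port column makes the story explicit: the first hop is port 80 with a 301, the second is port 443 with a 200. Passing `https://danielmiessler.com/` (scheme included) on the wget command line would skip the first hop entirely.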

9:20

Grrrrrrr. Still no workie. Same problem that I had with the other box. Same errors reported from Viscosity, but with no viable description of what’s wrong…

Viscosity lacks verbosity. I’m downloading pfSense….

–Update 20 April 2017…

I did it. Finally. The culprit? Comcast’s modem. The new model they switched in when I moved the office came with an un-switch-off-able firewall that I had to open a port on in the silliest, non-intuitive way: specifying the route NAT’d from the modem to the external WAN interface in Sophos. That took me a while… Snarbs!

It’s a real victory being able to come back to a problem over and over again, determined to crush it, and then finally doing so… especially when you already had the gold in your hands before…