Sophos Usg

  



  • The USG is great for home use or in a small shop, but definitely not ready for any serious deployment. You could tho, as already suggested, re-use the Sophos in between USG and USW. Just keep in mind if you switch a Sophos to inline mode, it's a hard reset. Okay I admit I didnt touch Sophos in a while so that could have been changed.
  • Overview This article describes the steps to configure an IPsec connection between the Sophos XG v17 and an AWS Virtual Private Gateway. Note: Sophos XG Firewall supports only policy based VPN currently and there is a limitation of one Security Association (SA) for policy-based VPN devices on the AWS Virtual Network Gateway.

In my homelab setup I am using UniFi network components and I was looking for a secure way to connect to my environment when I am on the road. After doing some research on the technical implementations, I found that OpenVPN – at least in theory – offers the best security, performance and reliability compared to L2TP / IPSec and PPTP.
There are several guides how to configure this for a UniFi Security Gateway, however, I found that many of them are lacking important information or were wrong. I ‘trial ‘n error’d’ through those guides until I found a setup which is working quite well for me.

That’s why firewall rules do not apply and OpenVPN users can access any network on your USG. To mitigate that, I added lines 65 to 75. Of course you also need to add firewall rules, see below. After placing the modified config.gateway.json file in the corresponding location, you may force provision your USG from the Controller to apply the. Free sophos home antivirus download includes a 30 day trial of Sophos Home Premium, with ransomware security, advanced phishing protection and more.

Authentication requirements

As a prerequisite, you will need to enable the built in Radius Server on the USG. To do that, navigate to your UniFi Controller and navigate to Settings – Services. Enable the Radius Server from the menu and enter your secret key:

From the users tab, you can add your OpenVPN users. I recommend specifying a different VLAN for security reasons.
Tunnel type: 3 – Layer Two Tunneling Protocol (L2TP)
Tunnel medium type: 1 – IPv4 (IP version 4)

Since you should have entered two passwords after the first part already, I recommend you start using a password manager now if you do not use one already. Generating strong unique passwords and saving it using a proper password manager is essential – I recommend Bitwarden.

Set up easy-rsa and key generation

You need to connect to your USG using SSH. If you have not enabled SSH yet, you will need to activate advanced mode in your site settings:

The SSH login can also be configured in the site settings:

Now you can connect to your USG using SSH, I’m using Putty:

Download and install easy-rsa

Initialize the PKI and build the CA certificate and key

After you entered the ./build-ca command, you will be prompted for several parameters of which only the ‘Common Name’ needs to be defined.

Generate a certificate and private key for the server

Give it a common name like “OpenVPN CA”.

Confirm both prompts with yes:
‘Sign the certificate? [y/n]’ and ‘1 out of 1 certificate requests certified, commit? [y/n]’

Generate Diffie Hellman parameters

Note that this process will take a long time to complete. In my case it took about 20 minutes.

Sophos Usb Driver

You will end up with several files in the keys directory:

Copy the keys to the /config/auth/keys/ folder

Configure OpenVPN on the USG

Note: In line 3, insert your own subnet and pick one which is not in use anywhere else on your USG. You might want to edit other options like DNS as well.

Configure your firewall so that it accepts OpenVPN connections on the WAN interface

Optionally configure the same rule for IPv6

Configure your USG to allow traffic from OpenVPN users to Internet

Create an .ovpn file

Paste the below into a new file, edit the hostname in line 5. Instead of the hostname you can also enter your WAN IP. I recommend using a hostname with dynamic DNS. With Namecheap for example, you can use an ‘A + Dynamic DNS Record’.
Then paste your certificate info in line 18. Copy it from /config/auth/keys/ca.crt.

Configuring OpenVPN to use Radius for authentication

Sophos

Create a file /etc/pam_radius_auth.conf with your Radius server IP (USG IP) and the shared secret you used when enabled the Radius server. Use vi to edit the file to avoid formatting issues.

Create a file /etc/pam.d/openvpn with the following contents:

Make the changes persistent

Now you can test the connection, but the above changes are not persistent yet and will be lost once you reboot your USG or once you upgrade the firmware. So here is how we can make this configuration survive a reboot. Copy the previously created files into a new folder /config/scripts/ovpn_radius_config:

Copy the following content into a new file /config/scripts/postprovision.sh

Make the script executable:

Copy the following script to /config/scripts/post-config.d/postreboot.sh and make it executable as well:

Now you also need to edit your config.gateway.json file to make the above changes persistent or create this file if you do not use this yet.
Depending on which UniFi Controller you use, the file can be located in different folders. On a UniFi Cloud Key for example you can find the file here if you only have one site: /srv/unifi/data/sites/default/
In my case I had to create the folders /sites and /default because they did not exist yet.
Remember to edit your subnet in line 57 accordingly and also other changes from the above steps.
Also, if you want to merge the below file with your existing file, or you want to include other options and the settings are not applied correctly when booting your USG, there is a chance your json format is wrong. You can check your file here and get infos on how to fix syntax issues: https://jsonformatter.curiousconcept.com/

By default the vtun0 interface is not part of any other existing interface group (WAN, LAN, GUEST). That’s why firewall rules do not apply and OpenVPN users can access any network on your USG. To mitigate that, I added lines 65 to 75. Of course you also need to add firewall rules, see below.

After placing the modified config.gateway.json file in the corresponding location, you may force provision your USG from the Controller to apply the settings:

Firewall rules

I want to allow my OpenVPN clients to access my homelab, but I want to block access to my other networks. First, define the network group in your firewall settings. Also, depending on your setup you can create further network combinations here for the other rules (see my examples below):

Then create the LAN IN rules. As you can see I will allow access to my homelab network, but I will drop any connection attempt to a network group called ‘OpenVPN Block’ with my private network devices. If you want to use Internet, make sure not to block your WAN network.

Allow rule (exceptions):

The drop rule will discard any traffic from the OpenVPN network to your list of defined networks:

Last but not least, you will need to create the following LAN OUT rule, to make sure to receive outgoing packets.
You only need to allow established and related states:

Final connection test

Now it’s time to test the connection:

As you can see, the connection works as intended! 😊
If there any questions or issues you experience, do not hesitate writing a comment or contacting me.


  • After removing all four screws, the top piece of the unit will lift off, revealing the main board of the USG device.

    • Note: I had already removed the internal USB drive at the time I took this picture. Pretend it is there.

    1. Remove the USB drive, containing the potentially corrupted firmware.
    1. Plug the USB drive into a computer and verify it is actually functional. Sometimes USB drives die. If the drive is at least recognized by the computer, proceed to step 5.
    1. Download the factory-shipped image from Ubiquiti here:
      https://dl.ubnt-ut.com/cmb/USG-4_2_0-shipped.img.bz2
    1. Use your favorite image flashing utility to write the downloaded firmware onto the USB drive.

    Sophos Usg Software

    Note: I like to use balenaEtcher on macOS ($ brew cask install balenaetcher), but Rufus is a good alternative on Windows (> choco install rufus).
    Attention: The firmware writing procedure can take 10+ minutes, so do not get frustrated and remove the drive mid-write.

    1. Once the factory image is flashed onto the USB drive and the image is verified, plug the USB drive back into the USG device. Turn on the device.

    Note: The initial boot process can taken several minutes, but the light in the middle of the board will come on once it is running.

    1. Reassemble the USG (and do not forget to reapply the sticky pads).

    Note: Do not reattach it to the network yet.

    1. Login to the Ubiquiti Network Manager Controller and forget the old USG.
    1. Plug the USG back into the network and more than likely the Ubiquiti Network Manager Controller will automatically adopt it and reconfigure it.

    Sophos Usc

    Note: Make sure to apply all applicable updates to the USG, because the factory image is now out-of-date.

    Sophos Sg 135

    Once all of these steps are complete, you should be on your way to full usage of your USG product once more. I am happy they decided to make their boot medium removable and easily re-writable. If you run into any issues, feel free to drop a line in the comments below and I will see if I can assist.