REQUIRED TO PROCEED:
- A working installation of SOPHOS UTM on ProfitBricks. A sample configuration can be found in our DevOps site: Install and Configure Sophos UTM.
- An active Azure subscription to deploy a new VNET and VPN Gateway.
INSTRUCTIONS:
Below is a snapshot of the ProfitBricks environment. It comprises a SOPHOS UTM Firewall/VPN virtual machine and a freshly installed Windows Server 2012 R2, which will be used to test connectivity once the tunnel is established.
Make a note of your ProfitBricks server IP addresses. My environment is configured as follows:
- FW_SOPHOS Public IP: 162.254.26.249
- FW_SOPHOS Internal IP: 192.168.0.5
- MGMT_SRV Internal IP: 192.168.0.10
Sign in to the Azure portal and let's create an Azure Local Network. This term refers to the "on-premises" side and will be used to create the routing rules to the ProfitBricks IPv4 address space.
In the lower left corner of the Azure management portal, click the “+ NEW” button --> Network Services --> Virtual Network --> Add Local Network
The ADD A LOCAL NETWORK wizard will pop up. Enter a name for your local network in Azure and the Internet-facing IP of the SOPHOS server. Click the Next arrow.
The next step is to enter the address space for the ProfitBricks internal network. In this example, this is a 192.168.0.1/24 address space as shown below:
This will create the "Local Network" in Azure. You can see the newly created network under Networks --> Local Networks.
The next step is to create a Virtual Network to be used within the Azure infrastructure. This VNET will be connected to the local network created in the previous steps.
NOTE: A VNET could also include DNS server entries. However, this step will be skipped for the purposes of this tutorial, as testing will be done purely via IP addresses.
In the lower left corner of the Azure management portal, click the “+ NEW” button --> Network Services --> Virtual Network --> Custom Create
The CREATE A VIRTUAL NETWORK wizard will pop up. Enter a name for your virtual network and select a location according to your Data Center region. Click the Next arrow.
Click "Configure a site-to-site VPN" and select the Local Network created in the previous steps.
The next step is to enter the address space for the Azure virtual network. In this example, this is a 10.10.0.0/24 address space. Add a Subnet and a Gateway as shown below:
- Subnet-1 is where VMs created in Azure will live and obtain DHCP addresses (and DNS if configured).
- Gateway subnet will be used later when a gateway is created.
This will create the “Virtual Network” in Azure. You can see the newly created network under Networks --> Virtual Networks.
Click on the “Azure_To_PB_SOPHOS_VNET” virtual network to display the Dashboard. Once the dashboard is displayed, click the CREATE GATEWAY button and select Static Routing.
At this point, Azure will create the gateway (~10-15 minutes) and set up the static routes so it can find the path to the on-premises (ProfitBricks) network as defined in the "Local Network".
Once the Gateway is created, it will show as disconnected and display the IP address of the gateway device.
The next step is to configure the Sophos UTM VPN deployed at ProfitBricks. Go to Site-to-Site VPN --> IPsec --> Remote Gateway --> New Remote Gateway
Click the “+” next to Gateway to add a new Network definition.
Enter the Azure Gateway IP Address and click Save.
Go to the Azure management portal under Networks --> Virtual Networks --> Azure_To_PB_SOPHOS_VNET. Click on the Manage Key button to obtain the Shared Key.
Back in the SOPHOS Add Remote Gateway screen, set the Authentication type to “Preshared key” and enter the Pre-Shared Key.
The next step is to configure the Remote Network. Click the “+” sign to enter the details for the Azure_To_PB_SOPHOS_VNET Subnet as shown below:
Click Save to add the Remote Gateway.
The next step is to create a new IPsec Policy. Go to Site-to-site VPN --> IPsec --> Policies --> New IPsec Policy.
Configure the IPsec policy as shown below and click Save.
The next step is to create a new IPsec connection. Go to Site-to-site VPN --> IPsec --> Connections --> New IPsec Connection. Enter the details as shown below:
Go to the Azure management portal under Networks --> Virtual Networks --> Azure_To_PB_SOPHOS_VNET. Click the Connect button to initiate the connection.
After a short while (you may need to refresh the page), the tunnel will show as connected, as pictured below:
At this point, you can deploy a VM in Azure to test connectivity across the tunnel. Make sure to select the “Azure_To_PB_SOPHOS_VNET” under the Region/Affinity Group/Virtual Network.
As a final note, make sure the server firewalls are configured properly for whatever tests you decide to run (RDP, File Transfer, etc.).
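Before working through the portal and UTM screens, the address plan used above can be sanity-checked. The following Python script is an added example, not part of the tutorial: it validates the Local Network and VNET ranges the way the Azure gateway and the Sophos UTM need them (disjoint address spaces, subnets inside the VNET, a gateway subnet present, a public VPN device address). The two subnet CIDRs are assumptions, since the tutorial shows them only in screenshots.

```python
import ipaddress


def check_site_to_site(local_cidr, vnet_cidr, vnet_subnets, vpn_device_ip):
    """Validate the address plan for a static-routing site-to-site tunnel.
    local_cidr: on-premises (ProfitBricks) space, vnet_cidr: Azure VNET space,
    vnet_subnets: {name: cidr} carved from the VNET, vpn_device_ip: the UTM's
    Internet-facing address. Returns (ok, list_of_findings).
    """
    findings = []
    # strict=False tolerates host bits, e.g. "192.168.0.1/24" -> 192.168.0.0/24
    local = ipaddress.ip_network(local_cidr, strict=False)
    vnet = ipaddress.ip_network(vnet_cidr, strict=False)
    device = ipaddress.ip_address(vpn_device_ip)

    # Static routing needs disjoint address spaces; with an overlap neither
    # gateway can tell tunnel traffic from local traffic.
    if local.overlaps(vnet):
        findings.append(f"address spaces overlap: {local} and {vnet}")

    subnets = {n: ipaddress.ip_network(c, strict=False) for n, c in vnet_subnets.items()}
    names = list(subnets)
    for name in names:
        # Subnet-1 and the gateway subnet must both lie inside the VNET range.
        if not subnets[name].subnet_of(vnet):
            findings.append(f"{name} {subnets[name]} is outside VNET {vnet}")
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnets[a].overlaps(subnets[b]):
                findings.append(f"subnets {a} and {b} overlap")

    # Azure cannot create the VPN gateway without a gateway subnet.
    if not any("gateway" in n.lower() for n in names):
        findings.append("no gateway subnet defined in the VNET")

    # Azure must reach the Local Network's VPN device over the Internet, so it
    # has to be the UTM's public IP, not its internal 192.168.0.x address.
    if not device.is_global:
        findings.append(f"VPN device address {device} is not a public IP")

    return (not findings, findings)


if __name__ == "__main__":
    # Tutorial values; the two subnet ranges are assumed (the page omits them).
    ok, problems = check_site_to_site(
        "192.168.0.1/24", "10.10.0.0/24",
        {"Subnet-1": "10.10.0.0/25", "GatewaySubnet": "10.10.0.128/29"},
        "162.254.26.249")
    print("plan OK" if ok else "\n".join(problems))
```

Run it with the ranges you intend to enter; any finding it prints would otherwise surface only as a gateway that never leaves the disconnected state.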
Would Sophos be able to create a VPN which would let me avoid the "Great Firewall" on my visit to China later this year? I am currently using 3 VPN services, dependent on location where I am (Freelancer, Digital Nomad) and I am happiest with IPVanish VPN at the moment, but as much as I can see, China is not tolerating VPNs any longer, and Tor is not an option for a long time now :S
Any idea what I might do to make it work?
I don't think Sophos was intended to be used as a "vpn proxy service" such as the 3 you mentioned or at least not something I'm familiar with to accomplish what you're looking for.
Was worth a try, someone might know what to do... From what I've read, while being in the big cities I should have no problem using any VPN, since they are tolerating those because of foreign companies. We will see. Thank you for the answer though.