RUT240: no openvpn connection to Sophos firewall

Hello,

our current openvpn configuration has run fine for over 12 months. Since we updated our remote site firewall (Sophos XCS2100), there are no connections anymore. Other openvpn clients can connect to this Sophos without issues.
Config is as follows, compared with a running openvpn config from an openwrt router

config openvpn 'Sophos'
        option keepalive '10 120'
        option cipher 'AES-256-CBC'
        list data_ciphers 'AES-256-CBC'
        option type 'client'
        option dev 'tun_c_Sophos'
        option nobind '1'
        option verb '5'
        option auth 'sha512'
        option client '1'
        option port '443'
        option tls_client '1'
        option use_pkcs '0'
        option proto 'tcp-client'
        option device_files '0'
        option resolv_retry 'infinite'
        option tls_security 'none'
        option pull '1'
        option auth_user_pass '/etc/openvpn/auth_Sophos_1709102845'
        list data_ciphers 'AES-256-CBC'
        option name 'Sophos'
        list remote 'xxxx.xxxxx.xxxx'
        option configuration 'manual'
        list extra 'persist-key'
        option ca '/etc/vuci-uploads/cbid.openvpn.Sophos.caca_cert.txt'
        option topology 'net30'
        option key '/etc/vuci-uploads/cbid.openvpn.Sophos.keykey.txt'
        option cert '/etc/vuci-uploads/cbid.openvpn.Sophos.certcert.txt'
        option auth_mode 'tls/pass'
        option enable '1'

The log using this config shows the following:

Mon Apr 28 11:15:23 2025 daemon.warn openvpn(Sophos)[20374]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: OpenVPN 2.6.9 mipsel-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [MH/PKTINFO] [AEAD] [DCO]
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: library versions: OpenSSL 3.0.14 4 Jun 2024, LZO 2.10
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: DCO version: N/A
Mon Apr 28 11:15:23 2025 daemon.warn openvpn(Sophos)[20374]: WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
Mon Apr 28 11:15:23 2025 daemon.warn openvpn(Sophos)[20374]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: Control Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1250 tun_max_mtu:0 headroom:126 payload:1600 tailroom:126 ET:0 ]
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: Data Channel MTU parms [ mss_fix:0 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: TCP/UDP: Preserving recently used remote address: [AF_INET]redacted:443
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: Socket Buffers: R=[131072->131072] S=[16384->16384]
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: Attempting to establish TCP connection with [AF_INET]redacted:443
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: TCP connection established with [AF_INET]redacted:443
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: TCPv4_CLIENT link local: (not bound)
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: TCPv4_CLIENT link remote: [AF_INET]redacted:443
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: TLS: Initial packet from [AF_INET]redacted:443, sid=6d68b533 dc270199
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: redacted
Mon Apr 28 11:15:23 2025 daemon.notice openvpn(Sophos)[20374]: redacted
Mon Apr 28 11:15:24 2025 daemon.notice openvpn(Sophos)[20374]: Control Channel: TLSv1.3, cipher TLSv1.3 TLS_CHACHA20_POLY1305_SHA256, peer certificate: 2048 bits RSA, signature: RSA-SHA256, peer temporary key: 253 bits X25519
Mon Apr 28 11:15:24 2025 daemon.notice openvpn(Sophos)[20374]: [Appliance_Certificate_lN5TznQPP4kG4Nr] Peer Connection Initiated with [AF_INET]redacted:443
Mon Apr 28 11:15:24 2025 daemon.notice openvpn(Sophos)[20374]: TLS: move_session: dest=TM_ACTIVE src=TM_INITIAL reinit_src=1
Mon Apr 28 11:15:24 2025 daemon.notice openvpn(Sophos)[20374]: TLS: tls_multi_process: initial untrusted session promoted to trusted
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: SENT CONTROL [Appliance_Certificate_lN5TznQPP4kG4Nr]: 'PUSH_REQUEST' (status=1)
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: PUSH: Received control message: 'PUSH_REPLY,route-gateway redacted,sndbuf 0,rcvbuf 0,ping 300,ping-restart 1200,topology subnet,route-gateway redacted,route redacted,peer-id 21,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm,tun-mtu 1500'
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: OPTIONS IMPORT: --sndbuf/--rcvbuf options modified
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: Socket Buffers: R=[131072->131072] S=[44800->44800]
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: OPTIONS IMPORT: --ifconfig/up options modified
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: OPTIONS IMPORT: route options modified
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: OPTIONS IMPORT: route-related options modified
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: OPTIONS IMPORT: tun-mtu set to 1500
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: net_route_v4_best_gw query: dst 0.0.0.0
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: net_route_v4_best_gw result: via 0.0.0.0 dev qmimux0
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: net_iface_new: add tun_c_Sophos type ovpn-dco
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: DCO device tun_c_Sophos opened
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: do_ifconfig, ipv4=1, ipv6=0
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: net_iface_mtu_set: mtu 1500 for tun_c_Sophos
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: net_iface_up: set tun_c_Sophos up
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: net_addr_v4_add: 10.200.139.148/32 dev tun_c_Sophos
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: /usr/libexec/openvpn-hotplug up Sophos tun_c_Sophos 1500 0 10.200.139.148 255.255.255.255 init
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: net_route_v4_add: 10.200.128.0/19 via 10.200.139.148 dev [NULL] table 0 metric 200
Mon Apr 28 11:15:25 2025 daemon.notice openvpn(Sophos)[20374]: Data Channel MTU parms [ mss_fix:1386 max_frag:0 tun_mtu:1500 tun_max_mtu:1600 headroom:136 payload:1768 tailroom:562 ET:0 ]
Mon Apr 28 11:15:26 2025 daemon.notice openvpn(Sophos)[20374]: Initialization Sequence Completed
Mon Apr 28 11:15:26 2025 daemon.notice openvpn(Sophos)[20374]: Data Channel: cipher 'AES-256-GCM', peer-id: 21
Mon Apr 28 11:15:26 2025 daemon.notice openvpn(Sophos)[20374]: Timers: ping 300, ping-restart 1200
Mon Apr 28 11:15:26 2025 daemon.notice openvpn(Sophos)[20374]: Protocol options: protocol-flags cc-exit tls-ekm

There are issues in the protocol regarding ciphers. How do I resolve these?

With thanks in advance
Go
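As an added example (not part of the original post or of the RUT240 firmware), a small Python checker that reads OpenVPN 2.6 client log lines of the kind shown above and reports the two security-relevant facts they carry: whether the configured `--cipher` was ignored because `--data-ciphers` still held OpenVPN's default list (so the server's pushed cipher decided the data channel), and whether server certificate verification was disabled. The sample lines are constructed from the log above with the counter and syslog prefix stripped; `remote-cert-tls server` is named as the OpenVPN-side remedy, and how that maps to the RUT web GUI field is an assumption.

```python
import re

# Constructed sample in the shape of the OpenVPN 2.6 client log above
# (line counter and syslog prefix already stripped).
SAMPLE_LOG = """\
DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305). OpenVPN ignores --cipher for cipher negotiations.
WARNING: No server certificate verification method has been enabled.  See http://openvpn.net/howto.html#mitm for more info.
PUSH: Received control message: 'PUSH_REPLY,topology subnet,peer-id 21,cipher AES-256-GCM,protocol-flags cc-exit tls-ekm,tun-mtu 1500'
Initialization Sequence Completed
Data Channel: cipher 'AES-256-GCM', peer-id: 21
"""

DEPRECATED_RE = re.compile(
    r"--cipher set to '([^']+)' but missing in --data-ciphers \(([^)]*)\)")
PUSHED_RE = re.compile(r"PUSH_REPLY.*\bcipher ([A-Z0-9-]+)")
DATA_RE = re.compile(r"Data Channel: cipher '([^']+)'")

def analyze(log_text):
    """Collect the cipher and certificate-verification facts from a client log."""
    f = {"configured_cipher": None, "effective_data_ciphers": [],
         "pushed_cipher": None, "negotiated_cipher": None,
         "server_cert_unverified": False, "connected": False}
    for line in log_text.splitlines():
        if m := DEPRECATED_RE.search(line):
            f["configured_cipher"] = m.group(1)
            f["effective_data_ciphers"] = m.group(2).split(":")
        if m := PUSHED_RE.search(line):
            f["pushed_cipher"] = m.group(1)
        if m := DATA_RE.search(line):
            f["negotiated_cipher"] = m.group(1)
        if "No server certificate verification method has been enabled" in line:
            f["server_cert_unverified"] = True
        if "Initialization Sequence Completed" in line:
            f["connected"] = True
    return f

def advice(f):
    """Return the remediation points the findings justify, as short strings."""
    notes = []
    if f["configured_cipher"] and f["configured_cipher"] not in f["effective_data_ciphers"]:
        # The daemon runs with OpenVPN's default --data-ciphers, so the posted
        # 'list data_ciphers' lines never took effect; the pushed cipher won.
        notes.append(f"data-ciphers did not take effect: --cipher "
                     f"{f['configured_cipher']} ignored, channel uses pushed "
                     f"{f['pushed_cipher']}")
    if f["server_cert_unverified"]:
        # Matches tls_security 'none' in the posted config: any CA-signed
        # certificate is accepted as the server (the openvpn.net MITM note).
        notes.append("server certificate not verified: enable remote-cert-tls server")
    return notes
```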

You’ll need to go to SERVICES > VPN > OPENVPN > SOPHOS (select edit) > SECURITY CONFIGURATION and set the required encryption and data ciphers. An example, not necessarily for your ciphers, is shown below.

Thanks for your response and sorry for the delay.

I had exactly the mentioned entries in my config.
I'm referring to the “deprecated option” log entry, even though I have both fields filled in the web GUI.
However, over the weekend this log entry disappeared.

With regards
Gotthard