bunny-lab/docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Documentation Restructure
All checks were successful
GitOps Automatic Documentation Deployment / Sync Docs to https://kb.bunny-lab.io (push) Successful in 4s
Details
GitOps Automatic Documentation Deployment / Sync Docs to https://docs.bunny-lab.io (push) Successful in 6s
Details

Browse Source
This commit is contained in:
Nicole Rappe
2026-01-27 05:25:22 -07:00
parent 3ea11e04ff
commit e73bb0376f
205 changed files with 469 additions and 146 deletions
Download Patch File Download Diff File Expand all files Collapse all files

159
networking/firewall-and-routing/sophos/vpn/site-to-site-vpns/ipsec/automatic-tunnel-resetting.md Normal file
View File

@@ -0,0 +1,159 @@
**Purpose**: Generally speaking, when you have site-to-site VPN tunnels, you have to ensure that the *health* of the tunnel is operating as-expected. Sometimes VPN tunnels will report that they are online and connected, but in reality, no traffic is flowing to the remote side of the tunnel. In these instances, we can create a script that pings a device on the remote end, and if it does not respond in a timely manner, the script restart the VPN tunnel automatically.
!!! note "Assumptions"
This document assumes that you will be running a powershell script on a Windows environment. The `curl` commands can be used interchangably in Linux, but the example script provided here will be using `curl.exe` within a powershell script, and instead of running on a schedule using crontab, it will be using Windows Task Scheduler.
I will attempt to provide Linux-equivalant commands where-possible.
## Sophos Environment
### Configure Sophos XGS Firewall ACLs
You need to configure a user account that will be specifically used for leveraging the API controls that allow resetting the VPN tunnel(s). At this stage, you need to log into your Sophos XGS Firewall. For this example, we will assume you can reach your firewall at https://172.16.16.16:4444 and log in as the administrator.
### Create API Access Profile
You need to create a profile that the API User will leverage to issue commands to the firewall's VPN settings. Without this profile, the user may have either not enough, or too much access.
- Navigate to **System > Profiles > Device Access > "Add"**
- Profile Name: `VPNTunnelAPI`
- Check the radio box column named "**None**" to Deny all permissions to all areas of the firewall
- Expand the "**VPN**" section of the permission tree, and check the box for "**Read-Write**" next to "**Connect Tunnel**"
- Click the "**Save**" button to save the access profile
### Create API Access User
Now we need to make a user account that we will use inside the script to authenticate against the firewall using the previously-mentioned access profile
- Navigate to **Configure > Authentication > Users > "Add"**
- Username: `TunnelCheckerAPIUser`
- Name: `TunnelCheckerAPIUser`
- User Type: `Administrator`
- Profile: `VPNTunnelAPI`
- Password: `01_placeholder_PASSWORD_here_02`
- Group: `Open Group`
- Click the "**Save**" button to save the API user account
### Create Device Access ACL
Now we need to configure an ACL within the Firewall to allow API access from the specific server we will be using in the next section.
- Navigate to **Administration > Device Access > Local service ACL exception rule > "Add"**
- Rule Name: `API Access (IPSec Tunnel Heartbeat Script)`
- Source Zone: `The Zone of the Server/Device that will be used to run the script, such as a server network.
- Source Network/Host: `<IP_HOST_OF_DEVICE_RUNNING_SCRIPT>`
- Destination Host: `XGS Firewall (Local IP)` (*This is an IP host pointing to the internal IP of the Firewall*)
- Services: `HTTPS`
- Action: `Accept`
### Configure API Access via IP
Lastly, you need to configure the API access to allow communication from the IP of the device. I know this seems redundant to the previous "Device Access ACL" but its required for this to work, otherwise you will get an `Sophos API Operations are not allowed from the requester IP address` error when running the script.
- Navigate to **System > Backup & Firmware > API > API Configuration**
- Add the IP of the Server/Device
- Click the "**Apply** button
## Server Environment
### Choose a Server
It is important to choose a server/device that is able to communicate with the devices on the remote end of the tunnel. If it cannot ping the remote device(s), it will assume that the tunnel is offline and do an infinite loop of restarting the VPN tunnel.
### Prepare the Script Folder
You need a place to put the script (and if on Windows, `curl.exe`). Follow the instructions specific to your platform below:
=== "Windows"
Download `curl.exe` from this location: [Download](https://curl.se/windows/dl-8.10.0_1/curl-8.10.0_1-win64-mingw.zip) and place it somewhere on the operating system, such as `C:\Scripts\VPN_Tunnel_Checker`. Then copy this script into that same folder and call it `Tunnel_Checker.ps1` with the content below:
!!! note "Curl Files Extraction"
You will want to extract all of the files included in the zip file's `bin` folder. Specifically, copy the following files into the `C:\Scripts\VPN_Tunnel_Checker` folder:
- `curl.exe`
- `curl-ca-bundle`
- `libcurl-x64.def`
- `libcurl-x64.dll`
``` powershell
function Reset-VPN-Tunnel {
Write-Host "VPN Tunnel Broken - Bringing VPN Tunnel Down..."
.\curl -k https://172.16.16.16:4444/webconsole/APIController?reqxml=<Request><Login><Username>TunnelCheckerAPIUser</Username><Password>01_placeholder_PASSWORD_here_02</Password></Login><Set><VPNIPSecConnection><DeActive><Name>VPN_TUNNEL_NAME</Name></DeActive></VPNIPSecConnection></Set></Request>
Start-Sleep -Seconds 5
Write-Host "Bringing VPN Tunnel Up..."
.\curl -k https://172.16.16.16:4444/webconsole/APIController?reqxml=<Request><Login><Username>TunnelCheckerAPIUser</Username><Password>01_placeholder_PASSWORD_here_02</Password></Login><Set><VPNIPSecConnection><Active><Name>VPN_TUNNEL_NAME</Name></Active></VPNIPSecConnection></Set></Request>
}
function Check-VPN-Tunnel {
# Server Connectivity Check
Write-Host "Checking Tunnel Connection to PLACEHOLDER..."
if (-not (Test-Connection '10.0.0.29' -Quiet)) {
Reset-VPN-Tunnel
}
# Server Connectivity Check
Write-Host "Checking Tunnel Connection to PLACEHOLDER..."
if (-not (Test-Connection '10.0.0.30' -Quiet)) {
Reset-VPN-Tunnel
}
}
function Trace-VPN-Tunnel {
Write-Host "Tracing Path to PLACEHOLDER:"
pathping -n -w 500 -p 100 10.0.0.29
Write-Host "Tracing Path to PLACEHOLDER:"
pathping -n -w 500 -p 100 10.0.0.30
}
CD "C:\Scripts\VPN_Tunnel_Checker"
Check-VPN-Tunnel
#Write-Host "Checking Tunnel Quality After Running Script..."
#Trace-VPN-Tunnel
```
!!! note "Optional Reporting"
You may find that you want some extra logging enabled so you can track the script doing its job to ensure its working. You can add the following to the script above to add that functionality.
Add the following to the bottom of each server in the `Check-VPN-Tunnel` function, directly below the `Reset-VPN-Tunnel` function.
``` powershell
Add-Content -Path "C:\Scripts\VPN_Tunnel_Checker\Tunnel.log" -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') PLACEHOLDER Connection Down"
```
Lastly, change the very end of the script under where the `Check-IHS-Tunnel` function is being called to look like this if you want to log heartbeats and not just when a VPN tunnel is down. The purpose of this is to show the script is actually running. I recommend only temporarily implementing it during initial deployment.
``` powershell
CD "C:\Scripts\VPN_Tunnel_Checker"
Check-VPN-Tunnel
Add-Content -Path "C:\Scripts\VPN_Tunnel_Checker\Tunnel.log" -Value "$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss') Heartbeat"
```
=== "Linux"
``` sh
PLACEHOLDER
```
### Create Scheduled Task
At this point, you need this script to run automatically on its own every 5 minutes or so, so you need to create a task in the Windows Task Scheduler in order to achieve this.
=== "Windows"
- Open "**Task Scheduler**" on the device
- Expand "**Task Scheduler Library**" in the tree on the left-hand side
- Right-click anywhere in the task list and select "**Create New Task...**"
- **General**:
- Name: `Check VPN Tunnel Every 5 Minutes`
- When running this task, use the following user account: `SYSTEM`
- **Triggers**:
- Click "**New...**"
- Begin the Task: `On a Schedule`
- Settings: `Daily`
- Advanced Settings > Repeat Task Every: `5 Minutes` > for a duration of `1 Day`
- **Actions**:
- Click "**New...**"
- Action: `Start a Program`
- Program/Script: `C:\Windows\System32\WindowsPowershell\v1.0\powershell.exe`
- Add Arguments: `-ExecutionPolicy Bypass -File "C:\Scripts\VPN_Tunnel_Checker\Tunnel_Checker.ps1"`
- Press the "**OK**" button to save the scheduled task, then wait for 5 minutes to ensure it triggers as-expected.
=== "Linux"
- PLACEHOLDER
- PLACEHOLDER

96
networking/firewall-and-routing/sophos/vpn/site-to-site-vpns/ipsec/tunnel-creation.md Normal file
View File

@@ -0,0 +1,96 @@
**Purpose**: You may have two Sophos XGS appliances (or a mixed configuration) and need to set up a site-to-site VPN tunnel between two remote locations. You can achieve this with a simple passphrase-based IPSec VPN tunnel.
!!! info "Assumptions"
This documentation only provides instruction for Sophos XGS based devices. It does not account for third-party vendors or other manufactured hardware. If you need to set up a mixed VPN tunnel with a different brand of networking device, you need to do your best to match the settings on the tunnels manually. (e.g. Encryption Type, Phase Lifetimes, etc).
## Architecture
!!! tip "Best Practices - Initiators / Responders"
If you have a hub-and-spoke network, where one location acts as a central authority (e.g. domain controllers, auth servers, identity providers, headquarters, etc), you will set up the central "hub" as a VPN responder on its side of the VPN tunnel, and all the remote "spoke" locations would behave as VPN initiators.
``` mermaid
graph TB
Responder((Responder<br/>Headquarters))
Initiator1((Initiator<br/>Remote Site 1))
Initiator2((Initiator<br/>Remote Site 2))
Initiator3((Initiator<br/>Remote Site 3))
Initiator4((Initiator<br/>Remote Site 4))
Initiator5((Initiator<br/>Remote Site 5))
Initiator1 --> Responder
Initiator2 --> Responder
Initiator3 --> Responder
Initiator4 --> Responder
Initiator5 --> Responder
```
## Login to the Firewall
You will need to access the firewall either directly on the local network at `https://<IP-of-Firewall>:4444` or remotely in Sophos Central.
## Configure an IPSec VPN Tunnel
Navigate to "**Configure > Site-to-Site VPN > Add**"
### General settings
| **Field** | **Value** |
| :--- | :--- |
| Name | `<ThisLocation> to <RemoteLocation>` |
| IP Version | `Dual` |
| Connection Type | `Tunnel Interface` (*Also known as a "Route-Based VPN"*) |
| Gateway Type | `Initiate the Connection` / `Respond Only` (*See "Best Practices" Section*) |
### Encryption
| **Field** | **Value** |
| :--- | :--- |
| Encryption Profile | `Custom_IKEv2_Initiator` / `Custom_IKEv2_Responder` (*Based on the "Gateway Type"*) |
| Authentication Type | `Preshared Key / Passphrase` |
### Gateway Settings
| **Field** | **Value** |
| :--- | :--- |
| Listening Interface | `<WAN Interface / Generally "Port2">` (*Internal IP Address*) |
| Gateway Address | `<Public IP of Remote Firewall>` |
| Local ID Type | `IP Address` (*Usually Optional*) |
| Remote ID Type | `<If the Remote Firewall has one, enter it, otherwise leave blank>` (*Usually Optional*)|
| Local Subnet | `<Leave Blank>` |
| Remote Subnet | `<Leave Blank>` |
!!! note "Tunnel IDs / Subnets"
If one side of the tunnel indicates a Local ID, you need to input that as the Remote ID on the other end of the tunnel. While Tunnel IDs are generally optional, if one side uses them, both need to.
- "Route-Based" VPNs do not need subnets indicated / configured
- "Policy-based" VPNs require subnets indicated / configured
## Configure IPSec Encryption Profile
Navigate to "**System > Profiles > IPSec Profiles > Custom_IKEv2_`<Initiator>/<Responder>`**"
!!! info "Explanation of Phases and their Relation to Initiators/Responders"
Phase 1 could be described as establishing the initial tunnel's connectivity from the Initiator to the Responder. (Local to Remote). While phase 2 would be considered individual devices establishing connections through the VPN tunnel. (Individual Endpoint Connectivity).
The responder's phase 1 & 2 lifetime values are 300 seconds longer than the initiator's phase 1 & 2 lifetime values.
=== "Initiator Phase Lifetime Values"
| **Field** | **Value** | **Notes** |
| :--- | :--- | :--- |
| Phase 1 Lifetime | *Default Value*: `28800` | `<Longer Lifetime Compared to Phase 2>` |
| Phase 2 Lifetime | *Default Value*: `14400` | `<Shorter Lifetime Compared to Phase 1>` |
=== "Responder Phase Lifetime Values"
| **Field** | **Value** | **Notes** |
| :--- | :--- | :--- |
| Phase 1 Lifetime | *Default Value + 300 Seconds*: `328800` | `<Longer Lifetime Compared to Phase 2>` |
| Phase 2 Lifetime | *Default Value + 300 Seconds*: `314400` | `<Shorter Lifetime Compared to Phase 1>` |
!!! warning "Remote / Local Phase Lifetimes"
Within the context of the remote and local VPN tunnels, the lifetime of the Phase 1 and Phase 2 encryption keys needs to be shorter on the intiator than the responder sides of the VPN tunnel.
## Repeat Steps on Remote Firewall
You will need to repeat the steps on both firewalls, so one firewall is the initiator, and one is configured as the responder. Keep special note of the admonitions regarding initiator / responder / local / remote differences.
## Connect the IPSec Tunnels
Now you need to start the tunnel on the Initiator side first, then start the tunnel on the responder side. If both sides show green status indicators, the tunnel should be active.

35
networking/firewall-and-routing/sophos/vpn/ssl-vpn/configuring-remote-vpn-rdp-access.md Normal file
View File

@@ -0,0 +1,35 @@
## Purpose
This document exists to outline the generalized process to configuring remote access in a Sophos XGS Firewall to allow a VPN user to RDP into a workstation. *Setting up Remote SSL VPN Access is not covered in this document.*
### Create MAC Host for Destination Device
The first step in the process is to create a MAC address host for the device being RDP'd into, that way if it's IP rotates, the firewall rule will continue to work correctly.
- Navigate to **Sophos XGS Firewall > [System] Hosts and Services**
- Click on the **Mac Host** tab > "**Add**"
- Name: `<Device-Hostname>`
- Description: `<Workstation Remote Access for (username)>`
- Type: `Mac Address`
- MAC Address: `<mac address of device>`
Click **Save**
### Configure Firewall Rule
- Navigate to **[Protect] Rules and Policies > Add Firewall Rule (New Firewall Rule)**
- Rule Name: `Remote Workstation Access for (username)`
- Source Zone: `VPN`
- Source Networks and Devices: `Any`
- Destination Zone: `LAN`
- Destination Networks: `<MAC Host We Previously Made>`
- Services > Add New Item > `RDP`
- If `RDP` does not exist, click "Add", `Services`
- Name: `RDP`
- Description: `Remote Desktop Protocol`
- Type: `TCP/UDP`
- Protocol: `TCP`
- Source Port: `1:65535`
- Destination Port: `3389`
Click **Save**
- Check **Match Known Users**
- Under "Users or Groups" click "Add New Item"
- Search for the username of the person using the VPN that needs to access the workstation (e.g. `nicole.rappe@bunny-lab.io`)
- Click the **Save** button and have the user try to connect to the VPN, then RDP into their workstation.