|
SFOS的SSLVPN組態範本位置在如下路徑。
/content/sslvpn/client-config-template.ovpn
若有參數調整需求,可以修改此範本,其變動套用到修改後再下載的個人組態。
舉例來說,iOS使用的OpenVPN APP,在2023年10月升版到3.4後不再支援 route-delay 4 此參數,
此升版造成原iOS用戶無法撥接成功。
除了手動修改已匯入的SSLVPN個人組態,去掉此參數外,
也可以直接修改XG/S上的SSLVPN組態範本,註解掉此不支援的參數,
再通知用戶重新下載組態檔,重新匯入,以恢復SSLVPN的正常使用。
[<OPENVPN_WIN_OPTIONS>]
client
dev tun
proto [<OPENVPN_PROTOCOL>]
verify-x509-name "[<OPENVPN_SERVER_DN>]"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
ca [<OPENVPN_CA_FILE>]
cert [<OPENVPN_CLIENT_CERT>]
key [<OPENVPN_CLIENT_KEY>]
auth-user-pass
cipher [<OPENVPN_CIPHER>]
auth [<OPENVPN_AUTH>]
comp-lzo [<OPENVPN_COMPRESSION>]
;can_save [<OPENVPN_SEVECREDENTIAL>]
;otp [<OPENVPN_TWOFATOKEN>]
;run_logon_script [<OPENVPN_ADLOGON>]
;auto_connect [<OPENVPN_AUTOCONNECT>]
;route-delay 4
verb 3
reneg-sec 0
https://community.sophos.com/sophos-xg-f...-breaks-ssl-vpn
另外,在有多個WAN的情況下,
原本無法指定SSLVPN撥入時,優先透過哪個WAN IP來進行撥接。
在知道範本位置後,我們也可以修改此範本,
將WAN加到組態範本中,例如WAN IP 123.1.2.3。
[<OPENVPN_WIN_OPTIONS>]
client
dev tun
proto [<OPENVPN_PROTOCOL>]
verify-x509-name "[<OPENVPN_SERVER_DN>]"
route remote_host 255.255.255.255 net_gateway
resolv-retry infinite
nobind
persist-key
persist-tun
ca [<OPENVPN_CA_FILE>]
cert [<OPENVPN_CLIENT_CERT>]
key [<OPENVPN_CLIENT_KEY>]
auth-user-pass
cipher [<OPENVPN_CIPHER>]
auth [<OPENVPN_AUTH>]
comp-lzo [<OPENVPN_COMPRESSION>]
;can_save [<OPENVPN_SEVECREDENTIAL>]
;otp [<OPENVPN_TWOFATOKEN>]
;run_logon_script [<OPENVPN_ADLOGON>]
;auto_connect [<OPENVPN_AUTOCONNECT>]
route-delay 4
verb 3
reneg-sec 0
remote 123.1.2.3 8443
完成後,使用者重新下載組態並匯入後,第一個撥接的IP就是 123.1.2.3 了∼
♥順子老婆的網拍,請多關照∼
If you don't like something, change it.
If you can't change it, change your attitude.
Don't complain!
|
2024-02-29, 11:41
《分享》SSLVPN組態範本
