Skip to content
Avanet

Safely Categorise Sophos SSL VPN Client in Autostart

The old Sophos SSL VPN Client for Windows can automatically start at Windows login and connect to a specific OpenVPN configuration. This is technically possible but should not be confused with a secure standard recommendation. Particularly critical is Auto-Login with a password.txt, as the username and password are stored in plaintext on the client.

For new remote access setups, it should first be checked whether Sophos Connect, current SSL VPN profiles, MFA, or Microsoft Entra ID SSO are more suitable. This guide is mainly intended for legacy environments, special clients, or controlled exceptions where the old SSL VPN Client is still in use.

Distinguishing Autostart, Auto-Connect, and Auto-Login

The three terms are often mixed up but mean different risks:

FunctionMeaningRisk
AutostartThe VPN Client starts at Windows login.low to medium
Auto-ConnectThe client starts directly with a specific .ovpn file.medium
Auto-LoginUsername and password are automatically passed.high

Autostart and Auto-Connect can be useful in certain environments if a device should establish a connection immediately after login. Auto-Login, however, is a special case. Once the password is stored as a file on the client, security heavily depends on the Windows device, user profile, file permissions, VPN permissions, and theft protection.

⚠️ Auto-Login with password.txt stores credentials in plaintext. This should not be used for normal user accounts, administrators, shared devices, or broadly authorised VPN profiles.

When this approach can be sensible

The autostart approach can be a sensible interim solution if a Windows client should automatically open a known SSL VPN connection after login and the environment has not yet switched to Sophos Connect or another remote access model.

Typical cases:

  • a dedicated maintenance client with limited permissions
  • a lab or test system
  • a special device that needs a fixed connection after user login
  • a legacy environment where Sophos Connect has not yet been introduced

This approach is not suitable for devices used by multiple people, for privileged admin access, for unencrypted or poorly managed Windows clients, and for environments where MFA is consistently enforced.

Prerequisites

Before implementation, these points should be clear:

  • The old Sophos SSL VPN Client is installed on Windows.
  • A working .ovpn configuration is available locally.
  • The affected VPN user has only the necessary access.
  • The Windows device is managed, encrypted, and protected against local unauthorised access.
  • It is documented why Auto-Connect or Auto-Login is needed.
  • A rollback plan is available for productive use.

If the client is not yet installed, the guide for Sophos SSL VPN Client on Windows with SFOS can help. For current client versions, Check and Securely Update Sophos Connect Client Version is also suitable.

Disable existing Autostart entry

The old SSL VPN Client often creates an autostart entry during installation. If a custom autostart line with parameters is used, the existing entry should first be disabled to prevent the client from starting twice.

Disable Sophos SSL VPN Client Autostart entry in Windows Task Manager
The existing autostart entry should be disabled before a custom start command with OpenVPN parameters is added.
  1. Open Task Manager.
  2. Switch to the Startup tab.
  3. Select SSL VPN Client for Windows.
  4. Disable the entry.

In older Windows versions, the classic Startup folder may also be relevant. In managed environments, it should also be checked whether a software distribution or GPO process restores the entry later.

Prepare command for Auto-Connect

For Auto-Connect, openvpn-gui.exe is started with the path to the configuration folder and the name of the desired .ovpn file.

Schema:

"C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe" --config_dir "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\" --connect profile-name.ovpn

Depending on the Windows and client installation, the paths may vary:

ComponentTypical Path
openvpn-gui.exe on 64-bit WindowsC:\Program Files (x86)\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe
openvpn-gui.exe on 32-bit WindowsC:\Program Files\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe
Configuration folder on 64-bit WindowsC:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\
Configuration folder on 32-bit WindowsC:\Program Files\Sophos\Sophos SSL VPN Client\config\
Sophos SSL VPN Client configuration folder with OpenVPN profile
The start command must point to the correct configuration folder and the correct OVPN file.

Example:

"C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe" --config_dir "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\" --connect avanet@example-firewall.ovpn

The exact filename of the .ovpn file is important. If spaces or special characters are in the filename, the command should be tested particularly carefully. In many environments, a short profile name without spaces is more maintenance-friendly.

Create Autostart in the Registry

The entry can be stored under the current Windows user in Run. This way, the client starts at this user’s login, not system-wide before every user login.

Create Sophos SSL VPN Client Autostart entry in the Windows Registry
An HKCU-Run entry starts the client at the login of the current Windows user.
  1. Open Registry Editor.
  2. Navigate to this path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  1. Create a new String Value in the right column.
  2. Assign a unique name, for example, sophos-ssl-vpn.
  3. Insert the prepared openvpn-gui.exe command as the value.
  4. Log off and log back into Windows.
  5. Check if the client starts and selects the desired connection.

If only Autostart and Auto-Connect are needed, you should stop here. In this state, the user must still enter the VPN password. This is usually the better option from a security perspective.

Use Auto-Login only as an exception

Auto-Login is controlled in the old OpenVPN-based client via the auth-user-pass line in the .ovpn file. If a file is specified there, the client reads the username and password from this file.

Example in the .ovpn file:

auth-user-pass password.txt

The password.txt file is then located in the same folder as the .ovpn file and contains two lines:

supportuser
VerySecretPassword

This method is technically simple but weak in terms of security. Anyone who gains access to the file has the VPN credentials. Therefore, this variant should only be used if the risk is consciously accepted and limited.

Minimum controls for an exception:

  • dedicated VPN user only for this purpose
  • no administrator or shared admin credentials
  • strictly limited VPN policy and firewall rules
  • no access to management networks, domain controllers, or backup systems unless absolutely necessary
  • Windows device with BitLocker or comparable encryption
  • no local standard users with access to the file
  • documented expiration or review date for the exception

Configure Auto-Login

If Auto-Login is needed despite the risk, the change should be thoroughly documented and tested.

  1. Start the editor as an administrator.
  2. Open the used .ovpn file in the Sophos SSL VPN configuration folder.
  3. Search for the auth-user-pass line.
  4. Change the line to auth-user-pass password.txt.
  5. Create a password.txt file in the same folder.
  6. Enter the username in the first line.
  7. Enter the password in the second line.
  8. Save the file.
  9. Check file permissions and remove unnecessary access.
  10. Log back into Windows and test the VPN connection.

After the test, it should be checked whether the VPN user only reaches the intended targets. If the profile allows too broad internal networks, a convenience workaround quickly becomes an unnecessarily large security access.

Validation after setup

After configuration, it is not enough to just look at the green VPN symbol. It is important whether exactly the expected connection was established and whether the rights are correct.

Check:

  • Does the client start only once?
  • Is the correct .ovpn file used?
  • Is the connection established only after Windows login?
  • Do DNS resolution and internal target systems work?
  • Does the expected remote access rule apply on the firewall?
  • Are the expected user and VPN events visible in the Log Viewer?
  • Can the VPN user only reach the required networks?

For connection problems after successful login, Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture and Sophos Firewall Troubleshooting: Services and Logs can help. If only individual applications hang over VPN, MTU and MSS for VPN Issues should also be checked.

Common Errors

SymptomProbable CauseCheck
Client does not startRegistry path or command incorrectCheck Run entry and paths
Client starts twiceold autostart entry still activeCheck Task Manager and Startup folder
Profile not foundincorrect filename or config_dirCompare .ovpn name exactly
Password still requestedauth-user-pass password.txt not in active OVPN fileCheck used profile and file path
Login works, internal targets notVPN policy, firewall rule, DNS, or routing incorrectCheck Log Viewer, firewall rule, and DNS
Auto-Login fails after password changepassword.txt contains old passwordUpdate password file or remove Auto-Login

Rollback

If Auto-Login is no longer needed, it should be completely removed.

  1. Delete or disable the registry entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.
  2. Change auth-user-pass password.txt back to auth-user-pass in the .ovpn file.
  3. Delete password.txt.
  4. Change the VPN password of the affected user.
  5. Check on the firewall whether the user or rule is still needed.

If credentials were stored in plaintext for a long time, you should not just delete the file. The password should be changed and access checked in the logs.

Checklist

  • Autostart checked without Auto-Login.
  • Evaluated better remote access model like Sophos Connect, MFA, or Entra ID SSO.
  • Dedicated VPN user used if Auto-Login is necessary.
  • VPN and firewall rules limited to the minimum.
  • password.txt not used for admin or shared accounts.
  • Windows device is encrypted and managed.
  • Log Viewer shows expected VPN events.
  • Rollback and review date are documented.

FAQ

Is Auto-Login with the Sophos SSL VPN Client secure?

No, not as a standard. Auto-Login with password.txt stores username and password in plaintext. This can be accepted in narrowly limited special cases but should not be used for normal user or admin access.

Can the Sophos SSL VPN Client start automatically without storing the password?

Yes. The client can start via Autostart and --connect with a specific configuration. The user must still enter the password.

What is the better alternative to Auto-Login?

For new setups, you should consider Sophos Connect, current SSL VPN profiles, MFA, Entra ID SSO, or depending on the architecture, ZTNA. Which variant fits depends on the operating system, authentication, user groups, and security requirements.

Should password.txt be used with a normal user account?

Only if the risk is consciously accepted. It is better to use a dedicated account with minimal rights, clearly limited firewall rules, and a documented expiration date.

Why does the client connect automatically, but internal systems are not reachable?

Then the VPN login is not the actual problem. Often, appropriate firewall rules, DNS settings, routes, or permissions in the remote access policy are missing.