Safely Categorise Sophos SSL VPN Client in Autostart
The old Sophos SSL VPN Client for Windows can automatically start at Windows login and connect to a specific OpenVPN configuration. This is technically possible but should not be confused with a secure standard recommendation. Particularly critical is Auto-Login with a password.txt, as the username and password are stored in plaintext on the client.
For new remote access setups, it should first be checked whether Sophos Connect, current SSL VPN profiles, MFA, or Microsoft Entra ID SSO are more suitable. This guide is mainly intended for legacy environments, special clients, or controlled exceptions where the old SSL VPN Client is still in use.
Distinguishing Autostart, Auto-Connect, and Auto-Login
The three terms are often mixed up but mean different risks:
| Function | Meaning | Risk |
|---|---|---|
| Autostart | The VPN Client starts at Windows login. | low to medium |
| Auto-Connect | The client starts directly with a specific .ovpn file. | medium |
| Auto-Login | Username and password are automatically passed. | high |
Autostart and Auto-Connect can be useful in certain environments if a device should establish a connection immediately after login. Auto-Login, however, is a special case. Once the password is stored as a file on the client, security heavily depends on the Windows device, user profile, file permissions, VPN permissions, and theft protection.
⚠️ Auto-Login with
password.txtstores credentials in plaintext. This should not be used for normal user accounts, administrators, shared devices, or broadly authorised VPN profiles.
When this approach can be sensible
The autostart approach can be a sensible interim solution if a Windows client should automatically open a known SSL VPN connection after login and the environment has not yet switched to Sophos Connect or another remote access model.
Typical cases:
- a dedicated maintenance client with limited permissions
- a lab or test system
- a special device that needs a fixed connection after user login
- a legacy environment where Sophos Connect has not yet been introduced
This approach is not suitable for devices used by multiple people, for privileged admin access, for unencrypted or poorly managed Windows clients, and for environments where MFA is consistently enforced.
Prerequisites
Before implementation, these points should be clear:
- The old Sophos SSL VPN Client is installed on Windows.
- A working
.ovpnconfiguration is available locally. - The affected VPN user has only the necessary access.
- The Windows device is managed, encrypted, and protected against local unauthorised access.
- It is documented why Auto-Connect or Auto-Login is needed.
- A rollback plan is available for productive use.
If the client is not yet installed, the guide for Sophos SSL VPN Client on Windows with SFOS can help. For current client versions, Check and Securely Update Sophos Connect Client Version is also suitable.
Disable existing Autostart entry
The old SSL VPN Client often creates an autostart entry during installation. If a custom autostart line with parameters is used, the existing entry should first be disabled to prevent the client from starting twice.

- Open Task Manager.
- Switch to the Startup tab.
- Select SSL VPN Client for Windows.
- Disable the entry.
In older Windows versions, the classic Startup folder may also be relevant. In managed environments, it should also be checked whether a software distribution or GPO process restores the entry later.
Prepare command for Auto-Connect
For Auto-Connect, openvpn-gui.exe is started with the path to the configuration folder and the name of the desired .ovpn file.
Schema:
"C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe" --config_dir "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\" --connect profile-name.ovpn
Depending on the Windows and client installation, the paths may vary:
| Component | Typical Path |
|---|---|
openvpn-gui.exe on 64-bit Windows | C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe |
openvpn-gui.exe on 32-bit Windows | C:\Program Files\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe |
| Configuration folder on 64-bit Windows | C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\ |
| Configuration folder on 32-bit Windows | C:\Program Files\Sophos\Sophos SSL VPN Client\config\ |

Example:
"C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\bin\openvpn-gui.exe" --config_dir "C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config\" --connect avanet@example-firewall.ovpn
The exact filename of the .ovpn file is important. If spaces or special characters are in the filename, the command should be tested particularly carefully. In many environments, a short profile name without spaces is more maintenance-friendly.
Create Autostart in the Registry
The entry can be stored under the current Windows user in Run. This way, the client starts at this user’s login, not system-wide before every user login.

- Open Registry Editor.
- Navigate to this path:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Create a new String Value in the right column.
- Assign a unique name, for example,
sophos-ssl-vpn. - Insert the prepared
openvpn-gui.execommand as the value. - Log off and log back into Windows.
- Check if the client starts and selects the desired connection.
If only Autostart and Auto-Connect are needed, you should stop here. In this state, the user must still enter the VPN password. This is usually the better option from a security perspective.
Use Auto-Login only as an exception
Auto-Login is controlled in the old OpenVPN-based client via the auth-user-pass line in the .ovpn file. If a file is specified there, the client reads the username and password from this file.
Example in the .ovpn file:
auth-user-pass password.txt
The password.txt file is then located in the same folder as the .ovpn file and contains two lines:
supportuser
VerySecretPassword
This method is technically simple but weak in terms of security. Anyone who gains access to the file has the VPN credentials. Therefore, this variant should only be used if the risk is consciously accepted and limited.
Minimum controls for an exception:
- dedicated VPN user only for this purpose
- no administrator or shared admin credentials
- strictly limited VPN policy and firewall rules
- no access to management networks, domain controllers, or backup systems unless absolutely necessary
- Windows device with BitLocker or comparable encryption
- no local standard users with access to the file
- documented expiration or review date for the exception
Configure Auto-Login
If Auto-Login is needed despite the risk, the change should be thoroughly documented and tested.
- Start the editor as an administrator.
- Open the used
.ovpnfile in the Sophos SSL VPN configuration folder. - Search for the
auth-user-passline. - Change the line to
auth-user-pass password.txt. - Create a
password.txtfile in the same folder. - Enter the username in the first line.
- Enter the password in the second line.
- Save the file.
- Check file permissions and remove unnecessary access.
- Log back into Windows and test the VPN connection.
After the test, it should be checked whether the VPN user only reaches the intended targets. If the profile allows too broad internal networks, a convenience workaround quickly becomes an unnecessarily large security access.
Validation after setup
After configuration, it is not enough to just look at the green VPN symbol. It is important whether exactly the expected connection was established and whether the rights are correct.
Check:
- Does the client start only once?
- Is the correct
.ovpnfile used? - Is the connection established only after Windows login?
- Do DNS resolution and internal target systems work?
- Does the expected remote access rule apply on the firewall?
- Are the expected user and VPN events visible in the Log Viewer?
- Can the VPN user only reach the required networks?
For connection problems after successful login, Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture and Sophos Firewall Troubleshooting: Services and Logs can help. If only individual applications hang over VPN, MTU and MSS for VPN Issues should also be checked.
Common Errors
| Symptom | Probable Cause | Check |
|---|---|---|
| Client does not start | Registry path or command incorrect | Check Run entry and paths |
| Client starts twice | old autostart entry still active | Check Task Manager and Startup folder |
| Profile not found | incorrect filename or config_dir | Compare .ovpn name exactly |
| Password still requested | auth-user-pass password.txt not in active OVPN file | Check used profile and file path |
| Login works, internal targets not | VPN policy, firewall rule, DNS, or routing incorrect | Check Log Viewer, firewall rule, and DNS |
| Auto-Login fails after password change | password.txt contains old password | Update password file or remove Auto-Login |
Rollback
If Auto-Login is no longer needed, it should be completely removed.
- Delete or disable the registry entry under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run. - Change
auth-user-pass password.txtback toauth-user-passin the.ovpnfile. - Delete
password.txt. - Change the VPN password of the affected user.
- Check on the firewall whether the user or rule is still needed.
If credentials were stored in plaintext for a long time, you should not just delete the file. The password should be changed and access checked in the logs.
Checklist
- Autostart checked without Auto-Login.
- Evaluated better remote access model like Sophos Connect, MFA, or Entra ID SSO.
- Dedicated VPN user used if Auto-Login is necessary.
- VPN and firewall rules limited to the minimum.
password.txtnot used for admin or shared accounts.- Windows device is encrypted and managed.
- Log Viewer shows expected VPN events.
- Rollback and review date are documented.
FAQ
Is Auto-Login with the Sophos SSL VPN Client secure?
password.txt stores username and password in plaintext. This can be accepted in narrowly limited special cases but should not be used for normal user or admin access.Can the Sophos SSL VPN Client start automatically without storing the password?
--connect with a specific configuration. The user must still enter the password.