Set up Sophos SSL VPN on iPhone and iPad
Sophos Connect does not directly support iOS and iPadOS for IPsec or SSL VPN. If iPhone or iPad devices need to connect to Sophos Firewall Remote Access, an OpenVPN-compatible client is therefore used. In many environments, OpenVPN Connect is the obvious standard.
This article describes the practical process for Sophos SSL VPN on iPhone and iPad: install the app, obtain the .ovpn configuration, import the profile, test the connection and narrow down typical errors. For the basic choice between Sophos Connect, SSL VPN, IPsec, mobile clients and ZTNA, start with Sophos Connect or SSL VPN: which remote access solution fits?.
When SSL VPN on iOS makes sense
SSL VPN on iPhone or iPad makes sense when mobile users occasionally need access to internal systems and a classic VPN profile is sufficient for this.
Typical examples:
- access to internal web applications
- admin access to a few systems from an iPad
- access to file services or internal tools through defined apps
- temporary external work without a managed notebook client
- transitional solution when ZTNA or an app proxy is not yet available
For permanent access to many internal systems, a mobile device is often not the best target platform. In that case, check whether a managed Windows or macOS client with Sophos Connect, narrower ZTNA access or another Remote Access design is a better fit.
Context for other clients
These instructions apply to Sophos Firewall with SFOS and mobile Apple devices. Depending on the platform or starting point, another entry point may fit better:
- Set up SSL VPN on iPhone and iPad: This article.
- Set up SSL VPN with Sophos Connect on Windows: Set up Sophos SSL VPN with Sophos Connect on Windows.
- Set up SSL VPN with Sophos Connect on macOS: Set up Sophos SSL VPN with Sophos Connect on macOS.
- Set up SSL VPN on Android: Set up Sophos SSL VPN on Android.
- Install Sophos Connect on Windows: Install Sophos Connect client on Windows.
- Install Sophos Connect on macOS: Install Sophos Connect client on macOS.
The distinction is important: Sophos Connect is not the direct SSL VPN client for iOS and iPadOS. If mobile devices are to be supported, it should be clear internally which OpenVPN-compatible client is used, where profiles come from and who supports device changes.
Requirements
Before setup, clarify these points:
- Sophos Firewall with configured SSL VPN remote access
- user with permission for SSL VPN
- access to the VPN Portal or administratively provided
.ovpnfile - OpenVPN-compatible client on iPhone or iPad
- MFA/OTP configured if Remote Access is protected by it
- valid certificate for VPN Portal and firewall access, where possible
- firewall rules for traffic from the
VPNzone - clarified Split Tunnel or Full Tunnel design
- support process for device changes, lost devices and old profiles
Before upgrading to SFOS 22.0 MR1 or later, also check whether old Remote Access IPsec configurations still exist. SSL VPN is not directly affected by this, but many environments reassess Remote Access at this point. The process is described in Migrate legacy Remote Access IPsec before SFOS 22 MR1.
Prepare the firewall and VPN Portal
The iOS setup is only the final step. The firewall configuration must be correct beforehand.
These points should be checked on Sophos Firewall:
- Open Remote access VPN.
- Configure SSL VPN for the required users or groups.
- Use a VPN IP pool without overlap with LAN, Wi-Fi, VLANs, site-to-site VPNs or typical home networks.
- Set DNS servers and domain suffixes appropriately if internal names are used.
- Enable MFA for Remote Access and test it with a test user.
- Create a firewall rule from
VPNto the required destination zone. - Enable logging for the introduction phase.
- Expose the VPN Portal through Administration > Device access only as broadly as necessary.
The full firewall-side process is described in Set up Sophos Firewall SSL VPN Remote Access.
The VPN Portal is a publicly reachable entry point. If it must be reachable from the internet, certificate, MFA, country/source restrictions and log review should be planned deliberately. Device Access and Local Service ACL on Sophos Firewall is a suitable hardening reference.
1. Install OpenVPN Connect
Install OpenVPN Connect from the App Store: OpenVPN Connect.
If another OpenVPN-compatible client is standardised in the environment, document that decision. It becomes problematic when users run different VPN apps, old profiles and different instructions in parallel.
For support and operations, define:
- which client is supported
- which app version is expected as a minimum
- whether users may install the app themselves
- how profiles are distributed and withdrawn
- how lost or replaced devices are handled
2. Open the VPN Portal
On the iPhone or iPad, open the Sophos Firewall VPN Portal in the browser and log in with the VPN user. Safari is usually the most reliable way to download the .ovpn file and pass it to OpenVPN Connect.
If the VPN Portal is opened with an invalid or untrusted certificate, fix the cause. A permanent browser exception is not a good operating standard for production Remote Access.
For MFA, test the process with a real test user. It is especially important whether the second factor is requested in a separate field or whether password and OTP code must be entered in the expected format. The basics are described in Enable MFA for Sophos Firewall WebAdmin, VPN Portal and Remote Access.
3. Download the OVPN configuration
In the VPN Portal, switch to the SSL VPN or VPN area and download the configuration for Android/iOS. Depending on the SFOS version and portal view, the link is named approximately Download configuration for Android/iOS.
The downloaded file normally has the .ovpn extension. This file is user-specific and should not be passed on to other users.
Important:
- The file should come from the current firewall configuration.
- Old files from email archives or chat histories should not be reused.
- After changes to SSL VPN policy, certificate, gateway, DNS or user group, the profile should be downloaded again.
- When a user leaves the company or a device is lost, user access, group membership and profile distribution must be checked.
4. Import the profile into OpenVPN Connect
If iOS does not offer the import automatically, the .ovpn file can be passed to OpenVPN Connect through the share function. OpenVPN Connect then shows the new profile and asks for permission to create a VPN configuration during the first setup.
This iOS confirmation is necessary so the app is allowed to create a VPN connection. If the confirmation is rejected, the profile may appear in the app, but the connection cannot be established cleanly.
If several profiles exist, the name should be clear, for example with site, environment or company name. Several almost identically named profiles are a frequent support reason.
5. Establish the VPN connection
Activate the imported profile and log in with the VPN user. If MFA or OTP is active, confirm the second factor according to the firewall configuration.
After a successful connection, do not only check whether the OpenVPN app shows connected. The decisive question is whether the planned internal destinations are reachable and whether the traffic matches the right rule on the firewall.
Check after setup
At least these points should be checked with a test user:
- OpenVPN Connect shows the connection as connected.
- iOS shows the VPN symbol or VPN status.
- The user receives an IP address from the expected SSL VPN pool.
- Internal DNS names resolve correctly.
- Required servers, web applications or services are reachable.
- Internet behaviour matches the design: Split Tunnel or Full Tunnel.
- The expected firewall rule for traffic from the
VPNzone is visible in Log Viewer. - MFA is requested as planned.
- Re-test the connection after flight mode, Wi-Fi change or mobile network change.
- Old profiles have been removed or clearly marked as outdated.
If the connection is established but no access works, the cause is often not the mobile client but firewall rules, DNS, routing or NAT. For analysis, use Test a firewall rule with Log Viewer, Policy Test and Packet Capture.
Manual distribution or MDM?
For a few iPhones or iPads, manual import through VPN Portal, Safari and OpenVPN Connect may be enough. As soon as several users, many devices or regular device changes are involved, profile distribution should be planned deliberately. Otherwise, old .ovpn files remain in emails, chats or private download folders and reappear in support cases months later.
- Manual import: few devices, pilot group, occasional use. clear instructions, current profile, MFA test and removal of old profiles.
- Distribution through MDM or endpoint management: managed devices, many users, recurring changes. profile version, app installation, device loss, withdrawal of old profiles and support process.
Withdrawal is important. When a device is replaced, a user leaves or an SSL VPN policy is changed, distributing a new profile is not enough. Old profiles, group memberships and any saved credentials must also be checked.
Operations and security
Mobile VPN profiles need clear operating rules. iPhones and iPads frequently switch between Wi-Fi, mobile networks, hotspots and Captive Portals. In addition, mobile devices are more easily lost or replaced more quickly than classic company notebooks.
Good practice:
- Update OpenVPN Connect regularly.
- Enable and test MFA for Remote Access.
- Review VPN groups regularly.
- Restrict VPN Portal through Device Access and Local Service ACL where possible.
- Keep firewall rules for the
VPNzone narrow and logged. - Remove old
.ovpnfiles and outdated profiles. - Include device changes and lost devices in the support process.
- Plan Syslog or central analysis for longer log retention.
For log files and service logs, Sophos Firewall troubleshooting: services and logs is useful.
Typical errors
OVPN file cannot be opened
First check whether OpenVPN Connect is installed and whether the file really exists as .ovpn. Then download the file again from the VPN Portal or pass it to OpenVPN Connect through the share function.
If the file is distributed through MDM, email or file sharing, check whether the file was changed, renamed or blocked in transit.
Import works, but the connection does not
The iOS permission for the VPN configuration was often not granted cleanly, or the profile does not match the current firewall configuration. Delete the profile, obtain the current .ovpn file again and import it again.
Login fails
Check user, password, MFA, group membership and authentication server. If AD, RADIUS or Microsoft Entra ID SSO is involved, test authentication separately from the VPN. A login problem is not automatically an OpenVPN problem.
Connection is established, but internal systems are not reachable
Check DNS, firewall rules, routing, NAT and the return path. Traffic from the VPN zone should be visible in Log Viewer. If no logs appear, the traffic probably does not reach the expected rule or logging is disabled.
For individual internal systems, the VPN itself is often not broken; instead, a firewall rule is missing, a DNS name is wrong or a return route is missing in the destination network.
If small accesses work but larger file transfers or certain applications hang, also check MTU/MSS: Check Sophos Firewall MTU and MSS for VPN problems.
Internal names are not resolved
Check DNS server and search domain in the SSL VPN configuration. Then test whether internal systems are reachable by IP address. If IP works but name does not, the cause is probably DNS, not the VPN connection itself.
Connection drops during network changes
On mobile devices, Wi-Fi changes, mobile network changes, Captive Portals and power-saving mechanisms are typical causes. Test with a second network and check whether the behaviour is reproducible.
If users frequently move between networks, check whether the application can handle short VPN interruptions or whether another access model fits better.
Checklist
Before rollout
- Supported OpenVPN client defined.
- SSL VPN user group checked.
- MFA for Remote Access tested.
- VPN Portal reachable with a valid certificate.
- Device Access and internet access deliberately restricted.
- Firewall rules for
VPNzone created and logged. - Split Tunnel or Full Tunnel documented.
- Profile distribution and device change process clarified.
After import
- Profile visible in OpenVPN Connect.
- iOS VPN permission confirmed.
- Connection established with test user.
- DNS, internal destinations and firewall rule match checked.
- Wi-Fi, mobile network and network changes tested.
- Old profiles removed.
In operation
- Keep OpenVPN app and iOS current.
- Review user groups regularly.
- Remove old profiles when users leave or devices are lost.
- Check VPN logs early in support cases.
- For recurring mobile problems, review ZTNA or app-based access.
FAQ
Does Sophos Connect support SSL VPN on iOS?
Must OpenVPN Connect be used?
Does MFA work with SSL VPN on iOS?
Is SSL VPN on iOS better than IPsec?
Why does the connection work, but no internal application?
VPN zone matches the expected rule.