Set Up Sophos Firewall Remote Access on Linux
For Windows and macOS, Sophos Connect provides a dedicated client for IPsec and SSL VPN. For Linux, Sophos does not offer its own Sophos Connect client. Linux users who want to connect to Sophos Firewall Remote Access instead use standard tools: the regular OpenVPN client for SSL VPN or NetworkManager with the strongSwan plugin for IPsec.
This article describes both paths and explains when each one makes sense. For the basic decision between IPsec and SSL VPN, see Sophos Connect or SSL VPN: Which Remote Access Solution Fits? first. For setting up SSL VPN Remote Access on the firewall side, Set Up Sophos Firewall SSL VPN Remote Access is the right foundation.
How this fits with other clients
- Windows or macOS with Sophos Connect: Install the Sophos Connect Client on Windows or Install the Sophos Connect Client on macOS.
- iOS or Android with OpenVPN Connect: Set Up Sophos SSL VPN on iPhone and iPad or Set Up Sophos SSL VPN on Android.
- Linux with OpenVPN or NetworkManager-strongSwan: This article.
Linux isn’t a negative exception here — it follows the same pattern as mobile platforms: instead of a vendor-specific client, established standard tools work with the configuration file the firewall provides.
Prerequisites
- Sophos Firewall with SSL VPN Remote Access or IPsec Remote Access already set up.
- A user account with VPN permission and, if enabled, working MFA.
- For SSL VPN: an OpenVPN client package on the Linux system, for example openvpn on Debian/Ubuntu or the equivalent package from your distribution.
- For IPsec: NetworkManager with the strongSwan plugin, for example network-manager-strongswan on Debian/Ubuntu.
- Access to the VPN Portal or an administratively provided configuration file.
⚠️ There’s no official Sophos Connect client for Linux. Guides or downloads advertising a “Sophos Connect for Linux” aren’t part of Sophos’s official offering and shouldn’t be installed without careful verification.
Setting up SSL VPN with OpenVPN
The path officially documented by Sophos for Linux is SSL VPN Remote Access with the classic OpenVPN client.
1. Install the OpenVPN client
On most distributions, the package from the standard package manager is enough, for example:
sudo apt install openvpn
If you prefer a graphical interface, you can additionally install the NetworkManager OpenVPN plugin, for example network-manager-openvpn-gnome, and import the connection through it instead of starting it from a terminal.
2. Download the configuration file
- Open the Sophos Firewall VPN Portal in a browser.
- Sign in with the VPN user.
- Under the configuration selection, choose Linux.
- Download the .ovpn file and store it securely.
3. Start the connection from the terminal
sudo openvpn --config sophos-vpn.ovpn
Depending on the configuration, OpenVPN then prompts for a username and password, followed by an MFA verification code if applicable. The connection stays active as long as the process is running. Closing the terminal window also disconnects the tunnel.
For longer-term use without an open terminal, OpenVPN can be set up as a systemd service, or the connection can be managed through NetworkManager instead.
4. Import the connection through NetworkManager (optional)
- Open network settings.
- Add a new VPN connection and select Import from file.
- Select the downloaded .ovpn file.
- Save the username if you want; don’t store the password permanently in plaintext if MFA is active.
- Start the connection from the graphical interface and enter credentials or the MFA code.
This variant is more practical day to day, because it can be toggled like any other network connection without keeping a terminal open.
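The downloaded .ovpn file from step 2 should be stored securely, and step 4 warns against keeping the password in plaintext. The following is an added example, not code from Sophos or from the original article, that audits a profile for both points and lists the gateways it points to. The sample profile, host name, port and credentials path are constructed placeholders.

```python
import os
import stat
import tempfile

# Constructed sample profile: host, port, path and key body are placeholders.
SAMPLE_PROFILE = """client
remote vpn.example.com 8443 tcp
auth-user-pass /home/alice/vpn-creds.txt
<key>
(placeholder key material)
</key>
"""

def audit_profile(path):
    """Return (findings, remotes) for the OpenVPN client profile at path."""
    findings, remotes, block = [], [], None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:o} lets group/others access the file; chmod 600")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in (raw.strip() for raw in fh):
            if block:  # skip the body of inline <ca>/<cert>/<key> blocks
                if line == f"</{block}>":
                    block = None
            elif line.startswith("<") and line.endswith(">"):
                block = line[1:-1]
                if block == "key":
                    findings.append("embedded private key: treat the file as a credential")
            elif line and line[0] not in "#;":
                name, *args = line.split()
                if name == "remote":
                    remotes.append(" ".join(args))
                elif name == "auth-user-pass" and args:
                    findings.append(f"credentials read from {args[0]}: keep the prompt interactive")
    return findings, remotes

def demo():
    """Audit the constructed sample after writing it with a loose 0644 mode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sophos-vpn.ovpn")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PROFILE)
        os.chmod(path, 0o644)
        return audit_profile(path)

if __name__ == "__main__":
    print(demo())
```

The listed gateways are also a quick way to spot a profile that predates a change to the firewall's address or VPN Portal port.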
IPsec with NetworkManager-strongSwan (alternative)
If you want to use IPsec instead of SSL VPN, the NetworkManager-strongSwan plugin is the common path on Linux. This variant is less standardized on Linux than the OpenVPN path and should mainly be planned for IKEv2 remote-access scenarios.
1. Install the plugin
sudo apt install network-manager-strongswan
The exact package name may differ by distribution.
2. Check the connection type on the firewall
The NetworkManager strongSwan plugin supports IKEv2. On the firewall, the Remote Access IPsec profile must be set up accordingly for IKEv2, not the older IKEv1. For authentication, the plugin supports both certificate-based methods and EAP, for example username and password. For pre-shared key authentication, the plugin requires a sufficiently strong secret; short or simple PSKs should generally be avoided.
3. Create the connection
- Open network settings.
- Add a new VPN connection of type IPsec/IKEv2 (strongswan).
- Enter the Sophos Firewall’s gateway address.
- Choose the authentication method matching the firewall configuration: certificate or username/password (EAP).
- For certificate-based authentication, add the server certificate or CA used by the firewall.
- Save and test the connection.
Because this path depends more strongly on the distribution, plugin version, and the exact IPsec configuration on the firewall, it’s more error-prone than the OpenVPN path. For most environments, SSL VPN over OpenVPN is therefore the more robust first approach for Linux clients.
Checking after setup
- The connection status in OpenVPN or NetworkManager shows an active session.
- Internal DNS names resolve through the VPN tunnel.
- An allowed internal target is reachable, a disallowed target stays blocked.
- The firewall’s Log Viewer shows traffic from the VPN zone hitting the expected firewall rule.
- With MFA: the verification code is correctly requested on every new connection.
- After restarting the Linux client, the connection either reconnects cleanly or is deliberately started manually, depending on how it was set up.
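The DNS and reachability items of this checklist can be scripted from the Linux client. This is an added example, not part of the original article, and the internal names and addresses in it are hypothetical. It reports a "stays blocked" check as inconclusive when no allowed target is reachable, because a tunnel that carries no traffic would otherwise make every blocked target look correctly blocked.

```python
import socket

def resolves(name):
    """True if the system resolver returns at least one address for name."""
    try:
        return bool(socket.getaddrinfo(name, None))
    except socket.gaierror:
        return False

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or unresolvable
        return False

def verify_tunnel(dns_names, allowed, blocked):
    """Return {check: True/False/None}; None marks an inconclusive check."""
    results = {f"resolve {n}": resolves(n) for n in dns_names}
    allowed_ok = [tcp_reachable(h, p) for h, p in allowed]
    for (h, p), ok in zip(allowed, allowed_ok):
        results[f"allowed {h}:{p}"] = ok
    # A blocked target only says something about the firewall rule if the
    # tunnel carries traffic at all, i.e. at least one allowed target answers.
    tunnel_up = any(allowed_ok)
    for h, p in blocked:
        results[f"blocked {h}:{p}"] = (not tcp_reachable(h, p)) if tunnel_up else None
    return results

if __name__ == "__main__":
    # Hypothetical internal name and addresses; replace with your own targets.
    report = verify_tunnel(
        dns_names=["intranet.corp.example"],
        allowed=[("10.10.20.5", 443)],
        blocked=[("10.10.30.9", 22)],
    )
    for check, state in report.items():
        label = {True: "PASS", False: "FAIL", None: "INCONCLUSIVE"}[state]
        print(f"{label:13} {check}")
```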
If the connection is established but no traffic gets through, Test a Firewall Rule with Log Viewer, Policy Test, and Packet Capture helps.
Common mistakes
- Searched for a third-party “Sophos Connect for Linux” guide: This client doesn’t officially exist. Use OpenVPN or NetworkManager-strongSwan instead.
- Closed the terminal window and lost the connection: With a direct openvpn --config call, closing the terminal disconnects the tunnel. For continuous operation, use the NetworkManager import or a systemd service.
- Kept using an old .ovpn file after a firewall change: After changes to the gateway, certificate, VPN Portal port, or authentication, the configuration file must be downloaded again.
- IKEv1 configured on the firewall instead of IKEv2: The NetworkManager strongSwan plugin only supports IKEv2. Check the firewall-side profile and adjust it if needed.
- PSK too short: Newer plugin versions enforce a minimum PSK length. A too-short secret leads to a connection error, not an insecure but working connection.
- Wrong certificate or wrong CA configured: For certificate-based IPsec authentication, the exact CA used by the firewall must be configured. A slightly different or expired certificate leads to a connection failure without a meaningful error message in the client.
- MFA code entered in the wrong place: With OpenVPN and MFA, the verification code must be entered in the right field at the right time. If unsure, compare the sign-in sequence with a working Windows or macOS client.
FAQ
Is there an official Sophos Connect client for Linux?
Which path is easier on Linux: SSL VPN or IPsec?
Why does the VPN connection drop when I close the terminal?
sudo openvpn --config, the connection runs as the terminal’s foreground process. For operation independent of the terminal session, import the connection through NetworkManager or set it up as a service.