Avanet

Set up Sophos SSL VPN on Android

Sophos Connect does not directly support Android for IPsec or SSL VPN. Therefore, if an Android smartphone or tablet needs to connect via Sophos Firewall Remote Access, an OpenVPN-compatible client is required. In many environments, OpenVPN Connect is the obvious standard because the Sophos Firewall provides an .ovpn configuration for mobile clients.

This article describes the practical process for Sophos SSL VPN on Android: installing the app, obtaining the .ovpn configuration, importing the profile, testing the connection, and narrowing down common errors. For the fundamental decision between Sophos Connect, SSL VPN, IPsec, mobile clients, and ZTNA, first see Sophos Connect or SSL VPN: Which Remote Access Solution Fits?.

When SSL VPN on Android is Useful

SSL VPN on Android is useful when mobile users need occasional access to internal systems and a classic VPN profile suffices.

Typical examples:

  • Access to internal web applications
  • Admin access to a few systems via a tablet
  • Access to internal tools via defined apps
  • Temporary access without a managed notebook client
  • Transitional solution when ZTNA or app proxy is not yet available

For permanent access to many internal systems, a mobile device is often not the best target platform. In such cases, it should be checked whether a managed Windows or macOS client with Sophos Connect, more narrowly scoped ZTNA access, or another remote access design is more suitable.

Comparison to Other Clients

This guide applies to Sophos Firewall with SFOS and Android devices. Depending on the platform or starting point, a different entry may be appropriate:

Situation                                      | Suitable Entry
-----------------------------------------------|-----------------------------------------------------
Set up SSL VPN on Android                      | This article
Set up SSL VPN with Sophos Connect on Windows  | Set up Sophos SSL VPN with Sophos Connect on Windows
Set up SSL VPN with Sophos Connect on macOS    | Set up Sophos SSL VPN with Sophos Connect on macOS
Set up SSL VPN on iPhone and iPad              | Set up Sophos SSL VPN on iPhone and iPad
Install Sophos Connect on Windows              | Install Sophos Connect Client on Windows
Install Sophos Connect on macOS                | Install Sophos Connect Client on macOS

An important distinction: Sophos Connect is not the SSL VPN client for Android. If mobile devices are to be supported, it should be clearly defined internally which OpenVPN-compatible client is used, where the profiles come from, and who supports device changes.

Prerequisites

Before setting up, these points should be clarified:

  • Sophos Firewall with configured SSL VPN remote access
  • User with permission for SSL VPN
  • Access to the VPN portal or administratively provided .ovpn file
  • OpenVPN-compatible client on Android
  • MFA/OTP set up if remote access is protected with it
  • Valid certificate for VPN portal and firewall access, if possible
  • Firewall rules for traffic from the VPN zone
  • Clarified split-tunnel or full-tunnel design
  • Support process for device changes, lost devices, and old profiles

Before upgrading to SFOS 22.0 MR1 or newer, it should also be checked whether old remote access IPsec configurations are still present. SSL VPN is not directly affected, but many environments reassess remote access at this point. The process is described in Migrate Legacy Remote Access IPsec before SFOS 22 MR1.

Prepare Firewall and VPN Portal

The Android setup is only the final step. The firewall configuration must be correct beforehand.

On the Sophos Firewall, these points should be checked:

  1. Open Remote access VPN.
  2. Configure SSL VPN for the required users or groups.
  3. Use a VPN IP pool without overlap with LAN, WLAN, VLANs, site-to-site VPNs, or typical home networks.
  4. Set DNS servers and domain suffixes appropriately if internal names are used.
  5. Activate MFA for remote access and test with a test user.
  6. Create a firewall rule from VPN to the required target zone.
  7. Enable logging for the introduction phase.
  8. Under Administration > Device access, allow VPN portal access only as broadly as necessary.
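
Step 3 above asks for a VPN IP pool that does not overlap with LAN, WLAN, VLANs, site-to-site networks, or typical home networks. The following script is an added example (not part of this article and not a Sophos tool) that checks a candidate pool against such an inventory before it is entered on the firewall. The network list is constructed for illustration and is an assumption; replace it with the ranges of your own environment.

```python
"""Check a proposed SSL VPN IP pool for overlap with existing networks.

Added example, not from the Avanet article or Sophos Firewall. The network
inventory below is constructed and must be replaced with your own LAN, WLAN,
VLAN, site-to-site and typical home ranges.
"""
import ipaddress

# Constructed sample inventory: name -> CIDR (assumption, not a real site)
KNOWN_NETWORKS = {
    "LAN": "10.10.0.0/16",
    "WLAN": "10.20.0.0/24",
    "VLAN 30 servers": "10.30.0.0/24",
    "Site-to-site branch": "172.16.5.0/24",
    # Ranges that consumer routers commonly hand out to home users; a VPN
    # pool inside these collides with the client's own home LAN.
    "Typical home 192.168.0.0/24": "192.168.0.0/24",
    "Typical home 192.168.1.0/24": "192.168.1.0/24",
    "Typical home 192.168.178.0/24": "192.168.178.0/24",
}


def find_overlaps(pool: str, networks: dict) -> list:
    """Return the names of all inventory networks that overlap the pool."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    return [
        name
        for name, cidr in networks.items()
        if pool_net.overlaps(ipaddress.ip_network(cidr, strict=False))
    ]


def check_pool(pool: str, networks: dict = KNOWN_NETWORKS) -> dict:
    """Summarise whether the pool is free of overlaps and how many clients it fits."""
    pool_net = ipaddress.ip_network(pool, strict=False)
    overlaps = find_overlaps(pool, networks)
    return {
        "pool": str(pool_net),
        # network and broadcast address are not handed out to clients
        "usable_addresses": max(pool_net.num_addresses - 2, 0),
        "overlaps": overlaps,
        "ok": not overlaps,
    }


if __name__ == "__main__":
    for candidate in ("10.10.50.0/24", "192.168.1.0/24", "10.242.0.0/24"):
        result = check_pool(candidate)
        status = "OK" if result["ok"] else "OVERLAP with " + ", ".join(result["overlaps"])
        print(f"{result['pool']:<18} {result['usable_addresses']:>5} usable  {status}")
```

The third candidate in the usage block, 10.242.0.0/24, is the only one that passes with this inventory; the first sits inside the LAN /16 and the second is a common home network that would break client-side routing for users connecting from home.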

The complete firewall-side process is described in Set up Sophos Firewall SSL VPN Remote Access.

The VPN portal is a publicly accessible entry point. If it must be accessible from the internet, certificate, MFA, country/source restriction, and log review should be consciously planned. For hardening, see Device Access and Local Service ACL on Sophos Firewall.

1. Install OpenVPN Connect

Install OpenVPN Connect from Google Play: OpenVPN Connect.

If another OpenVPN-compatible client is standardised in the environment, this decision should be documented. Problems arise when users use different VPN apps, old profiles, and different instructions in parallel.

For support and operation, it should be determined:

  • which client is supported
  • which app version is at least expected
  • whether users are allowed to install the app themselves
  • how profiles are distributed and withdrawn
  • how lost or replaced devices are handled

2. Open VPN Portal

On the Android device, open the VPN portal of the Sophos Firewall in the browser and log in with the VPN user. In most environments, the normal Android browser or Chrome is sufficient. It is important that the downloaded .ovpn file can subsequently be passed to OpenVPN Connect.

If the VPN portal is opened with an invalid or untrusted certificate, the cause should be resolved. A permanent browser exception is not a good operational standard for productive remote access.

With MFA, the process should be tested with a real test user. In particular, check whether the second factor is requested in a separate field or whether password and OTP code must be entered together in the expected form. The basics are described in Activate MFA for Sophos Firewall WebAdmin, VPN Portal, and Remote Access.

3. Download OVPN Configuration

In the VPN portal, switch to the SSL VPN or VPN area and download the configuration for Android/iOS. Depending on the SFOS version and portal view, the link is called Download configuration for Android/iOS.

The downloaded file usually has the extension .ovpn. This file is user-specific and should not be shared with other users.

Important:

  • The file should come from the current firewall configuration.
  • Old files from email archives, chat histories, or download folders should not be reused.
  • After changes to SSL VPN policy, certificate, gateway, DNS, or user group, the profile should be reloaded.
  • If a user leaves the company or a device is lost, user access, group membership, and profile distribution must be checked.
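
The points above (the profile must come from the current firewall configuration and must be reloaded after changes to gateway, certificate, DNS, or policy) and the split-tunnel or full-tunnel design from the prerequisites can be checked before a profile is handed out. The script below is an added example, not part of this article and not a Sophos tool: it parses the directives in an .ovpn file that matter for a remote access review and compares them with what the administrator expects. The sample profile is a constructed, generic OpenVPN client profile with a placeholder certificate body; the expected gateway name, tunnel mode, and CA hash passed to review_profile() are assumptions for your environment.

```python
"""Inspect a downloaded .ovpn profile before it is distributed or imported.

Added example; not from the Avanet article and not a Sophos tool. The
profile below is a constructed, generic OpenVPN client profile with a
placeholder CA body. Expected gateway, tunnel mode and CA hash are
assumptions to be replaced with the values of your own firewall export.
"""
import hashlib
import re

# Constructed sample profile (generic OpenVPN syntax, placeholder CA body).
SAMPLE_OVPN = """\
client
dev tun
proto udp
remote vpn.example.com 8443
remote-cert-tls server
auth-user-pass
auth-nocache
redirect-gateway def1
dhcp-option DNS 10.10.0.53
dhcp-option DOMAIN corp.example
<ca>
-----BEGIN CERTIFICATE-----
PLACEHOLDER-CA-BODY
-----END CERTIFICATE-----
</ca>
"""

INLINE_BLOCK = re.compile(r"<(\w+)>\s*(.*?)\s*</\1>", re.S)


def parse_ovpn(text: str) -> dict:
    """Extract the directives that matter for a remote access review."""
    profile = {"remotes": [], "proto": None, "full_tunnel": False,
               "dns": [], "domains": [], "auth_user_pass": False,
               "inline_blocks": [], "ca_sha256": None}
    for name, body in INLINE_BLOCK.findall(text):
        profile["inline_blocks"].append(name)
        if name == "ca":
            # Content hash of the embedded CA block; compare it with the
            # current export to detect stale copies from old downloads.
            profile["ca_sha256"] = hashlib.sha256(body.encode()).hexdigest()
    for raw in INLINE_BLOCK.sub("", text).splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()  # drop comments
        if not line:
            continue
        key, *args = line.split()
        if key == "remote" and args:
            port = int(args[1]) if len(args) > 1 else 1194  # OpenVPN default port
            proto = args[2] if len(args) > 2 else None
            profile["remotes"].append((args[0], port, proto))
        elif key == "proto" and args:
            profile["proto"] = args[0]
        elif key == "redirect-gateway":
            profile["full_tunnel"] = True  # all client traffic goes through the tunnel
        elif key == "dhcp-option" and len(args) >= 2:
            if args[0].upper() == "DNS":
                profile["dns"].append(args[1])
            elif args[0].upper() == "DOMAIN":
                profile["domains"].append(args[1])
        elif key == "auth-user-pass":
            profile["auth_user_pass"] = True
    return profile


def review_profile(profile: dict, expected_gateway: str,
                   expected_mode: str, expected_ca_sha256: str = "") -> list:
    """Return human-readable findings; an empty list means the profile matches."""
    findings = []
    hosts = {host for host, _, _ in profile["remotes"]}
    if not hosts:
        findings.append("no 'remote' directive: profile is incomplete")
    elif hosts != {expected_gateway}:
        findings.append(f"remote {sorted(hosts)} does not match expected gateway "
                        f"{expected_gateway}; profile is probably outdated")
    if "ca" not in profile["inline_blocks"]:
        findings.append("no inline <ca> block: the client cannot verify the server certificate")
    elif expected_ca_sha256 and profile["ca_sha256"] != expected_ca_sha256:
        findings.append("embedded CA differs from the current firewall export; reload the profile")
    if not profile["auth_user_pass"]:
        findings.append("auth-user-pass missing: no user login (and no MFA prompt) would occur")
    mode = "full" if profile["full_tunnel"] else "split"
    if mode != expected_mode:
        findings.append(f"profile is {mode} tunnel but design says {expected_mode} tunnel")
    return findings


if __name__ == "__main__":
    current = parse_ovpn(SAMPLE_OVPN)
    # A stale copy from a download folder: old gateway name, split tunnel.
    stale = parse_ovpn(SAMPLE_OVPN.replace("vpn.example.com", "vpn-old.example.com")
                       .replace("redirect-gateway def1\n", ""))
    for label, profile in (("current", current), ("stale", stale)):
        findings = review_profile(profile, "vpn.example.com", "full", current["ca_sha256"])
        print(f"{label}: remotes={profile['remotes']} dns={profile['dns']} domains={profile['domains']}")
        print("  " + ("OK" if not findings else "\n  ".join(findings)))
```

The CA hash is a hash of the text inside the <ca> block, not an X.509 fingerprint; it is enough to tell whether a file on a device still matches the profile the firewall currently exports, which is the question in support cases with old downloads.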

4. Import Profile into OpenVPN Connect

If Android does not automatically offer the import, the .ovpn file can be opened in OpenVPN Connect via the share function or file import. OpenVPN Connect then displays the new profile and asks for permission to create a VPN connection when first set up.

This Android confirmation is necessary for the app to create a VPN connection. If the confirmation is denied, the profile may appear in the app, but the connection cannot be properly established.

With multiple profiles, the name should be clear, for example, with location, environment, or company name. Multiple almost identically named profiles are a common support reason.

5. Establish VPN Connection

Activate the imported profile and log in with the VPN user. If MFA or OTP is active, the second factor must be confirmed according to the firewall configuration.

After a successful connection, it is not enough that the OpenVPN app shows as connected. What matters is whether the planned internal targets are reachable and whether the traffic hits the correct rule on the firewall.

Check After Setup

At least these points should be checked with a test user:

  • OpenVPN Connect shows the connection as connected.
  • Android shows the VPN status in the status bar or network settings.
  • User receives an IP address from the expected SSL VPN pool.
  • Internal DNS names are resolved correctly.
  • Required servers, web applications, or services are reachable.
  • Internet behaviour matches the design: split tunnel or full tunnel.
  • In the Log Viewer, the expected firewall rule for traffic from the VPN zone is visible.
  • MFA is queried as planned.
  • Test connection again after flight mode, WLAN change, or mobile network change.
  • Old profiles have been removed or clearly marked as outdated.

If the connection is established but no access works, the cause is often not with the mobile client but with firewall rules, DNS, routing, or NAT. For analysis, see Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture.

Manual Distribution or MDM?

For a few Android devices, manual import via VPN portal, download folder, and OpenVPN Connect may suffice. As soon as multiple users, managed smartphones, or regular device changes are involved, profile distribution should be consciously planned. Otherwise, old .ovpn files remain in downloads, chats, emails, or private cloud storage and are reused in support cases later.

Variant                                     | Suitable When                                          | What to Watch Out For
--------------------------------------------|--------------------------------------------------------|------------------------------------------------------------------------------------------
Manual Import                               | few devices, pilot group, occasional use               | clear instructions, current profile, MFA test, and removal of old profiles
Distribution via MDM or Endpoint Management | managed Android devices, many users, recurring changes | app deployment, profile version, device loss, withdrawal of old profiles, and support process

The withdrawal is important. When an Android device is replaced, a user leaves, or an SSL VPN policy is changed, it is not enough to provide a new profile. Old profiles, group memberships, stored credentials, and any existing file copies must also be checked.

Operation and Security

Mobile VPN profiles need clear operational rules. Android devices frequently switch between WLAN, mobile networks, hotspots, and captive portals. Additionally, mobile devices are lost more easily and replaced more often than traditional company notebooks.

Good practice:

  • Regularly update OpenVPN Connect.
  • Activate and test MFA for remote access.
  • Regularly check VPN groups.
  • Limit VPN portal access via Device Access and Local Service ACL as much as possible.
  • Keep firewall rules for the VPN zone tight and log them.
  • Remove old .ovpn files and outdated profiles.
  • Consider device changes and lost devices in the support process.
  • Plan for syslog or central evaluation for longer log retention.

For log files and service logs, Sophos Firewall Troubleshooting: Services and Logs is helpful.

Common Errors

OVPN File Cannot Be Opened

First, check if OpenVPN Connect is installed and if the file is indeed an .ovpn. Then download the file again from the VPN portal or pass it to OpenVPN Connect via the share function.

If the file is distributed via MDM, email, or file sharing, it should be checked whether the file was altered, renamed, or blocked along the way.

Import Works, But Connection Does Not

In this case, the Android permission for the VPN configuration is often not properly granted, or the profile does not match the current firewall configuration. Delete the profile, obtain the current .ovpn file again, and re-import it.

Login Fails

Check user, password, MFA, group membership, and authentication server. If AD, RADIUS, or Microsoft Entra ID SSO is involved, authentication should be tested separately from the VPN. A login problem is not automatically an OpenVPN problem.

Connection Established, But Internal Systems Not Reachable

Check DNS, firewall rules, routing, NAT, and return path. In the Log Viewer, traffic from the VPN zone should be visible. If no logs appear, the traffic likely does not reach the expected rule, or logging is disabled.

For individual internal systems, it is often not the VPN itself that is defective, but a missing firewall rule, incorrect DNS name, or a return route in the target network.

If small requests work, but larger file transfers or certain applications hang, MTU/MSS should also be checked: Check Sophos Firewall MTU and MSS for VPN Issues.

Internal Names Not Resolved

Check DNS servers and search domain in the SSL VPN configuration. Then test whether internal systems are reachable by IP address. If IP works but name does not, the cause is likely with DNS, not the VPN connection itself.

Connection Drops on Network Change

For mobile devices, WLAN changes, mobile network changes, captive portals, and power-saving mechanisms are typical causes. Test with a second network and check if the behaviour is reproducible.

If users frequently switch between networks, it should be checked whether the application can handle short VPN interruptions or whether another access model is more suitable.

Checklist

Before Rollout

  • Supported OpenVPN client defined.
  • SSL VPN user group checked.
  • MFA for remote access tested.
  • VPN portal accessible with a valid certificate.
  • Device Access and internet access consciously limited.
  • Firewall rules for VPN zone created and logged.
  • Split tunnel or full tunnel documented.
  • Profile distribution and device change process clarified.

After Import

  • Profile visible in OpenVPN Connect.
  • Android VPN permission confirmed.
  • Connection established with test user.
  • DNS, internal targets, and firewall rule match checked.
  • WLAN, mobile network, and network change tested.
  • Old profiles removed.

In Operation

  • Keep OpenVPN app and Android up to date.
  • Regularly check user groups.
  • Remove old profiles upon exit or device loss.
  • Check VPN logs early in support cases.
  • For recurring mobile problems, consider ZTNA or app-based access.

FAQ

Does Sophos Connect support SSL VPN on Android?

No. Sophos Connect does not directly support Android for IPsec and SSL VPN. An OpenVPN-compatible client is used on Android.

Is it necessary to use OpenVPN Connect?

Not necessarily. However, OpenVPN Connect is a common standard for OpenVPN profiles on Android. If another client is used, it should be clearly documented and supported internally.

Does MFA work with SSL VPN on Android?

Yes, if MFA is correctly set up on the Sophos Firewall for remote access. Depending on the configuration, the second factor is processed during login or via password entry.

Is SSL VPN on Android better than IPsec?

Not universally. SSL VPN is often practical if OpenVPN profiles are already established. For some environments, another remote access design with IPsec, ZTNA, or app-based access may be more suitable.

Why does the connection work, but no internal application?

Then the tunnel is only part of the check. Often, firewall rules, DNS resolution, routing, or return paths are missing. In the Log Viewer, it should be checked whether traffic from the VPN zone hits the expected rule.