@anongfoksrhb
Customer called in regarding possible causes for a tap adapter collisions between Sofos VPN and eCatcher. I am creating a ticket to track this issues, as the customer is waiting a response for Sofos VPN regarding the tap adapter that they are using.
Kevin,
I am following up on the conflicting operation between the eCatcher software and our Sophos VPN client. Please see the message below for details from Sophos.
This looks like a case where you and your colleagues will need to work directly with Sophos on the fix.
I have also attached the e-mail chain between myself and Sophos. Please reply to that message to speak with Sophos support team.
Thank you.
–Matt
Hi Matt,
My name is Kent from Sophos Escalation team. I’ve reviewed the ticket and I would like to make sure we both understand the situation here.
Sophos SSL VPN and eCatcher are both using the open-source OpenVPN based which will have the same public key infrastructure. That is easy to understand they are both using the same VPN adapter and conflict to each other.
If OpenVPN has the feature that you would like to achieve (having both adapters installed) then we can submit a feature request to get Sophos SSL VPN client updated.
For now, this is normal behavior of Sophos SSL VPN (OpenVPN client based). I believe eCatcher will say the exact same what we’re trying to deliver to you.
Regards,
Kent Do
Sophos Technical Support
https://www.sophos.com/en-us/support/contact-support.aspx
Get Product Notifications via SMS - Sophos Mobile Notification Service:
https://sms.sophos.com
Support Knowledge Base: https://community.sophos.com/kb
Follow us on Twitter @SophosSupport
Sophos Community (discussion forums): https://community.sophos.com
SOPHOS - CyberSecurity made simple
Hello Matt,
I will escalate this issue and have our development team review this request.
I will follow up with any updates that i recieve.
Kevin,
Thank you. Keep me posted.
–Matt
Kevin,
Do you have any updates?
–Matt
Kevin,
Checking in to see if you have any updates from your end
This is still an issue that is affecting our business.
–Matt
Hi Matt,
Can you send me the file:
Program Files x86\Sophos\Sophos SSL VPN Client\config\xxxxxxxxxxxx.ovpn
and a screenshot of your Network Adapters, like this:
Sounds like Sophos isn’t properly identifying the adapter in their config file,so we should be able to fix that for you.
Thanks,
Kyle
Kyle,
Sophos and eCatcher are using a stock configuration for OpenVPN. Unique TAP adapter names are not being assigned and each installer is overwriting the other’s
adapter. OpenVPN’s configuration file even warns of this, yet defaults are still used. Sophos has been made aware of this also and it has been escalated to their development group. The proper fix will be assign a unique adapter name, not a one off fix for
me.
Please let me know how you wish to proceed.
–Matt
This is incorrect. We use a unique TAP adapter name and configuration. I think you’re going to need to work with Sophos on this one. Wish we could help you!
Kyle,
What is the name that eWon uses to ID it’s TAP adapter?
–Matt
“Talk2m-eCatcher”
When in the install process are you renaming the TAP adapter from its default value?
Why aren’t you setting the unique name in the Open VPN config ahead of time?
–Matt
It’s being renamed during install and it’s in the .ovpn file:
Kyle,
Please see the video in the link provided:
This shows a recording where the installation and use of both Sophos and eCatcher cause the VPN to stop working and become useless when both pieces of software
are installed.
This is still an issue. I have also sent this video to Sophos for review.
–Matt
eCatcher does not use the default OpenVPN settings. I’ve never used Sophos VPN, but have been told by customers that if you identify the correct TAP adapter in the Sophos .ovpn config you won’t have this problem, for example, by adding:
dev tun
dev-node “Ethernet 3”
and you can avoid installation problems by disabling your TAP adapter during install.
Kyle,
eCatcher does use the default OpenVPN settings during the install, that’s why the Sophos TAP adapter gets over written. The eCatcher TAP instance is renamed
after is it is first installed with the default settings. I have looked through the installation files, I can see what’s going on.
Why do I need to perform additional steps before or after installation? That should all be handled in the eCatcher setup.
–Matt
I have forwarded this info to the developers to review. I am just trying to give you a solution to the problem so that your employees can use both VPNs. Disable the Sophos adapter before installing eCatcher and append the Sophos .ovpn file to specify the adapter to use.
You’ll need to be more specific by what you mean by “default settings.” You are not talking about the .ovpn file settings?
Kyle,
This is a development issue, the default setting that I am speaking about are pasted at the end of this message. The renaming of the TAP adapter (renametap.vbs)
takes place after these defaults have been applied and the damage to the other TAP adapter done.
A unique TAP id needs to be set during the install, not after. Both the eWon and Sophos are guilty of this development blunder by keeping the OpenVPN TAP default
id. The “Note to Developers” spells this out simply.
–Matt
Note to Developers:
;
; If you are bundling the TAP-Windows driver with your app,
; you should try to rename it in such a way that it will
; not collide with other instances of TAP-Windows defined
; by other apps. Multiple versions of the TAP-Windows
; driver, each installed by different apps, can coexist
; on the same machine if you follow these guidelines.
; NOTE: these instructions assume you are editing the
; generated OemWin2k.inf file, not the source
; OemWin2k.inf.in file which is preprocessed by winconfig
; and uses macro definitions from settings.in.
;
; (1) Rename all tapXXXX instances in this file to
; something different (use at least 5 characters
; for this name!)
; (2) Change the “!define TAP” definition in openvpn.nsi
; to match what you changed tapXXXX to.
; (3) Change TARGETNAME in SOURCES to match what you
; changed tapXXXX to.
; (4) Change TAP_COMPONENT_ID in common.h to match what
; you changed tapXXXX to.
; (5) Change SZDEPENDENCIES in service.h to match what
; you changed tapXXXX to.
; (6) Change DeviceDescription and Provider strings.
; (7) Change PRODUCT_TAP_WIN_DEVICE_DESCRIPTION in constants.h to what you
; set DeviceDescription to.
Thanks! I’ll make sure they receive this.