App Support.

We're here to help.

Setting up an OpenVPN server with Sophos XG and Viscosity

This guide will walk you through the steps involved in setting up an OpenVPN server on a Sophos XG host that allows you to securely access your home/office network from a remote location and optionally send all of your network traffic through it so you can access the internet securely as well.

Before using this guide, we highly recommend you read through our Introduction to Running an OpenVPN Server Article.


For this guide, we assume:

  • You have already installed the latest version of Sophos XG (18.0.5 at time of writing)
  • Sophos XG has been set up with at least a WAN interface and a LAN interface
  • You are connected with your client device to the Sophos XG server via its LAN interface during this guide
  • Sophos XG is using the default LAN subnet
  • This installation of Sophos XG is a fresh install
  • You already have a copy of Viscosity installed on your client device

If you need to download and install a copy of Sophos XG, information can be found at We won't be covering the details of setting up a Sophos XG instance. If you are running a different version of Sophos XG, it's very likely that many or even all of the steps outlined in this guide will still apply. If you are looking to setup an OpenVPN server on a different operating system, please check out our other guides.

Your client device needs to be connected to the Sophos XG server via the LAN interface. This is necessary so that you can access the Web Console portal to set up the Sophos XG configuration. The specifics of how you can achieve this depend on your particular network configuration.

If you don't have a copy of Viscosity already installed on your client machine, then please check out this setup guide for installing Viscosity (Mac | Windows).


Unfortunately we cannot provide any direct support for setting up your own OpenVPN server. We provide this guide as a courtesy to help you get started with, and make the most of, your copy of Viscosity. We've thoroughly tested the steps in this guide to ensure that, if you follow the instructions detailed below, you should be well on your way to enjoying the benefits of running your own OpenVPN server.

Sophos offer technical documentation for XG at

Getting Started

First you need to log in to the Web Console portal from your client device connected to the LAN interface of the Sophos XG server. Open a browser on your client and navigate to the IP address of the LAN interface of your Sophos XG server, by default. You will need to login. The password for the admin user should have been configured when you set up your Sophos XG instance.

Create Group & Users

If you are not using an authentication system, you will need to create a group for SSL VPN access and add users.

Add Group

  1. On the side bar, click Authentication under the CONFIGURE heading.
  2. In the Groups tab, click Add.
  3. Set the Group name to SSL VPN.
  4. Set Surfing Quota to Unlimited Internet Access.
  5. Set Access time to Allowed all the time.
  6. Click Save.

Add User

  1. While still in the Authentication menu, click the Users tab, then click Add.
  2. Fill in a User name, Name, Password and Email.
  3. Set Group to SSL VPN.
  4. When you are done, click Save.

User Services

  1. While still in the Authentication menu, click the Services tab.
  2. Scroll down to SSL VPN authentication methods and ensure Local is set as the Selected authentication server.

Setup Network Access

Next we need to setup our subnets for use through the rest of this guide with the VPN server and firewall. We will use the default IP addresses that Sophos XG assigns.

Local Area Network

If you already have a Local Area Network IP Host set, you can skip to the next heading.

  1. On the side bar, click Hosts and services under the SYSTEM heading.
  2. In the IP host tab, click Add.
  3. Set the Name to Local Area Network.
  4. Set the Type to Network.
  5. Set the IP address to and Subnet to /24 (
  6. When you are done, click Save.

VPN Network

  1. While still in the Hosts and services menu, in the IP host tab, click Add.
  2. Set the Name to SSL VPN Network.
  3. Set the Type to Network.
  4. Set the IP address to and Subnet to /24 (
  5. When you are done, click Save.

Firewall & ACL

Next we need to setup the firewall and ACLs for access. We will only setup access for the VPN to LAN.


  1. On the side bar, click Firewall under the PROTECT heading.
  2. Click + Add firewall rule then User/network rule in the dropdown that appears.
  3. Set Rule name to VPN to LAN
  4. Set Rule group to None
  5. Set Source zones to VPN
  6. Set Source networks and devices to SSL VPN Network
  7. Set Destination zones to LAN
  8. Set Destination networks to Local Area Network
  9. When you are done, click Save.


  1. On the side bar, click Administration under the SYSTEM heading.
  2. Click the Device access tab.
  3. Under Local Service ACL, ensure SSL VPN is ticked in the WAN row, you may also wish to tick this for LAN and WiFi if you want to connect locally.
  4. Ensure DNS is ticked under the VPN row, we also recommend ticking Ping/Ping6.
  5. Ensure User Portal is ticked under the LAN and WiFi rows.
  6. Click Apply.

Setup VPN Server

Finally, we can setup the SSL VPN server which Viscosity can connect to.

VPN Settings

  1. On the side bar, click VPN under the CONFIGURE heading.
  2. Up the top right, click Show VPN settings and then select the SSL VPN tab. We recommend changing the following:
  3. Set Protocol to UDP
  4. Set IPv4 DNS to
  5. Set Encryption algorithm to AES-256-CBC
  6. Untick/Turn off Compress SSL VPN Traffic
  7. When you are done, click Save.


  1. While still in the VPN menu, in the SSL VPN (remote access) tab, click Add.
  2. Set the Name
  3. Set Policy members' to SSL VPN
  4. Set Permitted network resources (IPv4) to Local Area Network
  5. When you are done, click Apply.

At this point we are finished with the server setup. As we have changed so much, we highly recommend restarting your Sophos XG by going to the user drop down up the top right and selected Reboot device.

Setting Up Viscosity

To connect to our OpenVPN server, we need to download the client configuration for our user. On the client machine:

  1. Open a browser and navigate to
  2. Enter the Username and Password for the user and log in.
  3. Click on the SSL VPN tab on the left.
  4. Click on the Download configuration for other OSs link.
  5. It should download a file called "username__ssl_vpn_config.ovpn".

Import this file into Viscosity and you will be able to connect straight away!

(Optional) Allowing Access to the Internet

By default the VPN connection will allow access to the file server and other computers on the home/office (LAN) network. However if you also wish to have all internet traffic sent through the VPN connection it's necessary to make a final edit to the connection:

  1. Double-click on your connection in the Viscosity Preferences window to open the connection editor
  2. Click on the Networking tab.
  3. Click the "All Traffic" drop down and select the "Send all traffic over VPN connection" option. It is not necessary to enter a Default Gateway.
  4. Click the Save button.

You will also need to add a new firewall rule on your Sophos XG. Simply follow the Firewall heading above, except set the Destination Zones to WAN instead of LAN and Destination networks to Any.