Make sure to download the Sophos UTM installer ISO, version 9.6 or higher. Create a Proxmox VM with 4 GB RAM, 2 CPU cores and a 30 GB SSD. Configure an Intel e1000 network adapter (eth0) connected to the external bridge, vmbr0. This is the connection to the outside world. After the hardware wizard is complete, add a secondary network adapter (eth1) of the same type, connected to vmbr1. This is the LAN switch.
Note that the installation is roughly the same if you opt to use pfSense instead of Sophos UTM, with one external interface and one internal.
The console tab of the Proxmox VM acts as the display; it is a VNC-based view of the VM.
Select eth1 for WebAdmin interface.
Configure the LAN ip for the firewall:
Address: 10.0.5.1 Netmask: 255.255.255.0 Gateway: [blank]
Select the 64-bit kernel and "install all capabilities", and start the partitioning process. When the installer is ready to reboot, unmount the ISO in Proxmox and proceed.
After the reboot, set up a temporary VM with default settings and attach its network interface to vmbr1 (our LAN switch). Since the firewall expects a machine to connect from the LAN side to complete the configuration, we boot a temporary machine for that. Mount an Ubuntu live CD (for example) and boot into the live environment. Configure the LAN interface with a manual IP in the same range as we set up during the Sophos installation.
Once the network configuration is complete, it should be possible to open the firewall's WebAdmin interface in Firefox over HTTPS on port 4444:
Set up the WAN interface of the firewall with your external IP address (NOT the same as the Proxmox external IP).
Complete the configuration and allow HTTP/HTTPS traffic, terminal services, etc. Enable the DHCP server with a range of 10.0.5.100 to 10.0.5.200, for example.
Skip the license file upload for now. You have 30 days to register an account with Sophos for a free private-use (max 50 IPs) license. This is one of those registrations that is actually worth the effort.
After the configuration is completed it can take a few minutes and/or a reboot before the Ubuntu VM is able to access the internet.
After the FreeIPA server has been set up it can be used for authentication on the firewall, including for incoming VPN connections.
Add a low-privilege account to use as the bind user. An account named "binduser" with no group memberships should suffice. Set the user's login shell to /usr/sbin/nologin to ensure it cannot be used for interactive login.
On the Sophos UTM interface go to Definitions & Users->Authentication Service->Servers->New Authentication Server
Select the LDAP backend. Add the FreeIPA server (no SSL) and leave the port at 389. Set the Bind DN to:
Enter the password for the binduser.
Set the User attribute to UID and the Base DN to:
To create a Sophos group based on FreeIPA group membership, go to Definitions & Users->Users & Groups->Groups->New Group
Group name: firewallusers
Group type: Backend membership
Backend: LDAP
Check an LDAP attribute: (x)
Attribute: memberOf
Value: cn=firewallusers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
Test authentication with a known good user from FreeIPA.
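Before the firewall is pointed at the directory, the same bind and memberOf lookup can be rehearsed from the Ubuntu VM with ldapsearch. This is an added example, not part of the original guide; it assumes FreeIPA's default tree (users under cn=users,cn=accounts), so the bind DN, base DN and the ipa.lan.example.com hostname are assumptions, while the suffix and group DN come from the group definition above.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight check that the
# FreeIPA bind user and memberOf attribute behave the way the Sophos UTM LDAP
# backend expects. Needs ldap-utils (ldapsearch) on the LAN-side VM.
set -u

# Assumptions, not stated on the page: FreeIPA's default tree layout.
IPA_HOST="${IPA_HOST:-ipa.lan.example.com}"              # assumed hostname
SUFFIX="dc=lan,dc=example,dc=com"                        # from the group DN on the page
BIND_DN="uid=binduser,cn=users,cn=accounts,$SUFFIX"      # assumed bind DN
BASE_DN="cn=accounts,$SUFFIX"                            # assumed base DN
GROUP_DN="cn=firewallusers,cn=groups,cn=accounts,$SUFFIX"

# LDIF folds long values onto continuation lines that start with one space;
# long memberOf DNs hit this, so rejoin them before matching.
unfold_ldif() {
  awk '/^ / { printf "%s", substr($0, 2); next }
       NR > 1 { printf "\n" } { printf "%s", $0 }
       END { printf "\n" }'
}

# has_member_of LDIF GROUP_DN: succeed if the entry lists GROUP_DN in memberOf.
# DNs compare case-insensitively, hence grep -i.
has_member_of() {
  printf '%s\n' "$1" | unfold_ldif | grep -qi "^memberOf: ${2}\$"
}

# check_user USERNAME: bind with the credentials Sophos will use (-x is a
# simple bind, -W prompts for the binduser password) and fetch the user's
# memberOf values. The page uses plain ldap:// on 389; add -ZZ to require
# StartTLS if the directory offers it.
check_user() {
  ldif=$(ldapsearch -LLL -x -H "ldap://$IPA_HOST:389" -D "$BIND_DN" -W \
           -b "$BASE_DN" "(uid=$1)" memberOf) || return 2
  has_member_of "$ldif" "$GROUP_DN"
}

# Constructed sample of ldapsearch -LLL output for a member, with the second
# DN folded the way LDIF wraps long values.
SAMPLE_MEMBER='dn: uid=alice,cn=users,cn=accounts,dc=lan,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com
memberOf: cn=firewallusers,cn=groups,cn=accounts,dc=lan,dc=example,dc
 =com'
SAMPLE_NONMEMBER='dn: uid=bob,cn=users,cn=accounts,dc=lan,dc=example,dc=com
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=lan,dc=example,dc=com'

# Usage: ./ipa_check.sh USERNAME  (no argument: only the functions are defined)
if [ "$#" -gt 0 ]; then check_user "$1" && echo "$1 is in firewallusers"; fi
```

A non-zero exit from check_user with no output means the bind itself failed, which is the same condition Sophos reports as an authentication server error.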
Change the port from 443 to 1443.
Remote Access->SSL->Profile->New Remote Access Profile
Name: Gaming
Users and Groups: firewallusers
Local Networks: Internal (network)
Automatic Firewall Rules: (x)
Definitions & Users->Users & Groups->Users
New users->Username: [LDAP user in the relevant group]
Authentication: remote
[Save]
Tick the new remote user, open the "Action" dropdown above the list and select "Download SSL VPN Packages". Select the package for the other OS type. Extract the archive and save the .ovpn file.