Utilizing Sophos SSL VPN / OpenVPN Startup Scripts

I’m travelling and can’t access my network drives! 😡

Have you heard this sentence from angry users? Do you still put the infamous ‘mapping.cmd’ or ‘NetworkDrives.bat’ on your users’ desktops, only for them to forget about it regularly? Do you want to automate everything that can be automated?

Then you have come to the right place. I want to show you how I set up automatic drive mapping, which obstacles I had to deal with, and get you on the right track. You can adapt the steps in this post to any OpenVPN-based VPN client, not just the Sophos SSL client.

If you have done some research on this topic and tried to make it work, you have probably stumbled upon various posts in the Sophos community, among other places. Some say it suffices to create a file in your config folder with the same name as the VPN configuration file, followed by the suffix ‘_up.bat’, and to put your script in it.

This is the corresponding path for Sophos: C:\Program Files (x86)\Sophos\Sophos SSL VPN Client\config

[Screenshot: SSL-VPN-Config-File-02]

That is far from enough. In my tests I ran into several issues; to be exact, I experienced:

  • Scripts get executed too early in the connection process
  • Automatic creation of ‘_up.bat’ files
  • Timeout issues
  • Script freezes until you press any button in the command prompt
  • Issues with PowerShell logon script execution for users who connect via VPN most of the time, since establishing the VPN connection before Windows logon is not possible

I believe I tackled the above issues – here is how.

Create the startup script

Here, I want to make sure that users see their network drives as soon as possible after they log in to the company’s VPN and not rely on the group policy background processing mechanism of Windows.

So instead of listing all the net use commands for the file shares, it is easier to just run gpupdate:

@echo off
echo :: :: :: :: :: :: :: :: :: :: ::
echo Waiting until the VPN connection is established successfully
REM Give the tunnel and its routes a few seconds to come up before touching the network
timeout 10
echo :: :: :: :: :: :: :: :: :: :: ::
REM Drop cached DNS answers so internal names resolve via the DNS servers pushed by the VPN
ipconfig /flushdns
echo :: :: :: :: :: :: :: :: :: :: ::
echo The network drive connection is being established now, please wait
echo :: :: :: :: :: :: :: :: :: :: ::
REM Refresh group policy; the drive mapping preferences are applied as part of this
gpupdate
exit

Testing

When I first tested the above script, I noticed that the VPN client pauses the connection attempt until the script has finished executing, so the gpupdate command never runs on the VPN network.
That was not the expected behavior, since I had read that ‘_up’ scripts are supposed to run only once the connection is up.

So I renamed the above file to init.bat and just let the _up-script call the first script:

[Screenshot: SSL-VPN-init]

Automating the above using PowerShell

The process should be automatic, independent of the number of VPN profiles on the system. The following script does just that:

# Folder in which the Sophos client stores its .ovpn profiles (32-bit client on 64-bit Windows)
$configDir = "${env:ProgramFiles(x86)}\Sophos\Sophos SSL VPN Client\config"
# Contents of every <profile>_up.bat: hand off to init.bat in a minimized window
$Script = "@echo off`r`nstart /MIN init.bat"

Get-ChildItem -Path $configDir -Filter *.ovpn -File -Recurse | ForEach-Object {
    # Place the _up.bat next to the .ovpn profile it belongs to
    $upScript = Join-Path -Path $_.DirectoryName -ChildPath ($_.BaseName + "_up.bat")
    if (!(Test-Path $upScript)) {
        New-Item -Path $upScript -ItemType File -Value $Script -Force
    }
}
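As an added example that is not part of the original post, here is a more defensive version of the same automation. It writes init.bat (with the contents shown earlier) and one _up.bat per .ovpn profile, leaves files that already exist alone and warns when their contents differ from what it would write, supports -WhatIf, and warns when the config folder grants write access to broad groups, because whatever sits in a _up.bat runs automatically on every connect. The path, file names and script contents come from the post; the function names and the decision to only look in the config folder itself (the _up.bat refers to init.bat by a relative name) are my assumptions.

```powershell
# Added example, not the post's own script. Run elevated for the Program Files path.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ConfigDir = "${env:ProgramFiles(x86)}\Sophos\Sophos SSL VPN Client\config"
)

# init.bat contents from the post; line endings normalised to CRLF for cmd.exe
$initContent = @"
@echo off
echo Waiting until the VPN connection is established successfully
timeout 10
ipconfig /flushdns
echo The network drive connection is being established now, please wait
gpupdate
exit
"@ -replace "`r?`n", "`r`n"

# <profile>_up.bat only hands off to init.bat in a minimized window
$upContent = "@echo off`r`nstart /MIN init.bat"

function Test-WritableByStandardUsers {
    param([string]$Path)
    # Allow ACEs that grant write-type rights to broad groups mean non-admins
    # could change what runs at connect time; return the offending identities.
    $broad = '^(BUILTIN\\Users|NT AUTHORITY\\Authenticated Users|Everyone)$'
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match $broad -and
        ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
    } | ForEach-Object { $_.IdentityReference.Value }
}

function Set-ScriptFile {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path, [string]$Content)
    if (Test-Path -LiteralPath $Path) {
        # Never overwrite silently: report drift, keep the existing file
        $existing = Get-Content -LiteralPath $Path -Raw
        if ($existing -ne $Content) {
            Write-Warning "$Path exists with different contents; leaving it untouched"
        } else {
            Write-Verbose "$Path already up to date"
        }
        return
    }
    if ($PSCmdlet.ShouldProcess($Path, 'Create script file')) {
        # -NoNewline keeps the file byte-for-byte equal to $Content for the drift check
        Set-Content -LiteralPath $Path -Value $Content -NoNewline -Encoding Ascii
    }
}

if (-not (Test-Path -LiteralPath $ConfigDir)) {
    throw "Config folder not found: $ConfigDir"
}

$writable = Test-WritableByStandardUsers -Path $ConfigDir
if ($writable) {
    Write-Warning "Config folder grants write access to: $($writable -join ', ')"
}

Set-ScriptFile -Path (Join-Path $ConfigDir 'init.bat') -Content $initContent
Get-ChildItem -LiteralPath $ConfigDir -Filter *.ovpn -File | ForEach-Object {
    $upScript = Join-Path $_.DirectoryName ($_.BaseName + '_up.bat')
    Set-ScriptFile -Path $upScript -Content $upContent
}
```

Running it with -WhatIf -Verbose first shows which files would be created and which already match, which makes it safe to re-run from a deployment tool whenever a new profile is rolled out.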

More issues

While testing I noticed that the mapping failed most of the time, and I found errors in the log file related to script timeouts. The default timeout is 15 seconds and can be changed: adjust the value of ‘connectscript_timeout’ under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\OpenVPN-GUI, up to a maximum of 99.

Almost there…

When you have QuickEdit mode enabled, processing of scripts will freeze if you select anything inside the command prompt. This is what I’m talking about:

[Screenshot: QuickEdit Mode]

At first, I tried starting the script minimized (start /MIN init.bat), but learned that curious users will click the opened command prompt to see what’s happening. And if they click inside the command prompt, execution pauses:

[Screenshot: QuickEditDemo: To continue, press any key after selecting inside the command prompt]

To quickly disable this feature for all users, create a user GPO that sets the ‘QuickEdit’ value under HKEY_CURRENT_USER\Console to 0.

I guess there is another way. If the value ‘show_script_window’ does what its name says, you can set it to 0 (see the registry screenshot above) and hide the script window entirely. If you want to show users what’s happening, this might not be an option.
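The three registry settings discussed above (the connect-script timeout, show_script_window and the console QuickEdit flag) as one script, added here as an example and not taken from the post. It clamps the timeout to the 1 to 99 range the OpenVPN GUI accepts, records the previous value of each setting so the change can be logged or rolled back, and supports -WhatIf. The registry paths and value names come from the post; the function name, the DWORD value type and the defaults are my assumptions. The QuickEdit change applies to the current user only; the user GPO from the post is the fleet-wide equivalent.

```powershell
# Added example, not from the post. Run elevated for the HKLM part.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Seconds the OpenVPN GUI waits for the connect script; the GUI caps this at 99
    [ValidateRange(1, 99)] [int]$ConnectScriptTimeout = 60,
    # 1 shows the script window so users see progress, 0 hides it
    [ValidateSet(0, 1)]    [int]$ShowScriptWindow = 1,
    # Turn off console QuickEdit for the current user so a stray click cannot pause the script
    [switch]$DisableQuickEdit
)

$guiKey     = 'HKLM:\SOFTWARE\Wow6432Node\OpenVPN-GUI'
$consoleKey = 'HKCU:\Console'

function Set-RegistryDword {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path -LiteralPath $Key)) {
        throw "Registry key not found: $Key (is the OpenVPN GUI based client installed?)"
    }
    # Capture the previous value (null if the value does not exist yet)
    $old = (Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($PSCmdlet.ShouldProcess("$Key\$Name", "Set to $Value (was: $old)")) {
        Set-ItemProperty -LiteralPath $Key -Name $Name -Value $Value -Type DWord
    }
    # Return a record of the change for logging or rollback
    [pscustomobject]@{ Key = $Key; Name = $Name; Old = $old; New = $Value }
}

$changes = @()
$changes += Set-RegistryDword -Key $guiKey -Name 'connectscript_timeout' -Value $ConnectScriptTimeout
$changes += Set-RegistryDword -Key $guiKey -Name 'show_script_window'    -Value $ShowScriptWindow
if ($DisableQuickEdit) {
    $changes += Set-RegistryDword -Key $consoleKey -Name 'QuickEdit' -Value 0
}
$changes
```

Because the previous values are returned as objects, piping the output to Export-Csv gives you a record of what each machine looked like before the change, which is handy when a user later reports a console that behaves differently.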

As I mentioned earlier, there was still an issue with PowerShell script execution for users who only ever log on using VPN after the cached Windows logon. In those cases, logon script execution does not work.
This solution will be part of a separate blog post which I will link here. Stay tuned. 🧐



3 thoughts on “Utilizing Sophos SSL VPN / OpenVPN Startup Scripts”

  1. Hi Kevin,
    Nice work.
    I tried following but can't get scripts to run after connection.
    Any chance I could get the scripts from you so I can test?

  2. So, what I have is the _up.bat which has “call init.bat” in it.
    Then init.bat runs a PowerShell script to create a folder and do gpupdate.
    But it runs the powershell script before I get the green light.

    • Hi Kevin,
      Thanks! You can find all the scripts in this post. The only difference is that I use “start /MIN init.bat” (see the PowerShell script which creates the _up.bat). That shouldn’t make a difference though.
      Can you post the relevant log extract from your VPN software where you can see the connection attempt and when the scripts are started? I’ll be happy to hear from you, even if you already found a solution.
