How to connect local and remote services with a fixed DNS name?
Posted: Fri Apr 07, 2017 8:20 pm
I have set up a VPN with basically three networks:
Network A
* only servers with the OpenVPN server
Network B
* office network with servers and users (each server and client has an OpenVPN client)
Network Cx
* one user with an OpenVPN client, e.g. somewhere in a public WLAN or home office
Some users use both the company office B and other networks outside Cx. To make access to servers (here Samba servers and WebDAV file servers) easier, the clients are configured to use fixed DNS names like server1.vpn.company.tld. Typically server1.vpn.company.tld resolves to a VPN IP address like 10.50.5.1. But there is a problem in Network B. Users do not want to access a local server server1 over VPN, because this is very slow compared with the local Gigabit access. I solved this problem with a Bind DNS view, which resolves server1.vpn.company.tld to a local IP address like 192.168.5.1. To make the Bind DNS view work, the client IP must be in a special IP range. So for instance 10.50.5.1 to 10.50.5.126 can be configured for VPN users in Network B and 10.50.5.129 to 10.50.5.254 for VPN users in Network Cx.
To make this work, I gave each user two certificates, one username and two OpenVPN profiles, with two entries in /etc/openvpn/ccd/. The entry in /etc/openvpn/ccd/ is chosen by the CN of the certificate, so I have two entries for each user. Everything works fine if the user uses the right certificate and profile in the OpenVPN client.
My question is whether this could be done more elegantly.
(Currently the network setup is changing and I have to distribute new OpenVPN profiles and add missing certificates to smartcards. The setup idea probably does not scale very well if more and more networks should be integrated. The number of certificates per smartcard is also limited. I already tried to give multiple IP addresses to each server in Bind. This works for web services, but Samba clients, for instance, only try to connect to the first (local) IP address.)
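The split-horizon setup the post describes, written out as an added example (these are not the poster's own files): the zone name, address ranges and the two-CNs-per-user scheme follow the post; the file paths, the `topology subnet` server setting, the example CNs and the pinned addresses are assumptions.

```conf
# --- /etc/openvpn/server.conf (assumed excerpt) ---
# Per-client settings are looked up in client-config-dir by the certificate CN.
topology subnet
server 10.50.5.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
# Clients must resolve vpn.company.tld via the VPN-side Bind so that the query's
# source address is the client's VPN address, which is what the views match on.
push "dhcp-option DNS 10.50.5.1"

# --- /etc/openvpn/ccd/alice-office   (CN of the "office" certificate, assumed) ---
# Pinned into the lower half of the range: Bind's "office" view matches it.
ifconfig-push 10.50.5.10 255.255.255.0

# --- /etc/openvpn/ccd/alice-roaming  (CN of the "roaming" certificate, assumed) ---
# Pinned into the upper half of the range: Bind's "remote" view matches it.
ifconfig-push 10.50.5.140 255.255.255.0

# --- /etc/bind/named.conf.local (assumed) ---
# A view is selected by the query's source address; the first matching view wins,
# so the two ranges must not overlap.
view "office" {
    match-clients { 10.50.5.0/25; };       # 10.50.5.1 - 10.50.5.126 (Network B users)
    zone "vpn.company.tld" {
        type master;
        # zone file with: server1  IN A  192.168.5.1  (local Gigabit path)
        file "/etc/bind/db.vpn.company.tld.office";
    };
};

view "remote" {
    match-clients { 10.50.5.128/25; };     # 10.50.5.129 - 10.50.5.254 (Network Cx users)
    zone "vpn.company.tld" {
        type master;
        # zone file with: server1  IN A  10.50.5.1  (reachable only through the tunnel)
        file "/etc/bind/db.vpn.company.tld.remote";
    };
};
```

Because the view choice rests entirely on the source address, the address pinning in ccd is the security-relevant part: a client whose CN has no ccd entry gets a pool address and lands in whichever view that address falls into, so keep the pinned addresses out of the dynamic pool and check which view a client actually hits with `dig @<bind-vpn-ip> server1.vpn.company.tld` from both profiles.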