How to connect local and remote services with a fixed DNS name?

bjoernv
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 07, 2017 7:55 pm

How to connect local and remote services with a fixed DNS name?

Post by bjoernv » Fri Apr 07, 2017 8:20 pm

I have setup a VPN with basically three networks:

Network A
* only servers with the OpenVPN server

Network B
* office network with servers and users (each server and client has an OpenVPN client)

Network Cx
* one user with an OpenVPN client, e.g. somewhere in a public WLAN or home office

Some users use both the company office B and other networks outside Cx. To make access to servers (here Samba servers and WebDAV file servers) easier, the clients are configured to use fixed DNS names like server1.vpn.company.tld. Typically server1.vpn.company.tld resolves to a VPN IP address like 10.50.5.1. But there is a problem in Network B. Users do not want to access a local server server1 over VPN, because this is very slow compared with the local Gigabit access. I solved this problem with a Bind DNS view, which resolves server1.vpn.company.tld to a local IP address like 192.168.5.1. To make the Bind DNS view work, the client IP must be in a special IP range. So for instance 10.50.5.1 to 10.50.5.126 can be configured for VPN users in Network B and 10.50.5.129 to 10.50.5.254 can be configured for VPN users in network Cx.

To make this work, I gave each user two certificates, one username and two OpenVPN profiles. The entry in /etc/openvpn/ccd/ is chosen by the CN of the certificate, and I have two entries in /etc/openvpn/ccd/ for each user. Everything works fine if the user uses the right certificate and profile in the OpenVPN client.

My question is whether this could be done more elegantly.
(Currently the network setup is changing and I have to distribute new OpenVPN profiles and add missing certificates to smartcards. And the setup idea probably does not scale very well if more and more networks are to be integrated. The number of certificates per smartcard is also limited. I already tried giving multiple IP addresses for each server in Bind. This works for web services, but for instance Samba clients only try to connect to the first (local) IP address.)

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to connect local and remote services with a fixed DNS name?

Post by TinCanTech » Sat Apr 08, 2017 5:51 pm

bjoernv wrote:My question is, if this could be done more elegant.
Probably .. but what does that have to do with openvpn ?

bjoernv
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 07, 2017 7:55 pm

Re: How to connect local and remote services with a fixed DNS name?

Post by bjoernv » Sun Apr 09, 2017 12:04 pm

TinCanTech wrote:Probably .. but what does that have to do with openvpn ?
So for instance, if there were an alternative way to select the per-user settings file in /etc/openvpn/ccd, for instance based on a parameter, I would not have to distribute new certificates stored on a smart card for each new network and each new user. Currently I only see two alternatives: 1) selection based on the certificate CN (default) and 2) selection based on the username (parameter username-as-common-name).

But you are right. I am not necessarily searching for a direct OpenVPN solution. Firewall-, routing- or nameserver-based solutions are also welcome.

ronaldinho
OpenVpn Newbie
Posts: 15
Joined: Mon Apr 03, 2017 8:44 am

Re: How to connect local and remote services with a fixed DNS name?

Post by ronaldinho » Mon Apr 10, 2017 10:12 am

TinCanTech wrote:
bjoernv wrote:My question is, if this could be done more elegant.
Probably .. but what does that have to do with openvpn ?
Agreed

bjoernv
OpenVpn Newbie
Posts: 8
Joined: Fri Apr 07, 2017 7:55 pm

Re: How to connect local and remote services with a fixed DNS name?

Post by bjoernv » Mon Apr 10, 2017 12:52 pm

I took a look at the OpenVPN 2.4.1 source code. It seems that the server only takes the certificate CN or the username to find the settings file in /etc/openvpn/ccd. This leads me back to the existing solution. Other solutions may need source code modifications. For instance a suffix for the username would be interesting: a user mayer could have multiple profiles with the username "mayer+office" (for usage in network "office") or "mayer+outside" (for usage somewhere on the Internet). Based on the username, there can be two settings files /etc/openvpn/ccd/mayer+office and /etc/openvpn/ccd/mayer+outside. To make this work, I need the setting "username-as-common-name" and a modification in the OpenVPN PAM module. The result is not much better than my current solution. I would not need to create new certificates on smartcards, but everything else.

Btw, I tested several services with sorted IPs in DNS (e.g. 192.168.1.10 (LAN) and 10.99.1.10 (VPN) for the same server server.vpn.company.tld). Only half of the tested clients can connect from outside, where only the VPN address works. This is caused by sloppily programmed clients (they only try to connect to the first IP), but it is the reality. For instance Firefox works with HTTP servers, but the Windows 10 WebDAV module and SMB client fail. As a result the sorted IPs in DNS are unusable for many clients.
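The thread so far only considers the two ways OpenVPN picks a ccd file (certificate CN or username). A third hook that needs no source changes and no second certificate is the server's `client-connect` script: OpenVPN runs it after authentication with the client's source address in the `trusted_ip` environment variable, the CN (or username, with `username-as-common-name`) in `common_name`, and a temporary file path as the first argument, and any directives written to that file are applied to the client just like a ccd entry. The script below is an added example written for this thread, not code from the posters or from the OpenVPN project. It assumes `script-security 2` and `topology subnet` in server.conf, that office clients reach the server from 192.168.5.0/24 or a NAT address 203.0.113.10 (both constructed values), and a constructed per-user index table; it places office clients in 10.50.5.1-126 and roaming clients in 10.50.5.129-254, the two ranges the Bind views in the first post already key on.

```python
#!/usr/bin/env python3
"""OpenVPN --client-connect hook: assign the VPN address from the office pool
or the roaming pool depending on where the connection comes from.

Added example for this thread, not part of OpenVPN. Assumed server.conf lines:
    script-security 2
    topology subnet
    client-connect /etc/openvpn/pick-pool.py
OpenVPN supplies $trusted_ip (authenticated client's source address),
$common_name (certificate CN, or username with username-as-common-name) and
argv[1] (temporary file whose directives are applied to this client).
"""
import ipaddress
import os
import sys

# Pools from the thread: office clients in the low half, roaming clients in
# the high half, so Bind `match-clients` can distinguish them by source IP.
VPN_NET = ipaddress.ip_network("10.50.5.0/24")
OFFICE_BASE = 0        # 10.50.5.1 .. 10.50.5.126
ROAMING_BASE = 128     # 10.50.5.129 .. 10.50.5.254
NETMASK = "255.255.255.0"

# Source networks that count as "inside the office" (constructed values).
OFFICE_SOURCES = [
    ipaddress.ip_network("192.168.5.0/24"),
    ipaddress.ip_network("203.0.113.10/32"),
]

# Stable per-user host index (1..126) so a user keeps the same host part in
# whichever pool applies. Constructed table; unknown CNs are rejected.
USER_INDEX = {
    "mayer": 10,
    "schmidt": 11,
}


def is_office_source(addr):
    """True if the client's source address lies in one of the office networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False   # missing or malformed: treat as outside, the safe default
    return any(ip in net for net in OFFICE_SOURCES)


def pick_address(common_name, trusted_ip):
    """VPN address for this client, or None if the client should be rejected."""
    index = USER_INDEX.get(common_name)
    if index is None or not 1 <= index <= 126:
        return None
    base = OFFICE_BASE if is_office_source(trusted_ip) else ROAMING_BASE
    return str(VPN_NET.network_address + base + index)


def client_config_lines(common_name, trusted_ip):
    """Directives to apply to the client, in the same syntax as a ccd file."""
    addr = pick_address(common_name, trusted_ip)
    if addr is None:
        return None
    return [f"ifconfig-push {addr} {NETMASK}"]


def main():
    common_name = os.environ.get("common_name", "")
    trusted_ip = os.environ.get("trusted_ip", "")
    lines = client_config_lines(common_name, trusted_ip)
    if lines is None:
        print(f"rejecting {common_name!r} from {trusted_ip}", file=sys.stderr)
        return 1   # non-zero exit makes OpenVPN disconnect the client
    with open(sys.argv[1], "w") as f:
        f.write("\n".join(lines) + "\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

Two caveats for anyone adapting this. `trusted_ip` classifies by where the packet came from, not by who the user is, so a laptop on the office Wi-Fi counts as "office" and a user behind the same NAT as the office would too; that is the right behaviour for the fast-path problem in this thread, but it is not an authorization decision. And addresses handed out with `ifconfig-push` should not overlap the server's own `ifconfig-pool` range, otherwise the pool can allocate the same address to another client.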

ronaldinho
OpenVpn Newbie
Posts: 15
Joined: Mon Apr 03, 2017 8:44 am

Re: How to connect local and remote services with a fixed DNS name?

Post by ronaldinho » Tue Apr 18, 2017 1:33 pm

I think the best way is with a modification of the OpenVPN PAM module. On a slightly related note, be really careful with the security settings. I was doing some reading about DNS here, and if you're not careful hackers can easily bypass your security. Other than that I hope it all works out for you.
