Need persistent server hostname

[bsh]

Hello,
sorry for being noob here, but I've been googling for so long and found so many different solutions and guides about this problem, that it completely does my head in and just confuses me instead of helping
I have an "allrounder" standalone server at the office, running many many services by itself (emails/postfix/imap, webserver, samba (with AD), ftp, ssh, etc.) - and now OpenVPN. OS is Ubuntu 18.04. It is behind an old cheap router, in a subnet with the office computers it serves.
The entire "ecosystem" relies on the server's name (hostname and netbios name are the same): windows clients attach samba shares via "\\servername\sharename" URLs, many files are linked to in excel tables that way, scripts use that, email clients acces the local imap server as "servername:143", and send emails through local postfix which is again referred to by the servername. Etc.
Now, when I connect to the server with a windows client using the OpenVPN GUI, the connection works, but there's no name resolution at all. (I'm using dnsmasq on the server itself). Internet does not work over the VPN either but that is actually right so.
I can access samba and its shares through "\\10.8.0.1\", and send emails through postfix if I use the 10.8.0.1 IP instead of the server name, etc.

My goal is: the server should be referred to or accessed by the same hostname, regardless of wheter the user is in the office and connects to the network locally, or is at home and connects to the server via oVPN, seamlessly, without having to reconfigure anything.
So I guess a simple client side hostfile hack is not possible.

I'm really not sure about the whole routing and ip forwarding and so on. I tied them but probably wrong. I'm also reading something about this being a resolved bug on ubuntu 18.?

Any kind help is appreciated.

View OriginalServer conf

port 2194
proto udp4
dev tun
ca ca.crt
cert servername.crt
key servername.key # This file should be kept secret
dh dh2048.pem
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "dhcp-option DNS 192.168.2.10"
keepalive 10 120
tls-auth ta.key 0 # This file is secret
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1

View OriginalClient conf

client
dev tun
proto udp4
remote dyndns.host.na.me 2194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
auth SHA256
verb 3
<ca>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
</key>
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
...
-----END OpenVPN Static key V1-----
</tls-auth>

[TinCanTech]

https://community.openvpn.net/openvpn/w ... versubnet.

[bsh]

https://community.openvpn.net/openvpn/w ... versubnet.

Do I want to do that? How would that help me? (Already tried with TAP and after I connected to "\\10.8.0.1" from a windows client machine, after some time the Network places in Explorer started to show the individual machines in the office, including the server itself ("servername"). I still could not reference the "servername" though).

[TinCanTech]

Do I want to do that?

Yes you do.

Your issue is Windows Networking/DNS, neither of which are supported here.

[RE:Systems]

What you are lacking is DNS resolution.

What TinCanTech was referring to, I suspect, was this bit:
https://community.openvpn.net/openvpn/w ... to-clients

[bsh]

Unfortunatelly I am at work now, inside the above subnet with the server, and have no means to test it truly externally (like I did yesterday and earlier this morning, from home). Using the TAP, i see this:
nslookup on the client obviously works because it is using the local nameserver as well.
but using "nslookup servername 10.8.0.1" does return the server's ip address - it didn't when i was testing from home!
also, "ping -a 10.8.0.1" does show the server name, but only after many seconds delay.
pinging and nslookup'ing and dig'ing 10.8.0.1, or nslookup anything using 10.8.0.1 on the server itself works.
but not from home, when my only connection to the server was the openvpn connection.
what does this mean? where does it go wrong?

[TinCanTech]

You have not even posted details of your DNS server ..

[bsh]

Sorry for the delay. I figured out (by accident) why it didn't work even in the isolated test environment. It's too embarrassing.
Now it does work on two external laptops!
Name resolution although works somewhat, is weird. I have looked at it on the server and it is weird and it's not quite like how I remember it had been? Maybe some updates foobared things? But it sorta works still.
nslookup "servername" on the client still times out, but strangely i can still use "net use \\servername" fine?
and all the applications referring to "servername" work fine as well.
do I still need the ip forwarding and the iptables nat on the server side?

[TinCanTech]

viewtopic.php?f=30&t=22603

[300000]

it is possible to make name solution working over vpn connection on windows , make sure you need running dns server and wins server so the netbios over vpn making name solution work on windows ,you have dnsmanq and samba so you got everything it need to making it works i can help you if you like

there is some question i like to ask. can you connect openvpn client and can you go to internet at the same time or not?

[bsh]

there is some question i like to ask. can you connect openvpn client and can you go to internet at the same time or not?

Sorry, I swear I answered this but it is somehow gone? Or is it being redacted? (In that case sorry for a possible double post)

So: yes, the clients can use THEIR internet access (and not the one thorugh the ovpn server, but that is actually how I want it to be - the clients shouldn't waste our very low bandwith with their internet surfing!)
Currently I'm not pushing any routes or anything.
I have set up test client (Win10) now, I think it is isolated enough to work exactly like an external client would.
What I see is this: the client gets the DNS address from the server fine. But the windows system does not use that at all. I can try a "nslookup servername" (which then tries the DNS server 8.8.8.8 of the wired connection) and obviously fails. if I try to specify which nameserver it should use to resolve: "nslookup servername 10.8.0.1" then it works and returns the actual server ip address (192.168.2.10).
if i do any nslookups, specifying either 10.8.0.1 or 192.168.2.10 as nameservers to use, both work, and do resolve local and internet addresses.
so it kinda works, except the windows system does not use these nameservers, despite being pushed on it.
When trying to look up the servername "nslookup servername", it uses the default 8.8.8.8 nameserver on the wired interface, and returns nxdomain. but when i try to "ping nameserver", it does work, and it pings 10.8.0.1
Weird.

[TinCanTech]

What I see is this: the client gets the DNS address from the server fine. But the windows system does not use that at all

See --block-outside-dns in the manual (because Windows sucks.. )

[bsh]

I have that now, in the client config, alongside "register-dns"
with these I can nslookup, and also ping "servername" but this latter takes like 5-10 seconds, and then pings over ipv6. when forcing ping ipv4, it still takes a long time to begin.
no change if pushing a route or not.
with --block-outside-dns windows shows no internet access but it does work (i guess it uses some dns queriesto check connectivity) and the internet access is noticably slower.

[300000]

block-outside-dns on client config force windows client use dns server from openvpn push to client in your case is 192.168.2.10 so if it not working check your firewall so make sure everything work as you expect.

from your dns server it will answer everything your clien asking for so now windows shows no internet access check your NAT iptables and iprouting on your server.

[bsh]

block-outside-dns on client config force windows client use dns server from openvpn push to client in your case is 192.168.2.10

now i've set the server to push block-outside-dns and register-dns, as well as pushing a dns server 10.8.0.1 - or should this be 192.168.2.10? (i saw no difference, both worked)
it is pushing a route 192.268.2.10/255.255.255.0 - is this necessary? (saw no difference)

so if it not working check your firewall so make sure everything work as you expect.

and what should i check if it works but not perfectly? what is it with nslookup working but ping does not? ping does check the hostname differently, right? why does ping take 5 seconds or so to start pinging the host, if i force it to use ipv4? why is it, when I connect to a share using "net use...", it takes a long time to connect, but then any further action is fast?

[300000]

If it is not as fast as you like you can reformat and install everything from new so may be it will give you faster respont time.

[bsh]

A little more testing: nslookup works fast if I add the dns suffix to the hostnames manually - which should automatically happen, but for whatever reason it does not. this also solves the ping issues and everything else as far as i can tell.
so I changed the windows TAP device configuration and ticked the "register dns" option, and added the dns suffix manually here as well.
Now everything works fast.

[300000]

you said ticked the "register dns" maybe you use kind software difference from openvpn download from this site so maybe the software is not working as you expect ,now it ok now so the client side making trouble not server side at all.