How to configure clients to reach LAN hosts by name?

This forum is for general conversation and user-user networking.

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

How to configure clients to reach LAN hosts by name?

Post by BobAGI » Mon Mar 04, 2019 6:56 pm

I have set up an OpenVPN server on the company LAN. It runs on an Ubuntu 16.04.5 LTS Server machine.
OpenVPN is at 2.4.7
All other network computers are varying versions of Windows.
We run two server instances on ports 1194 and 1195; the first is a full server and the second handles connections for split-tunnel use.
When clients connect remotely via OpenVPN they get full network access provided they know the IP of any given named host.
So one could ping 10.0.0.6 but not ping fileserver, where fileserver has IP 10.0.0.6.
If the same computer that fails to ping by name is connected directly to the company LAN then it can ping fileserver.

So the name resolution must be non-working over the OpenVPN tunnel and my question is how I can remedy this?
I *have* configured the dhcp-option DNS but it seems like it is not working anyway...

The company LAN runs on address range 10.0.0.x

Here are the server config files:
split tunnel server
port 1195
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/VPN.crt
key /etc/openvpn/keys/VPN.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
topology subnet
server 10.8.1.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.1.2 10.8.1.127 255.255.255.0
client-config-dir /etc/openvpn/ccdl
ifconfig-pool-persist ipp2.txt
push "route 10.0.0.0 255.255.255.0"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 20
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status2.log
log /etc/openvpn/log/openvpn2.log
verb 4
explicit-exit-notify 1


full server
port 1194
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/VPN.crt
key /etc/openvpn/keys/VPN.key # This file should be kept secret
dh /etc/openvpn/keys/dh2048.pem
tls-auth /etc/openvpn/keys/ta.key 0 # This file is secret
topology subnet
server 10.8.0.0 255.255.255.0 'nopool'
ifconfig-pool 10.8.0.2 10.8.0.127 255.255.255.0
client-config-dir /etc/openvpn/ccdw
ifconfig-pool-persist ipp.txt
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.0.3"
push "dhcp-option DNS 10.0.0.7"
keepalive 10 120
cipher AES-256-CBC
comp-lzo
max-clients 20
persist-key
persist-tun
status /etc/openvpn/log/openvpn-status.log
log /etc/openvpn/log/openvpn.log
verb 4
explicit-exit-notify 1


Clients are given OVPN files with the following content (plus their certificates):

client-full
client
dev tun
proto udp
remote vpn.xxxxxx.com 1194
resolv-retry infinite
nobind
persist-key
persist-tun
auth-nocache
mute-replay-warnings
remote-cert-tls server
key-direction 1
cipher AES-256-CBC
comp-lzo
verb 1
mute 20


Switching remote to port 1195 makes the client use the split tunnel approach.

EDIT:
I have this problem myself but I have solved it by editing the Windows hosts file and adding all of the servers in the office I need to connect to with the proper IP address. Then I can communicate just fine with the computers on the network.
But it is a bit of a pain to have to tell the other users to edit their hosts file in a similar manner to get VPN working properly for them.
I live about 5000 km from the office so my only connection is by way of OpenVPN. The other employees only occasionally need the VPN but then they fall flat on the connectivity issue with DNS.
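
Checking the two server configs above for what a client needs in order to resolve LAN names, as an added example of mine rather than anything from the thread or the OpenVPN project: the port 1195 instance pushes the LAN route but no DNS server at all, and neither instance pushes a DNS search domain (dhcp-option DOMAIN), which a Windows client on the office LAN normally receives from DHCP and needs before a bare name like fileserver can be looked up. The sample configs are trimmed copies of the ones quoted above, and "corp.example" is a placeholder for the office's real suffix.

```python
# Added example: audit the DNS-related "push" lines of an OpenVPN server
# config. The sample configs are trimmed copies of the two instances in the
# thread; "corp.example" is a placeholder for the office's real DNS suffix.
import shlex

SPLIT_CONF = """\
port 1195
server 10.8.1.0 255.255.255.0 'nopool'
push "route 10.0.0.0 255.255.255.0"
"""

FULL_CONF = """\
port 1194
push "route 10.0.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.0.0.3"
push "dhcp-option DNS 10.0.0.7"
"""

# What the split-tunnel instance would also need to push for name resolution.
SPLIT_FIXED = SPLIT_CONF + """\
push "dhcp-option DNS 10.0.0.3"
push "dhcp-option DNS 10.0.0.7"
push "dhcp-option DOMAIN corp.example"
"""

def pushed_options(conf):
    """Return the option strings the server pushes to clients, comments stripped."""
    out = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("push "):
            out.append(shlex.split(line)[1])
    return out

def audit_dns_push(conf):
    """Flag push settings that leave VPN clients unable to resolve LAN names."""
    pushed = pushed_options(conf)
    dns = [p.split()[2] for p in pushed if p.startswith("dhcp-option DNS ")]
    domains = [p.split()[2] for p in pushed if p.startswith("dhcp-option DOMAIN ")]
    has_route = any(p.startswith("route ") for p in pushed)
    full_tunnel = any(p.startswith("redirect-gateway") for p in pushed)
    findings = []
    if has_route and not dns:
        findings.append("LAN route pushed but no dhcp-option DNS")
    if dns and not domains:
        findings.append("dhcp-option DNS pushed without dhcp-option DOMAIN; "
                        "bare names such as 'fileserver' get no search suffix")
    return {"split_tunnel": has_route and not full_tunnel,
            "dns": dns, "domains": domains, "findings": findings}
```

On Windows the pushed resolver also competes with the physical adapter's resolvers; OpenVPN's Windows-only block-outside-dns option exists for that case, but it does nothing about a missing search suffix.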

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to configure clients to reach LAN hosts by name?

Post by TinCanTech » Tue Mar 05, 2019 2:15 pm

BobAGI wrote:
Mon Mar 04, 2019 6:56 pm
So the name resolution must be non-working over the OpenVPN tunnel and my question is how I can remedy this?
I *have* configured the dhcp-option DNS but it seems like it is not working anyway...
Try to ping the DNS server from the client ..

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

Re: How to configure clients to reach LAN hosts by name?

Post by BobAGI » Tue Mar 05, 2019 2:30 pm

Pinging both 10.0.0.3 and 10.0.0.7 works fine.

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to configure clients to reach LAN hosts by name?

Post by TinCanTech » Tue Mar 05, 2019 2:52 pm

Then either one of:
  • Your ping was done incorrectly and passed when it should fail
  • DNS server firewall
  • DNS server is incorrectly configured
  • The details in your initial post are incorrect

BobAGI
OpenVPN Power User
Posts: 167
Joined: Mon May 05, 2014 10:17 pm

Re: How to configure clients to reach LAN hosts by name?

Post by BobAGI » Tue Mar 05, 2019 4:53 pm

TinCanTech wrote:
Tue Mar 05, 2019 2:52 pm
Then either one of:
  • Your ping was done incorrectly and passed when it should fail
  • DNS server firewall
  • DNS server is incorrectly configured
  • The details in your initial post are incorrect
1) ping was done incorrectly
Both pings are made on a command window on a Windows computer connected by VPN. They return good ping results:

>ping 10.0.0.7

Pinging 10.0.0.7 with 32 bytes of data:
Reply from 10.0.0.7: bytes=32 time=137ms TTL=127
Reply from 10.0.0.7: bytes=32 time=137ms TTL=127
Reply from 10.0.0.7: bytes=32 time=137ms TTL=127
Reply from 10.0.0.7: bytes=32 time=137ms TTL=127
Same response for 10.0.0.3

2) DNS server firewall?
I have no idea why there would be a firewall for DNS. But any computer connected to the office LAN works fine whereas if it is moved away and connects via VPN it does not get local name resolution.

3) DNS server is incorrectly configured
Can't say anything about that because the domain servers are maintained by an IT professional company...

4) details in your initial post are incorrect
Incorrect in what way?

I have looked at the OpenVPN server (an Ubuntu 16.04.5 LTS server machine) via VPN. It sits on the same internal network.
The /etc/resolv.conf file (autogenerated) contains this:

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
#     DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 10.0.0.3
nameserver 10.0.0.7
nameserver 8.8.8.8
So this server is using the two local DNS servers and I expect the other computers connected to the network do too. All use DHCP.
And these are the ones I pushed in the server.conf file shown above, but it looks like it does not work.
Maybe DNS calls cannot really be tunneled???

Note that we used to run Microsoft RRAS and PPTP VPN before we retired the old server hosting that VPN.
At that time we did not have these problems, they only appeared when we switched to OpenVPN.
PPTP clients got IP addresses for the tunnel within the address range of the local network, but with OpenVPN the tunnel is in a different network range.
Maybe this is the issue?

Is there something specific to do in Ubuntu (i.e with IPTABLES) to make DNS calls pass through the OVPN tunnel?
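
To turn TinCanTech's checklist and the resolv.conf reasoning above into a direct check, here is an added example of mine (not from the thread) that sends a single A query straight to a chosen resolver over UDP/53, the same path a tunnelled DNS lookup takes, so the server's behaviour can be tested apart from the Windows resolver settings: from a connected client, resolve_via('10.0.0.3', 'fileserver.<suffix>') timing out points at a firewall or the route, while an answer for the full name but not for the bare 'fileserver' points at a missing search suffix. The response bytes at the bottom are constructed so the parser can be exercised offline; 'corp.example' is a placeholder.

```python
# Added example: one DNS A query sent straight to a chosen resolver over UDP/53.
import socket
import struct

def build_query(name, txid=0x1234):
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def _skip_name(msg, off):
    # Walk the labels; a compression pointer (top two bits set) ends the name.
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:
            return off + 2
        if n == 0:
            return off + 1
        off += 1 + n

def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a DNS response message."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def resolve_via(server, name, timeout=3.0):
    # Returns (rcode, addrs), or None if the resolver never answered.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        try:
            data, _ = s.recvfrom(512)
        except socket.timeout:
            return None
    return parse_a_records(data)

# Constructed (not captured) response: NOERROR, fileserver.corp.example -> 10.0.0.6
QUERY = build_query("fileserver.corp.example")
SAMPLE_RESPONSE = (QUERY[:2] + b"\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00" + QUERY[12:]
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([10, 0, 0, 6]))
```

A Windows host firewall or the DNS server's own query ACLs can drop UDP/53 from the 10.8.x.x tunnel range even though ICMP gets through, so a timeout here alongside a working ping is a meaningful result.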

TinCanTech
OpenVPN Protagonist
Posts: 11139
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to configure clients to reach LAN hosts by name?

Post by TinCanTech » Tue Mar 05, 2019 5:33 pm

BobAGI wrote:
Tue Mar 05, 2019 4:53 pm
the domain servers are maintained by an IT professional company
This forum does not provide the support you require.
