Netgate Discussion Forum

    Use hostname to reach OpenVPN clients

    johnpoz LAYER 8 Global Moderator @Unoptanio

      @Unoptanio So you want to access the VPN client's IP when he VPNs into your network. IP or DNS makes little difference, and registration of VPN clients can and does work if you want to use some FQDN to access these remote clients when they connect in.

      Just wanted you and anyone else to be aware that registration of DHCP and VPN clients on connect is going to restart unbound. This can be problematic if you have that happening a lot, and if the way you have things set up causes longer delays in unbound starting, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

      Unoptanio @johnpoz

        @johnpoz

        For each OpenVPN user I also used this command: "ifconfig-push 10.10.94.50 255.255.255.0".

        For the other users I continued with the progressive numbers 10.10.94.51, .52, .53.

        I have no idea if this is better to do or not,
        and if it can amplify the problem you were talking about.

        [screenshot attached]

        pfSensePlus24.03 2U BareMetal Asrock Industrial IMB-X1314MicroATX
        CPU: i7-13700@5.2GHz, RAM:32GB ECC, n°2 Samsung 870EVO SATA 2.5” SSD 1TB (ZFS) Raid1
        n°3 Intel i225-LM 2500/1000/100Mbps, n°1 NIC Intel i350-T4V2 10/100/1000 Mbps 4*GLAN, n°1 Intel X520-DA2

        zapador @Unoptanio

          @Unoptanio Pushing a static IP to a client makes sense if it is important for you to either know the client's IP address or if you want to make firewall rules for a specific client where the IP has to remain the same.

          Can't really say one is better than the other. If you use a DNS name, that name will be translated to an IP and then your RDP connects using that IP. If you use the IP, then there's no name translation taking place first.

          Using hostnames, e.g. client01.vpn.example.com, is handy as it is a lot easier to remember.

          Unoptanio @zapador

            @zapador

            Have you encountered the problem that @johnpoz was talking about that could occur?

            Just wanted you and anyone else to be aware that registration of DHCP and VPN clients on connect is going to restart unbound. This can be problematic if you have that happening a lot, and if the way you have things set up causes longer delays in unbound starting, etc.
            


            zapador @Unoptanio

              @Unoptanio I haven't encountered any problems related to that, but I also wasn't aware that it could be a problem.
              I was not aware that the VPN registering clients in DHCP would cause unbound (DNS Resolver) to restart; I'm also not sure if that is really the case or not.

              If you want to test, try to enable the register in DHCP feature, connect a client and then check Status -> System Logs -> System -> DNS Resolver and look for "start of service (unbound)" or "service stopped (unbound)" and see if that coincides with the time the VPN client connected. If not, then unbound does not restart when the VPN registers clients in DHCP.

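zapador's suggested check, as an added Python example that is not from the thread or from pfSense itself: it takes constructed OpenVPN and DNS Resolver log lines (the syslog-style layout and OpenVPN's "Peer Connection Initiated" message as the connect marker are assumptions) and reports, per client Common Name, whether a "service stopped (unbound)" or "start of service (unbound)" entry follows the connect within a short window.

```python
import re
from datetime import datetime

YEAR = 2024  # syslog lines carry no year; assumed for the constructed sample

# Constructed sample lines (not copied from a real pfSense box), laid out
# syslog-style as "Mon DD HH:MM:SS process[pid]: message".
OPENVPN_LOG = """\
Sep 16 09:14:02 openvpn[3021]: client01/203.0.113.10:51234 Peer Connection Initiated with [AF_INET]203.0.113.10:51234
Sep 16 11:40:17 openvpn[3021]: client02/198.51.100.7:40012 Peer Connection Initiated with [AF_INET]198.51.100.7:40012
"""
UNBOUND_LOG = """\
Sep 14 07:00:11 unbound[1200]: [1200:0] info: start of service (unbound).
Sep 16 09:14:03 unbound[1200]: [1200:0] info: service stopped (unbound).
Sep 16 09:14:05 unbound[1200]: [1200:0] info: start of service (unbound).
"""

STAMP = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d) (.*)$")
# The two unbound messages zapador says to look for in the DNS Resolver log.
RESTART_MARKERS = ("start of service (unbound)", "service stopped (unbound)")


def parse(log):
    """Yield (datetime, message) for every syslog-style line in log."""
    for line in log.splitlines():
        m = STAMP.match(line)
        if m:
            ts = datetime.strptime(f"{YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)


def connects(openvpn_log):
    """Return [(time, common_name)] for each 'Peer Connection Initiated' line."""
    out = []
    for ts, msg in parse(openvpn_log):
        m = re.search(r": (\S+?)/\S+ Peer Connection Initiated", msg)
        if m:
            out.append((ts, m.group(1)))
    return out


def restarts(unbound_log):
    """Return the timestamps at which unbound logged a stop or a start."""
    return [ts for ts, msg in parse(unbound_log)
            if any(k in msg for k in RESTART_MARKERS)]


def correlate(openvpn_log, unbound_log, window_s=30):
    """Map each connecting client to the unbound stop/start events that
    follow its connect within window_s seconds (empty list = no restart)."""
    events = restarts(unbound_log)
    return {cn: [e for e in events if 0 <= (e - ts).total_seconds() <= window_s]
            for ts, cn in connects(openvpn_log)}
```

If every client maps to an empty list, the resolver did not restart on connect; a stop/start pair right after each connect is the behaviour johnpoz warned about.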
              Unoptanio @zapador

                @zapador

                [screenshot attached]


                zapador @Unoptanio

                  @Unoptanio Go to Services -> DNS Resolver and enable this:

                  [screenshot attached]

                  Then you can resolve the hostnames of all clients connected via VPN, no matter what interface you're coming from, as long as the device uses the pfSense as DNS, which is the case by default.

                  Unoptanio @zapador

                    @zapador

                    OK, found it. I already had the setting active.

                    I have checked Status -> System Logs -> System -> DNS Resolver

                    but I only have this data:

                    [screenshot attached]


                    zapador @Unoptanio

                      @Unoptanio I'm not sure if you will see anything in that log (maybe, maybe not). Just try to connect a client to OpenVPN and then, from the pfSense, try nslookup <hostname>, which in this case would be the Common Name of that particular client, or maybe the Username if you use User Auth. It should provide you with the IP of that particular client, and if it does, it works. Hope that makes sense, else just ask.

                      Unoptanio @zapador

                        @zapador

                        [screenshot attached]


                        zapador @Unoptanio

                          @Unoptanio Does that happen when a client connects?

                          Unoptanio @zapador

                            @zapador

                            I tried to make some OpenVPN connections now and to connect via RDP using the name.domain format, but nothing appears in the log section relating to today's date, September 16th.
                            In the log the first occurrence of "start of service (unbound)" is on September 14th, but I don't know what it referred to.

                            [screenshot attached]

                            For today, 16th September, I only have the first line in the log.

                            Do you have different data in your firewall?


                            zapador @Unoptanio

                              @Unoptanio Don't worry about the log at first, just check if things work or not. Start by checking from the pfSense itself using Diagnostics -> DNS Lookup and see if you can get an IP for your connected client.

                              Unoptanio @zapador

                                @zapador
                                [screenshot attached]


                                zapador @Unoptanio

                                  @Unoptanio As long as you have manually added Host Overrides then you'll never find out if "Register connected OpenVPN clients in the DNS Resolver" is working because the Host Overrides will take priority. If you list something in Host Overrides it will ALWAYS work in the sense that the DNS Resolver will return an IP for anything listed in the Host Overrides no matter if it exists or not.

                                  But is it otherwise working as it should?

                                  Unoptanio @zapador

                                    @zapador

                                    At the moment, with the current configuration, everything works for me.

                                    Before compiling this DNS override table, RDP access using the name.domain format did not work for me.
                                    [screenshot attached]

                                    RDP access only worked using the machine's IP address.

                                    Should RDP access using the name.domain format theoretically work even without having filled in the DNS Resolver override table? Yes or no?


                                    zapador @Unoptanio

                                      @Unoptanio That's great!

                                      Unoptanio @zapador

                                        @zapador

                                        [two screenshots attached]


                                        zapador @Unoptanio

                                          @Unoptanio Is what without using Host Overrides?

                                          Unoptanio @zapador

                                            @zapador
                                            It was only a question.

                                            Initially I thought that once connected to OpenVPN, the names of the machines that are on the 192.168.1.x network would automatically be visible without using DNS overrides.


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.