Netgate Discussion Forum
    FQDN

OpenVPN
13 Posts 2 Posters 828 Views
Derelict (LAYER 8, Netgate):

      That is the default domain. That is pushed using this in the OpenVPN server:

[image: e31267b1-038e-49f0-84fa-91e725ec8e51-image.png]

      As with most pushed settings it is up to the client to honor it and use it properly.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

rustydusty1717 (replying to @Derelict):

@Derelict so I do specify the domain name as well. When you say "honor", do you mean force DNS suffixes elsewhere on the device?

Derelict (LAYER 8, Netgate):

          When a host wants to resolve a name it appends a default domain to its query.

If its default domain is domainname.local and it wants to resolve hostname host, it submits its query to its configured DNS resolvers as host.domainname.local.

          It is completely up to the client to do this.


rustydusty1717:

            @Derelict said in FQDN:

If its default domain is domainname.local and it wants to resolve hostname host, it submits its query to its configured DNS resolvers as host.domainname.local.

            Got it working, thanks everyone!

            Is there a command that can be put in the advanced configuration for disconnecting after a time period?

Derelict (LAYER 8, Netgate):

Probably the client sleeping, power saving, etc. You might need to better describe what you are actually experiencing.

              There is an automatic renegotiation/reauthentication that happens by default every hour but unless you are using multi-factor authentication, that should be hitless if the client and server are both still communicating.


rustydusty1717:

                @Derelict said in FQDN:

                There is an automatic renegotiation/reauthentication that happens by default every hour but unless you are using multi-factor authentication, that should be hitless if the client and server are both still communicating.

                Hello,

We do have authentication with AD through RADIUS. Definitely not getting disconnects every hour.

                Looking to add a time limit to disconnect. Thinking if there's an employee in the field that is released, would like to know their VPN connection will drop. At that point their AD authentication will no longer work.

Derelict (LAYER 8, Netgate):

                  As I stated, the connection is re-authenticated every 60 minutes by default. That will hit the RADIUS server again. If the authentication succeeds again the user connection will continue. Logs should be able to be evaluated to determine this is actually occurring to your satisfaction. You can connect a test user then disable it in AD by whatever method you use and see what happens too.

This time period is controlled on both the server and the client with:

reneg-sec 3600 (3600 is the default there)
reneg-sec 0 (disables renegotiation on that side)


rustydusty1717:
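The two mechanisms discussed above (a pushed default domain that the client may or may not honor, and the per-side reneg-sec timer) are easy to misread from config alone, so here is an added Python simulation. It is not code from this thread, from pfSense or from OpenVPN; the server and client config fragments are constructed, and it assumes the pfSense "DNS Default Domain" field is pushed as an OpenVPN "dhcp-option DOMAIN" directive and that a client treats a name containing a dot as already qualified (the common ndots=1 resolver behaviour).

```python
"""
Added example (not from the forum thread): simulate two OpenVPN behaviours
using constructed config fragments.

1. A pushed default domain ("dhcp-option DOMAIN ...") only changes anything
   if the client honours it by appending it to unqualified names.
2. reneg-sec sets the renegotiation/re-auth timer on each side; the side
   with the shorter non-zero timer fires first, and reneg-sec 0 only stops
   that side from initiating.
"""
import re

# Constructed sample configs (assumptions, not a real deployment).
SERVER_CONF = """\
server 10.8.0.0 255.255.255.0
push "dhcp-option DOMAIN domainname.local"
push "dhcp-option DNS 10.8.0.1"
reneg-sec 3600
"""

CLIENT_CONF = """\
client
remote vpn.example.invalid 1194 udp
reneg-sec 0
"""

OPENVPN_RENEG_DEFAULT = 3600  # seconds, the OpenVPN default for reneg-sec


def parse_options(conf):
    """Tokenise an OpenVPN-style config into (pushed, [keyword, args...]).

    Lines of the form push "..." are unwrapped so the pushed directive can
    be inspected like a local one, with pushed=True marking its origin.
    """
    opts = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments/blank lines
        if not line:
            continue
        m = re.fullmatch(r'push\s+"([^"]*)"', line)
        tokens = (m.group(1) if m else line).split()
        if tokens:
            opts.append((bool(m), tokens))
    return opts


def pushed_domain(server_conf):
    """Return the default domain the server pushes, or None if it pushes none."""
    for pushed, tokens in parse_options(server_conf):
        if pushed and tokens[:2] == ["dhcp-option", "DOMAIN"] and len(tokens) == 3:
            return tokens[2].rstrip(".").lower()
    return None


def qualify(name, default_domain, honour=True):
    """Return the name a client actually sends to its resolver.

    honour=False models a client that ignores the pushed default domain,
    which is exactly the case where "host" silently fails to resolve.
    """
    name = name.strip()
    if name.endswith("."):
        return name[:-1].lower()              # explicit FQDN: never suffixed
    if "." in name or not honour or default_domain is None:
        return name.lower()                   # already qualified, or not honoured
    return f"{name.lower()}.{default_domain}"


def reneg_seconds(conf):
    """Local reneg-sec value for one side (last directive wins), default 3600."""
    value = OPENVPN_RENEG_DEFAULT
    for pushed, tokens in parse_options(conf):
        if not pushed and tokens[0] == "reneg-sec" and len(tokens) >= 2:
            value = int(tokens[1])
    return value


def effective_reneg_interval(server_conf, client_conf):
    """Seconds until the first renegotiation across both sides.

    Whichever side has the shorter non-zero timer initiates it; returns None
    only when both sides are set to 0 (renegotiation never triggered).
    """
    timers = [t for t in (reneg_seconds(server_conf), reneg_seconds(client_conf)) if t > 0]
    return min(timers) if timers else None


if __name__ == "__main__":
    domain = pushed_domain(SERVER_CONF)
    print("pushed default domain:", domain)
    for honour in (True, False):
        print(f"client honours push={honour}: host ->",
              qualify("host", domain, honour=honour))
    print("first re-auth after (s):", effective_reneg_interval(SERVER_CONF, CLIENT_CONF))
```

Running it shows the server still forces a re-authentication at 3600 s even though the client has reneg-sec 0, and that a client which does not honour the pushed domain queries the bare name "host", which is the symptom the thread started with.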

                    @Derelict said in FQDN:

                    As I stated, the connection is re-authenticated every 60 minutes by default. That will hit the RADIUS server again. If the authentication succeeds again the user connection will continue. Logs should be able to be evaluated to determine this is actually occurring to your satisfaction. You can connect a test user then disable it in AD by whatever method you use and see what happens too.

                    I will check that, thanks!

                    We are also having an issue where the GUI errors out and we've been able to determine it's because most of our users don't have Administrative privileges on their laptops. I've done some searching and found ways of running the GUI service through scheduled tasks but hopefully someone else has a better option.

                    https://forum.netgate.com/topic/115680/openvpn-without-admin-rights-win-7-and-xp-on-pfsense-2-3-3_p1/2

Derelict (LAYER 8, Netgate):

That is almost all taken care of by running current OpenVPN client code on the Windows machines.

                      If you remove all OpenVPN traces (Add/Remove Programs or whatever it is called these days) and reinstall a configuration export, current code will be installed.

                      Or you can manually upgrade OpenVPN on the devices.


rustydusty1717:

                        @Derelict said in FQDN:

That is almost all taken care of by running current OpenVPN client code on the Windows machines.

So the client version exported from pfSense is 2.4.8-1602-Win10.

                        Should this version not have the latest code that fixes the issue?

Derelict (LAYER 8, Netgate):

It does, but it does not automatically update the client host unless you REMOVE what is already there before you run the export. I do not know why that was chosen. Probably considered to be a POLA thing.


rustydusty1717:

We are using Revo Uninstaller to remove the client package before re-installing. Should this not be enough? Revo is even finding the registry entries and remaining files.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.