How to enable VPN clients name resolution
-
Setup:
Corp net: 10.160.0.0/16 - laptop.corp.net - 10.160.0.4
pfsense1:
- OpenVPN Tunnel Network: 10.162.0.0/23
- DNS Default Domain: vpn.corp.net
- Connected client: client-p1.vpn.corp.net / 10.162.0.4
pfsense2:
- OpenVPN Tunnel Network: 10.162.2.0/23
- DNS Default Domain: vpn.corp.net
- Connected client: client-p2.vpn.corp.net / 10.162.2.4
I configured firewall/NAT on both pfsense's so I can ssh to 10.162.0.4 and 10.162.2.4 from laptop.corp.net.
Now I want to be able to resolve client-p1.vpn.corp.net and client-p2.vpn.corp.net on the corp laptop. We have a corp name server. Should there be some sort of forwarding from it to pfsense servers for *.vpn.corp.net?
-
@alexp-lft are you using the same domain name at two sites?
-
@tirsojrp yes, the same domain. The 2 instances are for redundancy
-
@tirsojrp would it make it easier if the domains were different?
-
@alexp-lft It would, simply use Domain Overrides at pf2 to point all dns requests for site1.corp.net to pf1.
Edit: I am confused, this is about 2 sites or 2 pfsense's on the same site?
-
@tirsojrp said in How to enable VPN clients name resolution:
@alexp-lft It would, simply use Domain Overrides at pf2 to point all dns requests for site1.corp.net to pf1.
I may not be reading this right, but I'm not sure this solves my problem... I'd like a device on corp net (laptop.corp.net) to be able to resolve client-p1.vpn.corp.net and client-p2.vpn.corp.net. Not the other way around. Also, I'd prefer to not introduce such dependency, as this is supposed to be a redundant active/active setup allowing for either one of the instances to be taken offline for maintenance at any time.
Edit: I am confused, this is about 2 sites or 2 pfsense's on the same site?
Both pfsenses are on the same site, and clients randomly pick (via DNS round robin) which one to connect to. Hope this clarifies.
-
@alexp-lft Now I get it. Load balancing vpn concentrators.
IMHO that level of consistency cannot be achieved when so many random elements are involved. Using the same domain name for vpn clients connecting randomly (round robin) to different VPN networks getting random ip (openvpn pools), while trying to keep the same name.
High availability and CARP is the answer.
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/ha.html#openvpn-and-carp
-
@tirsojrp said in How to enable VPN clients name resolution:
@alexp-lft Now I get it. Load balancing vpn concentrators.
IMHO that level of consistency cannot be achieved when so many random elements are involved. Using the same domain name for vpn clients connecting randomly (round robin) to different VPN networks getting random ip (openvpn pools), while trying to keep the same name.
High availability and CARP is the answer.
https://docs.netgate.com/pfsense/en/latest/vpn/openvpn/ha.html#openvpn-and-carp
Thanks @tirsojrp. And what if I use 2 different domains (i.e. vpn1.corp.net and vpn2.corp.net)? I don't really need these to be the same, as long as I can resolve the host name from the corp net. IOW, it doesn't matter whether vpn_client resolves to vpn_client.vpn1.corp.net or vpn_client.vpn2.corp.net. I can add both to search domains.
-
The corp.net DNS server must be configured to forward all requests for the domain vpn1.corp.net to pf1 and for vpn2.corp.net to pf2.
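What that forwarding looks like in practice, added here as an illustration rather than taken from the thread or from Netgate's docs: a named.conf fragment for the corp name server, assuming it runs BIND 9, that pfsense1's OpenVPN "DNS Default Domain" is set to vpn1.corp.net and pfsense2's to vpn2.corp.net, and using 10.160.0.2 and 10.160.0.3 as placeholder corp-side addresses for the two pfSense boxes (not values given in the thread).

```conf
// named.conf fragment for the corp name server (assumed to be BIND 9).
// 10.160.0.2 and 10.160.0.3 are placeholders for the corp-side interfaces
// of pfsense1 and pfsense2; the thread does not give these addresses.
// Because each box uses its own default domain (vpn1 / vpn2.corp.net),
// each only ever answers for names of clients connected to it, so the two
// forward zones never overlap and neither pfSense depends on the other.

zone "vpn1.corp.net" {
    type forward;
    forward only;               // never fall back to public resolution
    forwarders { 10.160.0.2; }; // pfsense1's DNS Resolver (Unbound)
};

zone "vpn2.corp.net" {
    type forward;
    forward only;
    forwarders { 10.160.0.3; }; // pfsense2's DNS Resolver (Unbound)
};
```

On each pfSense the DNS Resolver must listen on the corp-facing interface and allow the corp server's address in its Access Lists, or the forwarded queries are refused. With `forward only`, lookups under vpn1.corp.net fail while pfsense1 is offline for maintenance, which is the intended result since its clients are gone with it, and pf2 keeps answering for vpn2.corp.net unaffected.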