Site-to-Site OpenVPN - DNS problem



  • We are connecting a remote office network (just a few PCs) to the AD domain in the main office.

    The main office pfSense box is configured as the OpenVPN server, the remote office pfSense box as the OpenVPN client. The tunnel is UP.

    Problem: no name resolution. PCs can ping each other only by IP, not by FQDN like pc-1.ourDomain.local.

    What extra configuration do we need to get DNS working?



  • ::) Provide a DNS server to your PCs.

    I assume you have a DNS server in your main network and the remote PCs pull an IP from DHCP, so add the DNS server to the DHCP config.



  • Thanks for the reply.

    I did provide the DNS server address to the PCs in the remote office, but I'm still getting "can't find host" errors.

    I can ping the DNS server in the main office OK, as well as all other IPs there. But DNS is not resolving internal names :-\



  • Are the remote hosts in the same Domain as the DNS in main network?
    Is the DNS configured in the interface settings of the PCs? Check with "ipconfig /all".



  • Yes - we want all PCs to be members of the same domain (company.local), a flat network. Sure, our remote office is a separate IP subnet.

    I tried setting static IPs for the DNS servers on each PC in the remote office. Still can't get the FQDN to resolve.

    It is very strange: if I use nslookup FQDN it resolves OK.
    But if I try to ping the FQDN, I get a "can't find host" error. Sure, my remote PCs cannot log in to our local domain…

    I searched all over the Internet: people suggest using DNS Forwarders, Domain Overrides, static routes etc. Still can't resolve the problem...




  • @factorylan:

    It is very strange: if I use nslookup FQDN it resolves OK.
    But if I try to ping the FQDN, I get a "can't find host" error.

    Looks like the main DNS is not used by default. So what's in your interface config?
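
    The "nslookup works, ping fails" symptom above comes down to two different code paths: nslookup sends its query straight to the first DNS server of the interface, while ping goes through the Windows DNS Client (cache, hosts file, suffix search list, every interface's server list). The script below is an added diagnostic that is not part of the thread; it runs both paths side by side on a remote office PC and also checks the SRV record a domain join needs. The host name pc-1.factory.local, the domain factory.local and the DNS server 10.0.1.20 are assumed from the thread.

```powershell
# Added diagnostic, not part of the thread. Assumed values: the domain is factory.local,
# the host being pinged is pc-1.factory.local and the AD DNS server is 10.0.1.20.
function Test-RemoteDnsPath {
    param(
        [string]$Name   = 'pc-1.factory.local',
        [string]$Domain = 'factory.local',
        [string]$Server = '10.0.1.20'
    )

    "== 1. DNS servers the resolver has per interface (ping uses all of these, in interface order)"
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Format-Table InterfaceAlias, ServerAddresses -AutoSize

    "== 2. Suffix handling: a bare host name only becomes an FQDN through these"
    Get-DnsClientGlobalSetting | Format-List SuffixSearchList, UseDevolution
    Get-DnsClient | Format-Table InterfaceAlias, ConnectionSpecificSuffix -AutoSize

    "== 3. Direct query to $Server (what nslookup does: no cache, no hosts file, no LLMNR/NetBIOS)"
    $direct = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction SilentlyContinue
    $direct | Format-Table Name, Type, IPAddress -AutoSize

    "== 4. Same name through the Windows resolver (what ping does)"
    $viaResolver = Resolve-DnsName -Name $Name -Type A -ErrorAction SilentlyContinue
    $viaResolver | Format-Table Name, Type, IPAddress -AutoSize

    "== 5. Anything cached for $Name (a negative answer cached before the tunnel came up breaks ping)"
    Get-DnsClientCache -Name $Name -ErrorAction SilentlyContinue |
        Format-Table Entry, Status, TimeToLive -AutoSize

    "== 6. Can this PC locate a domain controller at all (needed for domain join and logon)?"
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -Server $Server -ErrorAction SilentlyContinue |
        Format-Table Name, NameTarget, Port -AutoSize

    if ($direct -and -not $viaResolver) {
        "Direct query works but the resolver fails: fix the interface DNS list above, then run Clear-DnsClientCache and retry."
    }
}

Test-RemoteDnsPath
```

    Run it as the logged-on user on a remote office PC; step 1 is the PowerShell equivalent of the "ipconfig /all" check asked for earlier in the thread. If step 3 answers but step 4 does not, the resolver is using a different server list or a stale cache entry; if step 6 returns nothing, the domain join will fail no matter what ping does.
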



  • viragomann

    I provided a network diagram with all IP addresses.

    ipconfig shows DNS server 10.0.1.20 - set manually.



  • So the remote office has no additional DC? And the hosts are presumably not well connected to the domain.

    But resolving the FQDN should work if the PCs use the main DNS. Remember that FQDN means the whole domain name, not just the host name. With host + domain name it should work.

    The easiest way to resolve this would be to use pfSense as the DNS server and activate the DNS Forwarder. But you will have to put the main DNS at the top of the DNS servers list in General Settings.



  • @viragomann:

    So the remote office has no additional DC? And the hosts are presumably not well connected to the domain.

    But resolving the FQDN should work if the PCs use the main DNS. Remember that FQDN means the whole domain name, not just the host name. With host + domain name it should work.

    The easiest way to resolve this would be to use pfSense as the DNS server and activate the DNS Forwarder. But you will have to put the main DNS at the top of the DNS servers list in General Settings.

    That is right - no DC on the remote site. For simplicity I configured the remote site PCs with static IPs and manually set the DNS server IP to 10.0.1.20 (AD DNS server in the main office), but for some reason the FQDN does not work!! My DC has two LAN interfaces… Maybe that is causing my DNS problem?

    DNS Forwarder: do I have to configure it on the OpenVPN server, client or both? If pfSense is now a DNS server, should the client PCs send DNS queries to pfSense rather than the main office DNS?

    Do I have to configure the Domain Name in General Setup as well, to match our "factory.local"?
    The note there says not to use "local".



  • my DC has two LAN interfaces… Maybe that is causing my DNS problem?

    If the "pfsense1" IP is not set as the default gateway on the DC, then - 99.99%.
    On your DC invoke 'route print', note the index number of the interface looking at your "pfsense1",
    then invoke 'route add 10.0.1.0 MASK 255.255.255.0 PFSENSE1_IP metric 20 IF INTERFACE_NUMBER'.
    If it fixes it, invoke it again with the -p switch.
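
    The same procedure in PowerShell, as an added example that is not part of the thread: it finds the interface index the way "route print" would, shows which NIC the dual-homed DC currently uses to reach the remote office, adds the route as a test, and then makes it persistent (the "-p" step). Assumed values: the remote office subnet is 10.0.5.0/24 (the range the later post shows), the pfsense1 LAN address is 10.0.1.1, and the DC's interface on that LAN has a 10.0.1.x address; 10.0.5.10 is a made-up remote host used only for the before/after check.

```powershell
# Added example, not part of the thread. Assumed: remote office subnet 10.0.5.0/24,
# pfsense1 LAN address 10.0.1.1, DC interface on 10.0.1.0/24. Run in an elevated
# PowerShell on the DC.
$RemoteSubnet = '10.0.5.0/24'
$PfSense1     = '10.0.1.1'
$RemoteHost   = '10.0.5.10'   # any address in the remote office, used for the before/after check

# 'route print' equivalent: the interface index of the NIC that sits on pfsense1's LAN
$Nic = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -like '10.0.1.*' } |
    Select-Object -First 1
$Nic | Format-Table InterfaceIndex, InterfaceAlias, IPAddress -AutoSize

# Which route (and so which NIC) the DC picks for the remote office right now.
# Without a specific route a dual-homed DC falls back to its default gateway,
# which may be on the other NIC, so replies to 10.0.5.x never reach pfsense1.
Find-NetRoute -RemoteIPAddress $RemoteHost | Format-List

# Test first with an active-only route (like 'route add' without -p: gone after reboot)
New-NetRoute -DestinationPrefix $RemoteSubnet -InterfaceIndex $Nic.InterfaceIndex `
             -NextHop $PfSense1 -RouteMetric 20 -PolicyStore ActiveStore
Test-NetConnection -ComputerName $RemoteHost -TraceRoute

# If that fixes it, make the route survive reboots (the -p equivalent):
# drop the test route and re-add it; New-NetRoute without -PolicyStore writes
# to both ActiveStore and PersistentStore.
Remove-NetRoute -DestinationPrefix $RemoteSubnet -InterfaceIndex $Nic.InterfaceIndex `
                -NextHop $PfSense1 -Confirm:$false
New-NetRoute -DestinationPrefix $RemoteSubnet -InterfaceIndex $Nic.InterfaceIndex `
             -NextHop $PfSense1 -RouteMetric 20

# Confirm the persistent copy exists
Get-NetRoute -DestinationPrefix $RemoteSubnet -PolicyStore PersistentStore
```

    The before/after Find-NetRoute and Test-NetConnection output is what tells you whether the second NIC was the problem: if the trace leaves through an interface other than the one on 10.0.1.x before the route is added, DNS replies from the DC were going out the wrong way even though the DC itself received the queries.
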



  • Thanks a lot viragomann

    To get this to work, I ended up providing the domain name (factory.local) to my remote office DHCP clients so those client PCs can resolve short (NetBIOS) names as well as FQDNs for our local domain. I put the main office DNS server IP (10.0.1.20) at the top of the list in General->Setup on the remote office pfSense machine (as you suggested).

    So now remote office client PCs can join the main office domain and are listed in AD DNS with 10.0.5.x addresses :)

    I did not use the DNS Forwarder… do I really have to use the DNS Forwarder? I think AD client PCs are better left with their "natural" AD DNS server for name resolution...

    Question: we have an extra subnet in the main office (10.0.3.0/24) used for IP phones… Is it possible to connect that subnet through our VPN connection? We need to install a few IP phones in the remote office location.

    I tried adding extra gateways and static routes on pfSense - nothing works... Please advise  :)