Site-to-Site-OpenVPN: Hostname Resolution of the Remote Clients



  • Dear folks,

Site A and Site B are connected to each other using the OpenVPN shared key method.

I would like to make it possible for Site A to resolve hostnames of Site B and for Site B to resolve hostnames of Site A, e.g.:

    Site A (Main Site):
    pfSense Box: 192.168.1.1
    Server: sunflower.garden.tld; 192.168.1.10

    Site B (Remote Site): 192.168.2.0
    -> Connecting to sunflower.garden.tld should lead to 192.168.1.10

I tried to specify at the host site:

    push "dhcp-option DNS 192.168.1.1";

However, hostname resolution does not work. I also tried specifying additional DNS servers (192.168.1.1) at the client site, but this didn't help either.

    Are there any other options / methods to resolve hostnames I didn't consider?

    Thanks so much for your help!


  • LAYER 8 Netgate

    Your issue is not in OpenVPN, but in DNS.

The DNS forwarder is generally more flexible here because in each domain override you can specify a source interface. You have to specify a source interface that will be interesting to OpenVPN.

    Switch both sites to DNS forwarder. Or at least Site B.

    Put host overrides for hosts in the garden.tld domain on Site A.

    On site B configure all the clients to use the local DNS forwarder.

    Place a domain override there:

    Domain: garden.tld
    IP Address: address at site A that will both respond to DNS queries and is a remote network from the perspective of site B's OpenVPN
    Source IP: An address on the pfSense B firewall that is a local network from the perspective of OpenVPN, like the LAN address.



  • Hey Derelict,

    thanks for this hint. I didn't think of it!

    I disabled DNS Resolver at both Sites and switched to DNS Forwarder.

I configured both sites' DNS Forwarders as follows:

    | Enable DNS forwarder | Checkmark |
    | DHCP registration | Checkmark |
    | Static DHCP | Checkmark |
    | Prefer DHCP | blank |
    | DNS Query Forwarding | blank |
    | Listen Port | blank (53) |
    | Interfaces | All |
    | Strict binding | blank |
    | Custom Options | blank |

    At the remote Site B (192.168.2.x), I added a Domain Override:

    | Domain | garden.tld |
    | IP address | 192.168.1.1 (this is IP address of pfSense Box at Main Site A) |
    | Source IP | 192.168.2.1 (this is local IP address of pfSense Box at Remote Site B) |

    At the main Site A (192.168.1.x), I added a Host Override:

    | Host | Hostname-of-Router-for-Testing-Purpose (just the name, nothing else) |
    | Domain | garden.tld |
    | IP address | 192.168.2.1 (this is local IP address of pfSense Box at Remote Site B; this IP address is directly accessible via VPN) |

Note: Generally, all 192.168.1.x or 192.168.2.x IP addresses are reachable from both sites flawlessly.

However: Is there anything I forgot or configured incorrectly? Right now hostname resolution is still not working…

    Thank you!


  • LAYER 8 Netgate

    How are you testing? (from where, to where, what are you trying to look up?)

    What are the configured DNS servers on the host you are testing from?

    What are the search domains configured on the host you are testing from? etc.



  • Dear Derelict,

I made the following test:

    Remote Site B, pfSense Box, Diagnostics -> DNS Lookup:

    | Hostname: | name-of-pfsense-box.garden.tld |

It takes some time until I receive the following output:

| Result | Record Type |
| 80.x.y.z | A |
| 62.x.y.z | A |

The IP address of main site A is, however, a different one!

Below this table, it shows the timings of the name servers. However, I don't see any name server of the remote OR main site in here, except 127.0.0.1 (and additionally the two name servers from my ISP).

Furthermore, while at remote Site B, I tried opening Firefox and typing:
https://hostname-of-pfSense-Box-At-Main-Site-A.garden.tld
However, this resulted in an error "Page cannot be displayed".

So, this means that while at Remote Site B, I tried to look up the hostname of the pfSense box of main Site A, for which I configured a host override at main site A.

    What do you mean exactly with "search domains"? Do I have to do some additional configuration? (Note: I added Domain Override at remote Site B).

    Thanks so much for your quick replies! :)


  • LAYER 8 Netgate

    What are the configured name servers in System > General Setup?

    You need to have at least some understanding of DNS troubleshooting and how it all works to have a prayer of making this happen and maintaining it yourself unless you want to hire a flake every time you have a problem.

    Hint: Don't test from the firewall itself. Test from the hosts on LAN who are configured to use the DNS forwarder on pfSense to resolve names.

    Or ssh into the device and drill @localhost host.garden.tld



Yeah, I know this… I still have to learn a lot of this whole stuff... I recently bought a book regarding VLANs - it's quite a lot you need to know about it, so my respect to people like you who manage pfSense, and I really appreciate your guides and tips! So thanks at this point!

For testing purposes, at Remote Site B, I entered the IP address (from the perspective of the VPN) of the pfSense box of Main Site A.

So on the index page of Remote Site B, system information, my list of DNS servers looks as follows:

    • 127.0.0.1

    • ISP DNS IP #1

    • ISP DNS IP #2

    • 192.168.1.1 (IP of Main Site A)

    The last entry is configured as (System -> General Setup):

    DNS Server 1, 192.168.1.1, WAN_PPPOE - wan - IP address

Thanks again for any help! I tried to resolve the pfSense box hostname of the Main Site (while at Remote Site B) via ping from a client computer here; however, it doesn't work either. Do I need to configure a special interface for DNS Server Settings #1 (System -> General Setup), or do I have to explicitly force clients to use this DNS by checking or configuring a certain option? As mentioned, I just enabled DNS Forwarder…
There is no checkmark at "Disable DNS Forwarder" (System -> General Setup).



  • Guys, it's working now…

    Originally, I inserted the host override on the Main Site.
    I deleted it and inserted the host override on the Remote Site.

    So the Remote Site now has the Domain Override as well as the Host Override. And it's working. :)

    I also had a look at https://forum.pfsense.org/index.php?topic=98198.0

    So thanks once again for your help! It's nice! :)


  • LAYER 8 Netgate

    That doesn't sound like it's working at all. It sounds like it is worked-around.



  • Hey,

okay, you're right… The more sites that are added to the VPN, the more complex it becomes, because each site has to be configured separately... So I started reconfiguring it from scratch.

    So I started trying it again... First, to answer your questions:

    How are you testing? (from where, to where, what are you trying to look up?)

I was testing from a Windows computer at each site. At each site, the computer is in the same subnet as the pfSense router.

    What are the configured DNS servers on the host you are testing from?

When looking at System -> General Setup of both pfSense boxes, no additional DNS servers are provided. All DNS server input fields are empty. However, there is a checkmark at "Allow DNS server list to be overridden by DHCP/PPP on WAN".

When typing "ipconfig /all" at any Windows computer, the pfSense IP address is configured as DNS server (e.g. 192.168.1.1).

    What are the search domains configured on the host you are testing from? etc.

On the Windows computers, the option is set to receive the DNS server list automatically (DHCP enabled). There are no additional DNS servers entered in the adapter settings of the Ethernet controller.
This means the only DNS server a computer from subnet 192.168.2.0/24 is using is the pfSense box 192.168.2.1.
Computers in the subnet 192.168.1.0/24 are using pfSense box 192.168.1.1 as DNS server.

When at the remote site and trying to access the pfSense box of the main site, pfsense.garden.tld, I have the impression that the local pfSense router is asked "what's the address of remote/main site pfsense.garden.tld", but the local pfSense doesn't know about it? The Windows command prompt shows:

    C:\Users\Administrator>ping pfsense.garden.tld
    Ping request could not find host pfsense.garden.tld. Please check the name and try again.

For testing purposes, at the remote site, I don't have any host override configured right now. The only thing I configured at the remote site is a domain override with the following parameters:

    Domain: garden.tld
    IP address: 192.168.1.1
    Source IP: 192.168.2.1

At the main site I have configured a Domain Override and a Host Override:

    Domain Override:
    Domain: domain-of-remote-site.tld
    IP address: 192.168.2.1
    Source IP: 192.168.1.1

    Host Override:
    Host: pfsense
    Domain: garden.tld
    IP address: 192.168.1.1

According to https://forum.pfsense.org/index.php?topic=98198.0 it should even work without entering host overrides and just using domain overrides… All Windows computers on each site are using the pfSense router in the same subnet as DNS server - however, pfSense doesn't know about the remote hostnames - although domain overrides are configured!

    EDIT:

    I changed my config from DNS forwarder to DNS resolver. I only have domain overrides (no host overrides) and it seems it's finally working now! Cool :) Thanks for your help so far! That's extremely nice when I don't have to configure host overrides! :)
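To make the resolution path in this thread concrete, here is an added, constructed model (not pfSense code and not any poster's configuration) of how a LAN client's query travels through domain and host overrides across the tunnel. It covers three things the thread touches: Derelict's point that the domain override's Source IP must be an address the tunnel treats as a local network, the "worked-around" setup where the host overrides were moved to the remote site, and the final layout where each domain's hosts are defined once at their own site. The site names A/B/C, the third site 192.168.3.0/24, the hostnames and the WAN address 203.0.113.5 are assumptions used only for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed model of DNS host/domain overrides across a site-to-site
# OpenVPN tunnel. Added example, not pfSense code; the site names, the
# 192.168.3.0/24 third site and the 203.0.113.5 WAN address are assumptions.


class Tunnel:
    """A shared-key site-to-site tunnel only carries packets whose source is
    in the site's local networks and whose destination is in its remote ones."""

    def __init__(self, routes):
        self.routes = {
            site: ([ip_network(n) for n in local], [ip_network(n) for n in remote])
            for site, (local, remote) in routes.items()
        }

    def carries(self, site, src, dst):
        local, remote = self.routes[site]
        src, dst = ip_address(src), ip_address(dst)
        return any(src in n for n in local) and any(dst in n for n in remote)


class Forwarder:
    """One firewall's DNS forwarder: host overrides are answered directly,
    domain overrides forward the query to another server from a chosen
    source IP (the "Source IP" field of a pfSense domain override)."""

    def __init__(self, site, ip, host_overrides=None, domain_overrides=None):
        self.site, self.ip = site, ip
        self.host_overrides = dict(host_overrides or {})      # fqdn -> ip
        self.domain_overrides = dict(domain_overrides or {})  # domain -> (target, source)

    def resolve(self, name, net, trail=None, depth=0):
        trail = [] if trail is None else trail
        name = name.lower().rstrip(".")
        if depth > 4:  # guard against two sites overriding towards each other
            trail.append(f"{self.site}: forwarding loop, giving up")
            return None, trail
        if name in self.host_overrides:
            trail.append(f"{self.site}: host override answers")
            return self.host_overrides[name], trail
        # the longest matching domain override wins
        for dom in sorted(self.domain_overrides, key=len, reverse=True):
            if name == dom or name.endswith("." + dom):
                target, source = self.domain_overrides[dom]
                if not net.tunnel.carries(self.site, source, target):
                    trail.append(f"{self.site}: {source}->{target} is not routed over the VPN")
                    return None, trail
                trail.append(f"{self.site}: domain override {dom} -> {target} (src {source})")
                return net.servers[target].resolve(name, net, trail, depth + 1)
        trail.append(f"{self.site}: no override, query would go to the ISP upstream")
        return None, trail


class Network:
    def __init__(self, tunnel, servers):
        self.tunnel = tunnel
        self.servers = {s.ip: s for s in servers}

    def lookup_from(self, resolver_ip, name):
        """A LAN client asks the forwarder it received from DHCP."""
        return self.servers[resolver_ip].resolve(name, self)


GARDEN_HOSTS = {"pfsense.garden.tld": "192.168.1.1", "sunflower.garden.tld": "192.168.1.10"}


def build(site_a_hosts, site_b_hosts, b_source_ip="192.168.2.1"):
    tunnel = Tunnel({"A": (["192.168.1.0/24"], ["192.168.2.0/24", "192.168.3.0/24"]),
                     "B": (["192.168.2.0/24"], ["192.168.1.0/24"]),
                     "C": (["192.168.3.0/24"], ["192.168.1.0/24"])})
    fw_a = Forwarder("A", "192.168.1.1", host_overrides=site_a_hosts)
    fw_b = Forwarder("B", "192.168.2.1", host_overrides=site_b_hosts,
                     domain_overrides={"garden.tld": ("192.168.1.1", b_source_ip)})
    fw_c = Forwarder("C", "192.168.3.1",
                     domain_overrides={"garden.tld": ("192.168.1.1", "192.168.3.1")})
    return Network(tunnel, [fw_a, fw_b, fw_c])


def correct_setup():
    """garden.tld hosts are defined once, at site A; site B just forwards there."""
    return build(GARDEN_HOSTS, {}).lookup_from("192.168.2.1", "sunflower.garden.tld")


def wan_source_setup():
    """Same, but the domain override's Source IP is B's WAN address (constructed)."""
    return build(GARDEN_HOSTS, {}, b_source_ip="203.0.113.5").lookup_from(
        "192.168.2.1", "sunflower.garden.tld")


def workaround_setup():
    """Host overrides moved from A to B: B answers by itself, but a third
    site C that forwards garden.tld to A gets nothing, so every site needs a copy."""
    net = build({}, GARDEN_HOSTS)
    return (net.lookup_from("192.168.2.1", "sunflower.garden.tld"),
            net.lookup_from("192.168.3.1", "sunflower.garden.tld"))


if __name__ == "__main__":
    for label, result in [("correct", correct_setup()), ("wan source", wan_source_setup()),
                          ("workaround", workaround_setup())]:
        print(label, result)
```

Running the script prints the answer and the hop-by-hop trail for each scenario. The trail is the part worth reading: it shows why a query sourced from a WAN-side address never reaches the other site even though every LAN address is reachable over the tunnel, and why copying host overrides to the remote site only looks like a fix until a further site is added.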

