DNS resolution through VPN isn't working
Hi there,
I know it must be the millionth time this has been asked, but in my defense I have to tell you I've been trying to solve this problem since 2011 (!) on many different VPN configs and I couldn't get it to work, not a single time. No matter how much effort I put into reading, learning, watching tutorials over and over again, just to throw everything away after two weeks of trying. So here it goes, I really hope you can help me out.
My setup:
Network (A): 192.168.44.0/24, local domain: domain1.lan
Network (B): 192.168.5.0/24 local domain: domain2.lan
VPN Network: 192.168.70.0/24
Network (A) has an OpenWRT router (A) that works as DHCP, DNS, Internet access, etc. -server for network (A) and has the IP address 192.168.44.1.
My pfsense is serving as an OpenVPN Server with the address 192.168.44.2. I completely disabled the internal firewall in pfsense since I don't need it (I just wanted a fancy Web Interface for the OpenVPN server with a client export function); no DNS or DHCP server has been set up on it.

Network (B) has an OpenWRT router (B) as well with the same function as the router from network (A) (DHCP, DNS, Internet, etc.) with IP address 192.168.5.1.
I want the router (B) on Network (B) to act as the OpenVPN Client.
To that point my VPN is working great, I can connect router (B) to my VPN server in network (A), I can access shares etc, that's working fine.
The only thing that's missing is DNS resolution on a client that is in Network (B), e.g. when I'm working on 192.168.5.120 I can connect to 192.168.44.100 but only via IP address, not via hostname (and that sh*t is freaking me out). Ping says "unknown host", nslookup wrongly asks 192.168.5.1, not 192.168.44.1 like I want it to.

The thing is: when I'm connecting a client directly to the VPN (e.g. from 192.168.5.120 via client software Tunnelblick, Viscosity, OpenVPN GUI etc.) the DNS resolution works flawlessly. I can resolve hostnames both of network (A) AND network (B).
So I'm coming to the conclusion that my server and client configs are actually working.

My goal is to have a 24/7 VPN connection from network (B) to network (A) and every client on network (B) shall be able to access machines in 192.168.44.0 - but "native" without the use of any client application. I have about 120+ clients on network (B) and I don't want to configure 120 VPN clients.

I read a lot about DNS forwarding, DNS resolvers etc. but I have absolutely no clue where I should start (besides trial and error).

One thing is really important: While connected to the VPN it must be ensured that clients from network (B) can resolve hostnames on both networks.
Some years ago I already had something like a "half solution" with a working DNS resolution but only for resolving hostnames on network (A). When connected to the VPN machines on network (B) couldn't resolve hostnames on network (B) any more.
Viscosity has a quite nice feature called "Split DNS" that uses 192.168.44.1 only for hostnames located on network (A) and 192.168.5.1 for everything else. I don't know if it's possible to do it like that on a router like in my scenario.

Sorry for this long text but I hope my problem is comprehensible now.

Any help is really appreciated.

client.ovpn
dev tun
persist-tun
persist-key
pull
cipher AES-256-CBC
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA1
tls-client
client
resolv-retry infinite
remote dyndns.networka.com 6655 udp
auth-user-pass
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
xxxxxxx
-----END CERTIFICATE-----
</ca>
setenv CLIENT_CERT 0
key-direction 1
<tls-auth>
# 2048 bit OpenVPN static key
-----BEGIN OpenVPN Static key V1-----
xxxxxxxx
-----END OpenVPN Static key V1-----
</tls-auth>

server.ovpn
verb 1
dev-type tun
dev-node /dev/tun1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA1
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
local 192.168.44.2
tls-server
server 192.168.70.0 255.255.255.0
client-config-dir /var/etc/openvpn/server1/csc
verify-client-cert none
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user xxxxxxxxxxx= false server1 6655
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'OpenVPN+Server' 1"
lport 6655
management /var/etc/openvpn/server1/sock unix
max-clients 40
push "route 192.168.44.0 255.255.255.0"
push "dhcp-option DOMAIN domain1.lan"
push "dhcp-option DNS 192.168.44.1"
push "register-dns"
client-to-client
duplicate-cn
capath /var/etc/openvpn/server1/ca
cert /var/etc/openvpn/server1/cert
key /var/etc/openvpn/server1/key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server1/tls-auth 0
ncp-ciphers AES-256-GCM:AES-128-GCM
persist-remote-ip
float
topology subnet
fast-io

Add a domain override for network A to your DNS server in network B, so that DNS requests for hosts within that domain are forwarded to the DNS server in A. Allow DNS access from site B.
Then you should be able to resolve the hosts in A by <host-name.domain>.
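The domain override the answer describes, modelled as an added example (not code from this thread, from dnsmasq or from OpenWrt): on an OpenWrt router the DNS server is dnsmasq, and a `server=/domain1.lan/192.168.44.1` line makes it forward everything under domain1.lan to router (A), while names in domain2.lan are still answered by router (B) itself, which is exactly the "Split DNS" behaviour Viscosity does on a single client. The script below writes those dnsmasq lines for the thread's addresses and then applies dnsmasq's longest-suffix matching rule to sample queries, including reverse (PTR) lookups for 192.168.44.x, which need a matching `rev-server=` line or they also end up at the wrong server. The IP addresses and domain names are the ones from the thread; the helper names and the "router-b-local" label for router (B)'s own resolution are this example's assumptions.

```python
"""Split-DNS forwarding model for the thread's two-site setup (added example).

Models how dnsmasq picks an upstream once 'server=/domain/ip' and
'rev-server=subnet,ip' overrides are configured: the longest matching zone
suffix wins, an override with an empty upstream means "use the default", and
anything matching no zone stays with the default resolver.
"""
import ipaddress

# Addressing plan taken from the thread.
SITE_A_DOMAIN = "domain1.lan"
SITE_A_SUBNET = "192.168.44.0/24"
SITE_A_DNS = "192.168.44.1"       # OpenWrt router (A), reachable over the VPN
# Label for "router (B) answers this itself (DHCP leases / its normal upstream)";
# the label is this example's assumption, not a dnsmasq value.
DEFAULT_UPSTREAM = "router-b-local"


def dnsmasq_override_lines(domain, subnet, dns):
    """dnsmasq.conf lines that send a site's forward zone and its reverse zone
    to that site's DNS server (real dnsmasq syntax)."""
    return [
        f"server=/{domain}/{dns}",
        f"rev-server={subnet},{dns}",
    ]


def reverse_zone(subnet):
    """in-addr.arpa zone for an octet-aligned IPv4 prefix; this is what
    dnsmasq expands a rev-server= line into."""
    net = ipaddress.ip_network(subnet)
    if net.version != 4 or net.prefixlen % 8 != 0:
        raise ValueError("only octet-aligned IPv4 prefixes are modelled here")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def parse_overrides(lines):
    """Turn server=/rev-server= lines into a {zone: upstream-or-None} table."""
    table = {}
    for line in lines:
        if line.startswith("server=/"):
            _, zone, upstream = line.split("/", 2)
            table[zone.lower()] = upstream or None   # empty -> default upstream
        elif line.startswith("rev-server="):
            subnet, upstream = line[len("rev-server="):].split(",", 1)
            table[reverse_zone(subnet)] = upstream
    return table


def choose_upstream(qname, table, default):
    """Longest-suffix match as dnsmasq does it: 'nas.domain1.lan' matches the
    'domain1.lan' zone, 'printer.domain2.lan' matches nothing."""
    name = qname.rstrip(".").lower()
    best = None
    for zone in table:
        if name == zone or name.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best is None or table[best] is None:
        return default
    return table[best]


def ptr_name(ip):
    """Query name a resolver sends for a reverse lookup of an IPv4 address."""
    return ipaddress.ip_address(ip).reverse_pointer


def site_b_override_table():
    """Override table router (B) needs so domain1.lan and 192.168.44.0/24
    reverse lookups go to router (A) while everything else stays local."""
    lines = dnsmasq_override_lines(SITE_A_DOMAIN, SITE_A_SUBNET, SITE_A_DNS)
    return parse_overrides(lines)


if __name__ == "__main__":
    for line in dnsmasq_override_lines(SITE_A_DOMAIN, SITE_A_SUBNET, SITE_A_DNS):
        print(line)
    table = site_b_override_table()
    # Constructed sample queries from a client on network (B).
    for q in ("nas.domain1.lan", "printer.domain2.lan",
              ptr_name("192.168.44.100"), ptr_name("192.168.5.120")):
        print(f"{q:32s} -> {choose_upstream(q, table, DEFAULT_UPSTREAM)}")
```

On OpenWrt the first line is normally added as `uci add_list dhcp.@dnsmasq[0].server='/domain1.lan/192.168.44.1'` followed by a dnsmasq restart; where the `rev_server` UCI list is not available, the reverse zone can be written in the same `server` form as `/44.168.192.in-addr.arpa/192.168.44.1`. The "allow DNS access from site B" half of the answer is about router (A): it must accept queries whose source is the tunnel (192.168.70.0/24) or the site B LAN rather than its own subnet (OpenWrt's dnsmasq is restricted to local subnets by default via `localservice`), and it needs a route back to those networks via the pfSense box at 192.168.44.2, otherwise the reply never leaves network (A).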