FQDN



  • Hello,

    I have a Remote Access OpenVPN setup and working however when trying to map a network drive it's forcing me to use the FQDN of the server instead of just the computer name like normal.

    Example: DC1.domainname.local - works
    Example: DC1 - does not

    On the tunnel settings I have a DNS server specified and Block outside DNS turned on. Any ideas?


  • LAYER 8 Netgate

    That is the default domain. That is pushed using this in the OpenVPN server:


    As with most pushed settings it is up to the client to honor it and use it properly.



  • @Derelict so I do specify the domain name as well. When you say honor, do you mean forcing DNS suffixes elsewhere on the device?


  • LAYER 8 Netgate

    When a host wants to resolve a name it appends a default domain to its query.

    If its default domain is domainname.local and it wants to resolve hostname host, it submits its query to its configured DNS resolvers as host.domainname.local

    It is completely up to the client to do this.
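    The resolver behaviour described above, as an added example that is not part of the original thread: a small model of how a client appends its default (search) domain before querying DNS, which is why DC1.domainname.local resolves while the bare DC1 fails on a client that has no default domain or ignores the pushed one. The zone contents and host names below are constructed.

```python
# Added example (not from the forum thread): a minimal model of how a stub
# resolver applies its default/search domain before querying DNS.
# The zone data below is constructed for illustration; the names are hypothetical.

CONSTRUCTED_ZONE = {
    "dc1.domainname.local": "10.0.0.10",
    "fileserver.domainname.local": "10.0.0.20",
}


def lookup(fqdn, zone=CONSTRUCTED_ZONE):
    """Authoritative-style lookup: DNS names are case-insensitive, so normalise."""
    return zone.get(fqdn.rstrip(".").lower())


def search_candidates(name, search_domains, ndots=1):
    """Return the list of FQDNs a resolver would try, in order.

    Mirrors the classic resolv.conf rule: a name with fewer than `ndots` dots is
    treated as relative and the search domains are appended first; otherwise the
    name is tried as given first and the search list only as a fallback.
    A trailing dot marks the name as absolute and disables the search list.
    """
    if name.endswith("."):
        return [name]
    appended = [f"{name}.{d}" for d in search_domains]
    if name.count(".") < ndots:
        return appended + [name]
    return [name] + appended


def resolve(name, search_domains=(), ndots=1, zone=CONSTRUCTED_ZONE):
    """Resolve `name` the way a client honouring its default domain would.

    Returns (fqdn_that_answered, address) or (None, None) if nothing matched.
    """
    for candidate in search_candidates(name, list(search_domains), ndots):
        addr = lookup(candidate, zone)
        if addr is not None:
            return candidate.rstrip(".").lower(), addr
    return None, None


if __name__ == "__main__":
    # Client that honours the pushed default domain: the short name works.
    print(resolve("DC1", ["domainname.local"]))
    # Client with no default domain: only the FQDN works.
    print(resolve("DC1"))
    print(resolve("DC1.domainname.local"))
```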



  • @Derelict said in FQDN:

    If its default domain is domainname.local and it wants to resolve hostname host, it submits its query to its configured DNS resolvers as host.domainname.local

    Got it working, thanks everyone!

    Is there a command that can be put in the advanced configuration for disconnecting after a time period?


  • LAYER 8 Netgate

    Probably the client sleeping, power saving, etc. You might need to better-describe what you are actually experiencing.

    There is an automatic renegotiation/reauthentication that happens by default every hour but unless you are using multi-factor authentication, that should be hitless if the client and server are both still communicating.



  • @Derelict said in FQDN:

    There is an automatic renegotiation/reauthentication that happens by default every hour but unless you are using multi-factor authentication, that should be hitless if the client and server are both still communicating.

    Hello,

    We do have it authenticating with AD through RADIUS. Definitely not getting disconnects every hour.

    Looking to add a time limit to disconnect. Thinking that if there's an employee in the field who is released, we would like to know their VPN connection will drop. At that point their AD authentication will no longer work.


  • LAYER 8 Netgate

    As I stated, the connection is re-authenticated every 60 minutes by default. That will hit the RADIUS server again. If the authentication succeeds again the user connection will continue. Logs should be able to be evaluated to determine this is actually occurring to your satisfaction. You can connect a test user then disable it in AD by whatever method you use and see what happens too.

    This time period is controlled on both the server and the client with:

    reneg-sec 3600 (3600 is the default there)
    reneg-sec 0 (disables renegotiation on that side)



  • @Derelict said in FQDN:

    As I stated, the connection is re-authenticated every 60 minutes by default. That will hit the RADIUS server again. If the authentication succeeds again the user connection will continue. Logs should be able to be evaluated to determine this is actually occurring to your satisfaction. You can connect a test user then disable it in AD by whatever method you use and see what happens too.

    I will check that, thanks!

    We are also having an issue where the GUI errors out and we've been able to determine it's because most of our users don't have Administrative privileges on their laptops. I've done some searching and found ways of running the GUI service through scheduled tasks but hopefully someone else has a better option.

    https://forum.netgate.com/topic/115680/openvpn-without-admin-rights-win-7-and-xp-on-pfsense-2-3-3_p1/2


  • LAYER 8 Netgate

    That is almost all taken care of by running current OpenVPN client code on the windows machines.

    If you remove all OpenVPN traces (Add/Remove Programs or whatever it is called these days) and reinstall a configuration export, current code will be installed.

    Or you can manually upgrade OpenVPN on the devices.



  • @Derelict said in FQDN:

    That is almost all taken care of by running current OpenVPN client code on the windows machines.

    So the client version exported from pfSense is 2.4.8-1602-Win10.

    Should this version not have the latest code that fixes the issue?


  • LAYER 8 Netgate

    It does, but it does not automatically update the client host unless you REMOVE what is already there before you run the export. I do not know why that was chosen. Probably considered to be a POLA thing.



  • We are using Revo Uninstaller to remove the client package before re-installing. Should this not be enough? Revo is even finding the registry and remaining files.

