DNS problem with S2S PFSense IPSec, Azure and OpenVPN



  • Dear colleagues, I have a problem with the company related to DNS. Due to the need for quarantine, we had to put our almost 150 employees working remotely. Until today we only had our e-mail service (O365) in the cloud; all the rest of our infrastructure is local (on premises).

    As we are already a Microsoft customer on some Azure products, we built a topology for accessing our services on premises using Azure VPN. Basically I have an S2S IPSec VPN that connects our infrastructure on premises to our tenant at Microsoft. And we also have a P2S VPN gateway for connecting our employees who are at home. The connection between Azure and our on-premises infrastructure is made by a PFSense on the local side and an IPSec Gateway on the Azure side, using the IPSec protocol. On the client side, we have stations with Windows 7 and Windows 10 using the OpenVPN Client connecting to an OpenVPN on Azure Gateway.

    The point is that everything works when we try to reach a server in our infrastructure on premises by IP. But when we try to reach a server by name, there is no DNS resolution. I have already placed our DNS in the Azure settings to be published on client connections, and I have already placed the IP of our local DNS server (on premises) in the .ovpn file. We have not yet tested the configuration of directing all customer traffic through the VPN tunnel. That I believe will be a solution ... but not elegant, because if the customer wants to surf the internet when the VPN is active, his traffic will go through Azure, then to the on-premises network, and then to the internet.

    A point of attention that we have not been able to investigate further is that some customers have IP addresses (assigned by the equipment of their internet provider) that are within the range of our IP addresses on premises. For example, one of our customers has a local address 192.168.0.0/24, which clearly conflicts with our address on premises 192.168.0.0/22. However, these clients are able to reach our servers by IP, but not by name.

    The figure below illustrates this topology.

    Live long and prosper,
    Marcelo Magalhães
    Rio de Janeiro - Brasil

    [Figure: topology diagram (1576467.jpeg)]
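The overlap the post mentions (a home LAN of 192.168.0.0/24 inside the corporate 192.168.0.0/22) is worth checking on its own, because a client host picks the route with the longest matching prefix: the directly connected /24 beats the /22 that OpenVPN pushes for the tunnel, so any on-premises address inside 192.168.0.0/24 is sent to the home LAN and never enters the VPN, while hosts in the other three /24s of the /22 are still reached through the tunnel. If the on-premises DNS server happens to live in the shadowed /24, that would produce exactly the symptom described: servers reachable by IP, names not resolving. The script below is an added example, not code from the post or from pfSense, OpenVPN or Azure; the two subnets come from the post, and the DNS server address 192.168.0.53 and the host list are constructed values for illustration.

```python
import ipaddress

# Values from the post: the corporate range and one client's home LAN.
ONPREM_NET = ipaddress.ip_network("192.168.0.0/22")
CLIENT_LAN = ipaddress.ip_network("192.168.0.0/24")

# Constructed (hypothetical) address for the on-premises DNS server.
DNS_SERVER = ipaddress.ip_address("192.168.0.53")


def build_routes(client_lan, tunnel_nets):
    """Routing table a remote client ends up with: its directly connected
    home LAN plus the networks OpenVPN pushes through the tunnel."""
    routes = [(client_lan, "local LAN")]
    routes += [(net, "vpn tunnel") for net in tunnel_nets]
    return routes


def route_for(dst, routes):
    """Longest-prefix match, the rule every host routing table applies.
    Returns the next hop label, or 'default' when no pushed route matches."""
    best = None
    for net, via in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else "default"


def shadowed_range(client_lan, onprem_net):
    """Part of the on-prem range that the client's home LAN route wins.

    Returns None when there is no overlap or when the tunnel route is the
    more specific one (and therefore wins). An equal-length prefix is a tie
    that the interface metric decides, so it is reported as at risk."""
    if not client_lan.overlaps(onprem_net):
        return None
    if client_lan.prefixlen >= onprem_net.prefixlen:
        return client_lan
    return None


def check_reachability(hosts, client_lan, onprem_net):
    """Map each destination to the path a client on client_lan would use."""
    routes = build_routes(client_lan, [onprem_net])
    return {str(h): route_for(ipaddress.ip_address(h), routes) for h in hosts}


if __name__ == "__main__":
    # Constructed sample destinations: the DNS server, a file server in an
    # unshadowed /24 of the corporate range, and a public address.
    sample = ["192.168.0.53", "192.168.1.10", "8.8.8.8"]
    for host, path in check_reachability(sample, CLIENT_LAN, ONPREM_NET).items():
        print(f"{host:>14} -> {path}")
    shadow = shadowed_range(CLIENT_LAN, ONPREM_NET)
    if shadow is not None:
        print(f"home LAN {CLIENT_LAN} shadows {shadow} of {ONPREM_NET}")
        if DNS_SERVER in shadow:
            print(f"DNS server {DNS_SERVER} is unreachable through the tunnel")
```

Run against the post's two subnets, this reports that 192.168.0.0/24 of the corporate range is shadowed on such a client, that a host in 192.168.1.0/24 still goes through the tunnel, and that a DNS server inside the shadowed /24 would be unreachable. Two things on the client side are then worth confirming independently of the overlap: that the OpenVPN server actually pushes the resolver (`dhcp-option DNS <address>` together with a `dhcp-option DOMAIN` for the internal suffix) and, on Windows, that `block-outside-dns` is set, since otherwise Windows may keep sending queries to the ISP resolver on the physical adapter even though the tunnel resolver was pushed correctly.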