accessing work VM through a VPN
-
So I just set up pfSense a few days ago and I am slowly setting things up. The biggest problem I have encountered so far is with my work VPN. To work I need to access my workplace network with a VPN and then log into a VM with a Horizon client.
I can reach the network with the vpn just fine. I get a local IP for my client in the 10.0.10.0/24 range.
For the VM, I need to access a domain that has a public record with a local IP in the 192.168.48.0/24 range.
With my ISP router I can reach it, but with my pfSense my Horizon client tells me it could not resolve the domain.
From this error I would suspect a DNS problem, but I am using the same DNS for both DHCP, Cloudflare and Google (1.1.1.1 - 8.8.8.8), and my VPN does not seem to provide a DNS when I look at my interfaces with ipconfig. My second guess is that it is a routing problem: my network uses 192.168.200.0/24 for wireless devices and 192.168.88.0/21 for my Ethernet devices. I don't think any of those subnets collide with my work's subnet, so I am not sure that is the problem...
So I have two guesses, but I am not sure how to proceed with the troubleshooting part. Is there any tool on pfSense I could use to look at what is happening in the network's traffic? Or maybe a tool on Windows itself.
If you have any guess as to what might be happening, or want to ask me for information about how I set up pfSense, I am all ears.
I will keep digging on my side; hopefully I will be able to find the solution that will let me use pfSense full-time.
-
@bebewold if you're on, say, a work laptop or something, VPN to work - pfSense would have zero to do with you connecting to something through the VPN.
Not sure how you're doing DNS, but normally once you connect to a work VPN, the DNS would be handled through the VPN to work. I.e. you would talk to a work DNS through the VPN. So pfSense would have nothing to do with that either.
I mean, what would be the point of a VPN if you cannot resolve private resources via DNS? But if you're asking pfSense for DNS, and the answer is RFC1918, then yeah, that wouldn't be allowed because it would be a rebind.
-
@johnpoz I just found the source of the problem: I'm not sending any DNS queries through the VPN, it does it all through my normal connection.
How my DNS was set up is that my DHCP had my pfSense IP as a DNS, and in DNS Resolver I checked the option to forward queries that had no record to the DNS in general setup (1.1.1.1 8.8.8.8), which I thought would act as a forwarder, but it seems like I was wrong. From the answer of nslookup I'm getting, DNS Resolver seems to answer with a not found instead of forwarding it.
In the meantime I set up a secondary DNS to Cloudflare and I am going to look into how to set up the forwarder.
-
@bebewold not sure how some public DNS like Google would have the RFC1918 resources of your work in them..
Normally when you connect to a work VPN, so you can access stuff at work, you would use an NS through the VPN that knows the work resources.
-
@johnpoz It is not secure, I agree with you. If I was managing it, I would have a local DNS in my work's network and have the DNS be made through the VPN, but that is not how they set it up.
I think I found why it was not working: I had the forwarded requests sent with DoT. In my general setup I had the DNS's IP but not the hostname. It worked when I unchecked the option to forward with DoT.
Also, I just added the hostname, so I'll test it out tomorrow, but I don't see why it would not work.
-
@bebewold said in accessing work VM through a VPN:
but I don't see why it would not work
For starters it's a rebind.. Did you set whatever your work domain is up as private?
https://docs.netgate.com/pfsense/en/latest/services/dns/rebinding.html#dns-rebinding-protections
Security has little to do with it, to be honest.. It has never been best practice to put RFC1918 in public DNS..
Do they not even run a local DNS at your work?
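-
Added example, not part of any post in this thread and not pfSense or Unbound code: a simplified Python model of the rebinding filter discussed above, showing why a public record that points at 192.168.48.0/24 is dropped by the resolver until the domain is marked private. The hostname, the address and the function names are constructed for illustration, and the model assumes only the three RFC1918 ranges are filtered.

```python
import ipaddress

# Ranges treated as private in this model (assumption: RFC1918 only).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    """True if addr is an IPv4 address inside an RFC1918 range."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def in_private_domain(qname, private_domains):
    """True if qname equals, or is a subdomain of, an exempted domain."""
    name = qname.rstrip(".").lower()
    for dom in private_domains:
        dom = dom.rstrip(".").lower()
        if name == dom or name.endswith("." + dom):
            return True
    return False


def filter_answer(qname, addresses, private_domains=()):
    """Addresses a rebind-protecting resolver would hand to the client."""
    if in_private_domain(qname, private_domains):
        return list(addresses)
    return [a for a in addresses if not is_rfc1918(a)]


def diagnose(qname, addresses, private_domains=()):
    """Classify the outcome, for comparing with what nslookup shows."""
    kept = filter_answer(qname, addresses, private_domains)
    if not addresses:
        return "upstream returned no records"
    if not kept:
        return "blocked: every address is RFC1918 (rebind protection)"
    if len(kept) < len(addresses):
        return "partial: private addresses stripped"
    return "passed"


# Constructed sample data (hypothetical work hostname and address).
SAMPLE_NAME = "horizon.corp.example"
SAMPLE_ANSWER = ["192.168.48.25"]

if __name__ == "__main__":
    print(diagnose(SAMPLE_NAME, SAMPLE_ANSWER))                    # no exemption
    print(diagnose(SAMPLE_NAME, SAMPLE_ANSWER, ["corp.example"]))  # domain marked private
```

Comparing `nslookup` against the pfSense address and directly against 1.1.1.1 separates the two cases: if the public resolver returns the private address and pfSense does not, the filter is what dropped the answer.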