Netgate Discussion Forum

Re: OpenVPN on pfSense - Installation guide for Dummies [DNS-problem] [solved]

19 Posts 3 Posters 16.6k Views
    alphazo
    last edited by Dec 22, 2009, 1:41 PM

    One last question (in fact three) regarding DNS.

    1. Can I resolve machine names on the client side? For example http://myserver that is remotely located on 192.168.0.10. Or do I have to add entries to my hosts file?
    2. Can I remotely browse samba shares without knowing their IP address?
    3. Can I force all internet traffic on the client to go through the tunnel?

    Thank you
    alphazo

      GruensFroeschli
      last edited by Dec 22, 2009, 5:52 PM Dec 22, 2009, 5:45 PM

      1: You can push a DHCP-option (in your case you need DNS) you control locally to the client. Since the client now resolves its names over this DHCP, you control to what it resolves.
      2: Not without setting up a WINS server.
      3: Yes.

      We do what we must, because we can.

      Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

        alphazo
        last edited by Dec 22, 2009, 5:50 PM

        For 1. do you mean DNS?

        I don't know if there is any quick answer but how do you do 1. and especially 3. ?

        Thanks
        Alphazo

          GruensFroeschli
          last edited by Dec 22, 2009, 5:52 PM

          Yes ^^"
          Wrote only half of what i thought :D

          We do what we must, because we can.

          Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

            alphazo
            last edited by Dec 22, 2009, 10:10 PM

            I found this post that should solve my problem.

            http://forum.pfsense.org/index.php/topic,4355.msg50978.html#msg50978

            For me, changing to "Manual Outbound NAT rule generation" did the trick. What I did to make it work was NAT-ing my OpenVPN subnet (192.168.113.0/24) to WAN. That is... to begin with I had a working OpenVPN server for Road Warriors and what I had to do to tunnel all traffic was:

            1. Add the following lines of configuration to the OpenVPN "Custom Options":

               ```
               push "dhcp-option DNS 192.168.110.1";
               push "redirect-gateway local def1";
               ```

            2. Change to "Manual Outbound NAT rule generation" and NAT the Road Warrior subnet to WAN (and all other interfaces...).

            My LAN is 192.168.0.0/24 and VPN 192.168.100.0/24. I use the new filtering option found in 1.2.3. I have OPT1 connected to tun7 (VPN; tun7 is forced in OpenVPN custom options by "dev tun7") and have automatic VPN rules disabled. Finally I have some rules on OPT1 to allow traffic to the LAN.

            What do I have to use for the DNS line?

            Moreover, the section on outbound NAT is obscure to me. I understand that I have to go to manual outbound NAT generation. But do I have to create an outbound NAT rule for each interface (WAN, LAN and OPT (VPN))? Can someone guide me through the steps required to set it up?

            
            - Interface: WAN/LAN/OPT1
            - Source:
              - Type: any/network
              - Address:
              - Source port:
            - Destination:
              - Type: any/network
              - Address:
              - Destination port:
            - Translation:
              - Address: Interface address/any
              - Port:
              - Static port:
            

            Thank you
            Alphazo

              GruensFroeschli
              last edited by Dec 22, 2009, 11:18 PM

              AoN rules define how traffic is NATed.

              Generally you only want traffic NATed to the WAN.
              I use in my private home setup a single rule with:
              WAN    any  *  *  *  *  *  NO
              Meaning i NAT everything to the WAN.

              Of course you could create an AoN rule for each subnet you have.
              The rules would look like:
              WAN    subnet_A  *  *  *  *  *  NO
              WAN    subnet_B  *  *  *  *  *  NO
              WAN    subnet_C  *  *  *  *  *  NO
              etc.

              We do what we must, because we can.

              Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                XZed
                last edited by Dec 22, 2009, 11:34 PM

                Hello,

                I'm using this howto with success on some pfSense setups (also: http://doc.pfsense.org/index.php/VPN_Capability_OpenVPN )...

                Meanwhile, I have two problems/requests:

                1. When setting up OpenVPN manually (on a classic Linux box), I could use "./pkitool --initca --pass" to create a protected CA (so that only someone knowing the passphrase could issue certificates) and create clients...

                With the easy-rsa package content ( http://openvpn.net/index.php/open-source/documentation/miscellaneous/77-rsa-key-management.html ), I don't have the "pkitool" command...

                I read that "pkitool --initca" = "build-ca": does that mean I could use "build-ca --pass" (does it even exist?) in order to create a protected CA?

                Or do you use it differently (the main goal: protect the CA / avoid unauthorized certificate issuing)? How do you protect the CA?

                2. When issuing certificates, I have, at the end, the following message:

                "unable to write random state"

                I think it's due to incorrect HOME / RANDFILE variables in the openssl.cnf file... Well, I didn't change them because I don't know if my thoughts are right or if there are other variables to change...

                By the way, I changed the HOME variable in vars.bat in order to issue certificates...

                Certificates are well issued and work perfectly but this error message remains...

                I wanted to know :

                What is this *.rnd file for? Is it used to generate random data for certificate issuing? In other words: can we simply ignore it?

                Thank you very much,

                XZed

                  alphazo
                  last edited by Dec 23, 2009, 9:01 AM

                  Coming back to my "all traffic via tunnel" question: I've modified my configuration based on the above recommendations, but now the tunnel is broken and I can't even connect to remote machines via their IP addresses.

                  I've added the following to my custom options in the OpenVPN server settings:

                  ```
                  push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
                  ```


                  192.168.0.254 is the address of my pfSense box on the LAN.

                  Then under NAT, I switched to Manual Outbound NAT rule generation and added two rules:

                  
                  ```
                  Interface  Source            Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port
                  WAN        192.168.0.0/24    *            *            *                 *            *         NO
                  WAN        192.168.100.0/24  *            *            *                 *            *         NO
                  ```
                  
                  

                  Under a Windows client, ipconfig returns (note that I now get a default gateway):

                  
                  ```
                  Configuration IP de Windows
                  Carte Ethernet Connexion au réseau local 3:

                          Suffixe DNS propre à la connexion :
                          Adresse IP. . . . . . . . . . . . : 192.168.100.6
                          Masque de sous-réseau . . . . . . : 255.255.255.252
                          Passerelle par défaut . . . . . . : 192.168.100.5

                  Carte Ethernet Connexion au réseau local:

                          Suffixe DNS propre à la connexion : home.internal
                          Adresse IP. . . . . . . . . . . . : 10.0.2.15
                          Masque de sous-réseau . . . . . . : 255.255.255.0
                          Passerelle par défaut . . . . . . : 10.0.2.2
                  ```
                  
                  

                  route print

                  
                  ```
                  ===========================================================================
                  Liste d'Interfaces
                  0x1 ........................... MS TCP Loopback interface
                  0x2 ...00 ff 18 70 d3 86 ...... TAP-Win32 Adapter V9 - Miniport d'ordonnancement de paquets
                  0x10004 ...08 00 27 95 b4 ef ...... Carte AMD PCNET Family Ethernet PCI
                  ===========================================================================
                  ===========================================================================
                  Itinéraires actifs :
                  Destination réseau    Masque réseau  Adr. passerelle   Adr. interface Métrique
                            0.0.0.0          0.0.0.0         10.0.2.2       10.0.2.15       20
                            0.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
                           10.0.2.0    255.255.255.0        10.0.2.15       10.0.2.15       20
                          10.0.2.15  255.255.255.255        127.0.0.1       127.0.0.1       20
                     10.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       20
                          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
                          128.0.0.0        128.0.0.0    192.168.100.5   192.168.100.6       1
                        192.168.0.0    255.255.255.0    192.168.100.5   192.168.100.6       1
                      192.168.100.1  255.255.255.255    192.168.100.5   192.168.100.6       1
                      192.168.100.4  255.255.255.252    192.168.100.6   192.168.100.6       30
                      192.168.100.6  255.255.255.255        127.0.0.1       127.0.0.1       30
                    192.168.100.255  255.255.255.255    192.168.100.6   192.168.100.6       30
                          224.0.0.0        240.0.0.0        10.0.2.15       10.0.2.15       20
                          224.0.0.0        240.0.0.0    192.168.100.6   192.168.100.6       30
                    255.255.255.255  255.255.255.255        10.0.2.15       10.0.2.15       1
                    255.255.255.255  255.255.255.255    192.168.100.6   192.168.100.6       1
                  Passerelle par défaut :     192.168.100.5
                  ===========================================================================
                  Itinéraires persistants :
                    Aucun
                  ```
                  
                  

                  Can someone help me to solve my problem?
                  Thank you
                  Alphazo

                    GruensFroeschli
                    last edited by Dec 23, 2009, 9:11 AM

                    Please elaborate what you mean with "the tunnel is broken".
                    (How do you test?)

                    We do what we must, because we can.

                    Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                      alphazo
                      last edited by Dec 23, 2009, 5:03 PM Dec 23, 2009, 9:16 AM

                      By broken I meant that I can't connect to any remote machine e.g. http://192.168.0.254 (my pfSense web gui).

                      Please forgive my ignorance, in my earlier post I said I put:

                      ```
                      push "dhcp-option DNS 192.168.0.254";push "redirect-gateway local def1";dev tun7;
                      ```

                      Don't you think it should be the following?

                      ```
                      push "dhcp-option DNS 192.168.100.1";push "redirect-gateway local def1";dev tun7;
                      ```

                      192.168.100.0/24 is the subnet of the VPN and 192.168.100.1 is the address of the virtual interface tun7.
                      
                      I tried on both Windows and Linux clients but it still doesn't allow me to reach remote machines on the LAN. On the Windows client I also added the following parameters (from another thread):

                      ```
                      route-method exe
                      route-delay 2
                      ```

                      Alphazo
                      
                      [EDIT]
                      
                      Got it working, at least for Windows clients, by swapping the configuration parameters (redirect-gateway before dhcp-option)
                      
                      My config is now:

                      ```
                      dev tun7;push "redirect-gateway def1";push "dhcp-option DNS 192.168.0.254";
                      ```

                      Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolutions.
                      
                      Now my very last issue is with OpenVPN Linux clients (Arch). When enabling the above configuration I can connect to remote machines via their IP addresses and even reach the tunneled Internet, but only when using IP addresses (e.g. http://208.78.70.70/, which is the IP address for http://checkip.dyndns.org, is tunneled correctly); name resolution doesn't work.
                      
                      Is there anything to do like flushing the DNS cache or starting a command to indicate the new DNS setting following the successful OpenVPN connection?
                      
                      Thank you for your help
                      Alphazo
                        GruensFroeschli
                        last edited by Dec 24, 2009, 9:24 AM

                        Generally i would rather use the LAN IP of the pfSense as DNS server than the OpenVPN interface itself.

                        > Note that I can use either 192.168.0.254 (pfSense LAN address) or 192.168.100.1 (tun7 address) for the dhcp-option and get correct name resolutions.

                        > Now my very last issue is with OpenVPN Linux clients (Arch). When enabling the above configuration I can connect to remote machines via their IP addresses and even reach the tunneled Internet, but only when using IP addresses (e.g. http://208.78.70.70/, which is the IP address for http://checkip.dyndns.org, is tunneled correctly); name resolution doesn't work.

                        I'm not sure i understand.
                        Are you able to resolve names, or are you not?

                        We do what we must, because we can.

                        Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                          alphazo
                          last edited by Dec 24, 2009, 9:27 AM

                          I'm not able to resolve names on a Linux client. Works fine on Windows clients.

                            GruensFroeschli
                            last edited by Dec 24, 2009, 9:31 AM

                            Hmmm.
                            A quick google showed me this:
                            http://openvpn.net/archive/openvpn-users/2007-08/msg00124.html
                            with the answer:
                            http://openvpn.net/archive/openvpn-users/2007-08/msg00125.html

                            We do what we must, because we can.

                            Asking questions the smart way: http://www.catb.org/esr/faqs/smart-questions.html

                              alphazo
                              last edited by Dec 25, 2009, 6:46 PM

                              Thanks for pointing this out. Manually adding the pfSense address to resolv.conf did the trick. As mentioned in the thread you posted, a simple trick should be able to do that automatically.

                              Thanks again.
                              alphazo

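The "simple trick" the thread ends on is an OpenVPN up/down script that copies the pushed DNS server into the Linux client's resolver configuration. The script below is an added example, not code from the thread or from pfSense; it assumes the client config carries `script-security 2` plus `up`/`down` pointing at the script, and the path /etc/openvpn/update-dns.sh is a placeholder.

```sh
#!/bin/sh
# Added example, not code from the thread: an OpenVPN "up"/"down" script that applies
# the server's pushed "dhcp-option DNS" to /etc/resolv.conf on a Linux client, which
# does nothing with that option on its own. OpenVPN passes each pushed option to the
# script as foreign_option_1, _2, ... and sets script_type to "up" or "down".
# Assumed client config:  script-security 2 / up and down /etc/openvpn/update-dns.sh
RESOLV=${RESOLV:-/etc/resolv.conf}   # overridable so the script can be dry-run
BACKUP="$RESOLV.openvpn-bak"
nl='
'

# Turn the foreign_option_* variables into resolv.conf lines on stdout.
# Returns 1 when nothing usable was pushed, so the caller leaves the file alone.
build_resolv_conf() {
    out="" i=1
    while :; do
        eval "opt=\${foreign_option_${i}:-}"
        [ -n "$opt" ] || break
        case "$opt" in
            "dhcp-option DNS "*)
                ns=${opt#dhcp-option DNS }
                # Only accept a dotted quad: a pushed value is untrusted input and
                # must not be able to write arbitrary text into resolv.conf.
                if printf '%s\n' "$ns" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; then
                    out="${out}nameserver ${ns}${nl}"
                fi ;;
            "dhcp-option DOMAIN "*)
                dom=${opt#dhcp-option DOMAIN }
                printf '%s\n' "$dom" | grep -Eq '^[A-Za-z0-9.-]+$' && out="${out}search ${dom}${nl}" ;;
        esac
        i=$((i + 1))
    done
    [ -n "$out" ] || return 1
    printf '%s' "$out"
}

# "up": back up the current resolver file, then install the pushed servers.
apply_resolv_conf() {
    content=$(build_resolv_conf) || { echo "no DNS pushed; $RESOLV unchanged" >&2; return 1; }
    [ -f "$RESOLV" ] && cp -p "$RESOLV" "$BACKUP"
    printf '%s\n' "$content" > "$RESOLV"
}

# "down": put the original file back so the host resolves normally again.
restore_resolv_conf() {
    [ -f "$BACKUP" ] && mv "$BACKUP" "$RESOLV"
}

case "${script_type:-}" in
    up)   apply_resolv_conf ;;
    down) restore_resolv_conf ;;
esac
```

With the thread's server-side `push "dhcp-option DNS 192.168.0.254"`, the up hook writes `nameserver 192.168.0.254` and the down hook restores the original file; a malformed pushed value is ignored rather than written.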
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.