Site-to-site using PKI, how push dns/wins servers?

lelik67

Current set-up:

192.168.1.0/24 <–> 10.0.8.0/24 <--> 192.168.2.0/24
192.168.1.1 = pfSense box,                 192.168.2.1 = pfSense box, DNS forwarder disabled
                  DNS forwarder                192.168.2.2 = DNS/WINS server (samba)

Site 1:  Pfsense box = 192.168.1.1 (OpenVPN Server)

Server Tab

Server Mode: Peer to Peer (SSL/TLS)
Protocol : UDP
Device Mode: tun
Interface: WAN
Local port: 1194
Tunnel Network: 10.0.8.0/24
Local Network: 192.168.1.0/24
Remote Network: 192.168.2.0/24
Advanced configuration: push "route 192.168.2.0 255.255.255.0"; push "dhcp-option DNS 192.168.2.2"; push "dhcp-option WINS 192.168.2.2"

Client specific overwrites tab

DNS Servers
Server #1: 192.168.2.2

NetBIOS Options
Enable NetBIOS over TCP/IP

Node Type:
h-node (query name server, then broadcast).

WINS Servers
Server #1: 192.168.2.2

Advanced: iroute 192.168.2.0 255.255.255.0;

Firewall rules

Open Port 1194

Site 2:  Pfsense box = 192.168.1.1 (OpenVPN client)

Client Tab

Server Mode: Peer to Peer (SSL/TLS)
Protocol : UDP
Device Mode: tun
Interface: WAN
Server host or address: WAN address of Site1
Server port: 1194
Tunnel Network: 10.0.0.8/24
Remote Network: 192.168.1.0/24
Advanced configuration: empty

Firewall rules

none

Works:
1. From site1 I can ping/use any computer on site2 via ip.
2. From site2 I can ping/use any computer on site1 via ip.

Does not work:
1. From site1 I cannot ping/use any computer on site2 via name.
2. From site1 I cannot browse network on site2.  
3. From site2 I cannot ping/use any computer on site1 via name.

Any suggestion will be appreciated.

GruensFroeschli

Make sure you have different domain names on the two sites.
(eg. localnet_site1, and localnet_site2)
Add a domain-name override on the DNS forwarder page for the domain of the other side, pointing to the IP of the pfSense on the other side.

marvosa

Some interesting things:

Your map shows 192.168.1.0/24 <–> 10.8.0.0/24 <--> 192.168.2.0/24, but you have 10.0.0.8/24 as your Tunnel network... I"m guessing that's just a typo since you say you can ping thru on both sides.

On the Server side:
clear your advanced config
clear your client specific overrides (you're using 2.0 right?)
add the WINS address 192.168.2.2 to the local dhcp server

On the client side:
Tunnel Network: 10.0.0.8/24 - same typo you had on the server-side I'm guessing?
Add the WINS address 192.168.2.2 to the local dhcp server (I'm guessing you did this, but you never know)

Firewall rules on both sides should have:
1194 open on WAN (UDP * * WAN address 1194 )
any/any ( * * * * *) on the openvpn tab

At this point, presuming the tunnel is up, PC's on both sides will dynamically register themselves to the WINS server on 192.168.2.2 allowing both sides to ping by NETBIOS name.

lelik67

Correct, 10.0.0.8 and 10.8.0.0 = typo. Correct tunnel network is 10.0.8.0/24. I fixed it on the first post to remove  the confusion.
I tried your suggestion to clear everything from the advanced config and the client specific overrides, but could not even ping by ip after that.
At least two entries must be present:

1. Advanced config: push "route 192.168.2.0 255.255.255.0";
2. Client specific overrides:  iroute 192.168.2.0 255.255.255.0;

According to the pfsense own document OpenVPN_Site-to-Site_PKI in order for the server to reach the client networks behind each connection, you need both a route to the network (entry #1) to tell the system that OpenVPN knows about that network, and also an iroute (entry #2) that tells OpenVPN to which specific connection a subnet belongs.

At this point, I can:

• ping by ip
• ping by computername.domain

I cannot:

• ping just by NETBIOS name
• browse the network on the other side

Adding WINS address 192.168.2.2 to the local dhcp server 192.168.1.1 (pfsense box/openvpn server) changed nothing.

marvosa

According to the pfsense own document OpenVPN_Site-to-Site_PKI in order for the server to reach the client networks behind each connection, you need both a route to the network (entry #1) to tell the system that OpenVPN knows about that network, and also an iroute (entry #2) that tells OpenVPN to which specific connection a subnet belongs.

Yes, but that article is for v1.2.3 is that what you're using?  Because if it's 2.0, you don't need iroutes and should be using this -> http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)

Also, just out of curiosity, the server on 192.168.2.2 (DNS/WINS server (samba)) what OS is it running?

lelik67

The how-to "How to setup OpenVPN using Site-to-Site PKI (SSL)" covers both pfSense 1.2.3 and 2.0. Section of server is the same for both versions. But you are right "push route" entry should be made already through GUI, not through advanced. I removed the "push route" entry, but was not able to remove "iroute". "iroute" entry is a must or I could not even ping by ip.

Server on 192.168.2.2 (DNS/WINS server) is samba 3.5 / Centos 5.x

Not sure what to try next.
Maybe "Domain search list" on DHCP tab of the sever 192.168.1.1 (pfSense/OpenVPN server)?

marvosa

Post your smb.conf.