    Site-to-site using PKI, how push dns/wins servers?

    OpenVPN
    • lelik67

      Current set-up:

      192.168.1.0/24 <–> 10.0.8.0/24 <--> 192.168.2.0/24
      192.168.1.1 = pfSense box,                 192.168.2.1 = pfSense box, DNS forwarder disabled
                        DNS forwarder                192.168.2.2 = DNS/WINS server (samba)

      Site 1:  Pfsense box = 192.168.1.1 (OpenVPN Server)

      Server Tab

      Server Mode: Peer to Peer (SSL/TLS)
      Protocol : UDP
      Device Mode: tun
      Interface: WAN
      Local port: 1194
      Tunnel Network: 10.0.8.0/24
      Local Network: 192.168.1.0/24
      Remote Network: 192.168.2.0/24
      Advanced configuration: push "route 192.168.2.0 255.255.255.0"; push "dhcp-option DNS 192.168.2.2"; push "dhcp-option WINS 192.168.2.2"

      Client specific overwrites tab

      DNS Servers
      Server #1: 192.168.2.2

      NetBIOS Options
      Enable NetBIOS over TCP/IP

      Node Type:
      h-node (query name server, then broadcast).

      WINS Servers
      Server #1: 192.168.2.2

      Advanced: iroute 192.168.2.0 255.255.255.0;

      Firewall rules

      Open Port 1194

      Site 2:  Pfsense box = 192.168.1.1 (OpenVPN client)

      Client Tab

      Server Mode: Peer to Peer (SSL/TLS)
      Protocol : UDP
      Device Mode: tun
      Interface: WAN
      Server host or address: WAN address of Site1
      Server port: 1194
      Tunnel Network: 10.0.0.8/24
      Remote Network: 192.168.1.0/24
      Advanced configuration: empty

      Firewall rules

      none

      Works:
      1. From site1 I can ping/use any computer on site2 via ip.
      2. From site2 I can ping/use any computer on site1 via ip.

      Does not work:
      1. From site1 I cannot ping/use any computer on site2 via name.
      2. From site1 I cannot browse network on site2.  
      3. From site2 I cannot ping/use any computer on site1 via name.

      Any suggestion will be appreciated.

      • GruensFroeschli

        Make sure you have different domain names on the two sites.
        (eg. localnet_site1, and localnet_site2)
        Add a domain-name override on the DNS forwarder page for the domain of the other side, pointing to the IP of the pfSense on the other side.

        • marvosa

          Some interesting things:

          Your map shows 192.168.1.0/24 <--> 10.8.0.0/24 <--> 192.168.2.0/24, but you have 10.0.0.8/24 as your Tunnel network... I'm guessing that's just a typo since you say you can ping thru on both sides.

          On the Server side:
          clear your advanced config
          clear your client specific overrides (you're using 2.0 right?)
          add the WINS address 192.168.2.2 to the local dhcp server

          On the client side:
          Tunnel Network: 10.0.0.8/24 - same typo you had on the server-side I'm guessing?
          Add the WINS address 192.168.2.2 to the local dhcp server (I'm guessing you did this, but you never know)

          Firewall rules on both sides should have:
          1194 open on WAN (UDP * * WAN address 1194)
          any/any (* * * * *) on the OpenVPN tab

          At this point, presuming the tunnel is up, PCs on both sides will dynamically register themselves to the WINS server on 192.168.2.2, allowing both sides to ping by NETBIOS name.

          • lelik67

            Correct, 10.0.0.8 and 10.8.0.0 = typo. Correct tunnel network is 10.0.8.0/24. I fixed it on the first post to remove the confusion.
            I tried your suggestion to clear everything from the advanced config and the client specific overrides, but could not even ping by ip after that.
            At least two entries must be present:

            1. Advanced config: push "route 192.168.2.0 255.255.255.0";
            2. Client specific overrides:  iroute 192.168.2.0 255.255.255.0;

            According to the pfsense own document OpenVPN_Site-to-Site_PKI in order for the server to reach the client networks behind each connection, you need both a route to the network (entry #1) to tell the system that OpenVPN knows about that network, and also an iroute (entry #2) that tells OpenVPN to which specific connection a subnet belongs.

            At this point, I can:

            • ping by ip
            • ping by computername.domain

            I cannot:

            • ping just by NETBIOS name
            • browse the network on the other side

            Adding WINS address 192.168.2.2 to the local dhcp server 192.168.1.1 (pfsense box/openvpn server) changed nothing.

            • marvosa
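The route/iroute pairing this post describes (a server-side `route` so the kernel hands the subnet to OpenVPN, plus an `iroute` in the client-specific override so OpenVPN knows which connection owns it) can be checked mechanically. The following is an added example, not code from the thread or from pfSense; the server config and ccd contents are constructed to mirror the setup above, and the check also catches the 10.0.0.8/24-style tunnel-network typo discussed earlier.

```python
import ipaddress
import re

# Constructed sample (not the poster's real files): an OpenVPN server config
# and one client-specific override (ccd) file for the site-2 client.
SERVER_CONF = """\
dev tun
server 10.0.8.0 255.255.255.0
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.2"
push "dhcp-option WINS 192.168.2.2"
client-config-dir ccd
"""
CCD = {"site2": "iroute 192.168.2.0 255.255.255.0\n"}

# Matches a bare `route`/`iroute` directive at line start; a pushed
# `push "route ..."` line is for the client and deliberately does not match.
_NET = re.compile(r'^\s*(route|iroute)\s+(\S+)\s+(\S+)')


def _nets(text, directive):
    """Return the set of networks named by `directive` lines (route or iroute)."""
    found = set()
    for line in text.splitlines():
        m = _NET.match(line)
        if m and m.group(1) == directive:
            found.add(ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False))
    return found


def check_routes(server_conf, ccd_files):
    """Pair every server-side `route` with an `iroute` in some ccd file.

    Returns (missing_iroute, missing_route): subnets the kernel sends into the
    tunnel but no client is mapped to, and subnets mapped to a client that the
    kernel never routes into the tunnel. Both are empty when the pairing is right.
    """
    routes = _nets(server_conf, "route")
    iroutes = set()
    for body in ccd_files.values():
        iroutes |= _nets(body, "iroute")
    return sorted(map(str, routes - iroutes)), sorted(map(str, iroutes - routes))


def tunnel_network(server_conf):
    """Return the `server` line's network, or None when the address has host bits
    set (e.g. 10.0.0.8/24 is a host address, not a /24 network)."""
    m = re.search(r'^\s*server\s+(\S+)\s+(\S+)', server_conf, re.M)
    if not m:
        return None
    try:
        return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=True)
    except ValueError:
        return None
```

Run against a real pfSense box by feeding it the generated server config and the contents of the ccd directory; any subnet listed in either returned list is one that will be reachable by route table but not by OpenVPN, or vice versa.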

              > According to the pfsense own document OpenVPN_Site-to-Site_PKI in order for the server to reach the client networks behind each connection, you need both a route to the network (entry #1) to tell the system that OpenVPN knows about that network, and also an iroute (entry #2) that tells OpenVPN to which specific connection a subnet belongs.

              Yes, but that article is for v1.2.3. Is that what you're using? Because if it's 2.0, you don't need iroutes and should be using this -> http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)

              Also, just out of curiosity, the server on 192.168.2.2 (DNS/WINS server (samba)) what OS is it running?

              • lelik67

                The how-to "How to setup OpenVPN using Site-to-Site PKI (SSL)" covers both pfSense 1.2.3 and 2.0. The server section is the same for both versions. But you are right, the "push route" entry should already be made through the GUI, not through advanced. I removed the "push route" entry, but was not able to remove "iroute". The "iroute" entry is a must or I could not even ping by ip.

                Server on 192.168.2.2 (DNS/WINS server) is samba 3.5 / Centos 5.x

                Not sure what to try next.
                Maybe "Domain search list" on the DHCP tab of the server 192.168.1.1 (pfSense/OpenVPN server)?

                • marvosa

                  Post your smb.conf.
