Site-to-site using PKI, how push dns/wins servers?



  • Current set-up:

    192.168.1.0/24 <--> 10.0.8.0/24 <--> 192.168.2.0/24

    Site 1: 192.168.1.1 = pfSense box, DNS forwarder
    Site 2: 192.168.2.1 = pfSense box, DNS forwarder disabled
            192.168.2.2 = DNS/WINS server (samba)

    Site 1:  Pfsense box = 192.168.1.1 (OpenVPN Server)

    Server Tab

    Server Mode: Peer to Peer (SSL/TLS)
    Protocol : UDP
    Device Mode: tun
    Interface: WAN
    Local port: 1194
    Tunnel Network: 10.0.8.0/24
    Local Network: 192.168.1.0/24
    Remote Network: 192.168.2.0/24
    Advanced configuration: push "route 192.168.2.0 255.255.255.0"; push "dhcp-option DNS 192.168.2.2"; push "dhcp-option WINS 192.168.2.2"

    Client specific overrides tab

    DNS Servers
    Server #1: 192.168.2.2

    NetBIOS Options
    Enable NetBIOS over TCP/IP

    Node Type:
    h-node (query name server, then broadcast).

    WINS Servers
    Server #1: 192.168.2.2

    Advanced: iroute 192.168.2.0 255.255.255.0;

    Firewall rules

    Open Port 1194

    Site 2:  Pfsense box = 192.168.1.1 (OpenVPN client)

    Client Tab

    Server Mode: Peer to Peer (SSL/TLS)
    Protocol : UDP
    Device Mode: tun
    Interface: WAN
    Server host or address: WAN address of Site1
    Server port: 1194
    Tunnel Network: 10.0.0.8/24
    Remote Network: 192.168.1.0/24
    Advanced configuration: empty

    Firewall rules

    none

    Works:
    1. From site1 I can ping/use any computer on site2 via ip.
    2. From site2 I can ping/use any computer on site1 via ip.

    Does not work:
    1. From site1 I cannot ping/use any computer on site2 via name.
    2. From site1 I cannot browse network on site2.  
    3. From site2 I cannot ping/use any computer on site1 via name.

    Any suggestion will be appreciated.



  • Make sure you have different domain names on the two sites.
    (eg. localnet_site1, and localnet_site2)
    Add a domain-name override on the DNS forwarder page for the domain of the other side, pointing to the IP of the pfSense on the other side.



  • Some interesting things:

    Your map shows 192.168.1.0/24 <--> 10.8.0.0/24 <--> 192.168.2.0/24, but you have 10.0.0.8/24 as your Tunnel network... I'm guessing that's just a typo since you say you can ping thru on both sides.

    On the Server side:
    clear your advanced config
    clear your client specific overrides (you're using 2.0 right?)
    add the WINS address 192.168.2.2 to the local dhcp server

    On the client side:
    Tunnel Network: 10.0.0.8/24 - same typo you had on the server-side I'm guessing?
    Add the WINS address 192.168.2.2 to the local dhcp server (I'm guessing you did this, but you never know)

    Firewall rules on both sides should have:
    1194 open on WAN (UDP * * WAN address 1194)
    any/any (* * * * *) on the OpenVPN tab

    At this point, presuming the tunnel is up, PC's on both sides will dynamically register themselves to the WINS server on 192.168.2.2 allowing both sides to ping by NETBIOS name.



  • Correct, 10.0.0.8 and 10.8.0.0 = typo. Correct tunnel network is 10.0.8.0/24. I fixed it on the first post to remove the confusion.
    I tried your suggestion to clear everything from the advanced config and the client specific overrides, but could not even ping by ip after that.
    At least two entries must be present:

    1. Advanced config: push "route 192.168.2.0 255.255.255.0";
    2. Client specific overrides:  iroute 192.168.2.0 255.255.255.0;

    According to pfSense's own document OpenVPN_Site-to-Site_PKI, in order for the server to reach the client networks behind each connection, you need both a route to the network (entry #1) to tell the system that OpenVPN knows about that network, and also an iroute (entry #2) that tells OpenVPN to which specific connection a subnet belongs.

    At this point, I can:

    • ping by ip
    • ping by computername.domain

    I cannot:

    • ping just by NETBIOS name
    • browse the network on the other side

    Adding WINS address 192.168.2.2 to the local dhcp server 192.168.1.1 (pfsense box/openvpn server) changed nothing.
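    The two points this thread turns on, the mistyped tunnel network (10.0.0.8/24 instead of 10.0.8.0/24) and the need for both a kernel route and an OpenVPN iroute for the remote subnet, are easy to check mechanically. The following is an added example, not code from the thread or from pfSense: it parses plain OpenVPN server config text plus client-config-dir (ccd) entries and reports either problem. The sample config and ccd contents are constructed here to mirror the addresses above; pfSense generates the real files from its GUI.

```python
"""Consistency checker for an OpenVPN site-to-site (tun) set-up.

Added example, not part of the thread or of pfSense. It flags:
  * a 'server' tunnel network whose address has host bits set
    (10.0.0.8/24 is a typo; 10.0.8.0/24 is a network address);
  * a remote subnet that has a kernel 'route' but no 'iroute' in any
    ccd file, or an 'iroute' with no matching 'route' (both are needed
    for the server side to reach the LAN behind a client).
"""
import ipaddress
import shlex
from typing import Dict, List


def parse_directives(text: str) -> List[List[str]]:
    """Split OpenVPN config text into [directive, arg, ...] token lists.

    Lines starting with '#' or ';' are comments; a quoted argument such as
    push "route 192.168.2.0 255.255.255.0" stays a single token.
    """
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        directives.append(shlex.split(line))
    return directives


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network object from an OpenVPN 'address netmask' pair."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def check_site_to_site(server_conf: str, ccd: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the set-up is consistent.

    server_conf: the server's OpenVPN config text.
    ccd:         mapping of client common name -> that client's ccd file text.
    """
    findings: List[str] = []
    directives = parse_directives(server_conf)

    # 1. The 'server' directive must name an aligned network address.
    for d in directives:
        if d[0] == "server" and len(d) >= 3:
            try:
                ipaddress.IPv4Network(f"{d[1]}/{d[2]}", strict=True)
            except ValueError:
                findings.append(f"tunnel network {d[1]}/{d[2]} has host bits set (typo?)")

    # 2. Kernel routes: the server OS needs one to send packets for the
    #    remote LAN into the tun interface at all.
    routes = {_network(d[1], d[2]) for d in directives
              if d[0] == "route" and len(d) >= 3}

    # 3. iroutes: OpenVPN needs one to know which connected client owns
    #    a remote subnet.
    iroutes: Dict[ipaddress.IPv4Network, List[str]] = {}
    for client, text in ccd.items():
        for d in parse_directives(text):
            if d[0] == "iroute" and len(d) >= 3:
                iroutes.setdefault(_network(d[1], d[2]), []).append(client)

    for net in sorted(routes - set(iroutes)):
        findings.append(f"route {net} has no iroute: OpenVPN cannot tell which client owns it")
    for net in sorted(set(iroutes) - routes):
        findings.append(f"iroute {net} (ccd: {', '.join(iroutes[net])}) has no matching "
                        "route: the server kernel will not send that subnet into the tunnel")
    for net, owners in sorted(iroutes.items()):
        if len(owners) > 1:
            findings.append(f"iroute {net} is claimed by several clients: {', '.join(sorted(owners))}")
    return findings


# Constructed sample mirroring the thread's addressing (not a real config dump).
GOOD_SERVER_CONF = """
dev tun
server 10.0.8.0 255.255.255.0
client-config-dir ccd
route 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 192.168.2.2"
push "dhcp-option WINS 192.168.2.2"
"""
GOOD_CCD = {"site2": "iroute 192.168.2.0 255.255.255.0\n"}

# The same set-up with the thread's tunnel typo and the iroute removed.
BROKEN_SERVER_CONF = GOOD_SERVER_CONF.replace("10.0.8.0", "10.0.0.8")
BROKEN_CCD: Dict[str, str] = {}

if __name__ == "__main__":
    for label, conf, ccd in (("good", GOOD_SERVER_CONF, GOOD_CCD),
                             ("broken", BROKEN_SERVER_CONF, BROKEN_CCD)):
        print(f"{label}:")
        for finding in check_site_to_site(conf, ccd) or ["no problems found"]:
            print("  -", finding)
```

    Run against the good sample it reports nothing; against the broken one it reports both the unaligned tunnel network and the route that no client claims, which is the state the poster describes after clearing the client specific overrides.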



  • According to pfSense's own document OpenVPN_Site-to-Site_PKI, in order for the server to reach the client networks behind each connection, you need both a route to the network (entry #1) to tell the system that OpenVPN knows about that network, and also an iroute (entry #2) that tells OpenVPN to which specific connection a subnet belongs.

    Yes, but that article is for v1.2.3; is that what you're using? Because if it's 2.0, you don't need iroutes and should be using this -> http://doc.pfsense.org/index.php/OpenVPN_Site-to-Site_(Shared_Key,_2.0)

    Also, just out of curiosity, the server on 192.168.2.2 (DNS/WINS server (samba)) what OS is it running?



  • The how-to "How to setup OpenVPN using Site-to-Site PKI (SSL)" covers both pfSense 1.2.3 and 2.0. The server section is the same for both versions. But you are right, the "push route" entry should already be made through the GUI, not through advanced. I removed the "push route" entry, but was not able to remove "iroute". The "iroute" entry is a must or I could not even ping by ip.

    Server on 192.168.2.2 (DNS/WINS server) is samba 3.5 / Centos 5.x

    Not sure what to try next.
    Maybe "Domain search list" on the DHCP tab of the server 192.168.1.1 (pfSense/OpenVPN server)?



  • Post your smb.conf.

