Openvpn site to site and remote hostname
-
Hi all
I know ti might be simple for you but after a lot of research i still cant find out.
I nee to resolve remote network by hostname. Everything work well with IP but cant resolve hostname. If it was not because i got 50 users both side with multiple share folder access, i whouln't bother and only map by IP.
There's the setup
Server side:
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11Working as Gateway for network with windows server (2003) as DC, AD, DHCP, DNS, WINS
server2.conf
dev ovpns2 dev-type tun tun-ipv6 dev-node /dev/tun2 writepid /var/run/openvpn_server2.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local ------ tls-server server 10.0.8.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc ifconfig 10.0.8.1 10.0.8.2 tls-verify /var/etc/openvpn/server2.tls-verify.php lport 1194 management /var/etc/openvpn/server2.sock unix push "route 192.168.20.0 255.255.255.0" route 192.168.10.0 255.255.255.0 ca /var/etc/openvpn/server2.ca cert /var/etc/openvpn/server2.cert key /var/etc/openvpn/server2.key dh /etc/dh-parameters.1024 tls-auth /var/etc/openvpn/server2.tls-auth 0 comp-lzo push "route 192.168.20.0 255.255.255.0" push "dhcp-option DNS 192.168.20.10" push "dhcp-option WINS 192.168.20.10"Client override
ifconfig-push 10.0.8.2 10.0.8.1 push "dhcp-option DOMAIN Fercon.Dorval.Local" push "dhcp-option DNS 192.168.20.10" push "dhcp-option WINS 192.168.20.10" iroute 192.168.10.0 255.255.255.0Client side:
2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11Working as Gateway for network with windows server (2003) as DC, AD, DHCP, DNS, WINS
client2.conf
dev ovpnc2 dev-type tun tun-ipv6 dev-node /dev/tun2 writepid /var/run/openvpn_client2.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 24.37.176.226 tls-client client lport 0 management /var/etc/openvpn/client2.sock unix remote ----- 1194 ifconfig 10.0.8.2 10.0.8.1 route 192.168.20.0 255.255.255.0 ca /var/etc/openvpn/client2.ca cert /var/etc/openvpn/client2.cert key /var/etc/openvpn/client2.key tls-auth /var/etc/openvpn/client2.tls-auth 1 comp-lzoBoth firewall rules are set on any on openvpn tab and outbound is on auto.
If someone can give me a hint on this i would appreciate (even if the hint is just a link).
Thanks
-
First, is your WINS server working locally?
Check the Active Registrations on your WINS server, are your machines registering themselves with the server?
Provided it's working, the config looks ok, but you have to remember this is a site-to-site tunnel (not road warrior), so the Firewall on the remote end is getting all the settings, but not the workstations.
If you're using WINS, the remote end can access your shares by name by adding the WINS (044) scope option to the remote DCHP server and entering "192.168.20.10".
This can also be done with DNS, but someone else will have to chime in on how to configure that.
-
Thanks for the reply marvosa
First, is your WINS server working locally?
Yes
Check the Active Registrations on your WINS server, are your machines registering themselves with the server?
Yes
If you're using WINS, the remote end can access your shares by name by adding the WINS (044) scope option to the remote DCHP server and entering "192.168.20.10".
I will try that and comeback with result.
-
Ok
I add the remote WINS server in both DHCP but without any result. :(
Still digging for a solution though.
-
Did you verify that the remote clients received the new WINS setting?
All the clients will need a release/renew otherwise they won't receive the new config until their DHCP lease is up, which can be up to 8 days by default.
-
Thanks
I will check that.
I had to reboot my both firewall cause after some test, i could'nt even ping server side. I found something in my openvpn log on client side.
Mar 17 12:17:13 openvpn[44812]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 17 12:17:13 openvpn[44812]: ERROR: FreeBSD route add command failed: external program exited with error status: 1So i guess it's part of the problem.
i will check for that and comeback with result.
-
Ok update
I found on an other thread the reason of those error. It append when you try to push a route and the route is already there . So i change my config file for the following and got no more error. I still can't reach by hostname but i will work on it after the users are gone.
server2.conf
dev ovpns2 dev-type tun tun-ipv6 dev-node /dev/tun2 writepid /var/run/openvpn_server2.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local ---- tls-server server 10.0.8.0 255.255.255.0 client-config-dir /var/etc/openvpn-csc ifconfig 10.0.8.1 10.0.8.2 tls-verify /var/etc/openvpn/server2.tls-verify.php lport 1194 management /var/etc/openvpn/server2.sock unix push "route 192.168.20.0 255.255.255.0" route 192.168.10.0 255.255.255.0 ca /var/etc/openvpn/server2.ca cert /var/etc/openvpn/server2.cert key /var/etc/openvpn/server2.key dh /etc/dh-parameters.1024 tls-auth /var/etc/openvpn/server2.tls-auth 0 comp-lzo
-
Its a site to site you said, not road warrior..
So you pushing stuff to clients is not going to do much good for the clients connected to the other pfsense.
So you have wins on each side? Is this one AD or different AD setups - I see one site called Fercon.Dorval.Local", does the other site use the same domain?
-
Its a site to site you said, not road warrior..
So you pushing stuff to clients is not going to do much good for the clients connected to the other pfsense.
Ok, i will change that. I put this cause i look in the sticky post " Site-To-Site OpenVPN using PKI (something of a howto)" so i tought it was the way to do it.
So you have wins on each side?
Yes
Is this one AD or different AD setups - I see one site called Fercon.Dorval.Local", does the other site use the same domain?
Different AD setups with different domain (Cadroporte.Blainville.Local).
Thanks for the reply ;)
-
So is this a site to site? Still not clear?
Or are clients from one side actually connecting to the other pfsense as a vpn client?
-
It's a site to site.
users on both side got shared folders with others. I know….. that's the "heritage" from the guy before me. I'm working at bring everyting on a file server but for now on, i got to live with this.
-
Well then just point your AD dns to the other AD dns for that domain via a conditional forwarder. Have each AD dns look to your wins as well.
-
Well, i didn't findout to make it work so i used the hard way. Creating a list of all pc, create a batch to update lmhost and run it over each network. It's far then neat and clean but it works.
Thanks for everyone !
