Openvpn site to site and remote hostname

ripus

Hi all

I know ti might be simple for you but after a lot of research i still cant find out.

I nee to resolve remote network by hostname. Everything work well with IP but cant resolve hostname. If it was not because i got 50 users both side with multiple share folder access, i whouln't bother and only map by IP.

There's the setup

Server side:

2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11

Working as Gateway for network with windows server (2003) as DC, AD, DHCP, DNS, WINS

server2.conf

dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local ------
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 192.168.20.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
ca /var/etc/openvpn/server2.ca 
cert /var/etc/openvpn/server2.cert 
key /var/etc/openvpn/server2.key 
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo
push "route 192.168.20.0 255.255.255.0"

push "dhcp-option DNS 192.168.20.10"

push "dhcp-option WINS 192.168.20.10"

Client override

ifconfig-push 10.0.8.2 10.0.8.1
push "dhcp-option DOMAIN Fercon.Dorval.Local"
push "dhcp-option DNS 192.168.20.10"
push "dhcp-option WINS 192.168.20.10"
iroute 192.168.10.0 255.255.255.0

Client side:

2.1-RELEASE (i386)
built on Wed Sep 11 18:16:22 EDT 2013
FreeBSD 8.3-RELEASE-p11

Working as Gateway for network with windows server (2003) as DC, AD, DHCP, DNS, WINS

client2.conf

dev ovpnc2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_client2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 24.37.176.226
tls-client
client
lport 0
management /var/etc/openvpn/client2.sock unix
remote ----- 1194
ifconfig 10.0.8.2 10.0.8.1
route 192.168.20.0 255.255.255.0
ca /var/etc/openvpn/client2.ca 
cert /var/etc/openvpn/client2.cert 
key /var/etc/openvpn/client2.key 
tls-auth /var/etc/openvpn/client2.tls-auth 1
comp-lzo

Both firewall rules are set on any on openvpn tab and outbound is on auto.

If someone can give me a hint on this i would appreciate (even if the hint is just a link).

Thanks

marvosa

First, is your WINS server working locally?

Check the Active Registrations on your WINS server, are your machines registering themselves with the server?

Provided it's working, the config looks ok, but you have to remember this is a site-to-site tunnel (not road warrior), so the Firewall on the remote end is getting all the settings, but not the workstations.

If you're using WINS, the remote end can access your shares by name by adding the WINS (044) scope option to the remote DCHP server and entering "192.168.20.10".

This can also be done with DNS, but someone else will have to chime in on how to configure that.

ripus

Thanks for the reply marvosa

@marvosa:

First, is your WINS server working locally?

Yes

Check the Active Registrations on your WINS server, are your machines registering themselves with the server?

Yes

If you're using WINS, the remote end can access your shares by name by adding the WINS (044) scope option to the remote DCHP server and entering "192.168.20.10".

I will try that and comeback with result.

ripus

Ok

I add the remote WINS server in both DHCP but without any result. :(

Still digging for a solution though.

marvosa

Did you verify that the remote clients received the new WINS setting?

All the clients will need a release/renew otherwise they won't receive the new config until their DHCP lease is up, which can be up to 8 days by default.

ripus

Thanks

I will check that.

I had to reboot my both firewall cause after some test, i could'nt even ping server side. I found something in my openvpn log on client side.

Mar 17 12:17:13 openvpn[44812]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
Mar 17 12:17:13 openvpn[44812]: ERROR: FreeBSD route add command failed: external program exited with error status: 1

So i guess it's part of the problem.

i will check for that and comeback with result.

ripus

Ok update

I found on an other thread the reason of those error. It append when you try to push a route and the route is already there . So i change my config file for the following and got no more error. I still can't reach by hostname but i will work on it after the users are gone.

server2.conf

dev ovpns2
dev-type tun
tun-ipv6
dev-node /dev/tun2
writepid /var/run/openvpn_server2.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local ----
tls-server
server 10.0.8.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc
ifconfig 10.0.8.1 10.0.8.2
tls-verify /var/etc/openvpn/server2.tls-verify.php
lport 1194
management /var/etc/openvpn/server2.sock unix
push "route 192.168.20.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
ca /var/etc/openvpn/server2.ca 
cert /var/etc/openvpn/server2.cert 
key /var/etc/openvpn/server2.key 
dh /etc/dh-parameters.1024
tls-auth /var/etc/openvpn/server2.tls-auth 0
comp-lzo

johnpoz

Its a site to site you said, not road warrior..

So you pushing stuff to clients is not going to do much good for the clients connected to the other pfsense.

So you have wins on each side? Is this one AD or different AD setups - I see one site called Fercon.Dorval.Local", does the other site use the same domain?

ripus

@johnpoz:

Its a site to site you said, not road warrior..

So you pushing stuff to clients is not going to do much good for the clients connected to the other pfsense.

Ok, i will change that. I put this cause i look in the sticky post " Site-To-Site OpenVPN using PKI (something of a howto)" so i tought it was the way to do it.

So you have wins on each side?

Yes

Is this one AD or different AD setups - I see one site called Fercon.Dorval.Local", does the other site use the same domain?

Different AD setups with different domain (Cadroporte.Blainville.Local).

Thanks for the reply ;)

johnpoz

So is this a site to site? Still not clear?

Or are clients from one side actually connecting to the other pfsense as a vpn client?

ripus

It's a site to site.

users on both side got shared folders with others. I know….. that's the "heritage" from the guy before me. I'm working at bring everyting on a file server but for now on, i got to live with this.

johnpoz

Well then just point your AD dns to the other AD dns for that domain via a conditional forwarder. Have each AD dns look to your wins as well.

ripus

Well, i didn't findout to make it work so i used the hard way. Creating a list of all pc, create a batch to update lmhost and run it over each network. It's far then neat and clean but it works.

Thanks for everyone !

Openvpn site to site and remote hostname

Products

Services

Support

News

Resources

Company

Our Mission

Subscribe to our Newsletter