Openvpn site to site and remote hostname



  • Hi all

    I know it might be simple for you, but after a lot of research I still can't find out.

    I need to resolve the remote network by hostname. Everything works well with IP, but I can't resolve hostnames. If it was not because I have 50 users on both sides with multiple shared folder accesses, I wouldn't bother and would only map by IP.

    Here's the setup

    Server side:

    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:22 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    Working as gateway for a network with a Windows Server (2003) as DC, AD, DHCP, DNS, WINS

    server2.conf

    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local ------
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.8.1 10.0.8.2
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    push "route 192.168.20.0 255.255.255.0"
    route 192.168.10.0 255.255.255.0
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    push "route 192.168.20.0 255.255.255.0"
    push "dhcp-option DNS 192.168.20.10"
    push "dhcp-option WINS 192.168.20.10"

    Client override

    ifconfig-push 10.0.8.2 10.0.8.1
    push "dhcp-option DOMAIN Fercon.Dorval.Local"
    push "dhcp-option DNS 192.168.20.10"
    push "dhcp-option WINS 192.168.20.10"
    iroute 192.168.10.0 255.255.255.0
    
    

    Client side:

    2.1-RELEASE (i386)
    built on Wed Sep 11 18:16:22 EDT 2013
    FreeBSD 8.3-RELEASE-p11

    Working as gateway for a network with a Windows Server (2003) as DC, AD, DHCP, DNS, WINS

    client2.conf

    dev ovpnc2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_client2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 24.37.176.226
    tls-client
    client
    lport 0
    management /var/etc/openvpn/client2.sock unix
    remote ----- 1194
    ifconfig 10.0.8.2 10.0.8.1
    route 192.168.20.0 255.255.255.0
    ca /var/etc/openvpn/client2.ca 
    cert /var/etc/openvpn/client2.cert 
    key /var/etc/openvpn/client2.key 
    tls-auth /var/etc/openvpn/client2.tls-auth 1
    comp-lzo
    
    

    Both firewall rules are set to any on the OpenVPN tab and outbound is on auto.

    If someone can give me a hint on this I would appreciate it (even if the hint is just a link).

    Thanks



  • First, is your WINS server working locally?

    Check the Active Registrations on your WINS server: are your machines registering themselves with the server?

    Provided it's working, the config looks ok, but you have to remember this is a site-to-site tunnel (not road warrior), so the Firewall on the remote end is getting all the settings, but not the workstations.

    If you're using WINS, the remote end can access your shares by name by adding the WINS (044) scope option to the remote DHCP server and entering "192.168.20.10".

    This can also be done with DNS, but someone else will have to chime in on how to configure that.



    Thanks for the reply, marvosa.

    @marvosa:

    First, is your WINS server working locally?

    Yes

    Check the Active Registrations on your WINS server: are your machines registering themselves with the server?

    Yes

    If you're using WINS, the remote end can access your shares by name by adding the WINS (044) scope option to the remote DHCP server and entering "192.168.20.10".

    I will try that and come back with the result.



  • OK

    I added the remote WINS server in both DHCPs but without any result. :(

    Still digging for a solution though.



  • Did you verify that the remote clients received the new WINS setting?

    All the clients will need a release/renew otherwise they won't receive the new config until their DHCP lease is up, which can be up to 8 days by default.



  • Thanks

    I will check that.

    I had to reboot both my firewalls because after some tests I couldn't even ping the server side. I found something in my OpenVPN log on the client side.

    Mar 17 12:17:13 openvpn[44812]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
    Mar 17 12:17:13 openvpn[44812]: ERROR: FreeBSD route add command failed: external program exited with error status: 1

    So I guess it's part of the problem.

    I will check for that and come back with the result.



  • OK, update

    I found on another thread the reason for those errors. It happens when you try to push a route and the route is already there. So I changed my config file to the following and got no more errors. I still can't reach by hostname, but I will work on it after the users are gone.

    server2.conf

    dev ovpns2
    dev-type tun
    tun-ipv6
    dev-node /dev/tun2
    writepid /var/run/openvpn_server2.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local ----
    tls-server
    server 10.0.8.0 255.255.255.0
    client-config-dir /var/etc/openvpn-csc
    ifconfig 10.0.8.1 10.0.8.2
    tls-verify /var/etc/openvpn/server2.tls-verify.php
    lport 1194
    management /var/etc/openvpn/server2.sock unix
    push "route 192.168.20.0 255.255.255.0"
    route 192.168.10.0 255.255.255.0
    ca /var/etc/openvpn/server2.ca 
    cert /var/etc/openvpn/server2.cert 
    key /var/etc/openvpn/server2.key 
    dh /etc/dh-parameters.1024
    tls-auth /var/etc/openvpn/server2.tls-auth 0
    comp-lzo
    
    

  • LAYER 8 Global Moderator

    It's a site to site you said, not road warrior.

    So you pushing stuff to clients is not going to do much good for the clients connected to the other pfSense.

    So you have WINS on each side? Is this one AD or different AD setups? I see one site called "Fercon.Dorval.Local"; does the other site use the same domain?



  • @johnpoz:

    It's a site to site you said, not road warrior.

    So you pushing stuff to clients is not going to do much good for the clients connected to the other pfSense.

    OK, I will change that. I put this because I looked in the sticky post "Site-To-Site OpenVPN using PKI (something of a howto)", so I thought it was the way to do it.

    So you have WINS on each side?

    Yes

    Is this one AD or different AD setups? I see one site called "Fercon.Dorval.Local"; does the other site use the same domain?

    Different AD setups with different domain (Cadroporte.Blainville.Local).

    Thanks for the reply ;)


  • LAYER 8 Global Moderator

    So is this a site to site? Still not clear?

    Or are clients from one side actually connecting to the other pfsense as a vpn client?



  • It's a site to site.

    Users on both sides have shared folders with each other. I know... that's the "heritage" from the guy before me. I'm working on bringing everything onto a file server, but for now I've got to live with this.


  • LAYER 8 Global Moderator

    Well then just point your AD DNS to the other AD DNS for that domain via a conditional forwarder. Have each AD DNS look to your WINS as well.
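The conditional forwarder suggested above, as an added example that is not from the thread or from any poster: it creates the forwarder on one site's Windows DNS server with dnscmd (available on Windows Server 2003 with the Support Tools, and on later versions) and then checks that the other domain actually resolves through the tunnel. The client-side DNS server address 192.168.10.10 is an assumed placeholder; the page only names 192.168.20.10 on the server side.

```powershell
# Added example (not from the thread): create a conditional forwarder for the
# other site's AD domain on the local Windows DNS server, then verify it.
# Run elevated on the DNS server itself; dnscmd with no server name acts locally.
#
# Assumed placeholder: 192.168.10.10 for the client-side AD DNS server.
# Domain names are the two named in the thread.
param(
    [Parameter(Mandatory = $true)][string]$RemoteDomain,   # e.g. Cadroporte.Blainville.Local
    [Parameter(Mandatory = $true)][string]$RemoteDns,      # e.g. 192.168.10.10 (assumed)
    [string]$TestHost = "_ldap._tcp.dc._msdcs"              # SRV record every AD domain publishes
)

# A conditional forwarder is scoped to one zone: only queries for $RemoteDomain
# are sent to $RemoteDns; everything else keeps using the server's normal
# forwarders or root hints, so nothing leaks to the other site by mistake.
& dnscmd /ZoneAdd $RemoteDomain /Forwarder $RemoteDns
if ($LASTEXITCODE -ne 0) {
    throw "dnscmd /ZoneAdd failed (exit $LASTEXITCODE); check 'dnscmd /ZoneInfo $RemoteDomain' in case the zone already exists"
}

# Verify from the local resolver's point of view. A valid SRV answer proves both
# that the forwarder is consulted and that DNS (UDP/TCP 53) crosses the OpenVPN
# tunnel; a timeout points at the firewall rules or the tunnel routes instead.
$answer = & nslookup -type=SRV "$TestHost.$RemoteDomain" 127.0.0.1 2>&1
if ($answer -match 'timed out|Non-existent domain') {
    Write-Error "Forwarder for $RemoteDomain does not resolve via $RemoteDns"
} else {
    $answer
}
```

Run it once per site with the values swapped (on the Fercon DC with Cadroporte.Blainville.Local and the Cadroporte DNS address, and vice versa); the WINS lookup that johnpoz mentions is set per zone in the DNS console and is not covered here.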



  • Well, I didn't find out how to make it work, so I used the hard way: creating a list of all PCs, creating a batch to update lmhosts and running it over each network. It's far from neat and clean, but it works.

    Thanks to everyone!

