Netgate Discussion Forum

    Openvpn site to site and remote hostname

    OpenVPN
    13 Posts 3 Posters 4.0k Views
    ripus

      Hi all

      I know it might be simple for you, but after a lot of research I still can't find out.

      I need to resolve the remote network by hostname. Everything works well with IP, but I can't resolve hostnames. If it weren't for the fact that I have 50 users on both sides with access to multiple shared folders, I wouldn't bother and would only map by IP.

      Here's the setup

      Server side:

      2.1-RELEASE (i386)
      built on Wed Sep 11 18:16:22 EDT 2013
      FreeBSD 8.3-RELEASE-p11

      Working as gateway for a network with a Windows Server (2003) as DC, AD, DHCP, DNS and WINS

      server2.conf

      dev ovpns2
      dev-type tun
      tun-ipv6
      dev-node /dev/tun2
      writepid /var/run/openvpn_server2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local ------
      tls-server
      server 10.0.8.0 255.255.255.0
      client-config-dir /var/etc/openvpn-csc
      ifconfig 10.0.8.1 10.0.8.2
      tls-verify /var/etc/openvpn/server2.tls-verify.php
      lport 1194
      management /var/etc/openvpn/server2.sock unix
      push "route 192.168.20.0 255.255.255.0"
      route 192.168.10.0 255.255.255.0
      ca /var/etc/openvpn/server2.ca 
      cert /var/etc/openvpn/server2.cert 
      key /var/etc/openvpn/server2.key 
      dh /etc/dh-parameters.1024
      tls-auth /var/etc/openvpn/server2.tls-auth 0
      comp-lzo
      push "route 192.168.20.0 255.255.255.0"
      
      push "dhcp-option DNS 192.168.20.10"
      
      push "dhcp-option WINS 192.168.20.10"
      
      

      Client override

      ifconfig-push 10.0.8.2 10.0.8.1
      push "dhcp-option DOMAIN Fercon.Dorval.Local"
      push "dhcp-option DNS 192.168.20.10"
      push "dhcp-option WINS 192.168.20.10"
      iroute 192.168.10.0 255.255.255.0
      
      

      Client side:

      2.1-RELEASE (i386)
      built on Wed Sep 11 18:16:22 EDT 2013
      FreeBSD 8.3-RELEASE-p11

      Working as gateway for a network with a Windows Server (2003) as DC, AD, DHCP, DNS and WINS

      client2.conf

      dev ovpnc2
      dev-type tun
      tun-ipv6
      dev-node /dev/tun2
      writepid /var/run/openvpn_client2.pid
      #user nobody
      #group nobody
      script-security 3
      daemon
      keepalive 10 60
      ping-timer-rem
      persist-tun
      persist-key
      proto udp
      cipher AES-128-CBC
      up /usr/local/sbin/ovpn-linkup
      down /usr/local/sbin/ovpn-linkdown
      local 24.37.176.226
      tls-client
      client
      lport 0
      management /var/etc/openvpn/client2.sock unix
      remote ----- 1194
      ifconfig 10.0.8.2 10.0.8.1
      route 192.168.20.0 255.255.255.0
      ca /var/etc/openvpn/client2.ca 
      cert /var/etc/openvpn/client2.cert 
      key /var/etc/openvpn/client2.key 
      tls-auth /var/etc/openvpn/client2.tls-auth 1
      comp-lzo
      
      

      Firewall rules on both sides are set to allow any on the OpenVPN tab, and outbound NAT is on automatic.

      If someone can give me a hint on this I would appreciate it (even if the hint is just a link).

      Thanks

      marvosa

        First, is your WINS server working locally?

        Check the Active Registrations on your WINS server, are your machines registering themselves with the server?

        Provided it's working, the config looks OK, but you have to remember this is a site-to-site tunnel (not road warrior), so the firewall on the remote end is getting all the settings, but not the workstations.

        If you're using WINS, the remote end can access your shares by name by adding the WINS (044) scope option to the remote DHCP server and entering "192.168.20.10".

        This can also be done with DNS, but someone else will have to chime in on how to configure that.

        ripus

          Thanks for the reply marvosa

          @marvosa:

          First, is your WINS server working locally?

          Yes

          Check the Active Registrations on your WINS server, are your machines registering themselves with the server?

          Yes

          If you're using WINS, the remote end can access your shares by name by adding the WINS (044) scope option to the remote DHCP server and entering "192.168.20.10".

          I will try that and come back with the result.

          ripus

            OK

            I added the remote WINS server in both DHCP servers, but without any result. :(

            Still digging for a solution though.

            marvosa

              Did you verify that the remote clients received the new WINS setting?

              All the clients will need a release/renew otherwise they won't receive the new config until their DHCP lease is up, which can be up to 8 days by default.

              ripus

                Thanks

                I will check that.

                I had to reboot both my firewalls because after some tests I couldn't even ping the server side. I found something in my OpenVPN log on the client side.

                Mar 17 12:17:13 openvpn[44812]: ERROR: FreeBSD route add command failed: external program exited with error status: 1
                Mar 17 12:17:13 openvpn[44812]: ERROR: FreeBSD route add command failed: external program exited with error status: 1

                So I guess it's part of the problem.

                I will check that and come back with the result.

                ripus

                  OK, update

                  I found on another thread the reason for those errors. It happens when you try to push a route and the route is already there. So I changed my config file to the following and got no more errors. I still can't reach by hostname, but I will work on it after the users are gone.

                  server2.conf

                  dev ovpns2
                  dev-type tun
                  tun-ipv6
                  dev-node /dev/tun2
                  writepid /var/run/openvpn_server2.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local ----
                  tls-server
                  server 10.0.8.0 255.255.255.0
                  client-config-dir /var/etc/openvpn-csc
                  ifconfig 10.0.8.1 10.0.8.2
                  tls-verify /var/etc/openvpn/server2.tls-verify.php
                  lport 1194
                  management /var/etc/openvpn/server2.sock unix
                  push "route 192.168.20.0 255.255.255.0"
                  route 192.168.10.0 255.255.255.0
                  ca /var/etc/openvpn/server2.ca 
                  cert /var/etc/openvpn/server2.cert 
                  key /var/etc/openvpn/server2.key 
                  dh /etc/dh-parameters.1024
                  tls-auth /var/etc/openvpn/server2.tls-auth 0
                  comp-lzo
                  
                  
                  johnpoz (LAYER 8 Global Moderator)

                    It's a site to site you said, not road warrior..

                    So pushing stuff to clients is not going to do much good for the clients connected to the other pfSense.

                    So you have WINS on each side? Is this one AD or different AD setups? I see one site called "Fercon.Dorval.Local"; does the other site use the same domain?

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

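The two problems raised so far, as an added example that is not from the thread and not pfSense code: ripus traced the "FreeBSD route add command failed" lines to a route pushed while it already exists, and marvosa and johnpoz both point out that on a site-to-site tunnel anything pushed from the server reaches only the peer pfSense, never the workstations behind it. The Python linter below checks a server config, the client override and the client config for exactly those two things. The embedded configs are trimmed copies of server2.conf, the client override and client2.conf from the first post plus the corrected server2.conf from the update; the OpenVPN directive names are OpenVPN's own, the function names are mine.

```python
"""Lint a pfSense-style OpenVPN site-to-site config pair for two problems
from this thread: a network that would be added to the client's routing
table more than once (the 'route add' failure), and pushed dhcp-options
that only ever reach the peer firewall, never the LAN workstations."""
import ipaddress
import shlex
from collections import Counter, defaultdict


def parse_ovpn(text):
    """Return (directive, [args]) tuples; blank and comment lines skipped.
    shlex handles the quoted argument of push "route ..."."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        entries.append((parts[0], parts[1:]))
    return entries


def _network(args):
    """['192.168.20.0', '255.255.255.0'] -> IPv4Network('192.168.20.0/24')."""
    mask = args[1] if len(args) > 1 else "255.255.255.255"
    return ipaddress.ip_network(f"{args[0]}/{mask}", strict=False)


def pushed_routes(server_conf):
    """Every push "route ..." on the server, one entry per occurrence."""
    nets = []
    for directive, args in parse_ovpn(server_conf):
        if directive == "push" and args and args[0].split()[0] == "route":
            nets.append(_network(args[0].split()[1:]))
    return nets


def duplicate_pushes(server_conf):
    """Networks pushed more than once: each push is a separate route add,
    and the second one fails because the route already exists."""
    counts = Counter(pushed_routes(server_conf))
    return sorted(str(n) for n, c in counts.items() if c > 1)


def route_sources(server_conf, client_conf):
    """Map each network to every source that would install it on the
    client: static 'route' lines in the client config and server pushes.
    More than one source for a network is worth a look."""
    sources = defaultdict(list)
    for directive, args in parse_ovpn(client_conf):
        if directive == "route":
            sources[_network(args)].append("client route")
    for net in pushed_routes(server_conf):
        sources[net].append('server push "route"')
    return {str(n): s for n, s in sources.items()}


def dhcp_option_pushes(*confs):
    """dhcp-option pushes (DNS/WINS/DOMAIN) from the server config and the
    client override. On a site-to-site tunnel the OpenVPN peer is the other
    pfSense box, so these never reach the workstations behind it."""
    found = []
    for conf in confs:
        for directive, args in parse_ovpn(conf):
            if directive == "push" and args and args[0].split()[0] == "dhcp-option":
                found.append(args[0].split(None, 1)[1])
    return found


# Trimmed copies of the configs posted in the thread, keeping only the
# directives these checks look at.
SERVER_BEFORE = """
server 10.0.8.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
push "dhcp-option DNS 192.168.20.10"
push "dhcp-option WINS 192.168.20.10"
"""
# The corrected server2.conf from the update: one push, no dhcp-options.
SERVER_AFTER = """
server 10.0.8.0 255.255.255.0
push "route 192.168.20.0 255.255.255.0"
route 192.168.10.0 255.255.255.0
"""
CLIENT = """
client
route 192.168.20.0 255.255.255.0
"""
CSC = """
ifconfig-push 10.0.8.2 10.0.8.1
push "dhcp-option DOMAIN Fercon.Dorval.Local"
iroute 192.168.10.0 255.255.255.0
"""

if __name__ == "__main__":
    print("duplicate pushes before:", duplicate_pushes(SERVER_BEFORE))
    print("duplicate pushes after: ", duplicate_pushes(SERVER_AFTER))
    for net, srcs in route_sources(SERVER_AFTER, CLIENT).items():
        print(f"{net} installed from: {', '.join(srcs)}")
    for opt in dhcp_option_pushes(SERVER_BEFORE, CSC):
        print(f"pushed dhcp-option '{opt}' reaches only the peer firewall")
```

Run against the first-post configs it reports 192.168.20.0/24 pushed twice and three dhcp-option pushes; against the corrected server2.conf the duplicate is gone. It still lists 192.168.20.0/24 as installed from both the client's own `route` line and the server push, which is the kind of redundancy to remove when routes are being debugged, even though the thread only confirms the double push as the cause of the error.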
                      ripus

                      @johnpoz:

                      Its a site to site you said, not road warrior..

                      So you pushing stuff to clients is not going to do much good for the clients connected to the other pfsense.

                      OK, I will change that. I put this in because I looked at the sticky post "Site-To-Site OpenVPN using PKI (something of a howto)", so I thought it was the way to do it.

                      So you have wins on each side?

                      Yes

                      Is this one AD or different AD setups - I see one site called Fercon.Dorval.Local", does the other site use the same domain?

                      Different AD setups with different domain (Cadroporte.Blainville.Local).

                      Thanks for the reply ;)

                        johnpoz (LAYER 8 Global Moderator)

                        So is this a site to site? Still not clear.

                        Or are clients from one side actually connecting to the other pfsense as a vpn client?


                          ripus

                          It's a site to site.

                          Users on both sides have shared folders with each other. I know..... that's the "heritage" from the guy before me. I'm working on bringing everything onto a file server, but for now I have to live with this.

                            johnpoz (LAYER 8 Global Moderator)

                            Well then just point your AD DNS to the other AD DNS for that domain via a conditional forwarder. Have each AD DNS look to your WINS as well.


                              ripus

                              Well, I didn't find out how to make it work, so I used the hard way: creating a list of all PCs, creating a batch file to update lmhosts and running it over each network. It's far from neat and clean, but it works.

                              Thanks for everyone !

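The lmhosts workaround ripus settled on, as an added example written for this page rather than taken from the thread: a Python generator that turns a host inventory into an lmhosts file and validates every entry (15-character NetBIOS name limit, one address per name, #PRE and #DOM: tags), with a parser to read an existing file back for comparison. The inventory is constructed; 192.168.20.10 is the Dorval DC/DNS/WINS box from the first post, while the other addresses, the host names and the NetBIOS domain names FERCON and CADROPORTE are assumptions.

```python
"""Build and validate an lmhosts file (the fallback used at the end of the
thread) from a host inventory. lmhosts maps NetBIOS names to IPs; #PRE
preloads an entry into the name cache, #DOM:<domain> marks a domain
controller of that NetBIOS domain, and anything else after '#' is a comment."""
import ipaddress
import re

# NetBIOS names are 1-15 characters; the regex allows the characters used here.
NETBIOS_NAME = re.compile(r"^[A-Z0-9\-]{1,15}$")


def lmhosts_entry(ip, name, preload=True, domain=None, comment=None):
    """Return one lmhosts line, e.g.
    '192.168.20.10   DC-DORVAL       #PRE #DOM:FERCON  # Dorval DC'."""
    ipaddress.IPv4Address(ip)                 # ValueError on a bad address
    name = name.upper()
    if not NETBIOS_NAME.match(name):
        raise ValueError(f"invalid NetBIOS name (max 15 chars): {name!r}")
    tags = ["#PRE"] if preload else []
    if domain:
        domain = domain.upper()
        if not NETBIOS_NAME.match(domain):
            raise ValueError(f"invalid NetBIOS domain: {domain!r}")
        tags.append(f"#DOM:{domain}")
    line = f"{ip:<16}{name:<16}{' '.join(tags)}"
    if comment:
        line += f"  # {comment}"
    return line.rstrip()


def build_lmhosts(inventory):
    """inventory: list of dicts with 'ip', 'name' and optional 'domain',
    'comment'. One name must map to one address; a name listed with two
    different addresses is an inventory error and is rejected."""
    seen = {}
    lines = ["# generated lmhosts; reload the cache with: nbtstat -R"]
    for host in inventory:
        name = host["name"].upper()
        if name in seen:
            if seen[name] != host["ip"]:
                raise ValueError(f"{name} listed with both {seen[name]} and {host['ip']}")
            continue                          # exact duplicate, keep one line
        seen[name] = host["ip"]
        lines.append(lmhosts_entry(host["ip"], name,
                                   domain=host.get("domain"),
                                   comment=host.get("comment")))
    return "\n".join(lines) + "\n"


def parse_lmhosts(text):
    """Parse lmhosts text back into (ip, NAME, [tags]) tuples so an existing
    file on a workstation can be checked against the inventory."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        tags = []
        for part in parts[2:]:
            if part == "#PRE" or part.startswith("#DOM:"):
                tags.append(part)
            elif part.startswith("#"):        # start of a trailing comment
                break
        entries.append((parts[0], parts[1].upper(), tags))
    return entries


# Constructed inventory for the two sites in the thread. 192.168.20.10 is
# the Dorval DC/DNS/WINS box from the first post; every other address, the
# host names and the NetBIOS domain names are assumed.
INVENTORY = [
    {"ip": "192.168.20.10", "name": "dc-dorval", "domain": "FERCON",
     "comment": "Dorval DC / DNS / WINS"},
    {"ip": "192.168.20.21", "name": "ws-dorval-01"},
    {"ip": "192.168.10.10", "name": "dc-blainville", "domain": "CADROPORTE",
     "comment": "Blainville DC (assumed address)"},
    {"ip": "192.168.10.31", "name": "ws-blainv-01"},
]

if __name__ == "__main__":
    print(build_lmhosts(INVENTORY), end="")
```

The generated file goes to %SystemRoot%\System32\drivers\etc\lmhosts (no extension) on each machine, and `nbtstat -R` purges and reloads the name cache so the #PRE entries take effect without a reboot; that per-machine copy is why a batch run over every PC was needed. Because lmhosts is a static map, a stale entry sends SMB traffic to whatever host now holds that address, so regenerate it from the authoritative inventory rather than editing copies by hand.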
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.