local DNS for site to site VPN

simonbr

I have 2 RT-N66U routers running firmware 380.69, configured for site-to-site VPN, and they are working. I can ping clients using IP addresses on both sides, no problem. I am now trying to get NetBIOS/DNS working so I can ping using names, but I can't seem to figure it out.

I configured the server router's domain name to "server.lan" and the client VPN's "Accept DNS Configuration" to Strict. I can ping names on the server side from the client side using the prefix. I've tried to set a different domain name on the client's router, "client.lan", but I can't ping names on the client router's side using the prefix.

Are there any tricks or configuration help available?
 
I think as a starting point you need to decide whether you really want/need NetBIOS as well as DNS. They work in completely different ways and each requires their own setups both on the server side and the client side. NetBIOS is usually more tricky because it works on broadcast packets, which won't travel between networks.

As for your DNS issue - I don't know because I've never used that setup, but it sounds like it's working as expected. If you're pushing the server-side DNS server to the client-side devices then I would not expect devices on the client side to resolve fully qualified "local" names anymore, because the DNS server they are querying has no knowledge of any of the device names on the client side.
 
Thanks for the reply. I was under the impression that NetBIOS was not used anymore. I might not have read properly...

Isn't there a way to put a local prefix route on the server router?
 
Thanks for the reply. I was under the impression that NetBIOS was not used anymore. I might not have read properly...
I only mentioned NetBIOS because you said you were trying to get it working.

Isn't there a way to put a local prefix route on the server router?
Yes, but at the end of the day any fully qualified name lookup will go to 1 server. That server needs to know how to deal with all requests. How you achieve your goal depends on your network design.
 
Sorry, I'm not sure of all the terminology, so I had included NetBIOS.

I'll give you some details of my network:
LAN 1, OpenVPN server side, 192.168.1.0/24 (server.lan prefix)
LAN 2, Client side, 192.168.2.0/24 (client.lan prefix)

The site-to-site VPN is working correctly; pinging by IP from client to server and vice versa works great. All I would like to do now is be able to ping using the computer names.
 
All I would like to do...
It sounds simple, but to make it reliable is difficult without using more than just Asus routers.

For example:

IF your LAN to LAN link is permanent, you could use the same domain name on both sides and configure ALL clients to register their names with a single DNS server. This is similar to what happens in a corporate network. The problem with this in your case is that it is reliant on the VPN tunnel never going down.

On a side note: If you didn't care about using fully qualified "local" names but were happy to use short names then you can ignore the whole DNS issue by using NetBIOS name resolution, IF all your clients are Windows (or Samba).
 
I set both domains to the same server.lan and both routers to use 192.168.1.1 for DNS. All this did is the client side did not have to use the prefix anymore when doing a ping. The server could still not ping names on the client side.

All my clients are Windows, how would I implement NetBIOS over the VPN?
 
All my clients are Windows, how would I implement NetBIOS over the VPN?
I strongly suggest you don't go down this path unless you really understand what you're doing. NetBIOS isn't a substitute for a working DNS setup. All the problems you're facing with DNS will have equivalent problems in NetBIOS. Nowadays DNS is ubiquitous whereas NetBIOS isn't.

It would be helpful if we knew a bit more about your network and what you're hoping to achieve. You say it's a site to site VPN, is this a permanent connection like a remote office connecting to the main office? What do you want to happen if the VPN link goes down, give access to the internet or block access? I'm assuming ALL traffic from client.lan is going through the VPN, or are you using policy routing? Any other considerations?

(I expect the solution will be beyond my own knowledge but given the information above I'm sure there are others that can provide the best answer.)
 
I set both domains to the same server.lan and both routers to use 192.168.1.1 for DNS. All this did is the client side did not have to use the prefix anymore when doing a ping. The server could still not ping names on the client side.
The clients would all need to be using 192.168.1.1 as their DNS server and they would need to be rebooted so that they can reregister their names in DNS.
 
I am trying to share some file sharing systems from both sides. I don't want all internet traffic to be sent over the VPN. If the VPN goes down, the VPN will be down and that's all; I don't need any backup.

I tried to configure the DNS for all systems to be 192.168.1.1 and rebooted the systems, still not working correctly.
 
OK, how about this:

Going back to your original setup with two different subnets and two different domains, server.lan (192.168.1.0/24) and client.lan (192.168.2.0/24).

Change the VPN "Accept DNS Configuration" to Disabled. As I understand it with this setup local name resolution should work as normal on each side (including internet sites like www.google.com).

Then for each router modify its dnsmasq configuration so that lookups for the other domain are forwarded to the other router. Normal lookups will still be forwarded to the internet as before.

/jffs/configs/dnsmasq.conf.add
Code:
# on the server.lan router: send lookups for client.lan to the client router
server=/client.lan/192.168.2.1
and
Code:
# on the client.lan router: send lookups for server.lan to the server router
server=/server.lan/192.168.1.1

Change the IP addresses as appropriate for your routers.
 
Last edited:
Configured everything back to normal and added the dnsmasq.conf.add to both routers, rebooted and verified /etc/dnsmasq.conf to confirm it was added.

Code:
192.168.1.0/24
server.lan
server=/client.lan/192.168.2.1

192.168.2.0/24
client.lan
server=/server.lan/192.168.1.1

Same results, ping IP both ways works great, ping name from client to server LAN works. Name from server side to client still does not resolve.
 
Did you change the client's VPN "Accept DNS Configuration" setting and confirm that both short names and fully qualified local names now work?


From a client attached to the server.lan network can you directly query the other DNS server?

nslookup mypc.client.lan 192.168.2.1

where mypc.client.lan is a FQDN that is already known to 192.168.2.1

EDIT: Are you using TUN or TAP as your OpenVPN interface type?
 
Last edited:
I verified the Accept DNS config on the client VPN side and it is disabled. I did a ping to the short name and fully qualified names locally on both sides, it works fine. Using TUN as the interface type.

I performed the nslookup from the server.lan side to a FQDN on the client side and it timed out. It is not resolving the server name either, just showing unknown. I did the same on the client.lan side to a server.lan name and it worked (of course) and resolved the router as the server name.

I'm including a screenshot of the VPN settings on both sides.

Attachments: client.PNG, server.PNG
 
Thanks for the extra information.

You said earlier that you could ping any IP address in client.lan from server.lan. Can you ping 192.168.2.1 from 192.168.1.1?
 
OK, that's a bit strange. So it looks like the routing is working but for some reason you can't send DNS queries to 192.168.2.1.

Do you have any non-default DNS related settings on the router, like ad-blockers or dns filter?

Can you check the dnsmasq config on 192.168.2.1

grep interface /etc/dnsmasq.conf
 
Both routers were just updated and reset to defaults before starting this testing. No filtering or anything else added.

dnsmasq on 192.168.2.1 is as follows:
Code:
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*

Same on 192.168.1.1 is:
Code:
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
interface=tun21

Could iptables be blocking anything? I turned off the firewall on both routers.
 
I don't think it's the firewall. I'm thinking that dnsmasq has to be told what interface to listen and respond on.

If you look on 192.168.2.1 there should be an interface for the VPN client connection. What is it called? I'm guessing something like tun11.

ifconfig -a

Add that interface name to the dnsmasq.conf on 192.168.2.1, so (assuming it's tun11):
Code:
server=/server.lan/192.168.1.1
interface=tun11
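
Pulling the two fixes in this thread together (the server= forward from the earlier post and the interface= line from this one), here is an added shell example, not from the thread and not Asuswrt-Merlin code, that checks a router's dnsmasq config for both directives and prints the fragment to append to /jffs/configs/dnsmasq.conf.add when they are missing. It goes slightly beyond the thread: it also forwards the peer subnet's reverse zone (2.168.192.in-addr.arpa for 192.168.2.0/24) so PTR lookups of remote addresses work, and it adds no-dhcp-interface for the tunnel so dnsmasq serves DNS but never offers leases across it. The function names, the /24-only rev_zone helper, and the tun11/tun21 names in the demo are assumptions; use whatever ifconfig -a shows on each router.

```shell
#!/bin/sh
# Added example for this thread (not Asuswrt-Merlin code): verify that a
# router's dnsmasq config forwards the peer site's domain to the peer router
# AND listens on the VPN tunnel, and emit the dnsmasq.conf.add fragment when
# it does not. Function names, the /24-only rev_zone and the tun11/tun21
# names in the demo are assumptions for illustration.

# rev_zone 192.168.2.0/24 -> 2.168.192.in-addr.arpa (assumes a /24)
rev_zone() {
    oldifs=$IFS; IFS=.
    set -- ${1%/*}
    IFS=$oldifs
    echo "$3.$2.$1.in-addr.arpa"
}

# dns_forward_ok CONF PEER_DOMAIN PEER_IP VPN_IF
# Exit 0 if CONF has both directives, else list what is missing and exit 1.
dns_forward_ok() {
    conf=$1; peer_domain=$2; peer_ip=$3; vpn_if=$4; missing=0
    # forward: queries for *.PEER_DOMAIN go to the peer router
    if ! grep -qxF "server=/$peer_domain/$peer_ip" "$conf"; then
        echo "missing: server=/$peer_domain/$peer_ip"; missing=1
    fi
    # listen: without this dnsmasq ignores queries arriving over the tunnel,
    # which is the one-way failure seen in the thread
    if ! grep -qxF "interface=$vpn_if" "$conf"; then
        echo "missing: interface=$vpn_if"; missing=1
    fi
    return $missing
}

# dns_forward_fragment PEER_DOMAIN PEER_SUBNET PEER_IP VPN_IF
# Print the lines to append to /jffs/configs/dnsmasq.conf.add on this router.
dns_forward_fragment() {
    printf 'server=/%s/%s\n' "$1" "$3"
    # reverse zone too, so a PTR lookup of a remote address resolves (beyond the thread)
    printf 'server=/%s/%s\n' "$(rev_zone "$2")" "$3"
    printf 'interface=%s\n' "$4"
    # serve DNS on the tunnel but never hand out DHCP leases across it
    printf 'no-dhcp-interface=%s\n' "$4"
}

# Demo: constructed copy of the client router's config as posted in the
# thread (interface lines plus the earlier server= line), before the fix.
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
server=/server.lan/192.168.1.1
EOF
dns_forward_ok "$demo_conf" server.lan 192.168.1.1 tun11 ||
    echo "client router: queries from server.lan would be ignored"
dns_forward_fragment server.lan 192.168.1.0/24 192.168.1.1 tun11 >>"$demo_conf"
dns_forward_ok "$demo_conf" server.lan 192.168.1.1 tun11 &&
    echo "client router: forward and listen both configured"
rm -f "$demo_conf"
```

Run it on each router against /etc/dnsmasq.conf with the other site's domain, subnet and router address; on the server side the arguments become client.lan 192.168.2.0/24 192.168.2.1 tun21. The script is plain POSIX sh, so it runs under the router's BusyBox shell as well as on a desktop.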
 
This works! thank you very much.

Is there any way to have them on the same domain, or to have the DHCP server send out the additional suffix, so that when we ping from one side to the other we don't have to include the suffix?
 
