Resolve Hostnames over OpenVPN

Wingsfan87

Regular Contributor
Background: Three sites set up to connect over OpenVPN. I have everything working thanks to @Martineau 's script that allows me to dynamically assign client login iroute. I can access everything fine by IP addresses, but I was curious if it is possible to set it up to resolve local hostnames over OpenVPN? And if yes, how would I do that?

Set up:

Open VPN Server - RTAC68R - ver 380.65.2
Open VPN Client 1 - RTAC68R- ver 380.65.2
Open VPN Client 2 - RTAC5300 - ver 380.65.2

Settings:
Interface Type = TUN
Push LAN to clients = Yes
Direct Clients to redirect Internet traffic = No
Respond to DNS = No

I want the internet traffic and internet DNS to remain local at each site. It's the local DNS that should forward and resolve for each site.
 
Respond to DNS = No

If you want to use the DNS, then you need to tell your OpenVPN server to respond to DNS requests. A local DNS cannot forward to the remote DNS because it has no idea which domain name that remote DNS is authoritative for.

Is that WAN DNS requests too? I don't want it going to the server for all my DNS, just the local DNS to the remote, but none of my internet traffic.

It depends on how your client implements it, it's not controlled by the server.

So I changed the OpenVPN server options and set

Respond to DNS = Yes
Advertise DNS to client = Yes

Restarted the OpenVPN server and clients, but I am unable to resolve names on the server-side subnet from the clients. Note I also flushed DNS on my PC to ensure I was picking up the latest settings from the client router; however, I can't ping nor nslookup clients on the server side.

Another weird side effect: I can't ping the server-side IPs either. Request timed out. However, I have no issue accessing them via URL for web-enabled devices and no issues accessing IPs over RDP.
 
So I have updated to the latest 380.66 Beta5. And no luck on getting this to work. Do I have to do some further static routes under LAN to get it to work?

I can RDP or HTTP and explore to any IP on the server subnet and client 2 subnet from the client 1 subnet, and vice versa on all 3. However, I am unable to ping anything except for the routers on each subnet, and nslookup does not resolve any hostname, and neither will ping.

Any ideas? As noted, I do have Respond to DNS and Advertise DNS to client set to Yes.
 
Hey @Martineau any ideas on this? Your script is still working like a charm but I am seeing the issues where I can't ping the remote subnet. I can RDP/network shares using the remote subnet IP (serverside/client sides) but ping replies no host found. Same for Nslookup.
 
@RMerlin thanks for the latest update 380.66! Just following up as I still haven't been able to figure this one out. Any thoughts on what I need to do? I did as you suggested and set the OpenVPN server to Respond to DNS and Advertise DNS. Is there anything I need to do on the OpenVPN client routers to get them to resolve hostnames and/or ping over the OpenVPN tunnel?

Clients can ping the OpenVPN server router but nothing on the OpenVPN server local subnet. And they can ping each other's client routers' local IPs but can't ping any clients. However, RDP and file shares (Samba) to the IPs work fine. And hostnames do not work for anything.

Example:
OpenVPN server local subnet 192.168.2.x and OpenVPN subnet 10.2.0.x - are pingable from the OpenVPN clients' subnet PCs
OpenVPN client local subnets 192.168.4.x and 192.168.3.x can ping each other's OpenVPN client routers but nothing behind the clients' subnets

Hostnames on none of the subnets are resolvable.

I even entered domains in the DHCP under LAN, like Bhome, Dhome, Dwork, and tried using that to resolve, like ping workpc.dwork or just workpc or nslookup, from the client 1 or OpenVPN server side, but neither will resolve.

Not sure if you have to enter static routes etc. under LAN or not, and if so, not sure what to point to what.
 
Make sure you enable the option to Push LAN to clients, and that you run the client with elevated privileges so it can setup the route.

You might also need to ensure that both subnets don't clash. If both LANs are in the same subnet, you will have problems bridging the two.

Thanks Merlin. Push LAN to clients is enabled.

What do you mean about running client with elevated privileges?

Server= Asus AC68U at my Dad's house - local subnet 192.168.2.0/24 - VPN subnet 10.2.0.0/24 set to TUN and Push to Lan and Respond to DNS/Advertise DNS set to Yes and Client to Client equals yes and LAN domain name set to Dhome
Client1 = Asus AC68U at the Dad's business - local subnet 192.168.3.0/24 LAN Domain name set to Dwork
Client2 = My Asus AC5300 router at home - local subnet 192.168.4.0/24 LAN domain set to Bhome

From each subnet I can only ping the IP of the router of each subnet. I cannot ping any other device behind any of the subnets by IP.
No name resolves across the network. It doesn't work from the server to client 1 and client 2 and vice versa.

However I can use RDP and use file share/Explorer to any device IP on the clients 1 and 2 from the server side
I can do the same from the client 1 subnet to the server and client 2 subnet
Same from the client 2 subnet I can use RDP and file share/Explorer to any device IP on the client 1 and server side subnets

But no names will resolve; I can't access by hostname nor by hostname.localdomainname.

What other settings am I missing? Why won't the pings work to the IPs when RDP and file shares work to the IP? And why won't any of the hostnames resolve or work, and no nslookup?
 
Under Windows it must be run as Administrator.



Probably because your target computer's firewall is blocking it.

I don't have a Windows client. This is an OpenVPN site-to-site setup only on Asus routers. The clients are Asus routers, not PCs on the local subnet. Doesn't matter if I run an elevated CMD to ping or not. Still doesn't resolve.

Also the target PC firewall isn't blocking it, as I can ping it all day long or resolve the name on the same subnet. I just can't do it over OpenVPN from one of the other sides.

Site-to-site might require setting up static routes. Check on these forums, people posted guides in the past on how to setup a site-to-site tunnel.

Configure the OpenVPN Server to push the search (DOMAIN) directive (RMerlin doesn't support the DOMAIN-SEARCH directive)
Code:
push   "dhcp-option   DOMAIN   $(nvram  get  lan_domain)"

You can either do this individually for each client (CCD) or for ALL connections in the OpenVPN Server's custom configuration GUI.

So if you have your VPN Client 'Accept DNS Configuration=Strict', then when you connect to the OpenVPN Server, effectively the above directive should insert the 'search' directive into the local 'resolv.conf' along with the 'nameserver' DNS pushed by the remote OpenVPN Server
e.g.
Code:
nameserver   10.3.2.1
search       Glenmorangie.lan
nameserver   isp.dns.1.xxx
nameserver   isp.dns.2.xxx

e.g. I am able to issue
Code:
ping   DS-416

PING DS-416 (10.3.2.140): 56 data bytes
64 bytes from 10.3.2.140: seq=0 ttl=63 time=25.578 ms
64 bytes from 10.3.2.140: seq=1 ttl=63 time=24.027 ms

and DS-416 is actually resolved as DS-416.Glenmorangie.lan rather than my local DS-416.Martineau.lan.

Clearly there are limitations to this technique, so if this doesn't work for you then if you wish to access resources via name on the OpenVPN Server LAN, then you will need to tediously add the appropriate 'static' entries to the client router's hosts file - either manually (hard-coded) or via an openvpn-event triggered script.
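The last paragraph above describes the fallback of keeping static entries for remote-LAN hosts in the client router's hosts file from an openvpn-event triggered script. The POSIX sh below is an added example, not from this thread or from Martineau's scripts: it assumes the hook already has the remote LAN domain and a list of "name ip" pairs (the sample data here is constructed), renders them as hosts lines, and rewrites a marked block so that repeated tunnel up/down events never duplicate entries.

```shell
#!/bin/sh
# Added example (hypothetical hook logic, not the thread's own code).
# Maintains one marked block of remote-LAN host entries in a hosts file.

MARK_BEGIN="# BEGIN openvpn-event remote hosts"
MARK_END="# END openvpn-event remote hosts"

# Constructed sample input: "name ip" pairs as the hook would have resolved
# them against the remote router's DNS, plus the remote LAN domain.
SAMPLE_DOMAIN="Glenmorangie.lan"
SAMPLE_PAIRS="DS-416 10.3.2.140
nas 10.3.2.141"

# Render "<ip> <name>.<domain> <name>" for each "name ip" pair read from stdin,
# so both the FQDN and the bare hostname resolve from the local hosts file.
render_hosts() {
    domain="$1"
    while read -r name ip; do
        [ -n "$name" ] && [ -n "$ip" ] || continue   # skip blank/partial lines
        printf '%s %s.%s %s\n' "$ip" "$name" "$domain" "$name"
    done
}

# Replace (or append) the marked block in hosts file $1 with the lines on stdin.
# Deleting the previous block first keeps the operation idempotent: running the
# hook on every reconnect leaves exactly one copy of each entry.
update_hosts_block() {
    hosts="$1"
    tmp="$hosts.tmp"
    {
        if [ -f "$hosts" ]; then
            sed "/^$MARK_BEGIN\$/,/^$MARK_END\$/d" "$hosts"
        fi
        echo "$MARK_BEGIN"
        cat
        echo "$MARK_END"
    } > "$tmp"
    mv "$tmp" "$hosts"
}

# Demo: write the constructed sample into hosts file $1 and print the result.
demo_update() {
    printf '%s\n' "$SAMPLE_PAIRS" | render_hosts "$SAMPLE_DOMAIN" | update_hosts_block "$1"
    cat "$1"
}
```

On a router the hook would call update_hosts_block on the file dnsmasq reads its static entries from; a tunnel-down event can call it with empty stdin to clear the block.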

@Martineau I must have totally missed this post when you replied. I just found this! Wow a little embarrassing haha.

Anyhow, thank you so much, as always, for your expertise. Just one small question: your code, when it says DOMAIN, are you saying to use that phrase exactly, or replace it with my server or client domain name that I have in each router, both the client router and server router?

Or is it that one entry exactly as you entered the command text in the server custom command gui box?
 
@Martineau

I understand the line now to be pasted as is in the server custom code gui box.

I still wasn't able to get it to resolve, though, even after stopping/restarting both the OpenVPN server on the router and the clients on their routers.

Does it only work on Strict? I would rather have it Relaxed so it checks my local DNS on the client site first before going over the VPN server DNS. It may take longer to resolve, which is OK, but it should still resolve then, correct?

I have different DNS servers on each local client side that are different from the server side, and I need those too.

I checked /tmp/resolv.conf on the clients, but they did not update as you showed for your own. It only has the local DNS entries for the client, not from the server and not from the other client.
 
Further testing: I did try Strict on the client side, but it still didn't insert into the /tmp/resolv.conf file.

Is there something I'm missing?
 
Ok I figured it partially out. From the clients to the server it works with the FQDN. But not from clients to clients and not from server to clients. Not sure what else to do.

Client configuration:
Accept DNS Configuration: Strict

In custom configuration box
Code:
float
keepalive 15 60
remote-cert-tls server


Server configuration:
In custom configuration box
Code:
script-security 2
client-connect /jffs/scripts/VPNClientConnect.sh
route 192.168.3.0 255.255.255.0 vpn_gateway
route 192.168.4.0 255.255.255.0 vpn_gateway
push "route 192.168.3.0 255.255.255.0"
push "route 192.168.4.0 255.255.255.0"
push "dhcp-option DOMAIN serverdomainname"
push "dhcp-option DOMAIN client1domainname"
push "dhcp-option DOMAIN client2domainname"
push "dhcp-option DNS 192.168.2.1"
push "dhcp-option DNS 192.168.3.1"
push "dhcp-option DNS 192.168.4.1"
 

Clearly client-to-server was the required solution for me, with the client device either being a router/phone etc.

Apologies.....I did state in the original post that there were limitations! :oops:
 