VPN connected but no DNS or "normal traffic"

[Justy]

Once again I am aiming at the standard out-of-the-box solution so I have setup the OpenVPN using the manual/Wiki (and forum) by this:

- first the "simple" (Windows) client: Everything works - the hosts can be reached from the client - GREAT!

- then site-to-site (both v11):

- connection establishes within seconds - and some minor traffic is flowing over time but...

- network clients cannot ping nor reach hosts through the VPN tunnel :-(

I have found these instructions on the Wiki that seems to address this problem:

I'm using site-to-site and my software clients can only talk to the main server. Why?
If you have both software clients on the road and site-to-site tunnels, the software clients will only be able to see your main site by default. To allow them to transit the tunnel(s) to other sites, simply add the VPN Address Pool to the Exported Hosts and Networks. After this is done, software clients will be able to reach all exported sites.

How can I allow software clients to resolve DNS over the tunnel?
To allow DNS resolution for software clients you'll need to modify some OpenVPN settings - if Untangle is doing DNS resolution on your network, simply check Export DNS at OpenVPN Settings > Advanced > Address Pools for any VPN Address Pools you want DNS resolution exported for. If Untangle is not resolving DNS on your network, you'll need to check Export DNS, set DNS Override to Enabled, then enter the IP address of the DNS Server under Primary IP. You may need to use the FQDN when accessing resources across the tunnel.

But I cannot find this VPN Address Pool or the Advanced OpenVPN setting in Untangle v11 (or simply my ignorance).

I may have overlooked something - or I have to add some trivial (for the experienced user) setup somewhere else?
The routing hint from the Wiki sounds promising but I cannot see where - and what to add?

I am uncertain about the NAT setting on the OpenVPN setup but it does not remedy anything in the respect - as far as I an see...

TIA

--- Configs/routes ---

Untangle server with OpenVPN

= IPv4 Rules =
0: from all lookup local
100: from all fwmark 0xfe00/0xff00 lookup 1000
32766: from all lookup main
32767: from all lookup default
50000: from 192.168.1.79 lookup uplink.1
70001: from all fwmark 0x100/0xff00 lookup uplink.1
1000000: from all lookup uplink.1

= IPv4 Table main =
10.100.1.0/24 via 10.100.1.2 dev tun0
10.100.1.2 dev tun0 proto kernel scope link src 10.100.1.1
10.100.7.0/24 via 10.100.1.2 dev tun0
10.100.100.0/24 dev eth1 proto kernel scope link src 10.100.100.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.79
192.168.1.1 dev eth0 scope link

= IPv4 Table balance =

= IPv4 Table uplink.1 =
default via 192.168.1.1 dev eth0

= IPv4 Route Rules =



= IPv6 Rules =
0: from all lookup local
32766: from all lookup main

= IPv6 Table main =
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev utun proto kernel metric 256

= IPv6 Table uplink.1 =


Untangle server with connecting client

= IPv4 Rules =
0: from all lookup local
100: from all fwmark 0xfe00/0xff00 lookup 1000
32766: from all lookup main
32767: from all lookup default
50000: from 192.168.1.128 lookup uplink.1
70001: from all fwmark 0x100/0xff00 lookup uplink.1
70003: from all fwmark 0x300/0xff00 lookup uplink.3
900000: from all lookup balance
1000000: from all lookup uplink.1

= IPv4 Table main =
10.100.1.0/24 via 10.100.1.5 dev tun1
10.100.1.5 dev tun1 proto kernel scope link src 10.100.1.6
10.100.7.0/24 dev eth1 proto kernel scope link src 10.100.7.1
10.100.20.0/24 via 10.100.20.2 dev tun0
10.100.20.2 dev tun0 proto kernel scope link src 10.100.20.1
10.100.100.0/24 via 10.100.1.5 dev tun1
192.168.1.0/24 dev eth3 proto kernel scope link src 192.168.1.128
192.168.1.1 dev eth3 scope link

= IPv4 Table balance =
default via 192.168.1.1 dev eth3

= IPv4 Table uplink.1 =
default via 192.168.1.1 dev eth3

= IPv4 Table uplink.3 =

= IPv4 Route Rules =

[WebFooL]

OpenVPN->Server->Groups->Edit existing or Add Group.

There Select Push DNS checkbox and you should be able to specify dns servers.

Make sure that the DNS server network is Exported.
It also looks like you have the same internal network on both sides 192.168.1.1/24 i would suggest to have uniq networks on both sides if you want to have a good time :-)

[Justy]

Thanks for the quick reply, WebFooL - appreciate your advice but...

I have just used the default setup (based on the guidance on the help page):

Push DNS - If enable, OpenVPN will "push" some DNS configuration to the remote clients when they connect. This is useful if you wish for some local names and services to properly resolve via DNS that would not publicly resolve.

Assuming that it would make the internal plummings appear correctly with the Untangle DNS server setup so it just like for the (simple) client has DNS working out-of-the-box (setup).

I now notice that I have tried the Full Tunnet setup to check whether that made a difference - which it didn't.
That may influence the routing display so I have just dumped a new display below.

I have selected (the default) option of "OpenVPN Server" which doesn't open any field for setting a DNS server (IP).

The last field is Push DNS Domain which I have left empty - again assuming the default provides the domain of the Untangle server.

So I don't see anything to change/setup!?

And YES - I am currently working out from the same IP address as I have both Untangle servers at his location.
The Untangle server that is acting as OpenVPN server is setup as DMZ host on the ISP router.
(The simple port forward did not make it alone so something was broken in the communication.)

The other Untangle is simply in the DHCP pool of the ISP router.

Can that be the origin of the problem?

--- Revised routes on Untangle OpenVPN server ---

= IPv4 Rules =
0: from all lookup local
100: from all fwmark 0xfe00/0xff00 lookup 1000
32766: from all lookup main
32767: from all lookup default
50000: from 192.168.1.79 lookup uplink.1
70001: from all fwmark 0x100/0xff00 lookup uplink.1
1000000: from all lookup uplink.1

= IPv4 Table main =
10.100.1.0/24 via 10.100.1.2 dev tun0
10.100.1.2 dev tun0 proto kernel scope link src 10.100.1.1
10.100.7.0/24 via 10.100.1.2 dev tun0
10.100.100.0/24 dev eth1 proto kernel scope link src 10.100.100.1
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.79
192.168.1.1 dev eth0 scope link

= IPv4 Table balance =

= IPv4 Table uplink.1 =
default via 192.168.1.1 dev eth0

= IPv4 Route Rules =



= IPv6 Rules =
0: from all lookup local
32766: from all lookup main

= IPv6 Table main =
fe80::/64 dev eth1 proto kernel metric 256
fe80::/64 dev utun proto kernel metric 256

= IPv6 Table uplink.1 =

[sky-knight]

You're over complicating things.

Push DNS? Full Tunnel?

Those things have zero Bering of the DNS resolution of the far side of a site-to-site tunnel.

You need to configure DHCP for the network scope on the far remote device to pass out the correct DNS information.

[Justy]

I am just trying to find a path to get the two network to be connected through this OpenVPN site-to-site connection without (too) much complexity - just like the OpenVPN client can utilize the OpenVPN server (exported) network :-/

Unfortunately I need just a bit more info to understand your good advice - where do I setup this DHCP in relation to OpenVPN?
Does this mean that the IP's are new but the DNS names, etc. can be used?

TIA

[jcoffin]

Pushing DNS on Site to Site OpenVPN is just a bad idea and there is no setting for this. If you have site A with domain siteA.int and site B with domain siteB.int, then:

- Site A Config -> Network -> DNS should have domain siteb.int with the internal IP address of Untangle at site B.
- Site B Config -> Network -> DNS should have domain sitea.int with the internal IP address of Untangle at site A.

This way clients at site B can do IP address lookup of client names at site A and vice versa.

[Justy]

OK - I'll have to look further into this DNS setup - thanks, it makes good sense...

But I got confused about the "no setting for this" as it is (as I have experienced) the Default Group setting in OpenVPN by default is

2015.09.18 - UT2 - OpenVPN Groups.png

So I should change the Default Group to "nothing", i.e. no function at all?

[Justy]

Pushing DNS on Site to Site OpenVPN is just a bad idea and there is no setting for this. If you have site A with domain siteA.int and site B with domain siteB.int, then:

- Site A Config -> Network -> DNS should have domain siteb.int with the internal IP address of Untangle at site B.
- Site B Config -> Network -> DNS should have domain sitea.int with the internal IP address of Untangle at site A.

This way clients at site B can do IP address lookup of client names at site A and vice versa.

OK - now looking into this matter. Sorry for my ignorance but does this siteb.int have a signicant meaning or is it just descriptive?
E.g. if the servers are called UTA and UTB; for UTA: would that be UTB.int (because int has a special meaning) or is it simply UTB? Or should it be fully qualified as UTB.my-domain.com?
Does that mean that DNS on UTB is adding hosts after UTA's DNS for the clients?

I just thought that all this was "automatically" injected by the Push DNS flag - but that's just due to my ignorance :-/

Appreciating your insight so I don't stumble around and getting more confused in the process!

PS: Still not understanding where and how DHCP has to be setup and enabled as sky-knight mentions...?

[sky-knight]

No it's not automatically added, the only thing that push option does is send specified DNS servers to the VPN client when it connects. And again, it has no impact on a site to site tunnel.

Your problem is that you don't understand basic routing, nor do you understand basic DNS functionality. This stuff is as simple as its going to get, but it is a bit of an Earth moving education when you do it for the first time. The forums won't be able to efficiently help you, we can't really do DNS 101, and TCP/IP 101 courses here. Untangle support may be able to help you if you open a ticket, but you're going to need to be patient.

Can you use IP addresses on both sides of the tunnel? It'd be nice to know that this is just DNS we're arguing with.

[Justy]

I am very open for DNS 101 reference so I can get better acquianted with this domain but I had hoped to get a Best Practise experience.
I have noticed how many have had this nice "plug two Untangle over OpenVPN and it works!" experience.
The only problem is that the finer details are left out of forums/Wiki but that may due to this DNS 101 base requirement.
So I know that I am SO close - but not as close as the client that works out of the box.

My educational background is Master in Computer Science so my background is quite useful to comprehend the overall functionality but the nitty gritty details in this DNS domain is not something I have worked with - beyond in terms of Untangle.


As noted above, the tunnel is up and running.
I can ping IP addresses but no (DNS) names are found - which made sense as pointed out by jcoffin.

So in my simple/stupid understanding, I just need to have the DNS tables populated about the hosts on "the other side"...

PS: DNS and DHCP are of course also fully functional on either site - it is just the cross-the-tunnel naming I am trying to figure out so I can access machines across the tunnel.