  1. #1
    Untanglit
    Join Date
    Nov 2016
    Location
    Cincinnati, OH
    Posts
    24

    OpenVPN issues and DNS PC name resolution

    OpenVPN issues and DNS resolution

    Issues: I believe the 2nd issue is related to the 1st.
    First Issue: OpenVPN connects and I can map network drives using the IP address, but computer names will not resolve. I have set DNS to push, but that has not resolved the issue.

    Secondary Issue: the client uses accounting software on the network called Peachtree (Sage 50). The software runs on all the client machines in the office (laptops) and it also runs on the server (a desktop in the office with a static IP). The Peachtree server stores all of the accounting info; each client runs Peachtree locally and uses the mapped network drives to access the company data on the Peachtree server (i.e. the mapped drive is \\computername\peachtree or \\10.0.66.117\peachtree; both options work). But when connecting to the network from outside using one of the client laptops over the OpenVPN connection, the Peachtree instance fails and says it has stopped working.

    New client installation… Simple network. (Diagram included)
    Network Diagram.JPG

    Spectrum Business class internet: Modem is set in bridge mode with all routing and DHCP disabled with one external WAN address (paid… Static)

    Untangle U25x appliance:
    • WAN interface set as static with the ISP assigned IP address, subnet, gateway, and 2 DNS entries (works perfectly)
    • Internal interface is set as dynamic using the IP range 10.0.66.1/24 with 255.255.255.0 subnet. This interface is running DHCP and all clients receive an IP in this range.
    • Managed Switch – Unifi 8 port POE with a static IP assigned (10.0.66.2)
    • 2 Wireless Access Points – Unifi AC Pro with static IPs assigned (10.0.66.4 & 10.0.66.5)
    • Untangle is the DHCP server
    • Untangle is the DNS server
    • Untangle is running the OpenVPN module or addon. OpenVPN connects perfectly, but cannot resolve any PC name on the network; it can resolve or ping any IP address on the network
    • OpenVPN is configured within Untangle to the following IP range 172.16.244.0/24
    • OpenVPN clients are set to Full Tunnel and Push DNS
    • OpenVPN has exported network of 10.0.66.1
    • Untangle DNS Server has static entry of “PeachtreeServerName” (10.0.66.117)

    I am struggling with what piece I am missing to make this configuration work as planned. I have read as much as I can find about OpenVPN and DNS resolving by name and IP, but no luck so far getting this to work.

    On a separate note, I figured the solution would be to just map all network drives using the IP address and that would be my workaround, and that works, except the Peachtree accounting software will not connect while going through the VPN. I researched multiple Peachtree/VPN issues and found reference to opening a few ports, since the Peachtree software runs a version of Pervasive SQL. Not sure if I would do this as a port forward or as a firewall rule, since it would be traffic going through the VPN. (???)

    My gut says the 2 issues are related and solving one will probably help with the other. I would like any advice from someone who may have tackled OpenVPN and computer name resolution (network drive mappings). Also one last item I should mention… there is no domain controller in this environment. This is a LAN where all computers are in the same workgroup, and file sharing etc… works perfectly fine. In addition, I have set the OpenVPN software to run as Administrator. All client PCs are running Windows 10 Pro.

    Thanks in advance for any help.

  2. #2
    Untanglit
    Join Date
    Nov 2016
    Location
    Cincinnati, OH
    Posts
    24


    Could this be a split tunnel vs full tunnel issue? Maybe I need to go back to split tunnel vs full tunnel!

  3. #3
    Untanglit
    Join Date
    Nov 2016
    Location
    Cincinnati, OH
    Posts
    24


    nobody???

  4. #4
    Untangler jcoffin
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,013


    My guess is the DNS issue is due to the way Windows does name lookups. The VPN connection doesn't have a DNS suffix associated with it. So when your computer tries to resolve your mapped drives, it fails because it doesn't realize that your single-name references are intended for the domain. On the Networking tab select IPv4 and hit Properties, then Advanced. On the DNS tab supply your Untangle server domain name in the 'DNS suffix for this connection' box.

    Also I have had nothing but issues with Windows mapped WAN network shares as drives. It's an outdated method which is unreliable on WAN-based connections. It's better to just create an IP-based shortcut on the computer to access the remote share volume.
    Last edited by jcoffin; 03-15-2018 at 07:41 AM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  5. #5
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,946


    What? No... mapped drives work fine over a VPN, but you DO need to configure DNS properly. Domain members will assume the DNS name of the domain in their search order automatically. If Untangle is pushing a custom DNS of the AD-supporting DNS server, the client when connected will happily resolve FQDNs or short names just fine. Using IPs, what is this, the 90s? CONFIGURE A WORKING DNS!

    The problem here is there appears to be no domain, and if there is, having the DHCP and DNS roles on Untangle places it in a barely functional state.

    Now, how to resolve this?

    Config -> Network -> Hostname. Make sure the domain name field has something in it you're going to use. This configures the DNS suffix passed out to all DHCP clients of Untangle. You might as well give Untangle a hostname too, the default is Untangle which is fine too. Now, directly below is the Public Address stuff, if you have a public DNS name you want to use for Untangle you need to manually specify it here. That way OpenVPN and all the public services can use the public name space, while your internal network uses the private one you're building. If you don't split this, or you don't make a subdomain space for your internal space... YOU'RE GOING TO HAVE ISSUES. I'm going to proceed here assuming you've got Untangle in the hostname field, example.com in the domain name field, and use IP address from External selected at the bottom. But really, you should make a public DNS name if possible, it means you don't have to reissue VPN clients when your public address changes.

    Now, apps -> OpenVPN -> Settings -> Server

    Make sure your site name is something unique, make note of the address space, make sure NAT OpenVPN traffic is enabled, then hit the Groups tab to the right. Edit the group the busted client is in; the default group is the default one. Now here you can select Full Tunnel if you want the connected client to get to the Internet via the VPN, providing Untangle filtration for the remote device. I usually leave this off, however, for performance reasons. But you DO need to enable Push DNS, and given you've mentioned Untangle's DNS service is active for your network, the push DNS server should be OpenVPN Server. Then below, see that Push DNS Domain box? That's got to be set to match what's in the domain name field on the hostname tab. This is where you set a DNS suffix for your VPN clients! Now that DHCP clients and OpenVPN clients get the same DNS suffix, we can move on to the last step. (Warning: changing settings in the OpenVPN group may require reissuing the client from Untangle and reinstalling it on the client platform; I forget what does and doesn't require this.)

    Config -> network -> DNS server.

    Untangle is a DNS server, but it can only resolve things that it knows about. Given that servers are typically statically configured, even if they are only overgrown workstations, there is no name entry put in here by default! So MAKE one! peachtree.example.com, and point it at 10.0.66.117. Assuming example.com is in both the domain fields, when you connect via VPN the client will now be able to resolve peachtree.example.com or simply peachtree to 10.0.66.117; you can test with nslookup on the remote station while it's connected.

    Once that's done your mapped drives will work! If they do not... remember that address space IP range I told you to make note of? The one in apps -> OpenVPN -> Settings -> Server? Yeah that one? You need to go configure the windows firewall on your peachtree "server" to trust that IP range. Or, simply configure the Windows firewall to be disabled. But beware, these settings in a nondomain network have an annoying tendency to be reset with Windows updates at arbitrary intervals. I highly recommend the deployment of a domain so you can use group policy to configure the firewall into a disabled state, you'll have far more consistent luck. Heck, you can just add the IP range in question to sites and services, which makes it part of the domain default trusted ip ranges... very handy. But, I assume you don't have all this wonderful magic that makes things easy, so just make sure you have an RMM tool or something reliable for remote control of that server so you can kick the firewall as needed. Oh, and just in case you aren't aware disabling the Windows Firewall service will not do what you want... so don't do that.

    Finally, remember that NAT box? Apps -> OpenVPN -> Settings -> Server, NAT OpenVPN Traffic, sometimes you actually do want that OFF... some things hate it... if you do have to turn it off beware, you've got windows firewalls that will certainly see that address space now, so it WILL be in the way. Be ready to disable it, at least for testing. It's been years since I supported Peachtree, so I cannot say if that SQL engine is a problem here. But your issue sounds a ton like Windows Firewall being stupid, which is what it does... honestly I turn it off for all but public profiles these days.
    Last edited by sky-knight; 03-15-2018 at 09:28 AM.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
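The client-side checks behind posts #4 and #5, as an added example that is not from the thread: it reads the DNS server and suffix the VPN pushed to the OpenVPN adapter, applies jcoffin's manual connection-specific suffix if none was pushed, and confirms that both the short name and the FQDN resolve to the Peachtree server. Assumptions (not from the page): the adapter description contains "TAP", the Untangle domain is example.com, and the static entry is peachtree.example.com -> 10.0.66.117; run in an elevated PowerShell on the connected Windows 10 client.

```powershell
# Added example, not the thread's own code. Assumed values are labelled.
$Domain    = 'example.com'   # assumed: must match Config -> Network -> Hostname and Push DNS Domain
$ShortName = 'peachtree'     # short name the mapped drive uses
$Expected  = '10.0.66.117'   # Peachtree server address from the first post

# Locate the active OpenVPN adapter (TAP-Windows description assumed; adjust if Wintun is used).
$vpn = Get-NetAdapter |
       Where-Object { $_.InterfaceDescription -like '*TAP*' -and $_.Status -eq 'Up' } |
       Select-Object -First 1
if (-not $vpn) { throw 'No active OpenVPN TAP adapter found; connect the VPN first.' }

# What did the server push to this adapter? Push DNS sets the server; Push DNS Domain sets the suffix.
$dns     = Get-DnsClient -InterfaceIndex $vpn.ifIndex
$servers = (Get-DnsClientServerAddress -InterfaceIndex $vpn.ifIndex -AddressFamily IPv4).ServerAddresses
"VPN adapter : $($vpn.Name)"
"DNS servers : $($servers -join ', ')"
"Suffix      : '$($dns.ConnectionSpecificSuffix)'"

# Post #4's workaround: if Push DNS Domain is empty, set the suffix by hand on this adapter.
if (-not $dns.ConnectionSpecificSuffix) {
    Set-DnsClient -InterfaceIndex $vpn.ifIndex -ConnectionSpecificSuffix $Domain
    "Suffix was empty; set to $Domain on $($vpn.Name)"
}

# Post #5's acceptance test: the short name (suffix appended by the Windows resolver)
# and the FQDN must both answer with the Peachtree server's address.
foreach ($name in @($ShortName, "$ShortName.$Domain")) {
    try {
        $a = Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' } |
             Select-Object -First 1 -ExpandProperty IPAddress
        if ($a -eq $Expected) { "OK   $name -> $a" }
        else                  { "WARN $name -> $a (expected $Expected)" }
    } catch {
        "FAIL $name does not resolve: $($_.Exception.Message)"
    }
}
```

A FAIL on the short name with an OK on the FQDN means the suffix is not reaching the client; a FAIL on both means the static entry on the Untangle DNS server is missing or not stored as the FQDN.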

  6. #6
    Untanglit
    Join Date
    Nov 2016
    Location
    Cincinnati, OH
    Posts
    24


    Thanks Sky Knight! I will give some of this a try this evening.

    I do already have Push DNS set and I have Full Tunnel enabled as well under the groups. I think perhaps the missing piece may be the domain field in the Push DNS settings. I do have a host name set up and an FQDN pointing to the IP, and it is resolving correctly. In fact the connection to OpenVPN (on Untangle) is resolving to utfw.xxxxxxxx.host (I purchased a domain of xxxxxxxxx.host just for this purpose).

    I do not believe I put the domain name of xxxxx.host in the Push DNS Domain entry. I have several times run nslookup after connecting successfully to the office network, and nslookup returns the correct IP address of the Untangle DNS server. Just that resolving by computer name never works. So I have my fingers crossed that it's the fact that I didn't enter the domain name in the Push DNS Domain block.

    I was a bit confused by being told to be prepared to disable the NAT checkbox for the OpenVPN connection. I thought this would have to be enabled for the export of 10.0.66.1/24 to function correctly?

  7. #7
    Untanglit
    Join Date
    Nov 2016
    Location
    Cincinnati, OH
    Posts
    24


    Sky Knight....

    If adding the domain name in the Push DNS Domain block works... does this now mean that I create a static DNS entry for peachtree.xxxxx.host and point it to the IP address 10.0.66.117?

    My current static DNS entry is just "peachtree" pointed to 10.0.66.117.

  8. #8
    Untanglit
    Join Date
    Nov 2016
    Location
    Cincinnati, OH
    Posts
    24


    Quote Originally Posted by jcoffin:
    My guess is the DNS issue is due to the way Windows does name lookups. The VPN connection doesn't have a DNS suffix associated with it. So when your computer tries to resolve your mapped drives, it fails because it doesn't realize that your single-name references are intended for the domain. On the Networking tab select IPv4 and hit Properties, then Advanced. On the DNS tab supply your Untangle server domain name in the 'DNS suffix for this connection' box.

    Also I have had nothing but issues with Windows mapped WAN network shares as drives. It's an outdated method which is unreliable on WAN-based connections. It's better to just create an IP-based shortcut on the computer to access the remote share volume.
    I am able to use mapped drives just fine with the IP addresses, but was really hoping to get DNS to resolve by computer name/host name or NetBIOS name (I guess depending on which of these particular terms is correct).

  9. #9
    Untangle Ninja sky-knight
    Join Date
    Apr 2008
    Location
    Phoenix, AZ
    Posts
    24,946


    Quote Originally Posted by dhmoore74:
    Sky Knight....

    If adding the domain name in the Push DNS Domain block works... does this now mean that I create a static DNS entry for peachtree.xxxxx.host and point it to the IP address 10.0.66.117?

    My current static DNS entry is just "peachtree" pointed to 10.0.66.117.
    Yes, the DNS entry should be the FQDN, not the short name.

    The reason the NAT feature was added to OpenVPN was so that the Windows firewalls would see the LOCAL Untangle IP address as the source, instead of the actual VPN client IP address. This gets around the local firewall problem, but not all things like it, especially databases like this... it can break stuff. Which is why I have it disabled on EVERYTHING, every single Untangle I use. Except... interestingly enough, my own... why? Because I don't have a domain in my home office. And I don't need anything but RDP to work, and RDP works fine over NAT. But not everything does...

    Step 1, get DNS resolution working properly, when nslookup can resolve peachtree, and peachtree.domain.com correctly... your maps should just fire up with NAT in place.
    Step 2, test Peachtree, if it doesn't work because the SQL won't connect, then you have to disable NAT, kick the Windows Firewall, and try again.
    Last edited by sky-knight; 03-15-2018 at 11:31 AM.
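The server-side counterpart of steps 1 and 2 above, as an added example that is not from the thread: when NAT OpenVPN Traffic is turned off, the Peachtree server's Windows Firewall sees the real VPN client addresses, so this scopes one inbound allow rule to the OpenVPN range (172.16.244.0/24, from the first post) and to the Untangle LAN address, rather than disabling the firewall as post #5 mentions. Assumptions (not from the page): the Untangle internal address is 10.0.66.1, and the script is run in an elevated PowerShell on the Peachtree server.

```powershell
# Added example, not the thread's own code. Assumed values are labelled.
$VpnRange    = '172.16.244.0/24'   # OpenVPN address space from the first post
$UntangleLan = '10.0.66.1'         # assumed: Untangle's internal address, the source seen with NAT on
$RuleName    = 'Allow OpenVPN clients (Untangle)'

# Remove a stale copy so the script is safe to re-run after an update resets things.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# One inbound allow rule, any protocol, limited to the VPN range and the Untangle LAN
# address, on the Private and Domain profiles only. The Public profile is left untouched.
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
    -RemoteAddress $VpnRange, $UntangleLan -Profile Private, Domain -Enabled True | Out-Null

# Verify: every profile is still enabled (the firewall stays on), and the rule carries
# exactly the remote scope we intended.
Get-NetFirewallProfile | Select-Object Name, Enabled
$rule = Get-NetFirewallRule -DisplayName $RuleName
$addr = $rule | Get-NetFirewallAddressFilter
"Rule '$($rule.DisplayName)' enabled=$($rule.Enabled) remote=$($addr.RemoteAddress -join ', ')"
```

Post #5 warns that firewall settings on a non-domain machine get reset at arbitrary intervals; re-running this script from a scheduled task at startup keeps the scoped rule in place without group policy.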

  10. #10
    Untanglit
    Join Date
    Nov 2016
    Location
    Cincinnati, OH
    Posts
    24


    Sky Knight... Thanks! That helps a lot. I'll post back here later tonight and let ya know how it all turned out. I think it's gonna work now that you provided me the key piece of missing information. Thanks!

    David
