  1. #1 Newbie (Join Date: Jun 2021, Posts: 6)

    OpenVPN Site to Site DNS issues

    Good morning all!

    I'm working on connecting a remote network to our main office location using 2 Untangle boxes with OpenVPN site to site tunneling, but I'm having some issues with DNS names resolving.

    Here's a quick rundown of our setup:

    Main Office-
    Modem (w/ static IP) > Untangle box (default gateway) > Switch > Windows Domain Network (DC does DHCP, DNS, etc)
    10.10.1.x subnet

    Remote Office-
    Modem/Router (w/ static IP, default gateway, serves DHCP) > Untangle box > Switch > PCs
    10.1.10.x subnet
    Main Office domain controllers are in the DNS Domain settings
    The internal interface is bridged and the external interface points to the modem/router with DNS settings pointing to Comcast DNS servers. The modem/router DNS is also the Comcast DNS servers, but I've also experimented with putting the Untangle box IP here as well as the Main Office DNS server IP and got mixed results.

    I have both Untangle boxes connected successfully using OpenVPN site to site. From the remote Untangle box, I can resolve DNS names of servers in the Main Office (using the tools in the Network > Troubleshooting tab). From a PC behind the remote Untangle box, I can access servers via IP, but not their hostnames.

    I would like to be able to access things from both ends by hostname. I would also like to setup a DC at the remote location as a backup.

    I hope this is enough information, if not I'd be more than happy to provide anything else needed to get some input on this. I'm a developer, not necessarily a networker, so I'm doing my best with the knowledge I have. Any and all help would be greatly appreciated!

  2. #2 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,024)

    Oh this is fun, now let me underscore why you're having trouble...

    You see all those DNS settings in the OpenVPN module? Not a single one of them does jack squat for a site-to-site tunnel!

    Now, if I were you, I'd be looking hard into making Untangle a router at the remote office. Untangle bridges are great things, but terminating VPN tunnels on them creates complexity that can make you prematurely bald. In deference to your hairline, avoid that mess!

    Now... on to best practices for this according to Rob.

    Main site, sounds like you're all but set here. I recommend you have Untangle using ISP or public DNS of some sort. Config -> Network -> DNS, Domain DNS Server section on the right is where you want your domain specific stuff. That's TWO zones: domain.tld, and whatever your reverse zone is. You can copy the domain straight out of MSDNS into the domain side of Untangle; the server side on Untangle is your AD supporting DNS server IP address. You don't have to have reverse, only forward will support all domain actions, reverse just makes your Untangle reports pretty.

    Anyway, this configuration gives Untangle a DNS resolution path that's independent of AD, and therefore more fault tolerant, but still forwards all appropriate requests that come to it to AD. Which has a horde of benefits I won't go into here, let's just say it also saves your hair!

    It's critical you understand the above, because once you move to the remote Untangle, you need to do all this AGAIN. Except now we don't have a DC there, and it's DHCP and DNS. So now Untangle must pass out an appropriate DNS Suffix via DHCP (config -> Network -> hostname -> domain name field), along with whatever else it needs to hand out to support the domain. This configuration can be left largely default if you utilize that domain DNS Servers configuration to once again forward AD DNS to the AD server over the tunnel. Get this right on Untangle itself, and you'll never need a special configuration for your workstations beyond a tunnel ever again.

    Get this wrong and you may get it working, but you'll be forever dorking with DNS. Which causes hair loss... I don't know about you but I'm trying to keep what I have left up there!
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com

  3. #3 TirsoJRP, Master Untangler (Join Date: Oct 2010, Posts: 459)

    Quote Originally Posted by sky-knight:
    > Get this wrong and you may get it working, but you'll be forever dorking with DNS. Which causes hair loss... I don't know about you but I'm trying to keep what I have left up there!
    Or gray hair... plenty of it.

  4. #4 Newbie (Join Date: Jun 2021, Posts: 6)

    Thank you so much for your help! As for my hair, I'm lucky enough to still have a full head's worth and I plan on keeping it that way if I can.

    I don't know if/how much I can change on the main site end, but I do have full control over the remote office. So I should have my remote office Untangle work in router mode and serve DHCP from it, correct? Currently on the remote site, under Config > Network > Hostname > Domain Name Field I have the main site domain here (company-name.local). I also have the in-office DCs in the domain controller DNS settings. I'm not sure about reverse zone, I don't really know what that is.

    After my lunch break I'm gonna try to change the Untangle box here at the remote site to router mode and report back!

  5. #5 sky-knight, Untangle Ninja (Join Date: Apr 2008, Location: Phoenix, AZ, Posts: 26,024)

    Ok, if you're just working with the remote side then focus on that. The two systems are islands! They should be configuration duplicates for a uniform user experience, but they technically do not have to be!

    Your Domain Name field set to the AD domain name sets the DNS suffix handed out by any DHCP scope on Untangle to support that AD namespace, so yes that's done and good. But this only applies if Untangle is doing DHCP, and if Untangle is a bridge... it isn't! Which is why I say get that thing in router mode!

    Don't worry about the reverse zone, just a couple of domain entries on the DNS tab are enough. If you've done both things correctly, AND the tunnel is online, you will be able to resolve DNS names from AD.

    So to test, you open up a command prompt and do nslookup addomain.tld. If it comes back with stuff, you should be set. You might still have short name resolution issues, but to test that you need a short name of a network resource. Run nslookup nameofresource and see if it works; if it doesn't, then your DNS suffix is wrong OR you fat-fingered the test name.

    And again you don't have to have reverse DNS, what that does is make Untangle's reports pretty with real AD names. You don't have to have this... it works quite well without it. It's just a quality of life thing.
    Rob Sandling, BS:SWE, MCP
    NexgenAppliances.com
    Phone: 866-794-8879 x201
    Email: support@nexgenappliances.com
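    To make the forwarding and suffix behaviour described in #2 and #5 concrete, here is a small Python model added to this thread (it is not Untangle code): the "Domain DNS Servers" table picks a forwarder by longest matching zone, the DHCP domain name is what a workstation appends to short names, and the reverse zone is optional. The DC address 10.10.1.5 and the ISP resolver 203.0.113.53 are assumed placeholders; only company-name.local and the subnets come from the thread.

```python
from dataclasses import dataclass, field

# Constructed values: the thread names the AD zone and the subnets, nothing else.
AD_ZONE = "company-name.local"   # AD domain from the thread
AD_DNS = "10.10.1.5"             # assumed DC address inside the 10.10.1.x main-office subnet
ISP_DNS = "203.0.113.53"         # placeholder public resolver (RFC 5737 documentation address)


@dataclass
class UntangleDns:
    """Minimal model of Config > Network > DNS plus the DHCP domain name."""
    default_servers: list                                # ISP/public resolvers
    domain_servers: dict = field(default_factory=dict)   # Domain DNS Servers: zone -> server
    dhcp_domain_name: str = ""                           # Config > Network > Hostname > Domain Name

    def add_domain_server(self, zone, server):
        self.domain_servers[zone.strip(".").lower()] = server

    def forwarder_for(self, qname):
        """Longest matching zone wins; anything else goes to the default resolver."""
        labels = qname.strip(".").lower().split(".")
        for i in range(len(labels)):
            zone = ".".join(labels[i:])
            if zone in self.domain_servers:
                return self.domain_servers[zone]
        return self.default_servers[0]


def reverse_zone(prefix):
    """'10.10.1' -> '1.10.10.in-addr.arpa' (the optional reverse zone for a /24)."""
    return ".".join(reversed(prefix.split("."))) + ".in-addr.arpa"

def ptr_name(ip):
    """PTR query name for an IPv4 address: '10.10.1.20' -> '20.1.10.10.in-addr.arpa'."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def client_lookup(box, name, client_suffix):
    """A workstation appends its DHCP-issued suffix to single-label names before asking."""
    qname = name if "." in name or not client_suffix else f"{name}.{client_suffix}"
    return qname, box.forwarder_for(qname)

def build_remote_box():
    """Remote-office Untangle in router mode, configured as the thread recommends."""
    box = UntangleDns(default_servers=[ISP_DNS], dhcp_domain_name=AD_ZONE)
    box.add_domain_server(AD_ZONE, AD_DNS)                  # forward zone, sent over the tunnel
    box.add_domain_server(reverse_zone("10.10.1"), AD_DNS)  # reverse zone, reports only
    return box
```

    The last two checks in the test below are the failure sky-knight describes: a short name with a missing or wrong suffix never reaches the AD server, so the lookup fails even though the tunnel is up.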

  6. #6 Newbie (Join Date: Jun 2021, Posts: 6)

    Thank you sky-knight for all of your help! Putting the Untangle box at the remote site in Router mode to serve DHCP has done the trick! I can now talk from both sides of the network and I was able to bring 2 of my servers onto our main office domain. Everything seems to be working as expected now, although I'll do more testing today.

    I can't buy you a beer, but can I email you a gift card or something for your help? You saved me loads of time.

  7. #7 CMcNaughton, Master Untangler (Join Date: Feb 2015, Location: Denver, CO, Posts: 194)

    Quote Originally Posted by passportamerica:
    > I can't buy you a beer, but can I email you a gift card or something for your help? You saved me loads of time.
    Nice! I mean, sky-knight isn't always the hero that our forum needs, but he's the one we deserve!

  8. #8 Newbie (Join Date: Jun 2021, Posts: 6)

    One issue just happened and I'm sure it's something I missed. All of my WiFi devices are no longer accessing the internet and I can't seem to access my router by its IP 10.1.10.1. Any ideas?

  9. #9 TirsoJRP, Master Untangler (Join Date: Oct 2010, Posts: 459)

    Quote Originally Posted by passportamerica:
    > One issue just happened and I'm sure it's something I missed. All of my WiFi devices are no longer accessing the internet and I can't seem to access my router by its IP 10.1.10.1. Any ideas?
    Your wifi router should be configured as an access point.

  10. #10 Newbie (Join Date: Jun 2021, Posts: 6)

    Yeah my devices can connect to it, but they have no internet. The router is a part of the modem so it's like:

    Modem / Router > Untangle > Rest of the network

    Do I need to disable the WAP on the router and put a different router behind the Untangle box?
