Posted: Tue Feb 13, 2018 17:35 Post subject: OpenVPN DNS Site to Site
First, thanks to eibgrad; he helped me get this far.
I have read a few articles but cannot seem to get this working. I am sure it has to do with setup and traffic.
In the pictures and such, please ignore the AsusServer and AsusTS things. The references I found had me put those in, and I haven't removed them in case I need them and just haven't implemented them correctly.
OpenVPN Client:
LAN IP: 192.168.11.67
OpenVPN IP: 10.8.0.2
Setup WAP: WAN Disabled, DHCP Server Disabled, DNSMasq Enabled (see image for settings)
Primary ISP Router [Client Side]:
LAN IP: 192.168.11.1
Static Routes:
192.168.1.0/24 192.168.11.67
10.8.0.0/24 192.168.11.67
DHCP Server Enabled
Primary ISP Router [Server Side]:
LAN IP: 192.168.1.1
Static Routes:
192.168.11.0/24 192.168.1.64
10.8.0.0/24 192.168.1.64
DHCP Server Enabled
DNS Server: 192.168.1.82 (I have a DC acting as the DNS for the server side. If the local DNS can't find it, it forwards it to the Primary ISP Router.)
OpenVPN Server:
LAN IP: 192.168.1.64
OpenVPN IP: 10.8.0.1
Setup WAP: WAN Disabled, DHCP Server Disabled, DNSMasq Enabled (see image for settings)
ComputerB:
LAN IP: 192.168.1.81
Currently I can ping across using IP addresses. So ComputerA can ping 192.168.1.81 and get a response, and vice versa.
I know my goal is this, from ComputerA [client side]:
1) check local DNS for name
2) check server DNS for name
3) pass to client/server side fallback [primary ISP router]
I only care about step 3 with regard to which one is used, if that also directs traffic. I do not want internet traffic from the client to be tunneled through the server to get to the internet. It can use its own ISP to get internet. I don't need to bog down the server with YouTube videos.
I have tried modifying resolv.dnsmasq to have the following, and changed the Basic Setup local DNS to 0.0.0.0 so the router doesn't look anywhere.
Results:
nameserver 192.168.1.64[82]
nameserver 192.168.11.1
Also, right now I am telnetted into the client router, trying to ping ComputerB from the router itself and not from the computer. One step at a time, I am learning. Every time I try to ping ComputerB from the router, though, it responds with "ping: bad address 'ComputerB'".
It seems to be somewhat what I am looking for. Clearly I need to be able to direct a DNS request to my main domain, domain.net. So I added to the additional config:
domain=domain.net
expand-hosts
I also tried adding the following and restarting the router, one at a time, not both at the same time. And sure, if I ping domain.net it works, but not ComputerB or ComputerB.domain.net.
server=/domain.net/192.168.1.82
address=/domain.net/192.168.1.82
How do I get the router to look at the domain? I guess that is what it boils down to, because right now it is not seeing that, even though the IP of the DNS shows up in the /tmp/resolv.dnsmasq file.
If I add the following to the DNSMasq additional config:
address=/ComputerB/192.168.1.81
I am sure it will work, but I don't want to do that for 50 computers. I feel there is something simple I am missing.
That is what I was thinking. I was trying all those commands as you have written, but it revolves around the DD-WRT being the DNS.
On the server side, as you stated, I have an Ubuntu server running an active domain which I want to tap into.
Your method is what I was hoping to avoid: going through and basically manually assigning item names and IP addresses. However, with my little experience with this, I am curious whether it will do exactly what I need.
For instance, if I manually assign each computer name with its address within the DNSMasq configuration as you have written, would it actually relay information? So if I ping ComputerA, will it translate and ping its address so I can get a proper ping response? Or if I RDP to ComputerA, will I actually be able to RDP to it?
I went on a short vacation and do not have internet to really test this until Sunday when I return. I will attempt your suggestion and just see if it does what I need when I return. I don't mind going through and doing the manual assignments if it will do what I need.
The server side is an Ubuntu DC. The client side has no DC; it is just using the ISP router as its DNS. I only need DC functionality at the server site.
With regard to the firewall on the server side, I do have the SPI firewall enabled, but among all those settings, is there a specific combination I need, or something specifically checked/unchecked? It is all default right now.
In the router, do I need to open a DNS port forward to the server router for port 53 DNS requests?
Also, with the server directive, should I be able to see this added to the /tmp/resolv.dnsmasq file?
I can ping computer on the server, but not computer.mydomain.com. So I think that is my first issue.
And I am using Ubuntu, but as an Active Directory, and then using Windows AD control software to maintain it.
Another oddity: I just tried, on the server side, nslookup 192.168.1.70, and it came back with "unable to find IP, non-existent domain".
Edit: OK, the non-existent domain is because of the Ubuntu running an AD and me using Windows AD control. It appears there are no reverse name lookups within the AD set up by Ubuntu. I think I can solve the nslookup issue by making a reverse lookup zone. But I need to research a lot before I do that. Don't want to blow up the current DC. I don't have a redundant system.
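An added example, not the poster's or DD-WRT's own config, of the conditional forwarding the posts above are circling around: the client-side router forwards only the domain.net zone and its reverse zone to the DC over the tunnel, so no per-host address= entries are needed. It assumes the addresses listed in the first post and a dnsmasq build that supports local-service (2.69 or later).

```conf
# Client-side DD-WRT (192.168.11.67), "Additional DNSMasq Options" box.
# Added example with the addresses assumed from the thread; not the poster's config.

# Forward only the AD zone to the DC at the server site, via the tunnel.
# server= is a dnsmasq directive: it belongs here and never appears in
# /tmp/resolv.dnsmasq, which only lists the default upstream resolvers.
server=/domain.net/192.168.1.82

# Reverse zone for the server-side LAN, so "nslookup 192.168.1.81" is also
# sent to the DC. The DC must have a reverse lookup zone to answer it.
server=/1.168.192.in-addr.arpa/192.168.1.82

# Do NOT use address=/domain.net/192.168.1.82: address= is a wildcard
# override that answers every name under domain.net with that single IP,
# which is why ComputerB.domain.net could never resolve to 192.168.1.81.

# Every other name (youtube.com, etc.) still goes to the default upstream
# in resolv.dnsmasq (the client-side ISP router), so internet traffic
# never enters the tunnel.

# Answer DNS queries only from local subnets, never from the WAN side.
local-service

# dnsmasq does not append a search suffix to queries it forwards. A bare
# "ComputerB" from the router's own shell fails with "bad address" unless
# the router's /etc/resolv.conf carries "search domain.net"; LAN PCs get
# their suffix from the DHCP server (option 15) on the ISP router.
```

The DC at 192.168.1.82 sees these queries arrive from 192.168.11.67, so the server-side ISP router's existing static route for 192.168.11.0/24 via 192.168.1.64 is what carries the replies back; no port 53 forward on the server-side router is involved.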