
VPN does not resolve local hosts on linux

Hi guys,

I am using a Sophos XG v19 as gateway and try to connect via SSL VPN from a Linux notebook.

I configured the SSL VPN as in Sophos' own video tutorial, and I found some other tutorials showing the same steps.

When I try to connect from the terminal, it works fine, except for the DNS resolution. The DNS resolves only public domain entries, so I think it uses a public DNS server.

I tried different SSL settings, configuring no DNS or the IP of the Sophos itself, because the Sophos firewall is the internal DNS server. I also activated the "Use as default Gateway" switch, so as not to have a split tunnel.

I think everything should be correct, but I am not able to ping internal hosts by their FQDN, while the IP address works fine. So I think the DNS could be wrong. I checked /etc/resolv.conf, but there is only one entry showing up:

    # Generated by Network Manager
    nameserver 127.0.0.53

So I am not sure, which one really is in use, when connected by VPN. When I am connected directly to the lan, the DNS on the Sophos firewall works without problems.

I also tried to import the config file into the network manager, which works. But when I try to connect, password field always shows up, so I think it does not work generally or with MFA, or I did it wrong.

So my 2 questions are:

  1. Do you have any suggestion what to configure so that resolving local DNS hosts is possible via VPN?
  2. How do I correctly import the Sophos OpenVPN config file into the network manager, and where do I type in the password and where the MFA token, so that it works correctly? -> I would prefer this over connecting via the terminal.

I currently use KDEneon distribution.

Thanks a lot in advance and best regards



Edited TAGs
[edited by: Erick Jan at 6:25 AM (GMT -8) on 15 Nov 2022]
  • Hi oldgoodname

    Thank you for reaching out to the community. Please check by adding your DNS server IP on the SSL VPN setting as per the snapshot:

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    I did that before, but it doesn't work.

    If the DNS host is the Sophos itself, does it matter which VLAN interface IP address I configure here? Because the SSL VPN subnet does not have a VLAN interface.

    I think it is not possible to configure a VLAN ID for the physical interface, so the physical interface has a dummy IP address and I am only using the VLAN interfaces. Can that lead to problems?

    Thank you very much and best regards

  • Hi oldgoodname

    Please go to Configure --> Network --> DNS and share the DNS you have set on the Sophos XG.

    Thanks 

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

  • Hi Bharat,

    I am using static DNS entries for IPv4 (9.9.9.9 / 149.112.112.112 / 84.200.69.80). IPv6 is also set to static entries, but they are empty because I am not using it at the moment.

    I have some static DNS hosts configured as FQDN, like -> host1.domain.local

    best regards

  • Hi oldgoodname 

    Please share the errors or error message output related to DNS after the user connects with SSL VPN.

    Thanks

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

  • Hi Bharat,

    I'll try to begin again to make clear what I have configured and how it looks on my Linux notebook. As I mentioned before, I have everything set up as described in this video: https://support.sophos.com/support/s/article/KB-000035542?language=en_US

    So far so easy. I think it could be a DNS problem, so this is the DNS config in the global SSL VPN config:

    IPv4 DNS = 10.xx.xx.xx as primary and 9.9.9.9 as secondary

    The internal DNS is the Sophos XG itself. It is the IP address of the management VLAN with a VLAN ID. So I think it should be reachable for the SSL VPN user, even if it is another VLAN, because it directly terminates on the Sophos XG.

    The Sophos is also the DNS in my local network, which works perfectly because the DHCP sets the DNS server 10.xx.xx.xx for all DHCP clients. No problem here. If the host is not in my local network, I forward the request to a global DNS as described in the earlier post:

    DNS1: 9.9.9.9

    DNS2: 149.112.112.112

    DNS3: 84.200.69.80

    And I think it is not best practice that the Sophos XG IP is DNS1.

    When I connect via VPN with the terminal command: sudo openvpn --config config.ovpn

    and I check the DNS settings with: resolvectl status tun0

    I get the following:

    Current scopes: none

    No configured DNS server shows up. So maybe it uses the DNS server from the Wi-Fi connection??? I don't know how to check 100% which one is in use.

    When I import the config file into the network manager of Linux and I connect, the following DNS settings show up:

    Current scopes: DNS

    Current DNS Server: 10.xx.xx.xx

    DNS Servers: 10.xx.xx.xx and 9.9.9.9

    So it shows up as configured in the global SSL VPN config. So far so good, because I prefer this method over the one in the terminal, since it is more comfortable. I can ping internal clients and open their website.

    So for me, everything works as expected and I am happy, because I prefer the connection within the GUI to the one on the terminal. Yesterday I had problems with this method, because I thought it would use the correct username of the user from which I downloaded the config file. But I think the config file does not have user-specific configuration, so I had to configure the username in the network manager.

    Personally I don't need help anymore, even though VPN over the terminal still isn't working due to the missing DNS config on the client.

    Thanks guys and best regards
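    The "Current scopes: none" seen after the terminal connection, versus the two servers listed after the NetworkManager import, are the two states of the same systemd-resolved link, and the stub address 127.0.0.53 in /etc/resolv.conf hides which link a query actually reaches. The script below is an added example, not from this thread or from Sophos: it parses "resolvectl status" output and reports, for a given name, which link resolved will query. The three status dumps are constructed samples in resolvectl's layout; the link names, addresses and the routing domain "domain.local" are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): decide from "resolvectl status" output
# which link systemd-resolved sends a DNS query to. Feed real output with
#   resolvectl status | sh this_script.sh   (functions read stdin)
# The samples below are constructed; addresses and domains are assumptions.

# Print the "DNS Servers:" list of the link named $1, or "none" when the link
# carries no resolver at all (the "Current Scopes: none" case).
link_dns_servers() {
    awk -v want="$1" '
        /^Link [0-9]+ \(/ {            # "Link 5 (tun0)" starts a link section
            link = $0; sub(/^Link [0-9]+ \(/, "", link); sub(/\).*$/, "", link); next
        }
        link == want && /DNS Servers:/ {
            sub(/^.*DNS Servers:[ \t]*/, ""); print; found = 1
        }
        END { if (!found) print "none" }'
}

# Print the link(s) a query for $1 is routed to, following resolved's rules:
# a matching routing domain ("~domain.local", or "~." for every name) wins,
# longest suffix first; otherwise every link marked +DefaultRoute is asked in
# parallel and the first answer wins, so an internal name may be answered by
# the Wi-Fi resolver (NXDOMAIN) instead of the VPN one.
resolved_route() {
    awk -v name="$1" '
        /^Link [0-9]+ \(/ {
            link = $0; sub(/^Link [0-9]+ \(/, "", link); sub(/\).*$/, "", link)
            order[++n] = link; next
        }
        link == "" { next }                       # skip the Global header
        /Protocols:/ && /\+DefaultRoute/ { defroute[link] = 1 }
        /DNS Domain:/ { sub(/^.*DNS Domain:[ \t]*/, ""); domains[link] = $0 }
        END {
            best = -1
            for (i = 1; i <= n; i++) {
                l = order[i]; m = split(domains[l], d, " ")
                for (j = 1; j <= m; j++) {
                    dom = d[j]; sub(/^~/, "", dom)
                    if (dom == ".") len = 0       # "~." matches everything, lowest priority
                    else if (name == dom) len = length(dom)
                    else if (substr(name, length(name) - length(dom)) == "." dom) len = length(dom)
                    else continue
                    if (len > best) { best = len; out = l }
                    else if (len == best) out = out " " l
                }
            }
            if (best >= 0) { print out; exit }
            for (i = 1; i <= n; i++)
                if (defroute[order[i]]) out = (out == "" ? "" : out " ") order[i]
            print out
        }'
}

# Constructed sample 1: plain "sudo openvpn --config" without an --up script
# that applies pushed DNS options brings tun0 up with no resolver at all.
STATUS_TERMINAL='Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlan0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1

Link 5 (tun0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
'

# Constructed sample 2: NetworkManager import; both VPN servers are on tun0,
# but without a routing domain tun0 and wlan0 are both default routes.
STATUS_NM='Global
       Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub

Link 2 (wlan0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.178.1
       DNS Servers: 192.168.178.1

Link 5 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.1
       DNS Servers: 10.0.0.1 9.9.9.9
'

# Constructed sample 3: sample 2 after "resolvectl domain tun0 ~domain.local",
# which pins internal names to the VPN resolver only.
STATUS_NM_DOMAIN="$STATUS_NM        DNS Domain: ~domain.local"

for s in STATUS_TERMINAL STATUS_NM STATUS_NM_DOMAIN; do
    eval "st=\$$s"
    printf '%s: tun0 DNS = %s; host1.domain.local -> %s; example.com -> %s\n' "$s" \
        "$(printf '%s\n' "$st" | link_dns_servers tun0)" \
        "$(printf '%s\n' "$st" | resolved_route host1.domain.local)" \
        "$(printf '%s\n' "$st" | resolved_route example.com)"
done
```

    Run against real output, the useful reading is the middle sample: when an internal name routes to "wlan0 tun0", the first resolver to answer wins, and that is usually the faster local one, which does not know the name. A routing domain on the VPN link (or "~." when the VPN is meant to be the default gateway for DNS as well) removes that race.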

  • OK, I think I have to take back what I said. I had overlooked that while connected to the VPN over the network manager, I was still connected over the terminal. So with 2 VPN connections (terminal and network manager), it works. Connected only by the network manager, I can ping all the hosts by their FQDN (internal and external), but I cannot connect to them in the browser (public websites and internal websites).

    Internal VLAN IP ranges and the group Internet IPv4 should be allowed to be reachable via VPN. I am also OK if I have to use a split tunnel, so that external websites will work directly over the internet connection and not over the VPN.

    Any suggestion?

  • Hi oldgoodname 

    When "Use as default gateway" is turned on, we have to make sure the firewall rule is there to allow or move the traffic towards WAN, that is, a VPN-WAN firewall rule.

    Use as default gateway Use this remote access policy as default gateway. When on, all traffic, including external internet requests, is forwarded to a default gateway. When off, internal and external traffic is handled by different gateways.

    Please share the output of how traffic is now flowing over SSL VPN for DNS, with the help of tcpdump:

    console> tcpdump 'host <IP address> and port 53'

    and check whether anything is dropped by the Sophos XG with the drop packet capture:

    console> drop-packet-capture 'host <IP address> and port 53'

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

  • Hi Bharat,

    sorry for my late response. I was a little bit busy the last few days.

    I can try your suggestion, but I need some more days. I will come back to you in a few days.

    best regards

  • Hi Bharat,

    this is a real pain to investigate. I deleted the imported OpenVPN config file in the network manager and reimported it, but while connected to the VPN, the old DNS servers are still present, even though they are not in the VPN config. It seems they are saved somewhere else in the network adapter tun0 config, but I don't know how to reset that. The reason I wanted that was because I added the Sophos XG and 9.9.9.9 as DNS servers manually to the VPN config on the client, and I thought it would use the Sophos XG first and 9.9.9.9 only when the Sophos can't resolve it. This is not the case; it is more like round-robin, so the current DNS server is always jumping from the Sophos to 9.9.9.9 and back, which causes problems.

    I tried to open a website in the browser and then checked the firewall logs. I see an accepted firewall entry to the IP on port 443, but nothing in the web filter log (maybe because no web filter is applied?). So maybe this is a hint as to why I can resolve the URL to an IP, but am not able to open the website in the browser?

    tcpdump shows that the URL of the website I tried was successfully resolved by the Sophos XG and the IP was sent back to the VPN client. So this seems to work, but as I described above, not when I open it with a browser. So I also did a tcpdump with port 443. But here I also see a connection from the client to the website on port 443.

    The last thing was to check with the command drop-packet-capture, and the result may help:

    Hope you have a final hint for me.

    Thanks and best regards
