VPN does not resolve local hosts on linux

Hi guys,

I am using a Sophos XG v19 as gateway and try to connect via SSL VPN from a Linux notebook.

I configured the SSL VPN as in the sophos own video-tutorial and I found some other tutorials showing the same steps.

When I try to connect from the terminal, it works fine, except for the DNS resolution. The DNS resolves only public domain entries, so I think it uses a public DNS server.

I tried different SSL settings, configuring no DNS or the IP of the Sophos itself, because the Sophos firewall is the internal DNS server. I also activated the "Use as default Gateway" switch, so as not to have a split tunnel.

I think everything should be correct, but I am not able to ping internal hosts by their FQDN, although the IP address works fine. So I think the DNS could be wrong. I checked /etc/resolv.conf, but there is only one entry showing up:

# Generated by Network Manager
nameserver 127.0.0.53

So I am not sure which one is really in use when connected by VPN. When I am connected directly to the LAN, the DNS on the Sophos firewall works without problems.

I also tried to import the config file into the network manager, which works. But when I try to connect, the password field always shows up, so I think it does not work in general or with MFA, or I did it wrong.

So my 2 questions are:

  1. Do you have any suggestion what to configure so that resolving local DNS hosts is possible via VPN?
  2. How do I correctly import the Sophos OpenVPN config file into the network manager, and where do I type in the password and where the MFA token, so that it works correctly? -> I would prefer this over connecting via terminal.

I currently use KDEneon distribution.

Thanks a lot in advance and best regards



Edited TAGs
[edited by: Erick Jan at 6:25 AM (GMT -8) on 15 Nov 2022]
  • Hi oldgoodname

    Thank you for reaching out to the community. Please check by adding your DNS server IP on the SSL VPN setting as per the snapshot:

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    I did that before, but it doesn't work.

    If the DNS host is the Sophos itself, does it matter which VLAN interface IP address I configure here? Because the SSL VPN subnet does not have a VLAN interface.

    I think it is not possible to configure a VLAN ID for the physical interface, so the physical interface has a dummy IP address and I am only using the VLAN interfaces. Can that lead to problems?

    Thank you very much and best regards

  • Hi oldgoodname

    Please go to Configure --> Network --> DNS and share the DNS you have set on the Sophos XG.

    Thanks 

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Bharat,

    I am using static DNS entries for IPv4 (9.9.9.9 / 149.112.112.112 / 84.200.69.80). IPv6 is also set to static entries, but they are empty because I am not using it at the moment.

    I have some static DNS hosts configured as FQDN, like -> host1.domain.local

    best regards

  • Hi oldgoodname 

    Please share errors or error message output related to DNS after the user connects with SSL VPN.

    Thanks

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.

  • DNS server (this is a hierarchical system that allows you to forward requests to other servers and find answers). You cannot resolve localhost DNS unless you have a DNS server with an entry for localhost. Try setting it up on a Linux host. Note that Meraki does not have a DNS server (some firewalls do).

    Hostname resolution in the office - this works for some hosts on the same VLAN, but over broadcast, not over DNS. It does not work between subnets (different VLANs). Again, the answer is: implement a DNS server.

    MAC address resolution - MAC addresses apply only to the local LAN segment (same physical network). In this case, it is the same VLAN. Therefore, MAC addresses of hosts such as remote VPN hosts will not be resolved.

    This may help,
    J Wick

  • Hi Bharat,

    I will try to start again to make clear what I have configured and how it looks on my Linux notebook. As I mentioned before, I have everything set up as described in this video: https://support.sophos.com/support/s/article/KB-000035542?language=en_US

    So far so easy. I think it could be a DNS problem, so this is the DNS config in the global SSL VPN config:

    IPv4 DNS = 10.xx.xx.xx as primary and 9.9.9.9 as secondary

    The internal DNS is the Sophos XG itself. It is the IP address of the management VLAN with a VLAN ID. So I think it should be reachable for the SSL VPN user, even if it is another VLAN, because it terminates directly on the Sophos XG.

    The Sophos is also the DNS in my local network, which works perfectly because DHCP sets the DNS server 10.xx.xx.xx for all DHCP clients. No problem here. If the host is not in my local network, I forward the request to a global DNS as described in the earlier post:

    DNS1: 9.9.9.9

    DNS2: 149.112.112.112

    DNS3: 84.200.69.80

    And I think it is not best practice that the Sophos XG IP is DNS1.

    When I connect via VPN with the terminal command: sudo openvpn --config config.ovpn

    and I check the DNS settings with: resolvectl status tun0

    I get the following:

    Current scopes: none

    No configured DNS server shows up. So maybe it uses the DNS server from the Wi-Fi connection??? I don't know how to check 100% which one is in use.

    When I import the config file into the network manager of Linux and I connect, the following DNS settings show up:

    Current scopes: DNS

    Current DNS Server: 10.xx.xx.xx

    DNS Server: 10.xx.xx.xx and 9.9.9.9

    So it shows up as configured in the global SSL VPN config. So far so good, because I prefer this method over the one in the terminal, as it is more comfortable. I can ping internal clients and open their websites.

    So for me, everything works as expected and I am happy, because I prefer the connection within the GUI to the one on the terminal. Yesterday I had problems with this method, because I thought it would use the correct username of the user from which I downloaded the config file. But I think the config file does not have user-specific configuration, so I had to configure the username in the network manager.

    Personally I don't need help anymore, even though VPN over the terminal still isn't working due to missing DNS config on the client.

    Thanks guys and best regards
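The "Current scopes: none" result above is what systemd-resolved reports when OpenVPN was started from a terminal and nothing handed the pushed DNS servers to tun0; lookups then fall through to the Wi-Fi link's resolver, so internal names fail and every query leaves via the public resolver. The following POSIX shell snippet is an added example, not from this thread or from Sophos: it checks resolvectl output for that state and prints the resolvectl calls an OpenVPN --up script would run to bind the VPN resolver to the tunnel; the interface name, server IP and search domain are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or Sophos): detect a tun interface with no
# DNS scope and show how the pushed resolver is bound to it.
# On a real host run:  tun_dns_state "$(resolvectl status tun0)"

# Constructed sample: resolvectl output for a tunnel with no DNS bound (the
# situation from the thread); lookups fall through to the Wi-Fi link's resolver.
SAMPLE_NO_DNS='Link 5 (tun0)
    Current Scopes: none
         Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported'

# Constructed sample: the healthy state after the VPN resolver was applied.
SAMPLE_WITH_DNS='Link 5 (tun0)
    Current Scopes: DNS
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 10.0.0.1
       DNS Servers: 10.0.0.1 9.9.9.9
        DNS Domain: domain.local'

# tun_dns_state STATUS_TEXT
# Prints "missing" when the link has no DNS scope, otherwise "ok:<server list>".
# The word match avoids treating an "mDNS/IPv4" scope as a DNS scope.
tun_dns_state() {
    scopes=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Current [Ss]copes:[[:space:]]*//p')
    case " $scopes " in
        *" DNS "*)
            servers=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*DNS Servers:[[:space:]]*//p')
            printf 'ok:%s\n' "$servers" ;;
        *)
            printf 'missing\n' ;;
    esac
}

# fix_commands IFACE DNS_IP DOMAIN
# Prints the resolvectl calls an OpenVPN --up script runs to bind the pushed
# resolver and search domain to the tunnel (placeholder values). Prefixing the
# domain with "~" would send only that zone to the VPN resolver (split DNS).
fix_commands() {
    printf 'resolvectl dns %s %s\n' "$1" "$2"
    printf 'resolvectl domain %s %s\n' "$1" "$3"
}

# Stand-alone run over the constructed samples.
for sample in "$SAMPLE_NO_DNS" "$SAMPLE_WITH_DNS"; do
    state=$(tun_dns_state "$sample")
    echo "tun0 DNS state: $state"
    if [ "$state" = missing ]; then
        fix_commands tun0 10.0.0.1 domain.local
    fi
done
```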

  • Hi Jimmy,

    Thanks for your reply. See my answer above.

    best regards

  • OK, I think I have to take back what I said. I had overlooked that while connected to the VPN over the network manager, I was still connected over the terminal. So with 2 VPN connections (terminal and network manager), it works. Connected only by the network manager, I can ping all the hosts by their FQDN (internal and external), but I cannot connect to them in the browser (public websites and internal websites).

    Internal VLAN IP ranges and the group Internet IPv4 should be allowed to be reachable via VPN. I am also OK if I have to use split tunnel, so external websites will work directly over the internet connection and not over the VPN.

    Any suggestion?

  • Hi oldgoodname 

    When Use as default Gateway is turned on, we have to make sure the firewall rule is there to allow or move the traffic towards WAN, that is a VPN-WAN firewall rule.

    Use as default gateway Use this remote access policy as default gateway. When on, all traffic, including external internet requests, is forwarded to a default gateway. When off, internal and external traffic is handled by different gateways.

    Please share output now that traffic is flowing over SSL VPN for DNS, with the help of tcpdump:

    console> tcpdump 'host <IP address> and port 53'

    Check if anything is dropped by the Sophos XG with the drop packet capture:

    console> drop-packet-capture 'host <IP address> and port 53'

    Thanks and Regards

    "Sophos Partner: Infrassist Technologies Pvt Ltd".

    If a post solves your question please use the 'Verify Answer' button.
