OpenVPN DNS issue

Hi there,

I have built a new VPN configuration for SSL VPN but I have trouble with name resolution.

We have a split DNS with the same DNS suffix existing inside and outside our network.

The connection comes up, nslookup hostname.our-domain.de queries the internal DNS server and gives back an IP. So far so good.

But when I ping that IP or use RDP the Windows client tries to connect to an external IP because our domain name also exists in the WWW. This doesn't make sense to me because nslookup works.

The gateway metric of the Sophos default route is higher than the route metric for the WLAN gateway - that's my problem. For testing purposes I used a metric >500 on the WLAN adapter, reconnected and now everything works and the client always queries the internal DNS.

But that's not a solution because I don't want to mess up the metric settings in our corporate network.

Is there a way to set the metric to 1 through the Sophos appliance or the VPN client?

Thanks and regards

Marcel

  • Hi Marcel,

    "But when I ping that IP or use RDP the Windows clients tries to connect to an external IP"

    I understand that you are trying this from the outside when connected via VPN - correct?

    • In 'Remote Access >> Advanced', do you have either your internal DNS or the UTM configured as the first DNS server?
    • If the UTM is one of the DNS servers, is "VPN Pool (SSL)" in 'Allowed Networks' in 'DNS'?
    • Please compare your overall setup with DNS best practice.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    thanks for your reply. I have configured both of our internal DNS-servers in the UTM and yes, I try to reach some hosts from the outside while being connected with the VPN-client.

    Pinging an IP address works, nslookup also works, but when I try RDP with a hostname the name resolution fails.

    Cheers

    Marcel

  • Are you sure that the subnet used for SSL VPN Remote Access doesn't overlap with a LAN behind the UTM?  You mention a WLAN - what and where is that, and does it overlap with anything?

    Cheers - Bob

  • Yes, I am sure. Routing and using services by IP address works - it's just an issue with name resolution.

    I mentioned the WLAN adapter because I used a WLAN connection with a mobile hotspot for testing purposes. When I change the metric of the adapter so that the Sophos adapter (or better said the Sophos gateway) is first, the name resolution works.

  • Some more information: This is exactly my problem:

    http://superuser.com/questions/120038/changing-network-type-from-unidentified-network-to-private-network-on-an-openvpn

    I can avoid this by adding the gateway IP of my SSL VPN IP range as "additional gateway" with a metric of 1 in the Sophos adapter. But that's only a workaround.

    I still hope for a better solution :).
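The interface-metric behaviour described in this thread can be inspected and corrected on the Windows client without touching the other adapters. The following PowerShell is an added example, not code from the thread or from Sophos; it assumes the SSL VPN client installs a TAP-Windows adapter (description matching `TAP-Windows*`) and that `our-domain.de` is the internal suffix, and the Set step needs an elevated prompt.

```powershell
# Added example (not from the thread). Assumptions: the VPN adapter's
# description matches 'TAP-Windows*' and the internal suffix is our-domain.de.

# List connected IPv4 interfaces in the order Windows prefers them
# (lowest InterfaceMetric first) with the DNS servers bound to each.
# With the hotspot this shows the WLAN adapter and its public resolvers
# ranked above the VPN adapter, which is why hostname.our-domain.de
# resolves to the external address for ping/RDP.
function Show-DnsInterfaceOrder {
    Get-NetIPInterface -AddressFamily IPv4 |
        Where-Object { $_.ConnectionState -eq 'Connected' } |
        Sort-Object InterfaceMetric |
        ForEach-Object {
            $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex `
                        -AddressFamily IPv4).ServerAddresses
            [pscustomobject]@{
                Interface  = $_.InterfaceAlias
                Metric     = $_.InterfaceMetric
                DnsServers = ($dns -join ', ')
                Suffix     = (Get-DnsClient -InterfaceIndex $_.ifIndex).ConnectionSpecificSuffix
            }
        } | Format-Table -AutoSize
}

# Give only the VPN adapter the lowest metric and pin the internal suffix
# to it, so queries for *.our-domain.de go to the resolvers pushed over
# the tunnel. The corporate LAN/WLAN adapters keep their metrics.
function Set-VpnAdapterPreferred {
    param(
        [string]$AdapterDescriptionPattern = 'TAP-Windows*',  # assumption
        [string]$InternalSuffix = 'our-domain.de',
        [int]$Metric = 1
    )
    $vpn = Get-NetAdapter | Where-Object {
        $_.InterfaceDescription -like $AdapterDescriptionPattern -and $_.Status -eq 'Up'
    }
    if (-not $vpn) { throw "No connected adapter matches '$AdapterDescriptionPattern'" }
    foreach ($a in $vpn) {
        # Setting an explicit metric also turns off Windows' automatic metric
        Set-NetIPInterface -InterfaceIndex $a.ifIndex -AddressFamily IPv4 -InterfaceMetric $Metric
        Set-DnsClient -InterfaceIndex $a.ifIndex -ConnectionSpecificSuffix $InternalSuffix
    }
}

Show-DnsInterfaceOrder
```

Run `Show-DnsInterfaceOrder` before and after connecting the tunnel; the VPN adapter should appear first once `Set-VpnAdapterPreferred` has been applied.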

  • So, this is a problem in the client PC, not the UTM - right?

    Cheers - Bob

  • This is a problem on every client PC on which I install the Sophos VPN client (which is of course based on OpenVPN).

    I hope the problem is clear - our domain name exists externally and internally and after a successful connection the name resolution with internal DNS fails. After adding a gateway with a fixed metric manually (although I use DHCP) it works most of the time (but as I found out, not always).

  • Hi Michael, 

    I see you have an internal DNS server, this server could be used as an alternate server to resolve DNS queries for a domain you do not want to be resolved by DNS forwarders. Try configuring request routing in the Network Services > DNS > Request routing section.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi,

    I have configured the internal DNS servers as forwarders in Network Services > DNS and also in Remote access > Advanced. Now I have also added the servers as suggested in the request routing section. Thanks for the suggestion, hope DNS works better now with SSL VPN ...

  • Marcel, it sounds like you aren't following DNS best practice, as that would not have your internal servers configured as Forwarders in 'Network Services >> DNS'. If you still need help, please show pictures of the 'Global', 'Forwarders' and 'Request Routing' tabs so that we can see what we're dealing with.

    Cheers - Bob
