OpenVPN DNS issue

Hi there,

I have built a new VPN configuration for SSL VPN but I have troubles with name resolution.

We have a split DNS with the same DNS suffix existing inside and outside our network.

The connection comes up, nslookup hostname.our-domain.de queries the internal DNS server and gives back an IP. So far so good.

But when I ping that IP or use RDP, the Windows client tries to connect to an external IP because our domain name also exists in the WWW. This doesn't make sense to me because nslookup works.

The gateway metric of the Sophos default route is higher than the route metric for the WLAN gateway - that's my problem. For testing purposes I used a metric >500 on the WLAN adapter, reconnected, and now everything works and the client always queries the internal DNS.

But that's not a solution because I don't want to mess up the metric settings in our corporate network.

Is there a way to set the metric to 1 through the Sophos appliance or the VPN client?

Thanks and regards

Marcel



  • Hi Michael, 

    I see you have an internal DNS server; this server could be used as an alternate server to resolve DNS queries for a domain you do not want to be resolved by DNS forwarders. Try configuring request routing in the Network Services > DNS > Request Routing section.

    Hope that helps.

    Sachin Gurung
    Team Lead | Sophos Technical Support
    Knowledge Base  |  @SophosSupport  |  Video tutorials
    Remember to like a post.  If a post (on a question thread) solves your question use the 'This helped me' link.

  • Hi,

    I have configured the internal DNS servers as forwarders in Network Services > DNS and also in Remote Access > Advanced. Now I have also added the servers as suggested in the request routing section. Thanks for the suggestion, hope DNS works better now with SSL VPN ...

  • Marcel, it sounds like you aren't following DNS best practice, as that would not have your internal servers configured as Forwarders in 'Network Services >> DNS'. If you still need help, please show pictures of the 'Global', 'Forwarders' and 'Request Routing' tabs so that we can see what we're dealing with.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    I configured the internal DNS servers following the help in the menu ("Forwarders can be provided by your ISP, or can be in your internal network"). So at first they were only set to internal DNS servers. I changed this now to external forwarders, although I am not sure if that's the reason for my problem. I also configured DNS request routing. I also added internal DNS servers in the "Remote Access / Advanced" tab.

    By the way - the UTM is currently not the standard gateway for our network, and all our clients get internal DNS servers by Windows DHCP. We "only" use the UTM as web proxy and reverse proxy.

    But maybe I found my problem - in the Global tab only internal and MGMT networks were allowed. The SSL VPN network range wasn't in that list. I changed that :).

  • Good news, Marcel!

    That was one of the comments I made in my first response in this thread. I've re-formatted that post - if it had been formatted that way in the beginning, would you have recognized the issue then?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Sorry, I must have overlooked that. When reading it again, it seems crystal clear.

    Thanks again for helping me, great support.

    Cheers

    Marcel

  • Hi again,

    Sorry, I still have the same troubles. DNS only works after adding a manual gateway with metric 1.

    Then my route table looks like this:

    The first route is the standard gateway of my WLAN-adapter

    The second route is the manually added gateway

    The third route is the automatically created route that's added after connection

    Netzwerkziel  Netzwerkmaske  Gateway       Schnittstelle   Metrik
    0.0.0.0       0.0.0.0        192.168.43.1  92.168.43.107   1000
    0.0.0.0       0.0.0.0        10.25.176.1   10.25.176.2     2
    0.0.0.0       128.0.0.0      10.25.176.1   10.25.176.2     257

    Without the second route my name resolution fails and only the external DNS gets queried ... :(

  • Thanks, Marcel. We all tend to skim-read here - I know I often miss important things. I'm glad that my reformatting made the post clearer for the next person, and I'm reminded to make simple, clear sentences and paragraphs instead of dense thoughts.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Ahhh-ha!  That nails it, Marcel!

    0.0.0.0  128.0.0.0  10.25.176.1  10.25.176.2  257

    That's an ancient bug that we haven't seen since before 2010, I think - it never occurred to me to even look for this now. If you're using the "Internet" object in your SSL VPN Profile, replace it with two definitions: {0.0.0.0/1} and {128.0.0.0/1}.

    Does that resolve your issue? What do you see if you execute the following as root at the command line?

    cc get_object REF_NetworkInternet|grep \'netmask\'

    If you have a paid license, Sophos Support should see this as something strange has happened.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
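    Bob's diagnosis above, as an added example that is not from the thread or from Sophos: a small Python simulation of Windows route selection (longest prefix first, metric only as tie-breaker) run over the table Marcel posted. The 128.0.0.0/1 row and the destination 193.0.0.1 are constructed; the three posted rows are the thread's own.

```python
import ipaddress

# The three rows Marcel posted (Windows "route print" layout: destination, mask,
# gateway, interface, metric). Row 1: WLAN default gateway, row 2: his manual
# workaround gateway, row 3: the route the SSL VPN client installed.
POSTED_TABLE = """
0.0.0.0  0.0.0.0  192.168.43.1   92.168.43.107   1000
0.0.0.0  0.0.0.0  10.25.176.1  10.25.176.2  2
0.0.0.0  128.0.0.0  10.25.176.1  10.25.176.2  257
"""

# Constructed: the second half-route that a correct {0.0.0.0/1, 128.0.0.0/1}
# push would add; it is missing from the posted table.
MISSING_HALF = "128.0.0.0  128.0.0.0  10.25.176.1  10.25.176.2  257\n"


def parse_routes(text):
    """Parse 'dest mask gateway interface metric' rows into (network, gateway, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:          # skip headers and blank lines
            continue
        dest, mask, gateway, _iface, metric = parts
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append((net, ipaddress.IPv4Address(gateway), int(metric)))
    return routes


def without_workaround(routes):
    """Drop Marcel's manual 0.0.0.0/0 metric-2 gateway to reproduce the broken state."""
    return [r for r in routes if not (r[0].prefixlen == 0 and r[2] == 2)]


def next_hop(routes, dest):
    """Windows route selection: longest prefix wins, lowest metric only breaks ties."""
    addr = ipaddress.IPv4Address(dest)
    matching = [r for r in routes if addr in r[0]]
    if not matching:
        return None
    best = min(matching, key=lambda r: (-r[0].prefixlen, r[2]))
    return str(best[1])


if __name__ == "__main__":
    broken = without_workaround(parse_routes(POSTED_TABLE))
    fixed = without_workaround(parse_routes(POSTED_TABLE + MISSING_HALF))
    # 10.x lies inside 0.0.0.0/1 and is tunnelled; 193.x only matches the WLAN default
    # whatever its metric, until the 128.0.0.0/1 half exists.
    print(next_hop(broken, "10.25.176.10"), next_hop(broken, "193.0.0.1"))
    print(next_hop(fixed, "193.0.0.1"))
```

    With only the 0.0.0.0/1 half installed, every destination at or above 128.0.0.0 (external DNS included) leaves via the WLAN gateway no matter how the metrics compare, which is exactly the behaviour Marcel described; Marcel's manual 0.0.0.0/0 gateway only "fixed" it because its metric 2 beats the WLAN default for those addresses.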
  • Hi Bob,

    I changed the local networks from "any" to 0.0.0.0/1 and 128.0.0.0/1.

    But I wonder, why 0.0.0.0/0 won't work? Currently I can't test it, I'm waiting for somebody with a mobile hotspot :)

    The commandline cc get_object REF_NetworkInternet|grep \'netmask\' shows

    'netmask'=> 0

    I already opened up a case @sophos but no response so far ...

  • Hi again,

    I hope I made the correct changes ... but I don't see any improvement. Routes are still the same.

    I changed the networks in "Remote access>SSL>Local Networks" from "any" to the networks you suggested.