New Member
Posts: 5
Registered: ‎06-25-2014
Accepted Solution

Name resolution across OpenVPN


I have successfully set up two EdgeMax Lite routers and created an OpenVPN connection between them. I'm able to reach computers on subnet A (192.168.0.0/24) from subnet B (192.168.2.0/24) and vice versa. However, name resolution doesn't work.

(I followed the instructions in the SOHO Example followed by the OpenVPN site-to-site setup.)

If I ping computers by IP address, the response is good. If I try to ping by name, I get "Ping request could not find host computername."

Unfortunately I am not terribly experienced with networking beyond the basics of DHCP and DNS. I think that DNS and WINS are involved here, but I don't understand WINS nor how I can configure the VPN server of the EdgeMax router to resolve names across the VPN.


Accepted Solutions
Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: Name resolution across OpenVPN

Ah ha! Found it. The single hostname fails, but a two-part name or a fully qualified hostname works.

set system static-host-mapping host-name somepc inet 10.1.1.2
set system static-host-mapping host-name somepc.somedomain inet 10.1.1.2
set system static-host-mapping host-name somepc.somedomain.local inet 10.1.1.2

I set this up in my ERL. The network 10.1.1.0/24 is across vtun7.

Here are the results.

C:\>ping somepc.somedomain.local

Pinging somepc.somedomain.local [10.1.1.2] with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=42ms TTL=126
Reply from 10.1.1.2: bytes=32 time=22ms TTL=126
Reply from 10.1.1.2: bytes=32 time=23ms TTL=126
Reply from 10.1.1.2: bytes=32 time=22ms TTL=126

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 42ms, Average = 27ms

C:\>ping somepc.somedomain

Pinging somepc.somedomain [10.1.1.2] with 32 bytes of data:
Reply from 10.1.1.2: bytes=32 time=24ms TTL=126
Reply from 10.1.1.2: bytes=32 time=23ms TTL=126
Reply from 10.1.1.2: bytes=32 time=22ms TTL=126
Reply from 10.1.1.2: bytes=32 time=25ms TTL=126

Ping statistics for 10.1.1.2:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 22ms, Maximum = 25ms, Average = 23ms

C:\>ping somepc
Ping request could not find host somepc. Please check the name and try again.

 



All Replies
Established Member
Posts: 2,364
Registered: ‎05-30-2012
Kudos: 795
Solutions: 30

Re: Name resolution across OpenVPN

Your EdgeMax or VPN connection has nothing to do with DNS. You need to set up a DNS server and let devices use it for resolving.

New Member
Posts: 5
Registered: ‎06-25-2014

Re: Name resolution across OpenVPN

I realize the routers aren't doing any sort of DNS, but instead just providing the DNS server addresses for clients to use. At neither location is a DNS server running, but name resolution works within the context of either subnet. Without running a DNS server, how is name resolution working at all? I thought whatever mechanism allows name resolution to work on one subnet could be somehow utilized from the other to get the same lookup result.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: Name resolution across OpenVPN

Add the address of the router on the other side of the tunnel to the dns-server addresses handed out by dhcp.

This will allow clients to check with the other router for dns as well as the local router.  You might have to play with it a bit to find the best setup.  Might be better to set router system dns-server address as the other router.  DHCP from the ISP to router will still give public dns resolution.

New Member
Posts: 5
Registered: ‎06-25-2014

Re: Name resolution across OpenVPN

Thanks for this suggestion. I'll give it a try and let you know what I find.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: Name resolution across OpenVPN

I haven't actually tried to do this across a vpn.  I know it's doable with an actual dns-server, I would think it would be doable using the other edgeRouter for that purpose.  As I said, you might have to play with a few different methods to find what works.

Emerging Member
Posts: 44
Registered: ‎06-19-2014
Kudos: 10

Re: Name resolution across OpenVPN


I'm trying to get name resolution working through OpenVPN myself.

And to do that, I've tried the following:

• Installed samba on the EdgeRouter (requires the full version of sed to be installed first) on both ends

configure
set system package repository squeeze components 'main contrib non-free'
set system package repository squeeze distribution squeeze
set system package repository squeeze url http://http.us.debian.org/debian

set system package repository squeeze-security components main
set system package repository squeeze-security distribution squeeze/updates
set system package repository squeeze-security url http://security.debian.org
commit
save
exit
sudo apt-get update
sudo apt-get install wget
wget http://ftp.us.debian.org/debian/pool/main/s/sed/sed_4.2.1-7_mips.deb -P /config/auth/
sudo dpkg -i /config/auth/sed_4.2.1-7_mips.deb
sudo apt-get install samba

 

• Setting both ends up as WINS servers and getting them to announce to each other so they receive hostnames from the other subnet by editing the /etc/samba/smb.conf file:

sudo apt-get install nano
sudo mv /etc/samba/smb.conf /etc/samba/smb.default.conf
sudo nano /etc/samba/smb.conf

And adding this

[global]
 netbios name = EdgeRouter
 server string = EdgeRouter
 wins support = yes
 domain master = yes
 local master = yes
 preferred master = yes
 os level = 65
 name resolve order = wins lmhosts hosts bcast
 remote announce = w.x.y.z

• Setting the DHCP server to tell clients to use the EdgeRouter as a WINS server.

But so far I haven't gotten it to work.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: Name resolution across OpenVPN

After a little more playing around and looking things over, I'm going to recommend trying to set one of the system name-server settings to match the remote router tunnel IP, or a valid viewable network router IP. And add the listen-on interface of the tunnel on the remote router so that it listens for DNS queries from that interface. This would need to be done on both ends to make it reciprocal.

Emerging Member
Posts: 44
Registered: ‎06-19-2014
Kudos: 10

Re: Name resolution across OpenVPN


Is it correct to say that DNS name resolution won't automatically show up in the list of network devices? I.e., it will only respond to requests for a specific name, instead of giving your PC a list of all names that are available.

That's why I've been trying to use WINS

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: Name resolution across OpenVPN

I believe that you are correct on this.  Maybe someone with more expertise can confirm?

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: Name resolution across OpenVPN

Honestly, I would never bother with something like this. Instead, just set up specific hostname mapping for the services that need to use names at the opposite site. For basic SMB purposes, you should have zero reason to access all devices by name at the opposite site. If you need to access every device by name, then you are not "basic" and you should have some specific method of DNS resolution set up.

What you likely need cross-site is server names (not generally DHCP assigned anyway), NAS, and maybe printers. The servers will need hardcoded host mapping anyway because they are not DHCP assigned, so nothing updates the router's DNS anyway. The NAS and printers should have static DHCP mapping so the local ERL will know the mapping for those by default. You will just need to set up the static mapping on the opposite ERL.

ubnt@ubnt:# set system static-host-mapping host-name SERVERA inet 10.10.10.10
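
Added example, not part of the original posts: a generator for the static-host-mapping commands recommended above and in the accepted solution, emitting the bare and domain-qualified forms for each host. The inventory, the `mapping_commands` helper and the choice to reject names or addresses that do not belong to the remote subnet are assumptions made for illustration; the subnet and the `somedomain.local` suffix are reused from the thread.

```python
import ipaddress
import re

# RFC 1123 label: letters, digits, hyphen; no leading/trailing hyphen; max 63 chars.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def valid_name(name):
    """True if every dot-separated label is a valid RFC 1123 label."""
    return len(name) <= 253 and all(LABEL.match(p) for p in name.split("."))


def mapping_commands(hosts, remote_subnet, domain):
    """Build EdgeOS static-host-mapping lines for the opposite router.

    hosts maps short name -> IP. Entries with a malformed name or an address
    outside remote_subnet are returned in 'rejected' instead of being emitted,
    so a typo or pasted junk never reaches the router CLI.
    """
    net = ipaddress.ip_network(remote_subnet)
    if not valid_name(domain):
        raise ValueError(f"bad domain: {domain!r}")
    commands, rejected = [], []
    for short, ip in sorted(hosts.items()):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            rejected.append((short, "not an IP address"))
            continue
        if "." in short or not valid_name(short):
            rejected.append((short, "invalid host label"))
        elif addr not in net:
            rejected.append((short, f"{addr} outside {net}"))
        else:
            # Same forms the accepted solution tested: bare and qualified name.
            for name in (short, f"{short}.{domain}"):
                commands.append(
                    f"set system static-host-mapping host-name {name} inet {addr}")
    return commands, rejected


# Constructed inventory for subnet A, to be loaded on the router at site B.
SITE_A = {"SERVERA": "192.168.0.10", "nas": "192.168.0.20",
          "printer1": "192.168.2.30", "bad name; x": "192.168.0.40"}

if __name__ == "__main__":
    cmds, bad = mapping_commands(SITE_A, "192.168.0.0/24", "somedomain.local")
    print("\n".join(cmds))
    for name, why in bad:
        print(f"# skipped {name!r}: {why}")
```

In the accepted solution's ping test the bare name did not resolve from the Windows client while the qualified forms did, so clients should be pointed at the qualified name.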

 

New Member
Posts: 5
Registered: ‎06-25-2014

Re: Name resolution across OpenVPN

Sorvani, this does sound much simpler. I actually have no need for all devices to be resolved by name, only a server and a couple of printers as you said. I think I'll probably just do this and call it a day.
Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: Name resolution across OpenVPN

That is similar to my setup, except that all my internal dns is handled by my domain controller so dhcp just gives the dns-server address as an available dns-server.

Emerging Member
Posts: 44
Registered: ‎06-19-2014
Kudos: 10

Re: Name resolution across OpenVPN


In my case there are a lot of PCs on each LAN and they all get their IP addresses through DHCP, and they all need to be accessible through the VPN (not just a few), so maintaining static host mapping would be too much work.

There's also no domain controller, and the devices need to be automatically discoverable.

So in that case, DNS is not the appropriate method, WINS is. But I'm just having difficulty trying to get the EdgeRouter to work as a WINS server.

I'm tempted to buy another router with third-party firmware and use that as a WINS server (I've used RT-N16's and RT-N66U's with TomatoUSB on my home network, and they work perfectly as WINS servers just by ticking a single check box in the web UI. And I can even add a custom command like remote announce right there in the web UI too).

I'm not sure what exactly Redtailed is trying to use his OpenVPN bridge for, so I'm not sure if DNS or static host mapping would be appropriate in his case (it may be).

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: Name resolution across OpenVPN

In your case, you can make the opposite router the secondary DNS choice for each router. When a lookup fails for the primary DNS, it should go get it from the other which would be the router which knows the information.

Never tried this, but it is what was suggested earlier by @CowboyJed 

Emerging Member
Posts: 44
Registered: ‎06-19-2014
Kudos: 10

Re: Name resolution across OpenVPN


@sorvani wrote:

In your case, you can make the opposite router the secondary DNS choice for each router. When a lookup fails for the primary DNS, it should go get it from the other which would be the router which knows the information.

Never tried this, but it is what was suggested earlier by @CowboyJed 


That would be fine if you know all the hostnames you need to connect to in advance (which could be the case for Redtailed). Though in my case the devices need to be automatically discoverable, which DNS won't solve.

*edit*

Well, it does look like static host name mapping as you suggested works for Redtailed's situation.

Established Member
Posts: 1,043
Registered: ‎02-17-2014
Kudos: 386
Solutions: 40

Re: Name resolution across OpenVPN

The secondary dns-server address on my remote site router is the domain dns-server in my primary network, accessed through the OpenVPN tunnel. On the primary network, the domain controller does both dhcp as well as dns and is set up to update all addresses managed through dhcp with the dns-server. Servers which are set statically without using dhcp are manually entered into the dns-server.

Emerging Member
Posts: 44
Registered: ‎06-19-2014
Kudos: 10

Re: Name resolution across OpenVPN


In my case I'm trying to allow every single PC on the network to be automatically accessible and discoverable through the VPN, and I won't necessarily know all their hostnames in advance. There is no domain or domain controller.

If you know the names of the machines you want to connect to in advance, and only need to connect to specific machines, DNS works. But if all machines are to be automatically discoverable (as if they were in the same subnet), I think WINS is needed.

Though in my case I also only want it to happen in one direction, which is why I'm trying to use remote announce in samba instead of remote browse sync

Regular Member
Posts: 745
Registered: ‎11-06-2013
Kudos: 230
Solutions: 26

Re: Name resolution across OpenVPN


@Knowbody wrote:

In my case I'm trying to allow every single PC on the network to be automatically accessible and discoverable through the VPN, and I won't necessarily know all their hostnames in advance. There is no domain or domain controller.

If you know the names of the machines you want to connect to in advance, and only need to connect to specific machines, DNS works. But if all machines are to be automatically discoverable (as if they were in the same subnet), I think WINS is needed.

Though in my case I also only want it to happen in one direction, which is why I'm trying to use remote announce in samba instead of remote browse sync


You should move this to your own thread. You are trying to get a different answer.

 

Emerging Member
Posts: 44
Registered: ‎06-19-2014
Kudos: 10

Re: Name resolution across OpenVPN