

All times are UTC




 Post subject: Zerina/IpCOP Tunnel Help
Posted: 21.08.2009 17:15
DES

Joined: 11.08.2009 20:06
Posts: 2
Hello everyone,

I've recently installed ZERINA-0.9.5b on IPCop 1.4.21 for roadwarrior access and everything is working great... To a point. The problem is that I can't seem to nail down where the problem is, and I'm hoping that others out there with more experience with OpenVPN may be able to offer their advice.

Main network is 192.168.0.0/24, VPN is 10.0.0.0/24. Using TUN (TAP would be preferable, but apparently doesn't work yet) and have a client connected via the VPN back to the office. Things more-or-less work.

Works: dns lookups (see below), ping, etc.
Doesn't work: file server synchronization, accessing hosts on the home LAN via their domain name (see below).

Environment is Windows domain, server 2003 AD. Have added the in.arpa for the 10.0.0.0/24 network, and when a remote client connects it shows up both in the domain DNS and the reverse lookup. If I try to connect to the client via IP it works great; however, here's where it gets weird. I ping a client by hostname: reply from 10.0.0.5 (for instance). Everything is happy. I take that SAME hostname into IE, Firefox, or in this case the app we are wanting to use remotely (ONSSI Video server), and I end up getting our OpenDNS search page. The DNS on both the LAN machine and the road warrior are set up to ONLY look to the internal network, so the only way I would get the OpenDNS page would be for an unknown host that was forwarded from the MS DNS server AFAIK.

Obviously, TUN is a L3 solution and there may be more needed to get the server to synchronize and not be in 'offline files' mode to work; however, if I can ping a hostname or nslookup an IP address without problem, why the heck would I not be able to connect to it VIA IE/Firefox (if those work, I'd bet my ONSSI software will follow suit)? There is no proxy set up on the browsers, and the remote network that I'm tunneling through doesn't use OpenDNS, so if for some reason it was going out over eth1 instead of the TUN interface, it wouldn't pull OpenDNS out.

Is this a routing/DNS issue? Is there any way to get the browser to be able to find the host that ping/nslookup does? Additionally and probably a more common question, how does one enable the OpenVPN client over a TUN interface to connect to the server and synchronize files?

It seems that most of this would be a moot point over a TAP interface being L2, but from all I have been able to see TAP simply isn't doable at this time; is this true, or just not doable in the very nice, easy, slick GUI that the zerina addon provides?

Sorry for all the questions, but I've been banging my head on this in my spare time for a week now; I'm running out of spare time! :)

Thanks in advance,

Diamond187


 Post subject: Re: Zerina/IpCOP Tunnel Help
Posted: 22.08.2009 08:17
Profi

Joined: 23.10.2007 12:10
Posts: 2191
diamond187 wrote:
Hello everyone,

I've recently installed ZERINA-0.9.5b on IPCop 1.4.21 for roadwarrior access and everything is working great... To a point. The problem is that I can't seem to nail down where the problem is, and I'm hoping that others out there with more experience with OpenVPN may be able to offer their advice.

Main network is 192.168.0.0/24, VPN is 10.0.0.0/24. Using TUN (TAP would be preferable, but apparently doesn't work yet) and have a client connected via the VPN back to the office. Things more-or-less work.
10.0.0.0 not best idea - yes it works, but 10.0.0.0 describes also the whole subnet...
Quote:
Works: dns lookups (see below), ping, etc.
Doesn't work: file server synchronization, accessing hosts on the home LAN via their domain name (see below).
Quote:
Environment is Windows domain, server 2003 AD. Have added the in.arpa for the 10.0.0.0/24 network, and when a remote client connects it shows up both in the domain DNS and the reverse lookup.
makes only sense if you use additional ccd's (it's not in the GUI)
otherwise each client gets different IPs on each connect
Quote:

If I try to connect to the client via IP it works great; however, here's where it gets weird. I ping a client by hostname: reply from 10.0.0.5 (for instance). Everything is happy. I take that SAME hostname into IE, Firefox, or in this case the app we are wanting to use remotely (ONSSI Video server), and I end up getting our OpenDNS search page.

..........

Obviously, TUN is a L3 solution and there may be more needed to get the server to synchronize and not be in 'offline files' mode to work; however, if I can ping a hostname or nslookup an IP address without problem, why the heck would I not be able to connect to it VIA IE/Firefox (if those work, I'd bet my ONSSI software will follow suit)? There is no proxy set up on the browsers, and the remote network that I'm tunneling through doesn't use OpenDNS, so if for some reason it was going out over eth1 instead of the TUN interface, it wouldn't pull OpenDNS out.

Is this a routing/DNS issue? Is there any way to get the browser to be able to find the host that ping/nslookup does? Additionally and probably a more common question, how does one enable the OpenVPN client over a TUN interface to connect to the server and synchronize files?
...........
Diamond187

perhaps you can help yourself:
try each client with a : nslookup target
and you will see the answer of nameservers...

Unix has the host and dig commands, which show you nameserver info; there must be one on win too... (never tried). There are some "M$ special ways" in name resolution; you should try first with the FQDN ... if pings/IP resolution works, there are probably no routing problems.

F.
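
What the ccd remark in the reply above refers to, as an added example that is not part of the thread or of the Zerina add-on: OpenVPN's `client-config-dir` holds one file per client certificate common name, and an `ifconfig-push` line in that file pins the client's tunnel address, so its forward and reverse DNS records stay valid across reconnects. The sketch assumes net30 topology and the 10.10.10.0/24 VPN subnet named later in the thread; the directory name, client names and DNS domain are constructed.

```python
import ipaddress

# Server side, in the OpenVPN server config (directory name is an assumption):
#   client-config-dir ccd
# OpenVPN then reads ccd/<certificate common name> each time that client connects.

def ccd_entries(vpn_subnet, client_names):
    """Map each client common name to the text of its ccd file.

    Assumes net30 topology: each client owns one /30 of the VPN subnet and
    uses its two host addresses, which Windows clients in TUN mode require.
    """
    net = ipaddress.ip_network(vpn_subnet)
    blocks = list(net.subnets(new_prefix=30))[1:]   # first /30 is the server's own
    if len(client_names) > len(blocks):
        raise ValueError("more clients than /30 blocks in " + vpn_subnet)
    entries = {}
    for name, block in zip(sorted(client_names), blocks):
        server_end, client_end = block.hosts()      # e.g. .5 and .6
        entries[name] = f"ifconfig-push {client_end} {server_end}\n"
    return entries

def dns_records(entries, domain):
    """Return (fqdn, address, PTR name) for each pinned client."""
    records = []
    for name, line in sorted(entries.items()):
        address = ipaddress.ip_address(line.split()[1])
        records.append((f"{name}.{domain}", str(address), address.reverse_pointer))
    return records

if __name__ == "__main__":
    # Constructed client names and domain; the subnet is the one named in the thread.
    pinned = ccd_entries("10.10.10.0/24", ["laptop-bob", "laptop-alice"])
    for name, text in pinned.items():
        print(f"ccd/{name}: {text}", end="")
    for fqdn, address, ptr in dns_records(pinned, "office.example"):
        print(f"{fqdn} A {address} / {ptr} PTR {fqdn}")
```

Give every client a ccd file, or keep the pinned addresses outside the range the server hands out dynamically, so a pinned address is not also leased to another client.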


 Post subject: Re: Zerina/IpCOP Tunnel Help
Posted: 24.08.2009 16:04
DES

Joined: 11.08.2009 20:06
Posts: 2
dl5ym wrote:
10.0.0.0 not best idea - yes it works, but 10.0.0.0 describes also the whole subnet...

I was paraphrasing a bit there. Actual is 10.10.10.0/24, which would be the subnet from 10.10.10.1 - 10.10.10.254
dl5ym wrote:
makes only sense if you use additional ccd's (it's not in the GUI)
otherwise each client gets different IPs on each connect


I'm not sure I follow you on that one, what do you mean there?

dl5ym wrote:
perhaps you can help yourself:
try each client with a : nslookup target
and you will see the answer of nameservers...

Unix has the host and dig commands, which show you nameserver info; there must be one on win too... (never tried). There are some "M$ special ways" in name resolution; you should try first with the FQDN ... if pings/IP resolution works, there are probably no routing problems.

F.


Well, both ping and nslookup work great with both the FQDN and just the hostname, so it seems that the DNS is working both forward and reverse. What isn't working in this case is going to the same FQDN/hostname through an internet browser (Firefox/IE), nor is the server able to synchronize (offline files). The browser part is driving me insane, as there is no hosts override, DNS seems to be working just fine on that very machine, and no proxy is set up to change that between a CLI ping and Firefox/IE.

Any other ideas what may be going on here? I keep coming back to routing myself since I simply can't think of any other reason why something layer 3 would ping / nslookup but not work via a browser. Any help would be greatly appreciated!

Thanks,
Diamond187


 Post subject: Re: Zerina/IpCOP Tunnel Help
Posted: 24.08.2009 17:34
Profi

Joined: 23.10.2007 12:10
Posts: 2191
diamond187 wrote:
dl5ym wrote:
10.0.0.0 not best idea - yes it works, but 10.0.0.0 describes also the whole subnet...

I was paraphrasing a bit there. Actual is 10.10.10.0/24, which would be the subnet from 10.10.10.1 - 10.10.10.254
dl5ym wrote:
makes only sense if you use additional ccd's (it's not in the GUI)
otherwise each client gets different IPs on each connect


I'm not sure I follow you on that one, what do you mean there?

dl5ym wrote:
perhaps you can help yourself:
try each client with a : nslookup target
and you will see the answer of nameservers...

Unix has the host and dig commands, which show you nameserver info; there must be one on win too... (never tried). There are some "M$ special ways" in name resolution; you should try first with the FQDN ... if pings/IP resolution works, there are probably no routing problems.

F.


Well, both ping and nslookup work great with both the FQDN and just the hostname, so it seems that the DNS is working both forward and reverse. What isn't working in this case is going to the same FQDN/hostname through an internet browser (Firefox/IE), nor is the server able to synchronize (offline files). The browser part is driving me insane, as there is no hosts override, DNS seems to be working just fine on that very machine, and no proxy is set up to change that between a CLI ping and Firefox/IE.

Any other ideas what may be going on here? I keep coming back to routing myself since I simply can't think of any other reason why something layer 3 would ping / nslookup but not work via a browser. Any help would be greatly appreciated!

Thanks,
Diamond187

