OpenVPN.eu
http://forum.openvpn.eu/

Zerina/IpCOP Tunnel Help
http://forum.openvpn.eu/viewtopic.php?f=44&t=6480
Page 1 of 1

Author:  diamond187 [ 21.08.2009 17:15 ]
Post subject:  Zerina/IpCOP Tunnel Help

Hello everyone,

I've recently installed ZERINA-0.9.5b on IPCop 1.4.21 for roadwarrior access and everything is working great... To a point. The problem is that I can't seem to nail down where the problem is, and I'm hoping that others out there with more experience with OpenVPN may be able to offer their advice.

Main network is 192.168.0.0/24, VPN is 10.0.0.0/24. Using TUN (TAP would be preferable, but apparently doesn't work yet) and have a client connected via the VPN back to the office. Things more-or-less work.

Works: dns lookups (see below), ping, etc.
Doesn't work: file server synchronization, accessing hosts on the home LAN via their domain name (see below).

Environment is Windows domain, server 2003 AD. Have added the in-addr.arpa for the 10.0.0.0/24 network, and when a remote client connects it shows up both in the domain DNS and the reverse lookup. If I try to connect to the client via IP it works great; however, here's where it gets weird. I ping a client by hostname: reply from 10.0.0.5 (for instance). Everything is happy. I take that SAME hostname into IE, Firefox, or in this case the app we are wanting to use remotely (ONSSI Video server), and I end up getting our OpenDNS search page. The DNS on both the LAN machine and the road warrior are set up to ONLY look to the internal network, so the only way I would get the OpenDNS page would be for an unknown host that was forwarded from the MS DNS server AFAIK.

Obviously, TUN is a L3 solution and there may be more needed to get the server to synchronize and not be in 'offline files' mode; however, if I can ping a hostname or nslookup an IP address without problem, why the heck would I not be able to connect to it VIA IE/Firefox (if those work, I'd bet my ONSSI software will follow suit)? There is no proxy set up on the browsers, and the remote network that I'm tunneling through doesn't use OpenDNS, so if for some reason it was going out over eth1 instead of the TUN interface, it wouldn't pull OpenDNS up.

Is this a routing/DNS issue? Is there any way to get the browser to be able to find the host that ping/nslookup does? Additionally and probably a more common question, how does one enable the OpenVPN client over a TUN interface to connect to the server and synchronize files?

It seems that most of this would be a moot point over a TAP interface, being L2, but from all I have been able to see TAP simply isn't doable at this time; is this true, or is it just not doable in the very nice, easy, slick GUI that the Zerina addon provides?

Sorry for all the questions, but I've been banging my head on this in my spare time for a week now; I'm running out of spare time! :)

Thanks in advance,

Diamond187

Author:  dl5ym [ 22.08.2009 08:17 ]
Post subject:  Re: Zerina/IpCOP Tunnel Help

diamond187 wrote:
Hello everyone,

I've recently installed ZERINA-0.9.5b on IPCop 1.4.21 for roadwarrior access and everything is working great... To a point. The problem is that I can't seem to nail down where the problem is, and I'm hoping that others out there with more experience with OpenVPN may be able to offer their advice.

Main network is 192.168.0.0/24, VPN is 10.0.0.0/24. Using TUN (TAP would be preferable, but apparently doesn't work yet) and have a client connected via the VPN back to the office. Things more-or-less work.
10.0.0.0 is not the best idea - yes it works, but 10.0.0.0 also describes the whole subnet...
Quote:
Works: dns lookups (see below), ping, etc.
Doesn't work: file server synchronization, accessing hosts on the home LAN via their domain name (see below).
Quote:
Environment is Windows domain, server 2003 AD. Have added the in.arpa for the 10.0.0.0/24 network, and when a remote client connects it shows up both in the domain DNS and the reverse lookup.
That only makes sense if you use additional ccds (it's not in the GUI);
otherwise each client gets a different IP on each connect.
Quote:

If I try to connect to the client via IP it works great; however, here's where it gets weird. I ping a client by hostname: reply from 10.0.0.5 (for instance). Everything is happy. I take that SAME hostname into IE, Firefox, or in this case the app we are wanting to use remotely (ONSSI Video server), and I end up getting our OpenDNS search page.

..........

Obviously, TUN is a L3 solution and there may be more needed to get the server to synchronize and not be in 'offline files' mode; however, if I can ping a hostname or nslookup an IP address without problem, why the heck would I not be able to connect to it VIA IE/Firefox (if those work, I'd bet my ONSSI software will follow suit)? There is no proxy set up on the browsers, and the remote network that I'm tunneling through doesn't use OpenDNS, so if for some reason it was going out over eth1 instead of the TUN interface, it wouldn't pull OpenDNS up.

Is this a routing/DNS issue? Is there any way to get the browser to be able to find the host that ping/nslookup does? Additionally and probably a more common question, how does one enable the OpenVPN client over a TUN interface to connect to the server and synchronize files?
...........
Diamond187

Perhaps you can help yourself:
try on each client: nslookup target
and you will see the answer of the nameservers...

Unix has the host and dig commands, which show you nameserver info; there must be one on Windows too (never tried). There are some "M$ special ways" in name resolution; you should try first with the FQDN... If pings/IP resolution work, there are probably no routing problems.

F.
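
As an added illustration of the nslookup check dl5ym suggests (this is example code, not from the thread, Zerina or IPCop), the script below parses nslookup output and flags the two things worth checking for the symptom described in the first post: which server actually answered, and whether the answer lands inside the office LAN or the VPN pool. A name that pings fine but lands a browser on a search page usually means some other resolver answered, and that is exactly what this check surfaces. The sample outputs are constructed; the internal DNS address 192.168.0.10 and the documentation-range addresses used for the bad case are assumptions, as is the corrected 10.10.10.0/24 VPN pool from the follow-up post.

```python
import ipaddress
import re

# Ranges from the thread: office LAN and the (corrected) road-warrior pool.
EXPECTED_NETS = [ipaddress.ip_network("192.168.0.0/24"),
                 ipaddress.ip_network("10.10.10.0/24")]
# Assumed address of the internal AD DNS server (not given in the thread).
INTERNAL_DNS = ipaddress.ip_address("192.168.0.10")

# Constructed nslookup output: FQDN lookup answered by the internal server.
SAMPLE_FQDN = """Server:  dc1.example.local
Address:  192.168.0.10

Name:    rw-laptop.example.local
Address:  10.10.10.5
"""

# Constructed: short-name lookup, same answer as the FQDN.
SAMPLE_SHORT = """Server:  dc1.example.local
Address:  192.168.0.10

Name:    rw-laptop.example.local
Address:  10.10.10.5
"""

# Constructed: the failure case, answered by a foreign resolver with an
# address outside both internal ranges (documentation-range placeholders).
SAMPLE_HIJACKED = """Server:  UnKnown
Address:  203.0.113.53

Non-authoritative answer:
Name:    rw-laptop
Address:  198.51.100.80
"""


def parse_nslookup(text):
    """Split nslookup output into (server address, [answer addresses]).

    Both the Windows and the Unix layouts print the server block first,
    so the first Address line is the resolver and every later one is an
    answer.  Unix appends '#53' to the server address; that is stripped.
    """
    addrs = []
    for line in text.splitlines():
        m = re.match(r"^\s*Address(?:es)?:\s*([0-9A-Fa-f:.]+)", line)
        if m:
            addrs.append(ipaddress.ip_address(m.group(1).split("#")[0]))
    if not addrs:
        raise ValueError("no Address lines found in nslookup output")
    return addrs[0], addrs[1:]


def check_lookup(text, expected_nets=EXPECTED_NETS, internal_dns=INTERNAL_DNS):
    """Return a list of findings; an empty list means the answer looks sane."""
    server, answers = parse_nslookup(text)
    findings = []
    if server != internal_dns:
        findings.append(f"answered by {server}, not the internal DNS {internal_dns}")
    if not answers:
        findings.append("no answer records")
    for ip in answers:
        if not any(ip in net for net in expected_nets):
            findings.append(f"{ip} is outside the LAN/VPN ranges")
    return findings


def same_answers(text_short, text_fqdn):
    """True if the short name and the FQDN resolve to the same address set.

    dl5ym's advice is to try the FQDN first; a mismatch here points at the
    client's suffix/search-list handling rather than at routing.
    """
    return set(parse_nslookup(text_short)[1]) == set(parse_nslookup(text_fqdn)[1])


if __name__ == "__main__":
    for label, out in [("fqdn", SAMPLE_FQDN), ("hijacked", SAMPLE_HIJACKED)]:
        print(label, check_lookup(out) or "OK")
    print("short == fqdn:", same_answers(SAMPLE_SHORT, SAMPLE_FQDN))
```

To use it on a real client, paste the output of `nslookup target` and `nslookup target.domain.local` into the two sample strings, or read them from files; an empty finding list for both, plus a true `same_answers`, means the resolver path is consistent and the remaining suspect is the application, not DNS.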

Author:  diamond187 [ 24.08.2009 16:04 ]
Post subject:  Re: Zerina/IpCOP Tunnel Help

dl5ym wrote:
10.0.0.0 is not the best idea - yes it works, but 10.0.0.0 also describes the whole subnet...

I was paraphrasing a bit there. Actual is 10.10.10.0/24, which would be the subnet from 10.10.10.1 - 10.10.10.254
dl5ym wrote:
That only makes sense if you use additional ccds (it's not in the GUI);
otherwise each client gets a different IP on each connect.


I'm not sure I follow you on that one, what do you mean there?

dl5ym wrote:
Perhaps you can help yourself:
try on each client: nslookup target
and you will see the answer of the nameservers...

Unix has the host and dig commands, which show you nameserver info; there must be one on Windows too (never tried). There are some "M$ special ways" in name resolution; you should try first with the FQDN... If pings/IP resolution work, there are probably no routing problems.

F.


Well, both ping and nslookup work great with both the FQDN and just the hostname, so it seems that the DNS is working both forward and reverse. What isn't working in this case is going to the same FQDN/hostname through an internet browser (Firefox/IE), nor is the server able to synchronize (offline files). The browser part is driving me insane, as there is no hosts override, DNS seems to be working just fine on that very machine, and no proxy is set up to change that between a CLI ping and Firefox/IE.

Any other ideas what may be going on here? I keep coming back to routing myself since I simply can't think of any other reason why something layer 3 would ping / nslookup but not work via a browser. Any help would be greatly appreciated!

Thanks,
Diamond187

Author:  dl5ym [ 24.08.2009 17:34 ]
Post subject:  Re: Zerina/IpCOP Tunnel Help

diamond187 wrote:
dl5ym wrote:
10.0.0.0 is not the best idea - yes it works, but 10.0.0.0 also describes the whole subnet...

I was paraphrasing a bit there. Actual is 10.10.10.0/24, which would be the subnet from 10.10.10.1 - 10.10.10.254
dl5ym wrote:
That only makes sense if you use additional ccds (it's not in the GUI);
otherwise each client gets a different IP on each connect.


I'm not sure I follow you on that one, what do you mean there?

dl5ym wrote:
Perhaps you can help yourself:
try on each client: nslookup target
and you will see the answer of the nameservers...

Unix has the host and dig commands, which show you nameserver info; there must be one on Windows too (never tried). There are some "M$ special ways" in name resolution; you should try first with the FQDN... If pings/IP resolution work, there are probably no routing problems.

F.


Well, both ping and nslookup work great with both the FQDN and just the hostname, so it seems that the DNS is working both forward and reverse. What isn't working in this case is going to the same FQDN/hostname through an internet browser (Firefox/IE), nor is the server able to synchronize (offline files). The browser part is driving me insane, as there is no hosts override, DNS seems to be working just fine on that very machine, and no proxy is set up to change that between a CLI ping and Firefox/IE.

Any other ideas what may be going on here? I keep coming back to routing myself since I simply can't think of any other reason why something layer 3 would ping / nslookup but not work via a browser. Any help would be greatly appreciated!

Thanks,
Diamond187
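
An added example of what dl5ym's "additional ccds" refers to, since the thread never spells it out (this is not from the thread, Zerina or IPCop): OpenVPN's client-config-dir holds one file per client, named after the certificate's common name, and ifconfig-push in that file pins the client to a fixed tunnel address. That is what makes the AD forward and reverse records for a road warrior stay correct across reconnects; with dynamic pool addresses the record registered on one connect points at whoever gets that address next. The directory path, the client name rw-laptop and the pool layout are assumptions.

```conf
# server.conf fragment (assumed additions to the generated server config)
server 10.10.10.0 255.255.255.0
# topology subnet is assumed here; with the older default (net30) each
# client needs a /30 pair and ifconfig-push takes "local remote" instead.
topology subnet
client-config-dir /var/ipcop/ovpn/ccd   # assumed path
# Keep dynamically assigned addresses away from the statically pushed ones.
ifconfig-pool 10.10.10.100 10.10.10.200

# /var/ipcop/ovpn/ccd/rw-laptop  (file name = client certificate CN, assumed)
ifconfig-push 10.10.10.5 255.255.255.0
```

Because the file is read by certificate CN, the fixed address is tied to the client's key rather than to connection order, which is also what a defender wants when a VPN address shows up in logs or DNS: it identifies one known client, not whichever client happened to connect first.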

Page 1 of 1 All times are UTC