VPN and static-host-mapping


#1

Hello,
I am connected to my network through a VPN running on VyOS. I have the DNS being served and my client seems to be aware of the DNS server. I am wondering if there is a way to have VPN clients use the system static-host-mapping entries when they connect? With my current config, they do not resolve unless I add them to my local /etc/hosts.

Here is my VPN entry:

vpn {
    pptp {
        remote-access {
            authentication {
                username foo {
                    password bar
                }
            }
            mode local
        }
        client-ip-pool {
            start 10.1.2.225
            stop 10.1.2.250
        }
        dns-servers {
            server-1 10.1.2.1
        }
        outside-address 0.0.0.0
    }
}

Here is my DNS config:

dns {
    forwarding {
        cache-size 150
        listen-on eth1
        listen-on eth2
        name-server 71.242.0.14
        name-server 71.250.0.14
        system
    }
}

Any insight is greatly appreciated.
Larry


#2

Hello,

I would run some tests to find the issue’s specifics.

I would first confirm the VPN part itself is working by pinging first the VyOS system from the VPN client, if the ping to VyOS fails then look at your VPN as the issue.

I would then ping the DNS server’s IP from the VPN client, and if that fails look at the routing between the VPN and subnets as the issue.

I would then open a Command Prompt (or Terminal in Linux/Unix/Mac) and run ‘ipconfig /all’ in Windows or ‘ifconfig’ in Linux/Unix/Mac. This will show the IP address(es) you have and confirm that the DNS server is the one being used.

I would then continue to use the Command prompt to run ‘nslookup’ to test DNS queries. I.e., you can run it and it will show you a prompt like ‘nslookup>’ and from there if you type something like ‘google.com’ it will query your primary DNS server and show you the response from it and which server it is.

If you run through all of this you should be able to point to which part is not working in your configuration.
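The staged checks in the reply above, as an added example that is not part of the thread: a small POSIX shell script for a Linux VPN client that runs the probes in the same order (ping VyOS, ping the DNS server, check the resolver configuration, query the pushed server directly) and names the first stage that fails. VYOS_IP, DNS_IP and NAME are hypothetical defaults taken from the addresses in the original post and are meant to be overridden; the script assumes `ping` and `dig` are installed.

```shell
#!/bin/sh
# Staged DNS-over-VPN check in the order the reply suggests (added example,
# not from the thread). Assumed, hypothetical values: VYOS_IP is the VyOS
# address on the LAN side of the tunnel, DNS_IP the address pushed by
# "vpn ... dns-servers server-1", NAME a host that exists only in
# "system static-host-mapping" on VyOS. Override them from the environment.
VYOS_IP="${VYOS_IP:-10.1.2.1}"
DNS_IP="${DNS_IP:-10.1.2.1}"
NAME="${NAME:-fileserver.home.lan}"

# Probes: each returns 0 on success, non-zero on failure.
probe_vyos_reachable()  { ping -c 1 -W 2 "$VYOS_IP" >/dev/null 2>&1; }
probe_dns_reachable()   { ping -c 1 -W 2 "$DNS_IP"  >/dev/null 2>&1; }
# Linux client: the pushed server must show up in the resolver configuration
# (the "ipconfig /all" / "ifconfig" step in the reply).
probe_resolver_config() { grep -q "^nameserver[[:space:]]*${DNS_IP}\$" /etc/resolv.conf 2>/dev/null; }
# Ask the pushed server directly, like "nslookup NAME DNS_IP" in the reply;
# success means it returned at least one address for NAME.
probe_dns_answer()      { dig +short +time=2 +tries=1 "@$DNS_IP" "$NAME" 2>/dev/null | grep -q .; }

# Turn the four probe results (0 = ok) into a verdict that names the failing
# stage. Kept free of network calls so the decision logic can be run offline.
diagnose() {
    vpn=$1; route=$2; cfg=$3; dns=$4
    if [ "$vpn" -ne 0 ]; then
        echo "VPN: VyOS itself is unreachable, look at the tunnel first"; return 1
    elif [ "$route" -ne 0 ]; then
        echo "ROUTING: DNS server unreachable from the VPN client pool"; return 2
    elif [ "$cfg" -ne 0 ]; then
        echo "CLIENT: resolver is not using the pushed DNS server"; return 3
    elif [ "$dns" -ne 0 ]; then
        echo "DNS: server answers ping but returns nothing for $NAME"; return 4
    fi
    echo "OK: $NAME resolves through $DNS_IP over the VPN"
}

# Run all probes, then report the first stage that failed.
main() {
    probe_vyos_reachable;  vpn=$?
    probe_dns_reachable;   route=$?
    probe_resolver_config; cfg=$?
    probe_dns_answer;      dns=$?
    diagnose "$vpn" "$route" "$cfg" "$dns"
}

# Live probes only run when asked for explicitly: sh vpn-dns-check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from the VPN client as `NAME=somehost.lan sh vpn-dns-check.sh --run`; the exit code (1 to 4) tells you which stage broke, and a `DNS:` verdict with everything else green is exactly the symptom in the original post, where the forwarder is reachable but not answering on the VPN interface.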


#3

You have multiple machines (vyos itself, and the vpn clients) that all want to see some dns namespace. You can either replicate those names in each machine (which is what you are doing now with static-host-mapping on vyos, and /etc/hosts on the vpn clients), or you can set up your own dns server.

If you have or can install a linux box on your local network, install Bind on that, and point the vyos and the vpn clients to it for dns service. Then set up a local namespace on Bind, and everyone sees the same names, and you only maintain that in one place - the Bind configuration on your linux server.

Depending on your vyos version, you might be able to use http://luisrato.azurewebsites.net/2014/06/17/how-to-install-vyos-routerappliance-as-dns-server/ to install bind directly on the vyos box.


#4

Hello Everyone:

I believe I found a solution for this: VyOS uses dnsmasq as the DNS Cache/Forwarder. The dnsmasq implementation in VyOS stores its configuration in the file:

    /etc/dnsmasq.conf

VyOS configuration states that it is required to specify a network interface that will listen to the DNS requests, and send those requests to the dnsmasq service. When you connect to a VyOS through an L2TP VPN connection, each connection gets its own network interface, called l2tp0, l2tp1…l2tpN, also known as l2tp+, totally bypassing the interface specified for listening for DNS requests used by the dnsmasq service.

If you look at the dnsmasq man page:

    man dnsmasq

It states that you can configure the dnsmasq service to listen for DNS requests on all network interfaces simply by omitting the:

    interface=

configuration option line on the /etc/dnsmasq.conf file.

So if you delete the “interface=” line in the dnsmasq.conf file and restart the dnsmasq service using the command:

    sudo service dnsmasq restart

at the vyos@vyos:/$ command prompt, reconnect the VPN client to the VyOS, and the client should be able to look up all DNS queries using the VyOS DNS Cache/Forwarder, provided you specified the VyOS IP address as the VPN DNS Server:

    set vpn l2tp remote-access dns-servers server-1

All of this isn’t a permanent solution, as the VyOS configuration will always add the

    set service dns forwarding listen-on

to the /etc/dnsmasq.conf file when you make a configuration change, or reboot/restart the VyOS box.

To deter the VyOS configuration from requiring the “DNS Forwarding Service Listening Interface” to be specified, and make these changes permanent, you could modify the VyOS DNS Forwarding Service template located at:

    /opt/vyatta/share/vyatta-cfg/templates/service/dns/forwarding/node.def

Look for the line:

    commit:expression: $VAR(./listen-on) != ""; "At least one interface must be configured for DNS forwarding parameter 'listen-on'"

And replace the Not Equal sign "!=" with the Equals Equals sign "==", so it looks exactly like this:

    commit:expression: $VAR(./listen-on) == ""; "At least one interface must be configured for DNS forwarding parameter 'listen-on'"

That way, the template will allow the VyOS listen-on configuration option to be empty when committing the configuration changes.

Please be careful when editing the VyOS configuration templates, as it might render the VyOS configuration system nonfunctional. It’s always a good idea to make a backup copy for the file before changing anything, so you have an easy way to restore everything in case something goes wrong. A simple copy command like:

    sudo cp node.def node.def.bak

would be enough to have a recovery option. After modifying the VyOS configuration template, don’t forget to delete the "listen-on" configuration option in VyOS configuration mode.

Let me know if this is of any help to you, as I really hope this information is useful for solving this issue.

Luis
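The template edit and the dnsmasq check from the reply above, as an added example that is not the poster's own commands: a POSIX shell script that backs up node.def, rewrites the commit:expression line only when the exact expression the reply quotes is present (so a template that differs is left untouched), is safe to run twice, and then reports whether /etc/dnsmasq.conf still carries an `interface=` line. The paths are the ones named in the reply; TEMPLATE and DNSMASQ_CONF can be overridden to exercise the functions on a scratch copy. It assumes node.def uses plain double quotes (the forum rendered them as curly quotes) and that it is run with root privileges, as in the reply's `sudo` commands.

```shell
#!/bin/sh
# Apply the node.def change from the reply with a backup and a sanity check
# (added example, not the poster's own script). Paths are those named in the
# reply; both can be overridden from the environment for testing on a copy.
TEMPLATE="${TEMPLATE:-/opt/vyatta/share/vyatta-cfg/templates/service/dns/forwarding/node.def}"
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.conf}"

# Rewrite the commit:expression line so an empty listen-on passes commit.
# Returns 0 when the line now reads '== ""' (changed here, or already so),
# 1 when the expected expression is not in the file, in which case nothing
# is written: a template that differs from the reply's is left alone.
patch_commit_expression() {
    f=$1
    if grep -q 'VAR(\./listen-on) *== *""' "$f"; then
        return 0                        # already patched, nothing to do
    fi
    grep -q 'VAR(\./listen-on) *!= *""' "$f" || return 1
    cp "$f" "$f.bak" || return 1        # the backup copy the reply recommends
    # "!=" -> "==" on that one expression; written to a temp file then moved
    # so a failed sed never leaves a half-written template behind.
    sed 's|\(\$VAR(\./listen-on)\) *!= *""|\1 == ""|' "$f" > "$f.tmp" \
        && mv "$f.tmp" "$f"
    grep -q 'VAR(\./listen-on) *== *""' "$f"
}

# Returns 0 when dnsmasq.conf has no active interface= line, i.e. dnsmasq
# accepts queries on every interface (l2tp0, l2tp1, ... included), which is
# the state the reply relies on; returns 1 and prints the lines when it is
# still restricted to the listen-on interfaces; 2 if the file is unreadable.
dnsmasq_listens_everywhere() {
    [ -r "$1" ] || return 2
    if grep '^[[:space:]]*interface=' "$1"; then
        return 1
    fi
    return 0
}

main() {
    if patch_commit_expression "$TEMPLATE"; then
        echo "template ok: $TEMPLATE (backup in $TEMPLATE.bak)"
    else
        echo "template $TEMPLATE lacks the expected expression, left untouched" >&2
        exit 1
    fi
    if dnsmasq_listens_everywhere "$DNSMASQ_CONF"; then
        echo "dnsmasq: no interface= line, listening on all interfaces"
    else
        echo "dnsmasq: still restricted by the interface= line(s) above;" \
             "delete 'service dns forwarding listen-on', commit, and restart dnsmasq" >&2
    fi
}

# Only touch the live files when asked for explicitly: sudo sh fix-dns-template.sh --apply
if [ "${1:-}" = "--apply" ]; then main; fi
```

Two things worth keeping in mind when using it. With `==` in place the commit check now fails whenever listen-on is set, which is why the reply says to delete the listen-on option afterwards; the script prints that reminder when it still finds `interface=` lines. And once the `interface=` restriction is gone, dnsmasq answers on every interface, the one carrying `outside-address` included, so confirm that port 53 on that interface is not reachable from the outside.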


#5

I did a recent search for this issue and found this old thread that I started. I never saw all the replies. Luis, your suggestion was the solution I needed. I just wanted to say thank you. Helped me fix a very aggravating issue that has been around for almost three years!
Larry