I recently had a problem setting up OpenVPN for a residential customer trying to connect to his office network. Everything looked great and should have been working without issue. The TAP adapter would grab the expected /30 subnet without issue, pushed settings were applied, and the VPN logs had nothing but good reports. Unfortunately something sinister was indeed going on.
Taking a quick look in Wireshark I noticed that the UDP packets were being dropped. This baffled me, as I had already disabled all firewalls on the machine in order to troubleshoot, including the packaged pinche basura firewall that comes with the McAfee Internet Security Suite bloatware jamboree.
After uninstalling McAfee, all problems with connecting vanished, drives were mapped, and databases were connected to.
Having intermittent problems hitting your favorite UNC path over OpenVPN? Does your Domain Controller turn its back on you randomly over the tunnel, asking for authentication as if it no longer knows who you are?
If you have been plagued by any of the above anomalies, you are not alone! Unfortunately, hair loss products, Viagra, those vitamins you bought from GNC, or any other magical elixir of unknown origin will not help.
You may even find yourself going down the same foolhardy path as yours truly: thinking that editing %SystemRoot%\System32\Drivers\etc\hosts with the FQDN and NetBIOS names of all your favorite hosts will suffice, only to be greeted with the grotesqueness of an authentication prompt repeatedly asking you for information it should already know until you go mad, breaking out those emergency cyanide pills and washing them down with a flask of hemlock.
Wait, friend! No need for such drastic measures yet. Simply edit your server's config file to include the following:
push "dhcp-option DNS ip.of.dc"
Make sure your client config allows pushed options by having the following cleverly named setting:
Now once you’ve restarted your server and client, you should see your DC’s IP set as the default name server when typing ‘nslookup’ at the command line.
Yes, a simple fix, but still worthy enough to stop any self-mutilation.
I recently had a server die and had to move a few services to a new location. While it is never a good thing when this happens, it helps to look on the bright side. In this case, I reevaluated our current OpenVPN setup and changed a few things. The most obvious change was to drop Ethernet bridging and go with a routed setup. The second change, which is what this post is about, was to push WINS instead of DNS.
The main reason I decided to push good old legacy WINS instead of DNS is that I do not like the idea of having DNS queries going through a tiny VPN tunnel. However, I still needed users to be able to resolve network names. This is simple enough to set up in the OpenVPN configuration by adding the line push "dhcp-option WINS ip.to.my.wins" to the server config.
Setting up a WINS server is only a matter of adding "wins support = yes" to your smb.conf if you're running a Samba server, and then restarting the service.
Now I don’t query the office DNS server every time I clear my DNS cache, and I can access everything by its network name instead of its IP.
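The two approaches from the DNS and WINS posts above, side by side in one routed server config plus the matching client and Samba fragments. This is an added example, not the posts' own configs; the addresses, the VPN pool, the office LAN and the DNS suffix are placeholders.

```conf
# ---- server.conf (excerpt) -------------------------------------------
# Routed setup with a tun device rather than a bridged tap.
dev tun
server 10.8.0.0 255.255.255.0            # placeholder VPN pool (net30 gives each client a /30)
push "route 192.168.1.0 255.255.255.0"   # placeholder office LAN that holds the DC / WINS box

# Option A (DNS post): make the domain controller the client's name server.
# Every lookup the client does while connected now crosses the tunnel.
push "dhcp-option DNS 192.168.1.10"      # placeholder: your DC's IP
push "dhcp-option DOMAIN corp.example"   # placeholder AD suffix so short names resolve via the DC

# Option B (WINS post): push only WINS. Normal DNS stays on the client's
# local resolver; just NetBIOS name lookups go to the office.
# Uncomment this and comment out Option A to switch.
;push "dhcp-option WINS 192.168.1.10"    # placeholder: your WINS (Samba) IP

# ---- client.conf (excerpt) -------------------------------------------
# "client" implies "pull", which is what lets the pushed dhcp-options take effect.
client
dev tun
remote vpn.example.com 1194              # placeholder server address

# ---- smb.conf (excerpt) for Option B on a Samba host --------------------
[global]
   wins support = yes
```

On Windows the pushed dhcp-options are applied to the TAP adapter automatically; Linux and macOS clients ignore them unless an up script (such as update-resolv-conf with script-security 2) writes them into the resolver, so verify with nslookup on each client type rather than assuming the push worked.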