Local DNS server does not resolve names when the machine is connected to the VPN


1

I'm trying to set up a small VPN network using OpenVPN that will allow me to connect to my workstation in the office from home.

I have already configured the OpenVPN server and generated the keys and client configuration files. Everything works: I can connect to my work machine in the office from home via RDP, but there is one problem: DNS names for local resources cannot be resolved when the work PC is connected to my VPN:

C:\Users\user>nslookup jira.corporate_domain.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.54.11

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\user>nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  192.168.54.11

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out

C:\Users\user>nslookup google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    google.com
Addresses:  2607:f8b0:4008:808::200e
          216.58.219.142

I added our local DNS server to the client configuration file and also added a static route for it, but it doesn't work. Here are the current settings on the client:

Client PC operating system: Windows 10

client_config.ovpn:

client
nobind
dev tun
key-direction 1
remote-cert-tls server

remote vpn.dns_name_of_my_server.ru 443 tcp
http-proxy proxy.corporate_dns_name.com 3129
dhcp-option DNS 192.168.54.11 
route 192.168.54.11 255.255.255.255 192.168.37.1
route 192.168.70.11 255.255.255.255 192.168.37.1

ipconfig /all on the client:

C:\Users\user>ipconfig /all
Windows IP Configuration
   Host Name . . . . . . . . . . . . : S0003445
   Primary Dns Suffix  . . . . . . . : ad.corporate_domain.com
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : Yes
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : ad.corporate_domain.com
Ethernet adapter Ethernet 3:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : TAP-Windows Adapter V9
   Physical Address. . . . . . . . . : 00-FF-B6-98-50-62
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::cd6:8fec:5f45:9f4f%11(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.255.6(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.252
   Lease Obtained. . . . . . . . . . : 30 сентября 2016 г. 17:23:51
   Lease Expires . . . . . . . . . . : 30 сентября 2017 г. 17:23:50
   Default Gateway . . . . . . . . . :
   DHCP Server . . . . . . . . . . . : 192.168.255.5
   DHCPv6 IAID . . . . . . . . . . . : 369164214
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-ED-10-9F-10-C3-7B-4C-A0-FA
   DNS Servers . . . . . . . . . . . : 192.168.54.11
                                       8.8.8.8
                                       8.8.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . : ad.corporate_domain.com
   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
   Physical Address. . . . . . . . . : 10-C3-7B-4C-A0-FA
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::1c57:9c8c:64b2:1aeb%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.37.106(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : 29 сентября 2016 г. 11:04:00
   Lease Expires . . . . . . . . . . : 7 октября 2016 г. 11:03:57
   Default Gateway . . . . . . . . . : 192.168.37.1
   DHCP Server . . . . . . . . . . . : 192.168.70.21
   DHCPv6 IAID . . . . . . . . . . . : 51430267
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-ED-10-9F-10-C3-7B-4C-A0-FA
   DNS Servers . . . . . . . . . . . : 192.168.70.11
                                       192.168.54.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter VirtualBox Host-Only Network:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter
   Physical Address. . . . . . . . . : 08-00-27-00-34-4C
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::8cd8:5f1d:f24f:fc95%13(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.56.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 201850919
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-ED-10-9F-10-C3-7B-4C-A0-FA
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Ethernet adapter VirtualBox Host-Only Network #2:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : VirtualBox Host-Only Ethernet Adapter #2
   Physical Address. . . . . . . . . : 08-00-27-00-F8-A8
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::e0b9:a45e:e853:1456%9(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.99.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 285736999
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-ED-10-9F-10-C3-7B-4C-A0-FA
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
Tunnel adapter isatap.{E1337BD8-BE7B-4699-B5B6-6404A1995408}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.ad.sperasoft.com:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . : ad.sperasoft.com
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{B6985062-CC79-4BE2-9963-92484A01C1D6}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #3
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
Tunnel adapter isatap.{9CB069EA-424F-4D8A-AE63-43372ED9F0BF}:
   Media State . . . . . . . . . . . : Media disconnected
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #5
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes

The local DNS server is reachable by ping:

C:\Users\user>ping 192.168.54.11

Pinging 192.168.54.11 with 32 bytes of data:
Reply from 192.168.54.11: bytes=32 time=41ms TTL=126
Reply from 192.168.54.11: bytes=32 time=41ms TTL=126
Reply from 192.168.54.11: bytes=32 time=42ms TTL=126
Reply from 192.168.54.11: bytes=32 time=40ms TTL=126

Ping statistics for 192.168.54.11:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 40ms, Maximum = 42ms, Average = 41ms

The static route also works fine, judging by tracert:

C:\Users\user>tracert 192.168.54.11

Tracing route to 192.168.54.11 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.37.1
  2    40 ms    39 ms    39 ms  192.168.50.2
  3    44 ms    40 ms    40 ms  192.168.54.11

Trace complete.

What am I missing?


block-outside-dns option on the client: forums.openvpn.net/viewtopic.php?t=21633
maudam

@maudam, I added this parameter to the client configuration while I was connected via RDP, and it seems to have broken the setup, since reconnecting was unsuccessful and I lost the connection to that machine. I'm not sure what went wrong; I can only check on Monday.
Ilya Khadykin
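As an added example (not part of the original question or its comments), a stdlib-only Python probe that sends a raw DNS query to the resolver from the post over UDP or TCP and reports whether it timed out, failed at the socket level, or replied with a given RCODE. That separates a filtered or blackholed port 53 (what the nslookup output above shows) from a resolver that answers but refuses. The server address and hostname are taken from the question; the probe itself is mine, not OpenVPN's or the poster's.

```python
import random
import socket
import struct

def build_query(name: str, qtype: int = 1) -> tuple:
    """Encode one DNS question (A record by default, recursion desired)."""
    txid = random.randrange(0x10000)
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in name.rstrip(".").split(".")]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return txid, header + qname + struct.pack(">HH", qtype, 1)

def parse_header(resp: bytes, txid: int) -> dict:
    """Decode the 12-byte response header into the fields worth checking."""
    if len(resp) < 12:
        return {"status": "short reply", "length": len(resp)}
    rid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {
        "status": "reply" if rid == txid else "id mismatch",
        "rcode": flags & 0x000F,      # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
        "answers": an,
        "truncated": bool(flags & 0x0200),
    }

def probe(server: str, name: str, timeout: float = 2.0, tcp: bool = False) -> dict:
    """Send one query to server:53 over UDP or TCP and classify the outcome."""
    txid, query = build_query(name)
    try:
        if tcp:                       # TCP/53 frames each message with a 2-byte length
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)
                f = s.makefile("rb")
                (length,) = struct.unpack(">H", f.read(2))
                resp = f.read(length)
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                resp, _ = s.recvfrom(4096)
    except socket.timeout:
        return {"status": "timeout"}  # the symptom in the nslookup output above
    except (OSError, struct.error) as e:
        return {"status": "error", "detail": str(e)}
    return parse_header(resp, txid)

if __name__ == "__main__":
    # Target taken from the post: the resolver pushed via "dhcp-option DNS".
    for tcp in (False, True):
        print("tcp" if tcp else "udp", probe("192.168.54.11", "jira.corporate_domain.com", tcp=tcp))
```

Run it from the VPN client with and without the tunnel up: a UDP timeout next to a TCP "reply" points at a UDP/53 filter on the path, while "error" with a connection-refused detail means the packets reach a host that is not serving DNS.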

Answers:


1

You might have gotten it working by pushing the domain DNS suffix to your client and moving the TAP adapter to the top of the binding order (lowest metric). Were you able to ping the fully qualified domain name of the domain hosts you were trying to reach?


Thanks for taking the time to answer. I didn't manage to get it working (probably due to my lack of knowledge). But I guess it's a good time to try again. Give me some time to rethink everything and create an initial configuration.
Ilya Khadykin

0

OK, I wasn't able to solve the initial problem with DNS resolution, but after some thought I realized that a VPN for the task mentioned (the ability to connect to the workstation from the Internet) is overkill.

It is much simpler to set up a reverse ssh port forward for 3389 (RDP) and get past the corporate firewall using the existing HTTP proxy server (the ssh daemon on the VPS should listen on port 443 for this to work properly).

Licensed under cc by-sa 3.0 with attribution required.