I've been running OpenVPN on our Bering 2.4.2 firewall for some time now.
However, I have never been able to resolve FQDNs running as clients so I've
been using HOSTS files in place. I would like to see if I could get around
this limitation as this requires maintenance of these HOSTS files from time
to time. Our network uses a three-interface model: loc, dmz, & net. The name
of the firewall is 'firewall'.

We support Windows and OS X clients. The Windows OpenVPN client 

Here's the openvpn.conf in condensed format:

server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/state/openvpn-ipp.txt
push "route 192.168.1.0 255.255.255.0"
route 192.168.1.0 255.255.255.0 firewall
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 192.168.1.254"
push "dhcp-option WINS 192.168.1.1"
push "dhcp-option DOMAIN dawnsign.com"

I have dnsmasq running on 192.168.1.254 & 192.168.2.254.

I've confirmed that the Shorewall is configured as follows:

- Add a new zone to /etc/shorewall/zones:

  vpn VPN Remote Subnet

- Add the tun interface to /etc/shorewall/interfaces:

  vpn tun+

- You can either open the traffic between the vpn zone and the local net
completely by adding

  loc vpn ACCEPT 
  vpn loc ACCEPT

  to /etc/shorewall/policy - or just add the ports you want to open in
/etc/shorewall/rules.

- As a last step, add your vpn to the shorewall tunnel definitions
(/etc/shorewall/tunnels):

  openvpn          net 0.0.0.0/0
  openvpn:udp:1195 net 0.0.0.0/0

What do I need to do in order to get names resolved on all OpenVPN clients?
The following are possibilities but I would like to gather feedback from you
guys first.

1) Do I need to enable either of the following in openvpn.conf?

  ;push "redirect-gateway def1"   or
  ;push "redirect-gateway"

2) Do I need to modify /etc/shorewall/rules to allow port 53 connections
between VPN and fw?

I'd appreciate any advice you may have for us.

~Doug 
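Doug's point 2 asks what Shorewall needs for port 53 between the VPN and the firewall. The script below is an added example (mine, not from the post or the LEAF/Shorewall projects): it reads the DNS servers pushed in openvpn.conf and emits the narrowest /etc/shorewall/rules lines that let VPN clients reach only those resolvers. It assumes the zone names vpn/loc/net from the post, Shorewall's default firewall zone name fw, that 10.8.0.x is the firewall's own tun address, and that 192.168.1.x resolvers sit behind the loc interface; the sample config is constructed.

```shell
#!/bin/sh
# Added example: derive Shorewall DNS rules from the resolvers pushed by OpenVPN.
# Assumptions (mine): zones vpn/loc/net as in the post, firewall zone "fw",
# 10.8.0.0/24 is the tun subnet (so a resolver there is the firewall itself),
# and 192.168.1.0/24 is the loc network.

# Print the addresses pushed with 'push "dhcp-option DNS <ip>"'.
pushed_dns() {
    sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]*DNS[[:space:]]*\([0-9.]*\)".*/\1/p' "$1"
}

# Map a resolver address to the Shorewall zone that owns it.
dns_zone() {
    case "$1" in
        10.8.0.*)    echo fw  ;;   # tun address of the firewall
        192.168.1.*) echo loc ;;   # dnsmasq hosts on the loc network
        *)           echo net ;;   # anything else is treated as external
    esac
}

# Emit rules lines (ACTION SOURCE DEST PROTO DEST PORT) opening UDP and TCP 53
# from the vpn zone to each pushed resolver only. The fw zone takes no
# address qualifier; other zones are narrowed to the resolver's address.
dns_rules() {
    pushed_dns "$1" | while read -r ip; do
        zone=$(dns_zone "$ip")
        if [ "$zone" = fw ]; then dest=fw; else dest="$zone:$ip"; fi
        printf 'ACCEPT\tvpn\t%s\tudp\t53\n' "$dest"
        printf 'ACCEPT\tvpn\t%s\ttcp\t53\n' "$dest"
    done
}

# Constructed sample mirroring the DNS lines of the posted openvpn.conf.
sample_conf=$(mktemp)
cat > "$sample_conf" <<'EOF'
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 192.168.1.254"
push "dhcp-option WINS 192.168.1.1"
EOF
dns_rules "$sample_conf"
rm -f "$sample_conf"
```

If dnsmasq answers on the firewall's tun address it must also listen there (dnsmasq's interface= or listen-address= options), otherwise the fw rule opens a port nothing serves.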

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/