LinuxQuestions.org
Old 11-08-2010, 05:11 AM   #1
SystemR89
LQ Newbie
 
Registered: May 2010
Location: Turin, Italy
Distribution: Debian unstable/experimental
Posts: 4

Rep: Reputation: 0
Resolve hostname between openvpn clients


Hi,
I have a fully working OpenVPN network, but it works only using IP addresses.

Clients should communicate with each other through the server. To simplify the management of clients I'd like to use their hostnames instead of their IPs. Is there a way to achieve it?

Right now OpenVPN assigns IP addresses to the clients, but if needed I can install other software on the server; it's a Debian machine.
 
Old 11-08-2010, 11:56 AM   #2
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
In order to have hosts resolve by name you will either need to put entries in (all of) the hosts tables or use DNS. DNS can be a little tricky with OpenVPN, depending on your wishes. What I mean is that typically one would use a combination of DHCP and DNS and create dynamic DNS whereby hosts get assigned an IP address and this links to the DNS server to resolve the name. OpenVPN by default uses a pseudo DHCP and by default won't link to the DNS to update the configuration. If you can be sure that the remote clients will always have the same VPN (IP) address, the easiest thing to do would be to create a static name to address mapping and put these in the DNS zone configuration. Similarly, you could put these mappings in the hosts file(s).

You can use a regular DHCP server, but in order to get it to bind to your VPN interface, the VPN interface will need to be created first.
 
Old 11-09-2010, 04:49 AM   #3
SystemR89
LQ Newbie
 
Registered: May 2010
Location: Turin, Italy
Distribution: Debian unstable/experimental
Posts: 4

Original Poster
Rep: Reputation: 0
I found this script: http://oldwiki.openwrt.org/OpenVPNDNS.html

but after adding (learn-address /var/lib/openvpn/learn-address.sh) to OpenVPN, nothing works anymore. Clients can connect to the server but communications between hosts are broken.
The script is executable, clients get the IP and the log is apparently the same as with the option deactivated.
 
Old 11-09-2010, 12:06 PM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
It looks like that script attempts to learn the host name and dynamically add it to the hosts file and then tell DNSMasq to update itself according to this. I will assume for now that it does this and that you are using DNSMasq for your DNS server and answer your comment:
Quote:
Clients can connect to the server but communications between hosts are broken
This is a second issue, one that I didn't get into in my initial reply. The problem becomes one of routing and there are several aspects to it. Let's say you have LAN hosts A, B, C, and S, with S acting as the VPN server. Remote client R connects to the server S and the two devices should be able to talk to each other. Client R then wants to communicate with client A, B, or C and it can resolve their address. Let's assume that your LAN is 192.168.0.x and R has been given VPN address 192.168.0.100 and S is 192.168.0.50 and A is 192.168.0.1. R does a lookup and sees that A is at 192.168.0.1 and it is configured to route across the virtual tunnel (VPN). When A attempts to reply, it sees R as being at 192.168.0.100 and sends the packet out on its interface. Unfortunately, R isn't really at 192.168.0.100 - and the VPN on the server S must be configured to intercept this traffic and proxy between A and R.

This is where the NAT and IP Masquerading come into play that you often read about in the OpenVPN documentation.

Personally, I have never gotten this to work and it is not for a lack of trying. If you do manage to get this to work, I would be very interested in how and what worked for you.
 
Old 11-10-2010, 04:56 AM   #5
SystemR89
LQ Newbie
 
Registered: May 2010
Location: Turin, Italy
Distribution: Debian unstable/experimental
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Noway2 View Post
It looks like that script attempts to learn the host name and dynamically add it to the hosts file and then tell DNSMasq to update itself according to this. I will assume for now that it does this and that you are using DNSMasq for your DNS server and answer your comment:

This is a second issue, one that I didn't get into in my initial reply. The problem becomes one of routing and there are several aspects to it. Let's say you have LAN hosts A, B, C, and S, with S acting as the VPN server. Remote client R connects to the server S and the two devices should be able to talk to each other. Client R then wants to communicate with client A, B, or C and it can resolve their address. Let's assume that your LAN is 192.168.0.x and R has been given VPN address 192.168.0.100 and S is 192.168.0.50 and A is 192.168.0.1. R does a lookup and sees that A is at 192.168.0.1 and it is configured to route across the virtual tunnel (VPN). When A attempts to reply, it sees R as being at 192.168.0.100 and sends the packet out on its interface. Unfortunately, R isn't really at 192.168.0.100 - and the VPN on the server S must be configured to intercept this traffic and proxy between A and R.

This is where the NAT and IP Masquerading come into play that you often read about in the OpenVPN documentation.

Personally, I have never gotten this to work and it is not for a lack of trying. If you do manage to get this to work, I would be very interested in how and what worked for you.
Sorry, I probably didn't explain it well. I think that it's not a routing problem because without "learn-address /var/lib/openvpn/learn-address.sh" in the server configuration the communications between the clients work well.
With this trick, instead, I can't ping any client from the server, the server from a client, or client to client. Looking at the OpenVPN log, apparently nothing goes wrong when a client establishes the connection.
/etc/hosts.openvpn-clients isn't filled, so I tried using IP addresses.

Permissions and executable flags were set correctly.
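
OpenVPN appends the operation, the address and (for add/update) the certificate common name to the `learn-address` command, and on add or update a non-zero exit status makes it reject the address. A hook of that kind, added here as an example and not the OpenWrt script linked above; the `vpn.example` suffix and the function names are assumptions:

```shell
#!/bin/sh
# Added example (not the OpenWrt script): learn-address hook for a hosts file.
# OpenVPN runs it as: <script> add|update|delete <address> [<common name>]
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts.openvpn-clients}"  # file named in the thread
DOMAIN="${DOMAIN:-vpn.example}"                          # assumed DNS suffix

# Reduce a certificate common name to a safe DNS label; fail if nothing usable.
sanitize_cn() {
    label=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr -cd 'a-z0-9-' | cut -c1-63)
    case "$label" in
        ''|-*|*-) return 1 ;;
    esac
    printf '%s\n' "$label"
}

# Drop any old entry for the address, append the new one, replace atomically.
learn_address() {
    op=$1 addr=$2 cn=$3
    case "$addr" in
        ''|*[!0-9.]*) return 0 ;;   # not a plain IPv4 address (e.g. a subnet)
    esac
    tmp=$(mktemp "${HOSTS_FILE}.XXXXXX") || return 0
    if [ -f "$HOSTS_FILE" ]; then
        awk -v a="$addr" '$1 != a' "$HOSTS_FILE" > "$tmp"
    fi
    case "$op" in
        add|update)
            if name=$(sanitize_cn "$cn"); then
                printf '%s %s.%s %s\n' "$addr" "$name" "$DOMAIN" "$name" >> "$tmp"
            fi ;;
    esac
    chmod 644 "$tmp"            # the DNS daemon reads this file unprivileged
    mv "$tmp" "$HOSTS_FILE"
    return 0                    # never let a bookkeeping error reject the address
}

# Called by OpenVPN with arguments; dnsmasq re-reads hosts files on SIGHUP.
if [ $# -gt 0 ]; then
    learn_address "$@"
    exit 0
fi
```

The common name comes from the client certificate, so it is reduced to a DNS label before it is written into a file the resolver trusts.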
 
Old 07-11-2019, 03:18 PM   #6
begleysm
LQ Newbie
 
Registered: Jul 2019
Posts: 4

Rep: Reputation: Disabled
Your `/etc/resolv.conf` file defines where your computer should look to resolve hostnames into IP addresses. The basic problem is that `/etc/resolv.conf` doesn't get updated when you run `openvpn` by default.

Here's what you need to do to fix the problem.

1.) Append the following onto your `server.conf` file on your OpenVPN server machine (typically located at `/etc/openvpn/server.conf`) to have the server tell the client where to look to convert hostnames to IP addresses.

Code:
push "dhcp-option DNS 192.168.1.1"
push "dhcp-option DOMAIN mylocaldomain.lan"

2.) Install `resolvconf` on your client machine and link the standard `resolv.conf` to `resolvconf`'s version with the following commands to have a function capable of modifying `resolv.conf`

Code:
sudo apt install resolvconf
sudo mv /etc/resolv.conf /etc/resolv.conf.orig
sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf

3.) Append the following to the bottom of your `client.ovpn` file to run `resolvconf` whenever the OpenVPN server is connected to or disconnected from.

Code:
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

4.) Whenever you run `openvpn` you'll have to do so with the `--script-security 2` flag to allow `openvpn` to run `resolvconf`. Here is an example call:

Code:
sudo openvpn --script-security 2 --config /path/to/client.ovpn

You can read a more detailed version of the above instructions with some example code of my (working) OpenVPN server here: https://steamforge.net/wiki/index.ph..._%26_hostnames
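
How the options pushed in step 1 reach the hook from step 3: OpenVPN exports each pushed `dhcp-option` to the up script as a `foreign_option_N` environment variable. The following added example (not the Debian `update-resolv-conf` script; the function names are assumptions) parses and validates them into `resolv.conf` lines:

```shell
#!/bin/sh
# Added example: turn OpenVPN's foreign_option_N environment variables
# (one per pushed "dhcp-option ...") into validated resolv.conf lines.

# Accept dotted-quad IPv4 with every octet numeric and <= 255.
valid_ipv4() {
    printf '%s\n' "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Accept a plain DNS name: letters, digits, hyphens and single dots only.
valid_domain() {
    case "$1" in
        ''|*[!A-Za-z0-9.-]*|.*|*..*) return 1 ;;
    esac
}

# Print resolv.conf lines for foreign_option_1, foreign_option_2, ...
resolv_lines_from_env() {
    n=1
    while :; do
        eval "opt=\${foreign_option_$n:-}"   # n is a counter we control
        [ -n "$opt" ] || break
        set -f; set -- $opt; set +f          # words: dhcp-option TYPE VALUE
        if [ "$1" = dhcp-option ]; then
            case "$2" in
                DNS)    if valid_ipv4 "$3";   then echo "nameserver $3"; fi ;;
                DOMAIN) if valid_domain "$3"; then echo "search $3"; fi ;;
            esac
        fi
        n=$((n + 1))
    done
}

# OpenVPN sets script_type=up when it runs the up hook; the output can then
# be piped to resolvconf -a, which reads resolv.conf lines on stdin.
if [ "${script_type:-}" = up ]; then
    resolv_lines_from_env
fi
```

Values that fail validation are skipped, so a malformed pushed option never lands in the resolver configuration.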
 