Hello there, I’ve been scratching my head for some time but couldn’t find a way to sort this out.
I recently rolled out laptops for the first time in my new company, and people are quite happy. It was tough but I managed to get AO VPN working with certificates like a charm, it’s absolutely invisible to the average user.
However, I have a hard time finding out one simple thing: DNS entries.
My setup is a Fortigate 101F with an IPSec tunnel. I have a range 10.0.10.0/24 for desktops and laptops when they are inside our network (for performance-related issues, the VPN turns on only when exiting our network) and a range 10.212.135.0/24 for our VPN clients.
I can perfectly communicate between those ranges; however, there's one issue: clients will write their primary interface's IP in our DNS server, meaning that if I connect from home, where my IP on my local network is in a 10.0.0.0/24 range, I will end up with a wrong DNS record instead of the usual 10.212.135.5 I should take and be reachable from.
I want the VPN interface to take precedence but not completely replace the other interface, as it may still be used when the user is not remote. So, the DNS record should update itself just like when a computer changes range when switching from LAN to WLAN - both records may exist, or one record may be dynamically updated regularly.
Anyone faced a similar problem and found a good way to navigate this? So far, whenever I need to remotely push installations and scans on machines, I just scan the whole range to see which machine is online, but I'd rather work with DNS and simply look up the hostname.
DisableNRPTForAdapterRegistration is what healed our situation a few years ago. Hasn’t been an issue since.
Edit: Meaning, if I go to the office and fire up there, my entries update to the user VLAN stuff without overlap just fine. Same when I head back home.
I can post the whole thing as example but I believe these elements are relevant:
<!--new node to register client IP address in DNS to enable manage out -->
<RegisterDNS>true</RegisterDNS>
<!-- inside/outside detection -->
<TrustedNetworkDetection>domain.net</TrustedNetworkDetection>
I followed this: https://blog.naglis.no/?p=3481 and I noticed that I had already stumbled upon Hicks' blog about this issue (google anything related to AO VPN and you will eventually).
I'm almost done solving this. Basically, after getting the "register this connection's addresses in DNS" checkmark set in the VPN connection's DNS properties, if you add DisableNRPTForAdapterRegistration, you eventually get your machines to register their DNS correctly when remote.
However, I don't know how to get that checkmark set automatically, since I tried the solution on the blog and it's not working - I had to manually tick it. I will continue to look it up and update when I'm done.
Edit: I think I nailed it. Unlike what is said in the blog, you need to put the relevant DNS in the XML.
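The two settings this post relies on, applied and then verified against the DNS server, as an added example that is not code from the thread or from any of the blogs linked above. It assumes the device tunnel connection is named "Device Tunnel" and that the VPN client pool and zone are the 10.212.135.0/24 and domain.net values from the thread; run it elevated on a client while the tunnel is up.

```powershell
# Added example (not from the thread). Assumed values: the connection name,
# the VPN pool from the thread, and the domain.net zone from the profile.
$VpnConnectionName = 'Device Tunnel'   # assumed name of the device tunnel profile
$VpnPool           = '10.212.135.'     # VPN client range quoted in the thread
$DnsZone           = 'domain.net'      # zone used in the posted profile

# 1. DisableNRPTForAdapterRegistration: allow the DNS client to register the
#    VPN adapter's address even though an NRPT rule covers the domain.
$DnscacheKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
New-ItemProperty -Path $DnscacheKey -Name 'DisableNRPTForAdapterRegistration' `
    -PropertyType DWord -Value 1 -Force | Out-Null

# 2. The "Register this connection's addresses in DNS" checkbox the post had to
#    tick by hand. This applies to the live interface (the PPP interface only
#    exists while connected); the persistent equivalent is <RegisterDNS>true</RegisterDNS>
#    in the profile XML, as the thread describes.
$vpnIf = Get-DnsClient | Where-Object InterfaceAlias -eq $VpnConnectionName
if (-not $vpnIf) { throw "VPN interface '$VpnConnectionName' is not connected" }
Set-DnsClient -InterfaceAlias $vpnIf.InterfaceAlias -RegisterThisConnectionsAddress $true
Register-DnsClient   # push a dynamic update now instead of waiting for the refresh timer

# 3. Verify against the server (not the local cache) and flag any A record that
#    is outside the VPN pool, e.g. the home 10.0.0.0/24 address the question describes.
$fqdn    = "$env:COMPUTERNAME.$DnsZone"
$records = Resolve-DnsName -Name $fqdn -Type A -DnsOnly -ErrorAction Stop
foreach ($r in $records) {
    if ($r.IPAddress.StartsWith($VpnPool)) {
        Write-Host "OK   $fqdn -> $($r.IPAddress) (VPN pool)"
    } else {
        Write-Warning "$fqdn -> $($r.IPAddress) is outside the VPN pool: stale or wrong-interface record"
    }
}
```

A record outside the pool that persists after step 2 points at the stale-record problem raised later in the thread rather than at the registration settings themselves.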
I don’t have <DnsServers> in my VPN profile so I don’t believe that one is required. The VPN client is able to get that information from DHCP.
This is a sanitized version of my VPN profile:
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.domain.net</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <CryptographySuite>
      <AuthenticationTransformConstants>SHA256128</AuthenticationTransformConstants>
      <CipherTransformConstants>AES128</CipherTransformConstants>
      <EncryptionMethod>AES128</EncryptionMethod>
      <IntegrityCheckMethod>SHA256</IntegrityCheckMethod>
      <DHGroup>Group14</DHGroup>
      <PfsGroup>PFS2048</PfsGroup>
    </CryptographySuite>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <!-- disable the addition of a class-based route for the assigned IP address on the VPN interface -->
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route>
    <Address>10.1.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <Route>
    <Address>10.2.0.0</Address>
    <PrefixSize>16</PrefixSize>
  </Route>
  <!-- need to specify always on = true -->
  <AlwaysOn>true</AlwaysOn>
  <!-- new node to specify that this is a device tunnel -->
  <DeviceTunnel>true</DeviceTunnel>
  <!-- new node to register client IP address in DNS to enable manage out -->
  <RegisterDNS>true</RegisterDNS>
  <!-- inside/outside detection -->
  <TrustedNetworkDetection>domain.net</TrustedNetworkDetection>
</VPNProfile>
Correct, but I wasn't sure if the same detection was also used to avoid sending DNS record updates for the wrong interface.
I've got a similar setup (scripted installs for Always On VPN) but I don't have issues with the client publishing home IPs to DNS. I could post my whole XML if you want.
I have issues with stale DNS records because Windows routing for VPNs likes to reuse IPs when another client disconnects.