Windows built-in VPN - having issues with DNS resolution during initial log on from lock screen

I’m having trouble with my Mobile Client VPN - I’m pretty sure the problem is with DNS resolution in Windows.
I want the Mobile VPN to be split tunnel, mostly need to access file shares on the VPN side (by FQDN), don’t care about internet traffic.

I am using pfSense IPsec Mobile Client.

Configuration

Everything below this is unchecked (WINS Servers, Phase2 and Login Banner)

On the Windows side, the VPN is set up as an “All Users” VPN. My end goal is for users to be able to use the ‘network logon’ on the lock screen to be able to log into the laptop for the first time. This is not working. Everything else about the VPN works - I can do a network logon if I’ve logged into the machine before, and once I’m in Windows, I can access my network shares and the split tunnel seems to work just fine.

IPv4 Settings (in the Windows VPN adapter)

[Screenshots 1-4: VPN adapter settings]

ipconfig /all after connecting to VPN

So everything works fine, but when I try to logon with an account that I’ve never used before, I get the following message:
“We can’t sign you in with this credential because your domain isn’t available”
and in the eventvwr
“Name resolution for the name DOMAINNAME.com timed out after none of the configured DNS servers responded.”
(Although looking at the pfSense logs, it appears that the VPN connection was established, just that Windows couldn’t access DOMAINNAME.COM)

HOWEVER - if I “Use default gateway on remote network” (in Advanced TCP/IP settings of the VPN adapter) I can log on with the account for the first time and access my file shares (just can’t access the internet) but I don’t want my internet traffic to go over the VPN.

Any ideas?

See where you have that default route unticked in image 2? Windows adds a class-based route, which for you (since you’re using a “Class C” address from the RFC1918 192.168.0.0/16 supernet) means that Windows only considers 192.168.253.0/24 reachable over the VPN. Which doesn’t include your DNS servers, which means your AD is unresolvable.

edit - potential fixes are fix your firewall to allow Internet traffic and use a default route on the VPN, or re-IP and use one of the larger Class “B” or “A” RFC1918 ranges - if your VPN gives out an IP address on 10.0.253.0/24, then Windows will add a route for 10.0.0.0/8 via the VPN.

edit 2 - another potential fix might be a virtual IP on the pfSense box inside 192.168.253.0/24, which port forwards UDP+TCP/53 to your domain controllers, and the VPN hands out those IPs as part of the config.

So, I actually just fixed it after looking over the config screenshots I posted. Been bothering me for 2 days and it was something simple.

Added mydomain.com to “DNS Suffix for this connection” and that seemed to fix it.

I’m pretty sure that since it didn’t have that in there, the VPN would connect, then Windows would look for mydomain.com using the ethernet or wifi adapter, not the VPN adapter. Adding that pushed it to the top of the ‘search list’.

Strange. According to my experience of Windows VPNs, it still shouldn’t work - adding that setting only affects the resolution of unqualified hostnames, which is a hostname with no dots. By looking up your AD “mydomain.com”, that isn’t an unqualified hostname anymore, so that setting should be totally irrelevant. Not to mention that since the DNS server should be unreachable, you could query anything you like and it should fail anyway.

Still, glad it’s working for you!

To be fair, I am creating it by using powershell, and adding this route:

Add-VpnConnectionRoute -ConnectionName "VPN Connection" -DestinationPrefix 192.168.1.0/24

Which encodes the route into the pbk file. I then distribute the pbk with Group Policy files.
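The class-based route behaviour described in the earlier reply, and the explicit-route approach from the post above, combined into one added PowerShell example (not code from the thread or from pfSense). The connection name, server address, DC subnet and DNS suffix are constructed placeholders; the VPN authentication settings are left at the cmdlet defaults and must be matched to the pfSense mobile client configuration.

```powershell
# Added example: predict the classful route Windows installs for a VPN-assigned
# address when "Use default gateway on remote network" is unticked, then build a
# split-tunnel connection that explicitly routes the DC/DNS subnet.
# All names and addresses below are constructed placeholders.

function Get-ClassBasedRoute {
    # Returns the prefix Windows treats as reachable over the VPN for this address.
    param([Parameter(Mandatory)][string]$IPAddress)
    $o = $IPAddress.Split('.')
    $first = [int]$o[0]
    if     ($first -lt 128) { return "$($o[0]).0.0.0/8" }                    # Class A
    elseif ($first -lt 192) { return "$($o[0]).$($o[1]).0.0/16" }            # Class B
    elseif ($first -lt 224) { return "$($o[0]).$($o[1]).$($o[2]).0/24" }     # Class C
    else   { throw "Not a classful unicast address: $IPAddress" }
}

# A client on 192.168.253.x only gets a /24: DNS servers on 192.168.1.x are unreachable.
Get-ClassBasedRoute -IPAddress '192.168.253.10'   # 192.168.253.0/24
# A client on 10.0.253.x gets the whole 10/8, which would cover DCs anywhere in 10.x.
Get-ClassBasedRoute -IPAddress '10.0.253.10'      # 10.0.0.0/8

$conn     = 'VPN Connection'        # constructed connection name
$server   = 'vpn.example.com'       # constructed VPN endpoint
$dcSubnet = '192.168.1.0/24'        # constructed: subnet holding the DCs / DNS servers
$suffix   = 'mydomain.com'          # constructed: AD DNS name

# All-users (pre-logon capable) split-tunnel connection; -SplitTunneling is the
# cmdlet equivalent of unticking "Use default gateway on remote network".
Add-VpnConnection -Name $conn -ServerAddress $server -TunnelType Ikev2 `
    -SplitTunneling -DnsSuffix $suffix -AllUserConnection -RememberCredential -Force

# Explicit route written into the .pbk so the DC/DNS subnet is reachable over the
# tunnel even though it lies outside the class-based route Windows adds on its own.
Add-VpnConnectionRoute -ConnectionName $conn -DestinationPrefix $dcSubnet -AllUserConnection

# Verify what was persisted: split tunneling, suffix, and the route list.
Get-VpnConnection -Name $conn -AllUserConnection | Select-Object Name, SplitTunneling, DnsSuffix
(Get-VpnConnection -Name $conn -AllUserConnection).Routes
```

Running the verification lines before and after connecting (together with `route print` and `ipconfig /all`) shows whether the DC subnet is actually in the routing table when the tunnel is up; if it is not, the lock-screen logon will still fail with the "domain isn't available" error regardless of the DNS suffix setting.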

Interesting - I’ve never come across that particular cmdlet. Maybe because it’s new in Windows 8.1 and I’ve been tending to focus on stuff that works all the way back to 7. TIL though, thanks for the tip!