
SSL VPN fails to use Windows DNS server

I switched from a workgroup to a domain. I was using the UTM as a DNS server with static network definitions for the servers that are hosted behind the UTM. Some of the servers are accessible from both local and external clients so I went with the second option as listed in post #1 of the DNS Best Practices.

I was able to get everything working since switching to a Windows DNS server (DC) but I can’t get the SSL VPN to use the Windows DNS server. I have to keep the static network definitions and specify the UTM as one of the DNS servers under Remote Access -> Advanced in order to access the servers via the VPN.

I do not have a WINS server. Under Network Services -> DNS -> Request routing, I tried adding 2.242.10.in-addr.arpa -> the Windows DNS server but it did not make any difference. I have cleared the cache on the UTM and devices after each change.

What am I missing or doing wrong?

  • Interesting...

    If I remove the SSL VPN pool from Web filtering, it appears the Windows DNS server is being used because I'm able to access/resolve the internal web servers that are not accessible to the public.

    However, with the SSL VPN pool removed from web filtering, I cannot access any external website even by its IP. If I perform a ping for google.com (or any website), I do not get a response but I do get the domain's IP. Am I supposed to have a default masquerading rule for the SSL VPN pool and a default firewall rule?

    With VPN Pool (SSL) added to the Allowed Networks under Web Filtering, a masquerading rule (VPN Pool (SSL) -> External (WAN)) and a firewall rule (VPN Pool (SSL) -> Any -> Internal : Allow) in place, I get the following error when accessing a webserver that is behind the UTM:

    2021:08:26-10:25:45 gateway httpproxy[24487]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="10.242.2.2" dstip="<public IP of website>" user="" group="" ad_domain="" statuscode="500" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xd90cca00" url="https://mysite.tld/" referer="" error="Connection refused" authtime="0" dnstime="2" aptptime="67" cattime="83" avscantime="0" fullreqtime="11479" device="0" auth="0" ua="" exceptions="" category="9998" reputation="unverified" categoryname="Uncategorized" country="United States"

    If I once again remove VPN Pool (SSL) from the Allowed Networks under Web Filtering and keep the masquerading and firewall rules, everything seems to work. I can resolve/access internal only servers and public websites.

    So what changes need to be made to make everything work so web filtering can be used for the VPN users?

    --------------------------------------------------------------------
    Sophos UTM 9.718-5 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------
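The httpproxy line quoted in the post above is the key piece of evidence: the proxy accepted a CONNECT from the VPN client (srcip 10.242.2.2), tried to reach the site's public address rather than the internal host, and got "Connection refused". The following parser is an added example, not code from the post or from Sophos; it splits a UTM httpproxy line into its key="value" fields and flags that exact pattern. The sample line is constructed from the post, with the redacted public IP replaced by the documentation address 203.0.113.10, and the internal networks passed to the check are assumptions (the VPN pool and the server LAN as they appear in the thread).

```python
import ipaddress
import re

# Constructed sample: the httpproxy line from the post, with the placeholder
# "<public IP of website>" replaced by a documentation address (assumption).
SAMPLE_LOG = (
    '2021:08:26-10:25:45 gateway httpproxy[24487]: id="0002" severity="info" '
    'sys="SecureWeb" sub="http" name="web request blocked" action="block" '
    'method="CONNECT" srcip="10.242.2.2" dstip="203.0.113.10" user="" group="" '
    'ad_domain="" statuscode="500" cached="0" '
    'profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" '
    'filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" '
    'size="0" request="0xd90cca00" url="https://mysite.tld/" referer="" '
    'error="Connection refused" authtime="0" dnstime="2" aptptime="67" '
    'cattime="83" avscantime="0" fullreqtime="11479" device="0" auth="0" ua="" '
    'exceptions="" category="9998" reputation="unverified" '
    'categoryname="Uncategorized" country="United States"'
)

# Assumed internal ranges: the SSL VPN pool and the LAN hosting the web server.
INTERNAL_NETS = ["10.242.2.0/24", "192.168.1.0/24"]

HEADER_RE = re.compile(r"^(\S+) (\S+) (\w+)\[(\d+)\]: ")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_httpproxy_line(line):
    """Split a UTM httpproxy line into header fields plus its key="value" pairs."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an httpproxy line")
    rec = {
        "timestamp": m.group(1),
        "host": m.group(2),
        "daemon": m.group(3),
        "pid": int(m.group(4)),
    }
    # Values may contain spaces and parentheses (profile names), so match up to
    # the closing quote rather than splitting on whitespace.
    rec.update(KV_RE.findall(line[m.end():]))
    return rec


def _is_internal(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def hairpin_symptom(rec, nets=INTERNAL_NETS):
    """True when an internal client's proxied request left for an address
    outside the internal ranges and the proxy could not connect.

    This is the signature from the post: the name resolved to the site's
    public address, so the proxy dialed the WAN side from inside instead of
    the LAN host and was refused.
    """
    return (
        rec.get("action") == "block"
        and rec.get("method") == "CONNECT"
        and rec.get("error") == "Connection refused"
        and _is_internal(rec["srcip"], nets)
        and not _is_internal(rec["dstip"], nets)
    )


def scan(lines, nets=INTERNAL_NETS):
    """Return (url, srcip, dstip) for every line showing the symptom."""
    hits = []
    for line in lines:
        try:
            rec = parse_httpproxy_line(line)
        except ValueError:
            continue
        if hairpin_symptom(rec, nets):
            hits.append((rec["url"], rec["srcip"], rec["dstip"]))
    return hits


if __name__ == "__main__":
    for hit in scan([SAMPLE_LOG]):
        print("proxy dialed public address for internal site:", hit)
```

Run it against /var/log/http.log lines to see how often VPN clients are being sent to the public address for a site that is actually behind the UTM. A match means the client's DNS answer was the external address; that is the case the first post's "static network definitions" on the UTM resolver were avoiding, and it is why the same request works as soon as the VPN pool is taken out of web filtering (the packet then goes to the DNAT instead of being proxied).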

  • Hmm, well my setup doesn't mimic yours because I found no use for a domain at home, and keep things in a workgroup. It just tends to make a mess with UTM integration for me.

    I don't have any override DNS in the Advanced tab like you show above, which might be your issue there, and my VPN can gain access to internal DNS names while keeping the UTM as my DNS, as well as internet traffic. I don't use the web filtering on UTM for VPN clients.

    I'd have to do some more digging on this, but I'm betting it's a combination of how you have your config between the SSL and DNS set up.

    Bob might also have a better grasp of this, as he is more versed in the domain aspect with UTM.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Thank you for your help!

    This was not a DNS issue after all. All seems to be working except for not being able to use the web proxy for VPN users. I've tried every combo of settings that I can think of but none work.

    I noticed a strange thing when adding/removing the SSL VPN pool to/from the web proxy; I get the following results for my VPN user's IP address when visiting a PHP page hosted behind the UTM:

    With VPN Pool (SSL) added to the Allowed Networks under Web Filtering:

    • $_SERVER['REMOTE_ADDR'] = 192.168.1.20 (this is the IP address of the server, should be IP of VPN user)
    • $_SERVER['HTTP_X_FORWARDED_FOR'] = 10.242.2.2 (IP of VPN user as it should be)
    • $_SERVER['REMOTE_HOST'] = blank

    Without VPN Pool (SSL) added to the Allowed Networks under Web Filtering, with or without VPN -> external masquerading rule:

    • $_SERVER['REMOTE_ADDR'] = 50.x.x.x (this is the external IP address which is also what is specified in the VPN masquerading rule)
    • $_SERVER['HTTP_X_FORWARDED_FOR'] = 50.x.x.x
    • $_SERVER['REMOTE_HOST'] = blank

    I didn't need a domain either but I wanted to learn. It definitely makes things more complicated. One nice thing about using a separate DNS server is having the ability to add MX records and other little perks.

    Maybe Bob or someone else who has encountered this VPN/web filter issue will chime in.

    --------------------------------------------------------------------
    Sophos UTM 9.718-5 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------
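The REMOTE_ADDR / X-Forwarded-For values in the post above are what a web application sees behind the UTM's web filter: the TCP peer is the proxy, and the VPN client only appears in X-Forwarded-For. An application that wants the real client address (for logging, rate limiting or allow-lists) must honor that header only when the connection actually came from the proxy, because any direct client can send a forged X-Forwarded-For. The function below is an added example written in Python rather than the poster's PHP; it is not code from the post. It assumes the proxy's address is the one the poster observed as REMOTE_ADDR when web filtering was on (192.168.1.20), and uses 198.51.100.7 as a stand-in for the redacted 50.x.x.x external address.

```python
import ipaddress

# Assumption: the only host allowed to set X-Forwarded-For is the UTM web
# filter, which the post shows connecting from 192.168.1.20. Put whatever
# address the proxied requests actually arrive from here.
TRUSTED_PROXIES = ["192.168.1.20/32"]


def _is_trusted(ip, trusted):
    """True if ip lies in one of the trusted proxy networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(n) for n in trusted)


def client_ip(remote_addr, x_forwarded_for=None, trusted=TRUSTED_PROXIES):
    """Pick the address to treat as the client.

    If the TCP peer is not a trusted proxy, X-Forwarded-For is ignored
    outright: a direct client could have written anything into it. If the
    peer is trusted, walk the header right-to-left (nearest hop first) and
    stop at the first address that is not a trusted proxy. A malformed entry
    ends the walk, so nothing to its left is believed either.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    candidate = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break
        candidate = hop
        if not _is_trusted(hop, trusted):
            break
    return candidate


if __name__ == "__main__":
    # Constructed scenarios mirroring the two observations in the post.
    print(client_ip("192.168.1.20", "10.242.2.2"))         # via web filter
    print(client_ip("198.51.100.7", "198.51.100.7"))       # masqueraded, no proxy
    print(client_ip("198.51.100.7", "10.242.2.2"))         # forged header, ignored
```

With the VPN pool in web filtering this returns 10.242.2.2, the VPN user, as the poster expected; without it the masqueraded external address is returned and the header is not consulted. The same rule is what a PHP page should apply before reading $_SERVER['HTTP_X_FORWARDED_FOR']: compare $_SERVER['REMOTE_ADDR'] against the proxy's address first.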
