[SOLVED] Unable to join/access AD domain through VPN

Hi
I think this maybe similar.


openvpn road warrior works No issues.
But a site2site setup connects but the clients on server B can ping the Server A Ip addresses but can not join or login to the domain. Even after joining the domain using a road warrior account, then disconnect the road warrior account, the ad.domainname is not available.

Both servers NS7.9.2009 and both have 2 NICs red and green
Server A AD controller 192.168.238.1
Server B minimum services. 192.168.239.1
Roll to be VPN Server client to Server A via OpenVPN tunnel. Server B clients to be part of the AD domain at Server A.

Server A
**shed2office** 1207 (UDP) **SUBNET** 192.168.238.0/24 192.168.239.0/24 Running Connected (10.5.43.2)
Server B
**cshed2office** 1207 (UDP) **SUBNET** Server A public IP 192.168.239.0/24 Running Connected (10.5.43.2)

Server A
tunshed2office: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.5.43.1/24 brd 10.5.43.255 scope global tunshed2office
valid_lft forever preferred_lft forever
inet6 fe80::2165:c4ce:923d:acf2/64 scope link flags 800
valid_lft forever preferred_lft forever
Server B
tuncshed2office: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
link/none
inet 10.5.43.2/24 brd 10.5.43.255 scope global tuncshed2office
valid_lft forever preferred_lft forever
inet6 fe80::3a59:a70c:e943:baae/64 scope link flags 800
valid_lft forever preferred_lft forever
Both servers report Tunnel is up and both route -n return routes to the other server
Server A route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 0 0 0 eth0
10.5.43.0 0.0.0.0 255.255.255.0 U 0 0 0 tunshed2office
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
192.168.238.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.239.0 10.5.43.2 255.255.255.0 UG 0 0 0 tunshed2office

Should Server A be 10.5.43.1 but it shows the same as Server B 10.5.43.2?
I have tried in the conf file for the tunnel
push “dhcp-option DNS 192.168.238.1”
Any suggestions? What have I missed, thanks.

I should add that from a client on Server B I can
\192.168.238.1\ access the shares but I am challenged for username\password even though logged in as admin account created via Road warrior
but
\srv-sb fails as it resolves to the external IP of Server A and not the internal IP 192.168.238.1

I might be on the wrong track but suspect this systemctl status on the vpn has a clue

-- Unit openvpn@shed2office.service has begun starting up.
May 30 14:40:31 srv-sb.domain.name openvpn-startup[18183]: Sun May 30 14:40:31 2021 ERROR: Cannot ioctl TUNSETIFF tap0: Device or resource busy (errno=16)
May 30 14:40:31 srv-sb.domain.name openvpn-startup[18183]: Sun May 30 14:40:31 2021 Exiting due to fatal error
May 30 14:40:31 srv-sb.domain.name systemd[1]: Started OpenVPN Robust And Highly Flexible Tunneling Application On shed2office.
-- Subject: Unit openvpn@shed2office.service has finished start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit openvpn@shed2office.service has finished starting up.

The Cannot ioctl TUNSETIFF tap0 but the config has a tun device any tap device would be used by the Road warriors on port 1194.

#
# 10base
#
dev tunshed2office
dev-type tun
persist-tun
lport 1207
proto udp
topology subnet
server 10.5.43.0 255.255.255.0
push "topology subnet"

float
multihome
daemon

#
# 20routes
#
push "route 192.168.238.0 255.255.255.0"
push "dhcp-option DNS 192.168.238.1"
route 192.168.239.0 255.255.255.0

@compsos

Hi

AFAIK, OpenVPN on NethServer needs a TUN, not a TAP connection. TAP will NOT work eg on Mobile devices…

Using a TAP (Bridging) Interface is NOT a good idea!

Maybe that’s your problem!

For OpenVPN Site2Site connections, one side has to be a “server”, like for Road Warrior connections, Server B has to act like a OpenVPN Client!

My 2 cents
Andy

@mrmarkuz From another of your posts, thank you
10602
This is working
Create a custom template for /etc/dnsmasq.conf:

mkdir -p /etc/e-smith/templates-custom/etc/dnsmasq.conf/

Create /etc/e-smith/templates-custom/etc/dnsmasq.conf/90forward with the domains you want to forward to a specific DNS like:

server=/local/[server B IP]
server=/[server A domain]/[server A IP]

Apply config:

signal-event nethserver-dnsmasq-save

Also still have each subnet as trusted network plus the openvpn tunnel. but now the clients can join the domain and run the login script.

1 Like

Thanks Andy
I did not set the dev name and the conf file suggests otherwise. But Server A is the “server” and B the client. we had comms and cloud ping but no rights to see shares or scripts.
For site2Site connections the forward maybe required and I did not see it in the instructions.

@compsos

Hi

For Samba Connections you probably need to enter the network of server B in the “trusted networks” of Server A,

Maybe also the other way around, server A’s network in Server B’s “Trusted Networks”…

Don’t forget to also enter in (on both sides) the OpenVPN “Tunnel” Network (In your case 10.5.43.0/24 ?) into “Trusted Networks”.

My 2 cents
Andy

1 Like

@Andy_Wismer
Thanks.
Yes we had done that and as I said we could ping IP addresses and could open shares via \\ip address\share. But not by URL \\server\share.
Also had to check Threat Shield and fail2ban settings.
The server manager openvpn page gives the impression that it is all good, but in reality not usable. Will have to setup a new clean installation and make sure what adjustments are needed and some of what I did can be removed.
So from scratch I would

  1. Setup the tunnel
  2. modify the dnsmasq settings
  3. add the end networks and the tunnel to trusted networks
  4. monitor other firewall stuff like fail2ban, threat shield for blockages

Other than that I am impressed with the performance of the link.

@compsos

Hi Gordon

Generally, if possible, I tend to use IPsec (V2) for Site2Site connections and OpenVPN for RoadWarrior links.

I mostly use an OPNsense box as seperate firewall, but for some of my clients / friends I helped to setup VPNs using at least one NethServer on one side, sometimes also a NethServer on both sides.

In Germany, it’s often not possible to use IPsec, but OpenVPN works without issues. In Switzerland, IPsec works almost everywhere.

Both VPNs work very well, with NethServer or in combination NethServer <-> OPNsense…

My 2 cents
Andy