#StackBounty: #vpn #windows-10 #internal-dns #split-dns #split-tunnel Windows 10 Always On VPN, Split DNS, NRPT, and how to configure w…

Bounty: 500

Here’s the setup:

  • Windows 10 1803 clients
  • Server 2012R2 RRAS server
  • Always On VPN device tunnel setup per these instructions, with split tunneling.
  • Device VPN only has routes to 1 DC/DNS server, and our configuration manager server, so it can be managed and new users can authenticate when away from the office. When users need full access to the office network, there is a separate user VPN they can connect to. This works well, except for DNS.
  • AD domain name is example.local
  • Public domain name is example.com

The problem:

  • We use split DNS for our public domain name – so mail.example.com resolves to an internal IP address when using our internal DNS servers, and our public address from the outside world.
  • I need VPN clients to resolve it to the public address. The device VPN doesn’t let them talk to the internal address for mail.example.com, so they can’t get their email.
  • I’d also like (but it's not a must-have) DNS resolution for local services at other locations to work properly – e.g. when I’m in the offices of Other Corp, DNS for othercorp.local works even with the VPN connected.

What I want to happen:

  • Queries for example.local go over the VPN to our internal DNS servers
  • Everything else, including example.com, uses the DNS servers provided by the LAN/Wifi connection the laptop is connected to.
  • The other user based VPN (which routes all traffic over the VPN) continues to use our internal DNS servers for everything.

What I’ve tried:

  • Setting Name Resolution Policy Table rules for example.local pointing at our internal DNS servers. This does seem to work: queries for example.local go over the VPN… but so does everything else.
  • Setting NRPT rules for example.com with a blank DnsServers field, which should make sure they are excluded. Seems to have no effect.
  • Setting NRPT rules for example.com with public resolvers for the DnsServer. This does work, but breaks at remote locations that block anything but their own DNS resolvers (which many of the sites my users travel to do), and doesn’t solve the local services problem.
  • Setting “Use the following DNS server addresses” on the VPN connection in network connections, and leaving it blank. No effect; the VPN connection still gets set to use our internal servers.
  • Setting “Use the following DNS server addresses”, and putting in a public DNS server like 8.8.8.8. When connected, I end up with 3 DNS servers on that interface, with our internal ones at the top and 8.8.8.8 at the bottom of the list.

I suspect that if I could get the VPN to not list any DNS servers at all, the NRPT rules would kick in just for example.local, and everything would work properly. But I can’t find a way to make it not use the ones provided by the RRAS server.


Get this bounty!!!
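As an added illustration (not part of the question), the NRPT rule the poster describes expressed in PowerShell, followed by the checks that show which resolver the client actually ends up using; the internal DNS address 10.0.0.10 and the interface alias "DeviceTunnel" are placeholders, not values from the post.

```powershell
# Added example, not from the original post. Placeholders: the internal DNS server
# reachable over the device tunnel (10.0.0.10) and the tunnel interface alias.
$InternalDns  = '10.0.0.10'
$VpnInterface = 'DeviceTunnel'

# Route only the AD namespace to the internal resolver. The leading dot makes the rule
# match every host under the suffix (dc1.example.local), not just the apex name.
if (-not (Get-DnsClientNrptRule | Where-Object Namespace -eq '.example.local')) {
    Add-DnsClientNrptRule -Namespace '.example.local' -NameServers $InternalDns `
        -DisplayName 'AD namespace via device tunnel' -Comment 'Split DNS for AOVPN'
}

# What the client will actually apply: the effective policy merges local rules with
# rules delivered by Group Policy, so check this rather than the local table alone.
Get-DnsClientNrptPolicy -Effective | Format-Table Namespace, NameServers -AutoSize

# The symptom in the post: the tunnel interface still carries the servers pushed by
# RRAS, so any name that no NRPT rule matches can be sent to them. Show the list.
Get-DnsClientServerAddress -InterfaceAlias $VpnInterface -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# Split-brain check for the public name: ask the internal resolver and the resolver
# the LAN/Wi-Fi adapter provides directly, then compare with default resolution.
$lanDns = (Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.InterfaceAlias -ne $VpnInterface -and $_.ServerAddresses }
).ServerAddresses | Select-Object -First 1

"internal resolver : " + ((Resolve-DnsName mail.example.com -Server $InternalDns -Type A).IPAddress -join ', ')
if ($lanDns) {
    "LAN resolver      : " + ((Resolve-DnsName mail.example.com -Server $lanDns -Type A).IPAddress -join ', ')
}
# If the default answer matches the internal one, the query is still going over
# the tunnel despite the NRPT rule being scoped to example.local.
"default resolution: " + ((Resolve-DnsName mail.example.com -Type A).IPAddress -join ', ')
```

Run it in an elevated session while the device tunnel is up; Add-DnsClientNrptRule needs administrative rights, and the resolver comparison only means something when both the tunnel and the local network are connected.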

#StackBounty: #wine #vpn #winetricks Error while installing an exe using winehq

Bounty: 50

I’m trying to install FortiClient VPN on Ubuntu. Since the FortiClient client (Linux version) doesn’t support VPN, I’m trying to use Wine and install a Windows version.

When I try to install, I get the error below:

The digital signature on the installer package is invalid. Installation aborted.

Any leads on how I can overcome this?

On a Windows machine, I would uncheck the option of installing with a valid signature. I’m not sure how to do this in WineHQ.



#StackBounty: #vpn #nas #busybox Install and set up IKEv2/IPsec on WD PR4100

Bounty: 50

I have a WD PR4100 NAS and would like to set up an IKEv2/IPsec VPN tunnel. Currently, I am using OpenVPN as it is installed.

I believe the system is BusyBox based. Any suggestions on how to install the package dependencies and set up the connection? Specifically, I am trying to connect with this tutorial. I am currently looking into Docker implementations. However, it would be better if I could natively install and set up the connection instead of using Docker.

The only Docker image I have found that can act as a client (others only act as servers) is this one, although when I edit the files as in the above tutorial and then run

docker rm strongswan; docker run --net=host -v $PWD/config/strongswan.conf:/etc/strongswan.conf -v $PWD/config/ipsec.conf:/etc/ipsec.conf -v $PWD/config/ipsec.secrets:/etc/ipsec.secrets -v $PWD/config/ipsec.d:/etc/ipsec.d --name=strongswan stanback/alpine-strongswan-vpn

I get the following output:

Starting strongSwan 5.6.1 IPsec [starter]...
modprobe: can't change directory to '/lib/modules': No such file or directory
no netkey IPsec stack detected
modprobe: can't change directory to '/lib/modules': No such file or directory
no KLIPS IPsec stack detected
no known IPsec stack detected, ignoring!
00[DMN] Starting IKE charon daemon (strongSwan 5.6.1, Linux 4.1.13, x86_64)
00[KNL] unable to create netlink socket: Protocol not supported (93)
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv6 on port 4500 failed
00[NET] installing IKE bypass policy failed
00[NET] installing IKE bypass policy failed
00[NET] enabling UDP decapsulation for IPv4 on port 4500 failed
00[LIB] feature CUSTOM:libcharon in critical plugin 'charon' has unmet dependency: CUSTOM:kernel-ipsec
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv4 routing table rule
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] unable to create IPv6 routing table rule
00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
00[LIB]   file coded in unknown format, discarded
00[LIB] building CRED_CERTIFICATE - X509 failed, tried 4 builders
00[CFG]   loading ca certificate from '/etc/ipsec.d/cacerts/caCert.pem' failed
00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
00[CFG] loading crls from '/etc/ipsec.d/crls'
00[CFG] loading secrets from '/etc/ipsec.secrets'
00[CFG]   loaded EAP secret for kazoku@protonmail.com
00[CFG] loaded 0 RADIUS server configurations
00[LIB] failed to load 1 critical plugin feature
00[DMN] initialization failed - aborting charon
00[KNL] received netlink error: Operation not permitted (1)
00[KNL] received netlink error: Operation not permitted (1)
charon has quit: initialization failed
charon refused to be started
ipsec starter stopped

Apart from this, I do not know whether it is even possible to install everything separately and not use Docker, as the BusyBox-based system is limited from what I can see.



#StackBounty: #networking #mac #vpn #dns #cisco Re-order or "prioritize" DNS server over Cisco AnyConnect VPN on Mac

Bounty: 100

I have Cisco AnyConnect on my Mac (10.13.6), and the DNS resolution works properly for our internal hostnames. The output of scutil looks fine:

2015MBP:~ craig$ scutil --dns
DNS configuration

resolver #1
  search domain[0] : dns1.mycompany.com
  search domain[1] : dns2.mycompany.com
  search domain[2] : hsd1.ma.comcast.net
  nameserver[0] : 10.xx.xx.xx (<-- AN INTERNAL COMPANY IP)
  nameserver[1] : 10.xx.xx.xx (<-- AN INTERNAL COMPANY IP)
  flags    : Request A records, Request AAAA records
  reach    : 0x00000002 (Reachable)
  order    : 1

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records, Request AAAA records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : hsd1.ma.comcast.net
  nameserver[0] : 192.168.1.1
  if_index : 5 (en0)
  flags    : Scoped, Request A records, Request AAAA records
  reach    : 0x00020002 (Reachable,Directly Reachable Address)

However, I notice that it’s using the company DNS for things that it doesn’t need to:

2015MBP:~ craig$ nslookup apple.com
Server:         10.xx.xx.xx.   (<-- SAME COMPANY IP FROM ABOVE)
Address:        10.xx.xx.xx#53

Non-authoritative answer:
Name:   apple.com
Address: 17.178.96.59
Name:   apple.com
Address: 17.142.160.59
Name:   apple.com
Address: 17.172.224.47

Is there a way to tell macOS to prioritize my ISP for hostname resolution, and only to fall back to the VPN DNS for lookups that fail the first time?



#StackBounty: #vpn #l2tp #lede Connect my work VPN with my LAN via l2tp and connects

Bounty: 50

I need to connect to my work LAN from my home LAN via VPN.

How do I set it up?

Below are my settings and my ifconfig output:

l2tp-sygnusvpn Link encap:Point-to-Point Protocol  
          inet addr:192.168.140.180  P-t-P:192.168.220.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1450  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:98 (98.0 B)  TX bytes:94 (94.0 B)




#StackBounty: #vpn #l2tp #lede LEDE Connect my work VPN with my LAN via l2tp and connects

Bounty: 50

Ciao!

How are you?

I need to connect my work VPN to my LAN because I work remotely, and now we have to use the work LAN from my home LAN.

Do you guys know how to set it up?

Below are my settings and my ifconfig output:

l2tp-sygnusvpn Link encap:Point-to-Point Protocol  
          inet addr:192.168.140.180  P-t-P:192.168.220.254  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1450  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:98 (98.0 B)  TX bytes:94 (94.0 B)

Thanks,
Patrik




#StackBounty: #networking #network-manager #vpn #openvpn How to add openvpn connection in the GUI using .ovpn .p12 and .key files

Bounty: 200

I’m trying to install an OpenVPN connection on my Ubuntu 18.04 laptop.

From my OpenVPN provider I got a username/password and a zip containing three files:

myvpn.openvpn
myvpn.p12
myvpn.key

The myvpn.openvpn file looks like this (I just replaced the IP address with stars):

dev tun
persist-tun
persist-key
cipher AES-256-CBC
auth SHA1
tls-client
client
resolv-retry infinite
remote ***.***.***.*2 1194 udp
verify-x509-name "MyVPN" name
auth-user-pass
pkcs12 myvpn.p12
tls-auth myvpn.key 1
remote-cert-tls server
redirect-gateway def1

I tried connecting from the command line, which works perfectly fine using

sudo openvpn --config myvpn.ovpn

But since I need to connect to this VPN all the time, I want to be able to do it using the GUI. So I’m trying to follow this guide on askubuntu, but it doesn’t behave like in the screenshots. When I try to add a new VPN connection in the GUI, select the option “Import from file” and select the .openvpn file, it automatically sets things up like this (the UI is in Dutch, but I guess most of it should be understandable for English speakers):


The first thing I noticed is that it selects the .p12 file for the CA Cert, the User Cert and the User Private Key. Besides that, it asks for a username and password (which I have), but also for a “Password User Key” (the last input field), of which I have no clue what it is. I tried various combinations, but I always get the same error (also translated from Dutch):

Activation of network connection failed

I guess the variation which comes closest to the command line option is this one:


But that gives the same error.

Then there’s also the button “Advanced...”. Opening that scared the shit out of me. I simply have no idea where to begin in there.

Does anybody know how I can get this working somehow? Why does the command line option work perfectly, while the UI is so hard to get going? All tips are welcome!

