Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)DNS resolution over Unifi USG L2TP VPN
SumnerBoy

2079 posts

Uber Geek
+1 received by user: 306

ID Verified
Lifetime subscriber

#222538 16-Aug-2017 13:25
Send private message

Hi there,

 

I have just setup a nice shiney new USG + USW-24 + 2xUAP home network, running the latest version of the Unifi controller software - v5.5.20.

 

I have a number of different VLANs setup and dnsmasq running on a VM on my network. The USG has DHCP disabled as dnsmasq handles everything DHCP/DNS related.

 

I am trying to setup a remote user VPN on the USG so I can connect in on my phone or laptop and access my main data VLAN (.10).

 

I followed the online guides and have enabled the USG radius server, setup the Remote User VPN (L2TP), and can successfully connect and authenticate using my Android phone. From my phone I can access the .10 VLAN via direct IP addresses. 

 

However I cannot access anything via my internal hostnames/aliases - e.g. my openHAB server is 192.168.10.103 but is also accessible via openhab.home. However when connecting via the L2TP VPN I cannot *see* these hostnames.

 

I have tried leaving the VPN "Name Server" config on the USG empty, tried specifying the dnsmasq server, but nothing seems to work. Also tried explicitly setting the dnsmasq server IP address in the client VPN config, but no difference.

 

I know the phone can access those servers, but I just can't figure out how to get it to use the dnsmasq DNS server.

 

Anyone got any tips or suggestions about what I am missing here?!

 

Cheers,

 

Ben

Create new topic
michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1847586 16-Aug-2017 13:56
Send private message

Add a SSH key to your USG (you'll have to do this with the gateway.json file on your controller) and from there get your dnsmasq box to push its dnsmasq hostfile configuration to your USG's /etc/dnsmasq.d/ directory else format it and push it across to /etc/hosts.

 

Your USG will then serve these up using its internal DNS server.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.



SumnerBoy

2079 posts

Uber Geek
+1 received by user: 306

ID Verified
Lifetime subscriber

  #1847592 16-Aug-2017 14:02
Send private message

It is mainly my VMs which all have static IPs, so I guess I can just copy the applicable hosts records from my dnsmasq server to the USG?

 

E.g.

 

192.168.10.104  app02  openhab

 

192.168.10.105  app03  media

 

Will the hosts file on the USG be overwritten by an upgrade? Or is that safe?

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1847597 16-Aug-2017 14:06
Send private message

SumnerBoy:

 

It is mainly my VMs which all have static IPs, so I guess I can just copy the applicable hosts records from my dnsmasq server to the USG?

 

E.g.

 

192.168.10.104  app02  openhab

 

192.168.10.105  app03  media

 

Will the hosts file on the USG be overwritten by an upgrade? Or is that safe?

 

It'll overwrite on each provision. You're best to use the gateway.json file on your controller. Have a look at this thread at the "host-record=unifi,192.168.1.140" line.

 

Make sure it parses as JSON else your router will go into a provisioning loop but I am pretty sure thats what you're needing. If the router was used as a dnsmasq / dns server then you could do it directly from the controller.

 

Given the router is also a Debian Linux box you could potentially store your scripts in /config/scripts or pull it from the router via SCP. Just make sure all cron jobs etc are all referenced in the gateway.json file to ensure they still work after a system upgrade.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.



SumnerBoy

2079 posts

Uber Geek
+1 received by user: 306

ID Verified
Lifetime subscriber

  #1847626 16-Aug-2017 15:24
Send private message

Thanks Michael - that has done the trick. Manually editing /etc/hosts on the USG didn't seem to make a difference, but adding a config.gateway.json with a list of `host-record` entries (and force provisioning) has worked. Happy days!

 

I think I will keep things simple for now, and manually edit the config.gateway.json rather than try to auto-provision from the dnsmasq server. Baby steps and all that!

 

I am starting to wonder if I should run this VPN as always-on now, and remove the various port forwards I have for openHAB and MQTT etc. Would no doubt be a load more secure that way. Just a little concerned that it might effect battery life on my phone tho.

 

Anyways, thanks again for your guidance!

 

 

davidcole
6099 posts

Uber Geek
+1 received by user: 1465

Trusted

  #1847674 16-Aug-2017 16:48
Send private message

Yeah I added all most hosts into the config file. Then all vms etc can stay dhcp and the USG will serve up the addresses.




Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 

SumnerBoy

2079 posts

Uber Geek
+1 received by user: 306

ID Verified
Lifetime subscriber

  #1847678 16-Aug-2017 16:54
Send private message

Am I right in saying the USG uses dnsmasq "under-the-hood"?

 

If that is the case can I migrate my existing dnsmasq config across to the USG (via the config file I presume?) and remove the need for a separate server on my network?

 

Can python scripts be run on the USG, fired from dnsmasq events, does anyone know?

 
 
 
 

Stream your favourite shows now on Apple TV (affiliate link).
davidcole
6099 posts

Uber Geek
+1 received by user: 1465

Trusted

  #1847689 16-Aug-2017 17:28
Send private message

Yeh there is dnsmasq in there as well. I use that for dns4me , I download a dnsmasq file from them with all the overseas dns servers.

Not sure about python on there.




Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1847729 16-Aug-2017 18:46
Send private message

Yes there is Python on the USG:

 

admin@USG:~$ python --version
Python 2.7.3

 

You can store your scripts under /config/scripts which survive after a reboot. The USG also uses dnsmasq. Just ensure you set your cron jobs under the gateway.json file else it won't survive a reprovision.

 

Anything stored in /config/scripts/post-config.d will start under root once the configuration is loaded after a reboot and is preserved after an upgrade.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

davidcole
6099 posts

Uber Geek
+1 received by user: 1465

Trusted

  #1847735 16-Aug-2017 19:14
Send private message

Orly. Cron under config? Also I think they survive a reprovision. But not a fw upgrade.




Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight 

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1847742 16-Aug-2017 19:39
Send private message

davidcole: Orly. Cron under config? Also I think they survive a reprovision. But not a fw upgrade.

 

Yep something like this in your gateway.json file - https://murfy.nz/files/usg_cron.txt

 

Just make sure it parses as JSON (I use https://jsonlint.com/ to be sure) and chmod +x it.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

SumnerBoy

2079 posts

Uber Geek
+1 received by user: 306

ID Verified
Lifetime subscriber

  #1847890 17-Aug-2017 08:05
Send private message

Good to know guys - thanks for that. I can see me having a bit of fun with all this, and probably breaking everything a few times in the process :).

 

 

 
 
 
 

Shop now on Samsung phones, tablets, TVs and more (affiliate link).
SumnerBoy

2079 posts

Uber Geek
+1 received by user: 306

ID Verified
Lifetime subscriber

  #1847894 17-Aug-2017 08:09
Send private message

Related to my OP, when I connect to the L2TP VPN using my Android phone (after adding my hostnames to the USG config) I can happily *see* those hostnames on my internal network. However I tested things last night using my laptop, connecting to the VPN via a Wifi hotspot on my phone, and whilst I could authenticate fine, and see/ping internal IP addresses, the hostnames were not resolving.

 

Laptop is running W10. It was being assigned the correct DNS server, i.e. my USG internal IP. I have read a few things about Windows not using the expected DNS server when using a VPN but I got pretty confused pretty quickly. Is there something obvious I am missing here?

michaelmurfy
meow
13579 posts

Uber Geek
+1 received by user: 10910

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1850801 23-Aug-2017 02:02
Send private message

SumnerBoy:

 

Related to my OP, when I connect to the L2TP VPN using my Android phone (after adding my hostnames to the USG config) I can happily *see* those hostnames on my internal network. However I tested things last night using my laptop, connecting to the VPN via a Wifi hotspot on my phone, and whilst I could authenticate fine, and see/ping internal IP addresses, the hostnames were not resolving.

 

Laptop is running W10. It was being assigned the correct DNS server, i.e. my USG internal IP. I have read a few things about Windows not using the expected DNS server when using a VPN but I got pretty confused pretty quickly. Is there something obvious I am missing here?

 

 

Sorry for the late reply but I get the same on Windows 10 on my Surface using OpenVPN. Android phone works fine. I have my OpenVPN server push my internal DNS server out (which is fine) but Windows refuses to use it for anything without a domain. A simple workaround was to append .localdomain onto my domains too (essentially doubling them up) and setting the domain in my router to that also. You can do this on the UniFi portal under Settings --> Networks --> LAN (or the network name) and add the Domain Name as shown:

 

Click to see full size

 

Still don't understand why Windows (and only Windows) does this... In your case I would assume if you were to go to http://device it is attempting to go to http://device.localdomain which currently isn't in your config file.




Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

SumnerBoy

2079 posts

Uber Geek
+1 received by user: 306

ID Verified
Lifetime subscriber

  #1850890 23-Aug-2017 08:09
Send private message

Thanks Michael - appreciate the reply. Glad to hear it is not just me being stoopid. Will try your suggestions but to be honest I am ok just using IP addresses for the rare occasions I need to VPN in.

Create new topic








Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.








RSS feeds
Main feed
Forums feed
Copyright
©2002-2026 Geekzone®
Site features
Geekzone BI dashboard
Geekzone Badges
Geekzone Status Page

 

Site Information
Subscribe to Geekzone
Privacy Statement
Forum Usage Guidelines (FUG)
Advertising
Trademark and copyright