DNS resolution over Unifi USG L2TP VPN

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › DNS resolution over Unifi USG L2TP VPN

SumnerBoy

2076 posts

Uber Geek

ID Verified

Lifetime subscriber

#222538 16-Aug-2017 13:25

Hi there,

I have just setup a nice shiney new USG + USW-24 + 2xUAP home network, running the latest version of the Unifi controller software - v5.5.20.

I have a number of different VLANs setup and dnsmasq running on a VM on my network. The USG has DHCP disabled as dnsmasq handles everything DHCP/DNS related.

I am trying to setup a remote user VPN on the USG so I can connect in on my phone or laptop and access my main data VLAN (.10).

I followed the online guides and have enabled the USG radius server, setup the Remote User VPN (L2TP), and can successfully connect and authenticate using my Android phone. From my phone I can access the .10 VLAN via direct IP addresses.

However I cannot access anything via my internal hostnames/aliases - e.g. my openHAB server is 192.168.10.103 but is also accessible via openhab.home. However when connecting via the L2TP VPN I cannot *see* these hostnames.

I have tried leaving the VPN "Name Server" config on the USG empty, tried specifying the dnsmasq server, but nothing seems to work. Also tried explicitly setting the dnsmasq server IP address in the client VPN config, but no difference.

I know the phone can access those servers, but I just can't figure out how to get it to use the dnsmasq DNS server.

Anyone got any tips or suggestions about what I am missing here?!

Cheers,

Ben

michaelmurfy

meow
13271 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1847586 16-Aug-2017 13:56

Add a SSH key to your USG (you'll have to do this with the gateway.json file on your controller) and from there get your dnsmasq box to push its dnsmasq hostfile configuration to your USG's /etc/dnsmasq.d/ directory else format it and push it across to /etc/hosts.

Your USG will then serve these up using its internal DNS server.

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

SumnerBoy

2076 posts

Uber Geek

ID Verified

Lifetime subscriber

#1847592 16-Aug-2017 14:02

It is mainly my VMs which all have static IPs, so I guess I can just copy the applicable hosts records from my dnsmasq server to the USG?

E.g.

192.168.10.104 app02 openhab

192.168.10.105 app03 media

Will the hosts file on the USG be overwritten by an upgrade? Or is that safe?

michaelmurfy

meow
13271 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1847597 16-Aug-2017 14:06

SumnerBoy:

It is mainly my VMs which all have static IPs, so I guess I can just copy the applicable hosts records from my dnsmasq server to the USG?

E.g.

192.168.10.104 app02 openhab

192.168.10.105 app03 media

Will the hosts file on the USG be overwritten by an upgrade? Or is that safe?

It'll overwrite on each provision. You're best to use the gateway.json file on your controller. Have a look at this thread at the "host-record=unifi,192.168.1.140" line.

Make sure it parses as JSON else your router will go into a provisioning loop but I am pretty sure thats what you're needing. If the router was used as a dnsmasq / dns server then you could do it directly from the controller.

Given the router is also a Debian Linux box you could potentially store your scripts in /config/scripts or pull it from the router via SCP. Just make sure all cron jobs etc are all referenced in the gateway.json file to ensure they still work after a system upgrade.

SumnerBoy

2076 posts

Uber Geek

ID Verified

Lifetime subscriber

#1847626 16-Aug-2017 15:24

Thanks Michael - that has done the trick. Manually editing /etc/hosts on the USG didn't seem to make a difference, but adding a config.gateway.json with a list of `host-record` entries (and force provisioning) has worked. Happy days!

I think I will keep things simple for now, and manually edit the config.gateway.json rather than try to auto-provision from the dnsmasq server. Baby steps and all that!

I am starting to wonder if I should run this VPN as always-on now, and remove the various port forwards I have for openHAB and MQTT etc. Would no doubt be a load more secure that way. Just a little concerned that it might effect battery life on my phone tho.

Anyways, thanks again for your guidance!

davidcole

6041 posts

Uber Geek

Trusted

#1847674 16-Aug-2017 16:48

Yeah I added all most hosts into the config file. Then all vms etc can stay dhcp and the USG will serve up the addresses.

Previously known as psycik

Home Assistant: Gigabyte AMD A8 Brix, Home Assistant with Aeotech ZWave Controller, Raspberry PI, Wemos D1 Mini, Zwave, Shelly Humidity and Temperature sensors
Media:Chromecast v2, ATV4 4k, ATV4, HDHomeRun Dual
Server Host Plex Server 3x3TB, 4x4TB using MergerFS, Samsung 850 evo 512 GB SSD, Proxmox Server with 1xW10, 2xUbuntu 22.04 LTS, Backblaze Backups, usenetprime.com fastmail.com Sharesies Trakt.TV Sharesight

SumnerBoy

2076 posts

Uber Geek

ID Verified

Lifetime subscriber

#1847678 16-Aug-2017 16:54

Am I right in saying the USG uses dnsmasq "under-the-hood"?

If that is the case can I migrate my existing dnsmasq config across to the USG (via the config file I presume?) and remove the need for a separate server on my network?

Can python scripts be run on the USG, fired from dnsmasq events, does anyone know?

davidcole

6041 posts

Uber Geek

Trusted

#1847689 16-Aug-2017 17:28

Yeh there is dnsmasq in there as well. I use that for dns4me , I download a dnsmasq file from them with all the overseas dns servers.

Not sure about python on there.

Sharesies

Trade NZ and US shares and funds with Sharesies (affiliate link).

michaelmurfy

meow
13271 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1847729 16-Aug-2017 18:46

Yes there is Python on the USG:

admin@USG:~$ python --version
Python 2.7.3

You can store your scripts under /config/scripts which survive after a reboot. The USG also uses dnsmasq. Just ensure you set your cron jobs under the gateway.json file else it won't survive a reprovision.

Anything stored in /config/scripts/post-config.d will start under root once the configuration is loaded after a reboot and is preserved after an upgrade.

davidcole

6041 posts

Uber Geek

Trusted

#1847735 16-Aug-2017 19:14

Orly. Cron under config? Also I think they survive a reprovision. But not a fw upgrade.

michaelmurfy

meow
13271 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1847742 16-Aug-2017 19:39

davidcole: Orly. Cron under config? Also I think they survive a reprovision. But not a fw upgrade.

Yep something like this in your gateway.json file - https://murfy.nz/files/usg_cron.txt

Just make sure it parses as JSON (I use https://jsonlint.com/ to be sure) and chmod +x it.

SumnerBoy

2076 posts

Uber Geek

ID Verified

Lifetime subscriber

#1847890 17-Aug-2017 08:05

Good to know guys - thanks for that. I can see me having a bit of fun with all this, and probably breaking everything a few times in the process :).

SumnerBoy

2076 posts

Uber Geek

ID Verified

Lifetime subscriber

#1847894 17-Aug-2017 08:09

Related to my OP, when I connect to the L2TP VPN using my Android phone (after adding my hostnames to the USG config) I can happily *see* those hostnames on my internal network. However I tested things last night using my laptop, connecting to the VPN via a Wifi hotspot on my phone, and whilst I could authenticate fine, and see/ping internal IP addresses, the hostnames were not resolving.

Laptop is running W10. It was being assigned the correct DNS server, i.e. my USG internal IP. I have read a few things about Windows not using the expected DNS server when using a VPN but I got pretty confused pretty quickly. Is there something obvious I am missing here?

michaelmurfy

meow
13271 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1850801 23-Aug-2017 02:02

SumnerBoy:

Related to my OP, when I connect to the L2TP VPN using my Android phone (after adding my hostnames to the USG config) I can happily *see* those hostnames on my internal network. However I tested things last night using my laptop, connecting to the VPN via a Wifi hotspot on my phone, and whilst I could authenticate fine, and see/ping internal IP addresses, the hostnames were not resolving.

Laptop is running W10. It was being assigned the correct DNS server, i.e. my USG internal IP. I have read a few things about Windows not using the expected DNS server when using a VPN but I got pretty confused pretty quickly. Is there something obvious I am missing here?

Sorry for the late reply but I get the same on Windows 10 on my Surface using OpenVPN. Android phone works fine. I have my OpenVPN server push my internal DNS server out (which is fine) but Windows refuses to use it for anything without a domain. A simple workaround was to append .localdomain onto my domains too (essentially doubling them up) and setting the domain in my router to that also. You can do this on the UniFi portal under Settings --> Networks --> LAN (or the network name) and add the Domain Name as shown:

Still don't understand why Windows (and only Windows) does this... In your case I would assume if you were to go to http://device it is attempting to go to http://device.localdomain which currently isn't in your config file.

SumnerBoy

2076 posts

Uber Geek

ID Verified

Lifetime subscriber

#1850890 23-Aug-2017 08:09

Thanks Michael - appreciate the reply. Glad to hear it is not just me being stoopid. Will try your suggestions but to be honest I am ok just using IP addresses for the rare occasions I need to VPN in.