USG FLEX 50 VPN - Split DNS help

segFaultCreat0r
segFaultCreat0r Posts: 4  Freshman Member
First Comment Friend Collector

Hi,

I have recently setup an IPSec VPN (client to site) on my USG FLEX 50.

It is working fine on all the devices I need it to work on. I recently came across an issue regarding DNS.

I have a local DNS server that's setup in the USG's DNS settings and it is working fine for all local devices using DHCP.

However, with the VPN, even though I manually specified the DNS servers in the VPN Connection configuration, it does not use it on client devices.

I tried to manually add a DNS search domain on the macOS VPN connection and that seems to fix it. However, this option is not available on iOS.

Is there a way to configure that option on the VPN config provisioning directly? Or is there any other way to do what I'm trying to achieve (i.e. use a local DNS to resolve local domains on VPN clients)?

I don't really know which settings I need to provide in order to get some help, so I figure I'll just describe the issue and provide relevant configs when asked.

Thanks.

All Replies

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary
    edited December 9

    You may have to set up a Bind DNS server or other on the LAN to have VPN clients point to it.

    Edit

    I tested with IKEv2 by pointing the DNS to a VLAN on the FLEX200 and allowing from IPSec_VPN to Zywall, and that worked. I'll test IKEv1 L2TP over IPSec should you be using that.

    Yes, it works on IKEv1 L2TP over IPSec too.

    Tested on V5.39(ABUI.1): just set the DNS IP to a LAN interface IP gateway and allow from IPSec_VPN to Zywall.

  • segFaultCreat0r
    segFaultCreat0r Posts: 4  Freshman Member
    First Comment Friend Collector

    Thank you very much for the time and tests.

    The DNS is indeed provided with my configuration, but the DNS search domain is not.

    The reason why I need to provide a specific search domain is because we have some internal-only apps that we expose with the same domain name we use for external+internal apps.

    Internal app entries are only present in our local DNS, which should be used when connected to the VPN.

    What I'm essentially looking for is an equivalent of FortiGate's split DNS (https://docs.fortinet.com/document/forticlient/7.2.0/new-features/634537/split-dns-support-for-ipsec-vpn-7-2-3) which we used at a previous job.

    My VPN config is the bare-bones IPSec out of the wizard, configured in remote access (server role). I'm not a VPN expert and this is my first time configuring one. I'm on a testing environment, so I'm open to making changes to the configuration. I used IPSec because it seemed to me like the easy option, but if I can't have split DNS then I'm open to changing the type of VPN.
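    The post above describes the split-DNS requirement (same domain inside and outside, internal-only records that exist only on the local DNS). The following is an added illustration, not code from this thread, from Zyxel or from the USG firmware: it models how a client's resolver chooses a server once a VPN pushes a DNS server and, optionally, a match/search domain (the macOS behaviour the original poster observed), and includes a check a defender can use to see whether queries for the internal suffix would leave via the public resolver. All server addresses, host names and zone contents are constructed.

```python
from dataclasses import dataclass, field

# Constructed zone data. The public resolver knows only public names; the
# internal resolver knows both, which is the "same domain name for external
# and internal apps" setup from the thread.
PUBLIC_DNS = "198.51.100.53"    # constructed public resolver address
INTERNAL_DNS = "10.0.0.53"      # constructed internal resolver address
ZONES = {
    PUBLIC_DNS: {"www.example.com": "203.0.113.10"},
    INTERNAL_DNS: {
        "www.example.com": "10.0.0.10",
        "intranet.example.com": "10.0.0.5",
    },
}


@dataclass
class ResolverConfig:
    """Simplified client resolver policy (hypothetical model)."""
    default_servers: list                              # used when no match domain applies
    match_domains: dict = field(default_factory=dict)  # suffix -> servers (split DNS)
    search_list: list = field(default_factory=list)    # suffixes appended to short names


def qualify(name, search_list):
    """Expand an unqualified name with each search suffix; FQDNs pass through."""
    name = name.rstrip(".")
    if "." in name:
        return [name]
    return [f"{name}.{suffix}" for suffix in search_list]


def pick_server(fqdn, cfg):
    """Longest matching suffix wins; otherwise the default server is used."""
    best = None
    for suffix, servers in cfg.match_domains.items():
        if fqdn == suffix or fqdn.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, servers)
    return best[1][0] if best else cfg.default_servers[0]


def resolve(name, cfg):
    """Return (server, fqdn, answer) for the first candidate that resolves, else None."""
    for fqdn in qualify(name, cfg.search_list):
        server = pick_server(fqdn, cfg)
        answer = ZONES.get(server, {}).get(fqdn)
        if answer:
            return server, fqdn, answer
    return None


def internal_queries_leak(cfg, suffix, internal_servers):
    """True if a query under the internal suffix would go to a non-internal server."""
    return pick_server("probe." + suffix, cfg) not in internal_servers


# Three constructed client states:
#  1. split tunnel, DNS pushed but no match domain (the iOS symptom)
SPLIT_NO_MATCH = ResolverConfig(default_servers=[PUBLIC_DNS])
#  2. split tunnel plus a search/match domain (the macOS workaround)
SPLIT_WITH_MATCH = ResolverConfig(
    default_servers=[PUBLIC_DNS],
    match_domains={"example.com": [INTERNAL_DNS]},
    search_list=["example.com"],
)
#  3. full tunnel: the pushed server replaces the default resolver entirely
FULL_TUNNEL = ResolverConfig(default_servers=[INTERNAL_DNS])

if __name__ == "__main__":
    for label, cfg in [("split/no match", SPLIT_NO_MATCH),
                       ("split/match", SPLIT_WITH_MATCH),
                       ("full tunnel", FULL_TUNNEL)]:
        print(label, resolve("intranet.example.com", cfg),
              "leak:", internal_queries_leak(cfg, "example.com", [INTERNAL_DNS]))
```

    In the model, the first state sends internal queries to the public resolver and gets nothing back for internal-only names, the second routes anything under the internal suffix to the VPN-pushed server, and the third reproduces the "apply full tunneling" outcome mentioned later in the thread at the cost of sending all DNS through the tunnel.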

  • PeterUK
    PeterUK Posts: 3,461  Guru Member
    100 Answers 2500 Comments Friend Collector Seventh Anniversary

    Maybe you have the client VPN with “Use default gateway on remote network” unchecked?

  • segFaultCreat0r
    segFaultCreat0r Posts: 4  Freshman Member
    First Comment Friend Collector
    edited December 10

    I think it has something to do with that.

    Apparently a lot of devices (especially iOS ones) do not properly support split tunneling when it comes to DNS. The official solution seems to be to apply full tunneling.

    EDIT:

    It would seem that OPNsense has managed to fix it through the use of a specific attribute.

    Don't know if that can be edited on the USG FLEX 50 though.

    https://github.com/opnsense/core/issues/3325