SSL VPN slow speed, dns question

sk8erbender
sk8erbender Posts: 74  Ally Member
First Comment Friend Collector Second Anniversary
edited April 2021 in Security

Hi guys ! Configured SSL VPN on non standard port 4433.

I have the following set up:

on my

LAN1 I have AD DHCP , DNS ( scope 192.168.0.2-192.168.0.254 mask 255.254.0.0)

(192.168.0.36 )

I also have linux dns caching and dnscrypt server (192.168.0.237).


Now here goes SSL VPN configuration ( with third party certificate for domain)

Zone ssl _vpn

( network extension local ip 192.168.200.1 )

SSL VPN POOL 192.168.100.20-192.168.100.50

DNS1 - 192.168.0.36 ( AD DNS , DHCP server)

DNS2- 102.168.0.237 ( Linux caching server)

Enable network extension

Force all client traffic to enter ssl vpn tunnel


Secu Extender connects .

But I can't connect to local machines by dns name. (for example \\smbshare.domain.local )

smb share works only with IP and http://192.168.0.36

\\192.168.0.36

Also transfer speed from shares is slow

like 200-300 kb/sec ( though no high load on ATP500 )

is there anything im missing?


Thanks!

«1

All Replies

  • jasailafan
    jasailafan Posts: 193  Master Member
    5 Answers First Comment Friend Collector Sixth Anniversary

    How about adding an Address Record in DNS?

    smbshare.domain.local 192.168.0.36

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    edited November 2019

    Sorry if stupid question where do I put it in on ATP500 ?

    atp500 have no DNs.


    active directory is dns server

    and linux server with dns

  • [Deleted User]
    [Deleted User] Posts: 118  Ally Member
    5 Answers First Comment Friend Collector Fifth Anniversary

    @sk8erbender

    SSL VPN will have an disadvantage(in compare with L2TP) when it comes to throughput

    it's limited to 10Mbp's.

    you can see that if you open your adapter settings when connected.

    When setting force all traffic to tunnel this will cause more bandwidth, and also slower connection speed in the end..

    But in your case this is needed , otherwise you cannot resolve on DNS name in vpn.

    Can you Put the firewall as first DNS server in the SSL VPN config. I believe this should solve the issue.

    Is your Firewall successfully connected with ad? Does it show up in active directory under computers?

    Regarding resolving DNS

    what @jasailafan i think means you can find here, but i think this is not your solution you are seeking..


  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary

    So you mean I remove those DNS servers, put DNS server as Zyxel USG and manually add server names that I need to work ? It's good that I dont have many servers to try.. Will tell how it goes.

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary

    Also is there going to be improvement over 10 mbs?

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary

    Is your Firewall successfully connected with ad? Does it show up in active directory under computers?

    I did not join ATP Device to domain.

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary

    What exactly steps to join in domain? Does joining to domain come from ATP or to join it I go to active directory - computers- add computer ?

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary
    edited November 2019

    Ok Did some tests.


    Ive put DNS server Zywall IP 192.168.200.1

    Ive put test.domain.local 192.168.0.48 in DNS zone


    Connecting to SSL VPN


    trying to ping test.domain.local get answer

    Pinging test.domain.local [127.0.0.200] with 32 bytes of data:

    Reply from 127.0.0.200: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.200: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.200: bytes=32 time<1ms TTL=128

    Reply from 127.0.0.200: bytes=32 time<1ms TTL=128


    nslookup test.domain.local 192.168.200.1

    DNS request timed out.

       timeout was 2 seconds.

    Server: UnKnown

    Address: 192.168.200.1


    What the heck.. (

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary

    Ok! Figured it out. It seems I have dns leak from provider where I connect VPN_SSL.


    Used dnscrypt and then connected with VPN_SSL ( first setup with 2 dns 192.168.0.36 and 192.168.0.237)

    works good now.


    Last problem is.

    If I go http://test.domain.local ( full name) all good

    but I cant go http://test without full name . What can I do with this?

    using full name for shares not good..

    Need prefix of domain.local in my ssl_vpn connection

  • sk8erbender
    sk8erbender Posts: 74  Ally Member
    First Comment Friend Collector Second Anniversary

    So how to configure prefix domain.local for vpn_ssl ? Dont see any option in GUI maybe there is something in terminal ?

Security Highlight