
I've configured a Strongswan server on CentOS 7 for roadwarrior situations and it works perfectly.

But I want the Windows 10 clients to get the domain as a DNS suffix and I didn't find any way to do it. I've tried with the WINS server, but it doesn't do what I want. For example, when I try "nslookup my-server", I would like the connection to add the suffix to get the right results. In the current situation, the nslookup fails. Furthermore, the DNS used is not the DNS transferred by IPsec.

ipsec.conf :

    conn %default
            mobike=yes
            keyexchange=ikev2
            forceencaps=yes
            auto=add

    conn IKEv2-eap
            esp=aes256-sha1-modp1024!
            ike=aes256-sha384-modp1024!
            leftauth=pubkey
            leftfirewall=yes
            leftcert=gwCert.pem
            leftsubnet=0.0.0.0/0
            right=%any
            rightsourceip=10.3.0.1-10.3.0.50
            rightauth=eap-mschapv2
            eap_identity=%identity

strongswan.conf :

    charon {
        load_modular = yes
        plugins {
            include strongswan.d/charon/*.conf
            attr {
                dns = 134.158.128.2, 134.158.128.6
                nbns = 134.158.130.183, 134.158.130.156
            }
        }
    }

I have OpenVPN and the domain is "transferred" through the VPN and my nslookup works perfectly. I would like to do the same with Strongswan.

DSX

2 Answers


There is no IKEv2 configuration attribute to assign a set of default DNS suffixes.

While there is a new extension (RFC 8598) that allows configuring split-DNS (using the VPN-assigned DNS servers only for specified domains) it doesn't say anything specifically about DNS suffixes (I guess it's up to the clients whether they also configure the domains as such).

Anyway, that extension won't help you because Windows currently doesn't support it.

However, it's possible to manually set a single DNS suffix on the client via the Set-VpnConnection PowerShell cmdlet:

    Set-VpnConnection -Name "ConnectionName" -DnsSuffix example.com

The problem that VPN-provided DNS servers are not used might be a general issue in Windows 10 (no idea if dependent on the version), see e.g. this question on superuser.com, or search for "Windows 10 VPN DNS leak" or similar.

ecdsa
  • If there is no ikev2 configuration attribute to assign DNS suffix, how is RRAS-based VPN server able to hand out Connection-specific DNS Suffix on Windows VPN clients? – fjch1997 Dec 10 '22 at 10:22
  • well, I figured this out and posted another answer – fjch1997 Dec 11 '22 at 22:08

While there is no possibility in the IKEv2 Configuration Payload (CP) to specify a DNS suffix, Windows VPN clients send a DHCP request upon successful connection to obtain various DHCP options. One of these options is Option 15 Domain Name.

To configure a DNS suffix with a DHCP server using dnsmasq:

You may install dnsmasq on the same server running strongSwan.

  1. apt install dnsmasq

  2. Create a config file at /etc/dnsmasq.d/dnsmasq.conf

    # Disables the DNS server part of dnsmasq; only DHCP is used
    port=0
    domain=example.com

Note: The dhcp-range configuration is not necessary if you are using strongSwan to assign IP addresses. The DHCP server can respond with Options only.

fjch1997
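To verify that the DHCP reply the Windows client receives actually carries Option 15 (Domain Name) and Option 6 (DNS servers), here is a small decoder, added as an example and not part of either answer. It parses the option field of a DHCP packet and runs over a constructed DHCPACK built from the domain in the dnsmasq config and the DNS servers in the question's strongswan.conf; feed it the UDP payload of a captured reply to check a real server.

```python
import socket

DHCP_MAGIC = b"\x63\x82\x53\x63"  # magic cookie that starts the DHCP option field
OPT_PAD, OPT_DNS, OPT_DOMAIN, OPT_MSG_TYPE, OPT_END = 0, 6, 15, 53, 255


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP packet.
    Option TLVs start at offset 240, after the 236-byte fixed header and the
    4-byte magic cookie; repeated codes are concatenated (RFC 3396 style)."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:  # single-byte padding, no length field
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = opts.get(code, b"") + value
        i += 2 + length
    return opts


def dhcp_summary(packet: bytes) -> dict:
    """Extract message type, domain name (Option 15) and DNS servers (Option 6)."""
    opts = parse_dhcp_options(packet)
    dns = opts.get(OPT_DNS, b"")
    return {
        "type": opts.get(OPT_MSG_TYPE, b"\x00")[0],
        "domain": opts.get(OPT_DOMAIN, b"").decode("ascii").rstrip("\x00"),
        "dns": [socket.inet_ntoa(dns[j:j + 4]) for j in range(0, len(dns) - len(dns) % 4, 4)],
    }


def build_sample_ack() -> bytes:
    """Constructed DHCPACK (not a real capture) with the options the answer describes."""
    header = bytes([2, 1, 6, 0]) + b"\x00" * 232  # op=BOOTREPLY, htype=1, hlen=6, rest zeroed
    opts = bytes([OPT_MSG_TYPE, 1, 5])  # 5 = DHCPACK
    opts += bytes([OPT_DNS, 8]) + socket.inet_aton("134.158.128.2") + socket.inet_aton("134.158.128.6")
    opts += bytes([OPT_DOMAIN, len(b"example.com")]) + b"example.com"
    return header + DHCP_MAGIC + opts + bytes([OPT_END])


if __name__ == "__main__":
    print(dhcp_summary(build_sample_ack()))
```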