
VPN and DNS configuration
I'm trying to set up a PPTP VPN from a user's Windows XP machine to a Windows 2003 server. We already have the VPN connection set up in Routing and Remote Access and the user can log in, but the user is having trouble connecting to some services on the server through the VPN. I suspect the problem is a combination of DNS and firewall SNAFUs.

The server is colo'd behind a firewall and has a public web service and a private ftp service. There are a few other services, but I'm using ftp as an example. Since the owners don't want anyone else using the ftp, they've had us close off ftp access on the firewall to everyone except a whitelist of their office's static IP netblock.

Now the owners want to be able to ftp in from random dial-up accounts. Hence the VPN. They also want to use their dial-up internet service while they are logged in, so we had them turn off the "use default gateway on remote network" option. Other than that, everything is pretty much the default setup.

What's happening is this: When the user is logged in over VPN, their DNS requests for the server go through their ISP's DNS server. This gives them the server's public IP address, sending their traffic through the ISP's network until it bounces off the firewall because they're not in the whitelist.

To get around the firewall, the user's machine needs to direct packets meant for the server through the VPN tunnel. The VPN uses addresses in the link-local 169.254.x.x range, which nothing in the ISP's DNS is going to resolve to. So in short, we need a way to make the user's machine resolve servername.com to the link-local address on the other side of the tunnel.

Merely opening a VPN connection doesn't magically do this. It's not clear to me how the destination server could send across the information. It is not running a DNS server and probably doesn't even know its own FQDN. Its DNS is handled by another system.

I doubt that editing the hosts file is the way to go. The IP address the server gives itself may be random (I'm not sure on this) and in any case, the user is not computer literate enough to edit a hosts file without giving us trouble. Also, when they turn off the VPN, they might still want to access the server by its regular IP address (as a regular web user), and if the hosts file still points to the VPN, that would be a problem. The VPN client configuration contains an option to add DNS suffixes for creating server aliases, but if the server's link-local address is random, this won't help since DNS is configured statically.

I'm new to VPNs and I don't know what goes on during the handshake or what they can or can't do, so I'm stuck. There has to be some way to configure the VPN server to send dns/routing information to the client during the handshake. Otherwise, a VPN would just be a useless route to a meaningless IP. However, I can't find anything useful in the server's Routing and Remote Access menu.

Any help on this would be appreciated.

The VPN server is behind the firewall?
That sounds wrong to me but I only have a working knowledge of Cisco VPN server/client setups.
-----------------------------------------
Draft Obama [link|http://www.draftobama.org/|now].
Yes
The VPN server is running on the Windows server that they need FTP access to. It's intended to be a direct link that they can use to bypass the firewall and get the same kind of access they have on their static IP block that we let through the firewall.

Hmm. Thought I'd answered this this morning, but I must have forgotten to take it out of preview.
For the record, the solution...
I had to add a static route for the server's public IP in the server's Routing and Remote Access configuration. Didn't have to do anything for the link-local address, the server automatically advertises the route through it. Still not sure on the method used to advertise the route, whether it's a standard or whatnot, but I could probably sniff my own connection if I wanted to find out.
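The following is an added illustration, not code from the thread or from Windows RRAS: it models the client's routing decision that the original question (ISP DNS returning the public address, packets leaving via the dial-up default gateway) and the final answer (a static route for the server's public IP, learned over the tunnel) describe. All addresses, the interface names, and the whitelist netblock are constructed placeholders from documentation ranges; the route lookup is a plain longest-prefix match, which is how a host's IP stack picks the outgoing interface.

```python
import ipaddress

# Constructed routing table modelled on the thread: the dial-up default route
# stays on the ISP because "use default gateway on remote network" is off,
# and the PPTP tunnel only brings a link-local (169.254.0.0/16) route with it.
# Every address below is a placeholder, not a value from the original posts.
BASE_ROUTES = [
    ("0.0.0.0/0", "isp-dialup"),         # ISP default gateway
    ("169.254.0.0/16", "pptp-tunnel"),   # link-local tunnel subnet from RRAS
]

SERVER_PUBLIC_IP = "203.0.113.10"        # constructed (TEST-NET-3 range)
OFFICE_WHITELIST = "198.51.100.0/24"     # constructed office static netblock
DIALUP_SOURCE_IP = "192.0.2.77"          # constructed dial-up address


def pick_route(routes, dst):
    """Return the interface chosen by longest-prefix match for destination dst."""
    dst = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def firewall_allows_ftp(src_ip):
    """Colo firewall rule from the thread: FTP only from the office whitelist."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(OFFICE_WHITELIST)


def route_without_static():
    # Before the fix: the public IP matches only the default route.
    return pick_route(BASE_ROUTES, SERVER_PUBLIC_IP)


def route_with_static():
    # After the fix: a /32 route for the public IP wins over the default route,
    # so packets for the server enter the tunnel instead of the ISP path.
    routes = BASE_ROUTES + [(SERVER_PUBLIC_IP + "/32", "pptp-tunnel")]
    return pick_route(routes, SERVER_PUBLIC_IP)


def ftp_reaches_server_without_static():
    # Via the ISP path the firewall sees the dial-up source address and drops it.
    return route_without_static() == "pptp-tunnel" or firewall_allows_ftp(DIALUP_SOURCE_IP)


def ftp_reaches_server_with_static():
    # Via the tunnel the traffic terminates on the server behind the firewall,
    # so the firewall's FTP whitelist is never consulted.
    return route_with_static() == "pptp-tunnel" or firewall_allows_ftp(DIALUP_SOURCE_IP)


if __name__ == "__main__":
    print("without static route:", route_without_static(),
          "-> ftp reachable:", ftp_reaches_server_without_static())
    print("with static route:   ", route_with_static(),
          "-> ftp reachable:", ftp_reaches_server_with_static())
```

The model makes the thread's point visible: no DNS change is required at all, because the name still resolves to the public address; what changes is that a more specific route for that address sends the packets down the tunnel, so the firewall's whitelist never sees the dial-up source address.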