Hello OPNsense community,
I am currently using an OpenVPN server on OPNsense in tun mode on the WAN interface. For DNS, I am using a local AD Windows Server 2019 with DNS service enabled, where dynamic updates for secure/unsecure zones are allowed. However, I am encountering issues with this setup, and I need some assistance.
The problem I am facing is that no DNS records are created for the clients on the DNS server.
Here is a summary of my current configuration:
OPNsense OpenVPN server in tun mode on the WAN interface, with the local DNS IP of the Windows server pushed to clients
Local AD Windows Server 2019 with DNS service enabled.
Dynamic updates for secure/unsecure zones are allowed on the Windows DNS server.
Could you please provide guidance on how to troubleshoot and resolve this issue? Any suggestions, advice, or steps to follow would be greatly appreciated.
Thank you in advance for your help.
Best regards,
Martin
So I'm back to close this node.
I was able to fix this issue with a client-connect function added to the advanced config of the OpenVPN server. This function calls a script, which connects via ssh to the AD controller and runs another ps1 script. PowerShell dynamically updates the DNS records on AD. Everything is working now.
Sounds like a complete security nightmare in the making.
rsa_id made the thing; in the end it was easy. Well, I can say that now :)
I thought it would be fine to share the PowerShell code with you guys, so here it is; the Czech notes are the only thing you need to translate in case you don't understand them :)
param (
    [Parameter(Mandatory = $true)][string]$AssignedUserName,
    [Parameter(Mandatory = $true)][string]$ClientIP
)
$ProgressPreference = "SilentlyContinue"
Import-Module ActiveDirectory -ErrorAction Stop
Import-Module DnsServer -ErrorAction Stop

# Forward DNS zone name
$DNSZoneName = "domain.name"

# Refuse anything that is not a parseable IP address before touching DNS
$parsedIP = $null
if (-not [System.Net.IPAddress]::TryParse($ClientIP, [ref]$parsedIP)) {
    Write-Host "Neplatná IP adresa."
    return
}

# Work out the matching reverse zone from the third octet
$thirdOctet = [int]($ClientIP.Split('.')[2])
$ReverseDNSZoneName = if ($thirdOctet -in 0..79) { "$thirdOctet.16.172.in-addr.arpa" }
                      elseif ($thirdOctet -in 80..126) { "$thirdOctet.17.172.in-addr.arpa" }
                      else { "Unknown" }
if ($ReverseDNSZoneName -eq "Unknown") {
    Write-Host "Neplatná IP adresa pro existující reverzní zóny."
    return
}

# Look up the hostname of the computer assigned (ManagedBy) to the user
function Get-AssignedComputerName {
    param ([string]$UserName)
    $user = Get-ADUser -Filter { SamAccountName -eq $UserName } -ErrorAction SilentlyContinue
    if ($user) {
        # Property access ($user.DistinguishedName) is not expanded inside an AD -Filter
        # script block, so copy the DN into a plain variable first
        $userDN = $user.DistinguishedName
        $computer = Get-ADComputer -Filter { ManagedBy -eq $userDN } -ErrorAction SilentlyContinue |
            Select-Object -First 1
        if ($computer) { return $computer.Name }
    }
    return $null
}

$assignedComputerName = Get-AssignedComputerName -UserName $AssignedUserName
if (-not $assignedComputerName) {
    Write-Host "A a PTR záznamy nebudou přidány kvůli nepřítomnosti přiřazeného počítače."
    return
}
# Strip any domain suffix so only the short hostname is used as the record name
$hostname = $assignedComputerName -replace "\..*$", ""

# Update the A record (replace the existing one, otherwise create it)
$existingARecord = Get-DnsServerResourceRecord -ZoneName $DNSZoneName -Name $hostname -RRType "A" -ErrorAction SilentlyContinue |
    Select-Object -First 1
if ($existingARecord) {
    $newRecord = $existingARecord.Clone()
    $newRecord.RecordData.IPv4Address = $parsedIP
    Set-DnsServerResourceRecord -ZoneName $DNSZoneName -OldInputObject $existingARecord -NewInputObject $newRecord
} else {
    Add-DnsServerResourceRecordA -Name $hostname -ZoneName $DNSZoneName -IPv4Address $ClientIP -AgeRecord
}

# Update the PTR record: the record name in a /24 reverse zone is the last octet
$reversedIPParts = $ClientIP.Split('.')
[array]::Reverse($reversedIPParts)
$reversedIP = $reversedIPParts[0]
# Pool addresses are reused between clients, so drop any stale PTR for this IP first
Remove-DnsServerResourceRecord -ZoneName $ReverseDNSZoneName -Name $reversedIP -RRType "Ptr" -Force -ErrorAction SilentlyContinue
Add-DnsServerResourceRecordPtr -Name $reversedIP -ZoneName $ReverseDNSZoneName -PtrDomainName "$hostname.$DNSZoneName" -AgeRecord -ErrorAction SilentlyContinue
Here is the sh script for the client-connect function:
#!/bin/sh
# OpenVPN client-connect hook. OpenVPN passes the path of a temporary client
# config file as $1 (not needed here) and exports the connection details as
# environment variables.
client_name=$common_name
client_ip=$ifconfig_pool_remote_ip

# Run the PowerShell script on the Windows server with these values.
# Adjust the parameter names to match your PowerShell script.
# Note: OpenVPN rejects the client when a client-connect script exits non-zero,
# so the ssh exit status below decides whether the client is allowed to connect.
ssh username@your.dc.hostname "powershell -File C:\\Path\\to\\script.ps1 -AssignedUserName \"$client_name\" -ClientIP \"$client_ip\""
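A hardened variant of the client-connect hook, as an added example that is not the original poster's script: it validates $common_name (which comes straight from the client certificate's CN) and $ifconfig_pool_remote_ip before they are interpolated into the remote command line, keeps that command line in a function so it can be inspected without contacting the DC, and treats a failed DNS update as non-fatal for the VPN session. The ssh user, DC hostname and script path are placeholders, as in the original; ssh's BatchMode/ConnectTimeout options and the powershell -NoProfile/-NonInteractive switches are standard.

```shell
#!/bin/sh
# Hardened OpenVPN client-connect hook (added example; hostnames, ssh user and
# script path are placeholders). Values come from the OpenVPN environment.

SSH_TARGET="${SSH_TARGET:-username@your.dc.hostname}"
REMOTE_SCRIPT='C:\Path\to\script.ps1'

# Accept only characters that legitimately occur in a certificate CN used as a
# user name: letters, digits, dot, underscore, hyphen; 1 to 64 characters.
is_valid_cn() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$'
}

# Dotted-quad IPv4 with every octet in the range 0-255.
is_valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the exact remote command line. Kept separate so it can be reviewed and
# tested without running ssh; %s substitution does not interpret backslashes,
# so the Windows path is passed through unchanged.
build_remote_command() {
    printf 'powershell -NoProfile -NonInteractive -File %s -AssignedUserName "%s" -ClientIP "%s"' \
        "$REMOTE_SCRIPT" "$1" "$2"
}

main() {
    cn=${common_name:-}
    ip=${ifconfig_pool_remote_ip:-}
    if ! is_valid_cn "$cn" || ! is_valid_ipv4 "$ip"; then
        logger -t ovpn-dns "skipping DNS update: unexpected common_name or pool IP"
        # Fail open: the VPN session is still accepted, only the DNS update is skipped.
        exit 0
    fi
    cmd=$(build_remote_command "$cn" "$ip")
    if ! ssh -o BatchMode=yes -o ConnectTimeout=5 "$SSH_TARGET" "$cmd"; then
        logger -t ovpn-dns "DNS update for $cn ($ip) failed"
    fi
    # A non-zero exit here would make OpenVPN drop the client, so always return 0.
    exit 0
}

# OpenVPN always exports ifconfig_pool_remote_ip when it runs the hook; when the
# file is run by hand without it, only the functions above are defined.
if [ -n "${ifconfig_pool_remote_ip:-}" ]; then
    main
fi
```

On the DC side this pairs well with an authorized_keys entry that restricts the OPNsense key to running this one script, so the key cannot be used for anything else if the firewall is compromised.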