
Authentication via OpenVPN


  • Authentication via OpenVPN


    We have roughly 30 clients connecting in via OpenVPN to a Windows 2003 AD domain. On our side of the network there is the following equipment:

    Server 2003 PDC (x64)
    Exchange 2007 (running on Server 2003 x64)

    All clients are laptops running the following:

    Windows XP Pro
    Office 2007 Standard
    OpenVPN GUI Client (


    When a user attempts to connect to our AD domain via VPN, the following may occur:

    connection to remote resources fails (e.g. network shares)
    connection to the Exchange server fails

    After further investigation the issue seems to lie with remote clients not resolving machine names (although pinging the IP address works OK). On the second (virtual) adaptor (which OpenVPN creates) we have specified the Active Directory DNS servers. Windows XP seems to be using the DNS server addresses on the physical network connection instead of the servers specified on the virtual network adaptor. However, an nslookup will report that it is using the DNS servers specified on the second adaptor.

    If the machine is left for ~30 minutes it seems to revert to using the DNS servers specified on the virtual adaptor, and hence resolving names works and connection to remote resources works.

    How does Windows XP behave when you have two "active" network connections, both with different DNS servers specified (via DHCP on one adaptor and manually on the second)?

    We spent time building a WINS server and specifying this on the second network adaptor to no avail.

    Can anyone suggest anything else?

    Much appreciated.

  • #2
    Re: Authentication via OpenVPN

    Our company uses OpenVPN as well and we've been experiencing the exact same issues ever since we upgraded from NT4 to 2003 AD. If you come up with any solutions, I'd really like to know what you found.

    I would like to note though that we installed an RRAS and every single user that was having an issue with OpenVPN is working flawlessly with the new server. As soon as they revert back to the OpenVPN solution, though, their problems pop back up.

    Last edited by phrancie; 7th September 2007, 17:55.


    • #3
      Re: Authentication via OpenVPN

      Hi Phrancie,

      After digging a little further with Netmon, we discovered it was using the DNS servers on LAN 1 for both NetBIOS and DNS lookups; after a lapse of time it would revert to using the DNS servers on the virtual interface.

      To resolve this issue we did the following:

      1) Tied DNS / WINS together on our DC
      2) On the LAN1 adaptor specified our LAN DNS server address as primary and OpenDNS's addresses as secondary
      3) On LAN2 specified our internal addresses for DNS / WINS

      The issue seems to be resolved; I will report back if we find anything else out.

      I hope this helps some people!


      • #4
        Re: Authentication via OpenVPN

        Thanks for posting back!
        Technical Consultant

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"


        • #5
          Re: Authentication via OpenVPN


          Edit: I made the post below but then started to wonder, were all your changes on the server side or the client side? All the changes I made were on the client side.


          That's exactly what we're seeing and your suggestion fixed the issue. But it doesn't help us out much, since most of our users take their notebooks home, get a DNS table from their DHCP router/ISP and can't manually add the internal DNS server entry.

          In doing some additional research into previous releases of OpenVPN, 2.0.7 to 2.0.9 was an update to the TAP-Win32 driver. 2.0.9 is the first release where this started to behave like this. Any of our users that have 2.0.7 installed don't see this DNS issue. I've even tried going as far ahead as 2.1-rc4, but that still has the issue.

          Is there a command-line script that can add a DNS entry to the list of addresses received via DHCP without blowing away the list DHCP has given out? If so, I'll just add that to the OpenVPN connection script.

          Last edited by phrancie; 27th September 2007, 19:45.
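The client-side script post #5 asks about, written here as an added example (not from any poster in this thread) using Windows XP's netsh and mirroring steps 2 and 3 of post #3. XP's netsh has no way to append to a DHCP-learned DNS list while leaving the adapter in DHCP mode, so the "up" half records the DHCP-learned servers, switches the adapter to a static list with the internal server first and those servers behind it, and the "down" half hands the adapter back to DHCP. The adapter names "Local Area Connection" and "OpenVPN" and the address 10.0.0.10 are placeholders for your own values.

```batch
@echo off
REM Added example, not from this thread: OpenVPN up/down script for Windows XP (netsh).
REM Placeholders: physical adapter "Local Area Connection", TAP adapter "OpenVPN",
REM internal AD DNS/WINS server 10.0.0.10. Invoked as "vpn-dns.cmd up" / "vpn-dns.cmd down".
REM XP's netsh cannot append to a DHCP-learned DNS list: setting a static entry replaces it.
REM So "up" copies that list into a static list behind the internal server, and "down"
REM returns the physical adapter to DHCP-supplied DNS.
setlocal enabledelayedexpansion
set "LAN=Local Area Connection"
set "TAP=OpenVPN"
set "ADDNS=10.0.0.10"
if /i "%~1"=="down" goto :down

:up
REM Step 3 of post #3: internal DNS and WINS on the virtual (TAP) adapter.
netsh interface ip set dns name="%TAP%" source=static addr=%ADDNS% register=primary >nul
netsh interface ip set wins name="%TAP%" source=static addr=%ADDNS% >nul

REM Step 2 of post #3: internal DNS first on the physical adapter, DHCP-learned servers after it.
REM Read the current list BEFORE switching to static, because the switch discards it.
set N=0
for /f "tokens=*" %%L in ('netsh interface ip show dns name="%LAN%"') do (
  for %%T in (%%L) do (
    echo %%T| findstr /r "^[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*$" >nul && (
      set /a N+=1
      set "DHCPDNS!N!=%%T"
    )
  )
)
netsh interface ip set dns name="%LAN%" source=static addr=%ADDNS% register=primary >nul
for /l %%I in (1,1,%N%) do (
  REM "add dns" without an index appends, so the saved servers keep their original order.
  netsh interface ip add dns name="%LAN%" addr=!DHCPDNS%%I! >nul
)
goto :eof

:down
REM Put the physical adapter back on the DHCP-supplied DNS list.
netsh interface ip set dns name="%LAN%" source=dhcp >nul
goto :eof
```

Hook it into the client config with `up "C:\\path\\vpn-dns.cmd up"` and `down "C:\\path\\vpn-dns.cmd down"`, then confirm the resulting order with `netsh interface ip show dns` or `ipconfig /all` after connecting.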