Thanks for your extremely detailed response; it's taken me a while to get 
through it and I hope that I've understood what you are saying properly.

BTW.  I've learned quite a bit :-)

See my responses below.

On Sunday, 17 April 2022 15:17:04 BST Patrick Wigmore wrote:
> If I understand you correctly, I think you are saying that each device
> on the WMT Network is allocated an address in the range.
> This does not make sense. Why would the WMT Network devices need
> addresses, in addition to their ones?

I'm not sure where the information came from regarding the 
address range; probably in one of my many conversations with the author of 
pistrong.  It looks like I misunderstood him.

> This also means that the VPN clients will not be getting told about
> the DNS server via DHCP, so they won't automatically use
> it. This means their traffic won't get forwarded to the web server
> automatically. If you wanted them to know about that DNS server, you
> would need to configure the VPN server to tell them about it. They
> won't discover it automatically via DHCP like an on-site network
> client would.

According to the author of pistrong they are.  Here is a part of the Query/
Response session that pistrong generates during installation and configuration 
of the server:

DNS Server for connected VPN clients:,

The bit before the : is the Query and the rest is my response.  You can see 
that the system has the information and should provide it to the client during 
negotiation.  However, there appears to be no path to from the 
client in use and so (I assume) the client drops it and only remains.  
(However see below.)

Early in the development process the author of pistrong suggested that I add 
the to that response so that the client could still access the 
Internet while connected to the WMT Network via the VPN Server.

> Be aware that VPN clients will sometimes use a VPN-provided DNS server
> for EVERYTHING, which could have the effect of intercepting DNS
> queries for traffic that has nothing to do with the VPN, which might
> break networking for things that are running on the same machine as
> the VPN client, and could cause a privacy issue. If possible, it may
> be better to configure the VPN clients so that the WMT DNS server is
> only used to query domain names that are part of the WMT network.

The WMT DNS Server does only provide IP Addresses for the hosts on the WMT 
Network.  Putting together your comment about privacy and my old IT Manager's 
reaction when someone at work 'bridged' the network, I see that this wasn't a 
particularly good idea.

> So, when you said:
> > The VPN Server doesn't know the IP Address of the
> > Webserver, but it doesn't need to because all traffic should be
> > forwarded to it.
> The second part of the statement was untrue. The VPN server DOES need
> to know the IP address of the Webserver (assuming you want it to tell
> its clients), because the automatic forwarding to the Webserver only
> works for DHCP clients in the local network.

I think there may be a misconception here.  When I said forwarding, I meant 
that any queries in the subnet should be forwarded to all the 
devices in that subnet.  That would include the Webserver on  
However for that to happen the VPN Client clearly needs to know that that IP 
Address provides a DNS Server and for some reason it either doesn't or it does 
and it can't get there (see below)

> Do you mean that it does not work automatically, or do you mean that
> clients logged in via the VPN cannot query this server at all. What
> happens if you say explicitly which server to query, by doing:
>     $ dig @ [webserver domain name]
> or
>     $ nslookup [webserver domain name]
> on a device that is connected via the VPN?

This is where I took one or two steps forward.  Below is the console output 
during a VPN session.  I've interspersed a few comments:

terry@OptiPlex:~/Useful$ systemd-resolve --status 
      Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported 
resolv.conf mode: foreign 

Link 2 (eno1) 
   Current Scopes: DNS 
        Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/
Current DNS Server: 
      DNS Servers:

This is the response immediately after I've connected from the client (my 
desktop machine).  The client only knows about my local router which provides 
the DNS Service for machines logging on to my home network.

I then logged on to VPN Server (I've obfuscated the username for security 
purposes because this is a public forum):

terry@OptiPlex:~/Useful$ ssh ****@ 
****@'s password:  
Linux VPN-Server 5.15.32-v7l+ #1538 SMP Thu Mar 31 19:39:41 BST 2022 armv7l 

I then tried to run 'systemd-resolve --status' but this isn't supported so I 
****@VPN-Server:~ $ cat /etc/resolv.conf 
# Generated by resolvconf 

So the information that I set up in dhcpcd.conf on the VPN Server is clearly 
doing its stuff.

I then exited from the VPN Server and did:

****@VPN-Server:~ $ exit 
Connection to closed. 
terry@OptiPlex:~/Useful$ systemd-resolve --status 
        Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported 
 resolv.conf mode: foreign 
Current DNS Server: 
      DNS Servers: 

Link 2 (eno1) 
   Current Scopes: DNS 
        Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/
Current DNS Server: 
      DNS Servers:

So the client now knows about and it also knows about  
When I showed this to the pistrong author he said that the Global data on DNS 
Servers was the wrong way round because the client would try first and 
never try because it got a connection on the first one.  That was 
news to me because I always thought that clients would keep trying DNS Servers 
in the order that they appeared until they either did or did not find the 
device name they wanted.  In any case, I never entered them in that order (see 
above) so I'm not sure what is changing them around.

> Based on all of the above, I would expect that VPN clients cannot
> access the Webserver using its domain name, but they can do using its
> IP address. Is this true, or is it inaccessible even by IP address?
> If the Webserver is inaccessible even by IP address, what happens if
> you try to ping it?

It doesn't work, which is why I thought there might be a problem with routing.

> When a VPN client connects to the Web Server, in theory the web server
> would see that connection coming in from a address, not a
> one. So, it is a given that the Webserver has to be
> configured to accept connections from clients.

So how would I do that?  I always assumed that the VPN Server included a 
router that would sort all that out.  The iptables output would indicate that 
it does.


                Terry Coles

  Next meeting: Online, Jitsi, Tuesday, 2022-05-03 20:00
  Check to whom you are replying
  Meetings, mailing list, IRC, ...
  New thread, don't hijack:

Reply via email to