AD issue via OpenVPN on pfSense

Posted on 2009-02-18
Last Modified: 2012-05-06
Greetings and salutations.

I set up OpenVPN on my pfSense firewall and (almost) everything works well.
My problem is that when I try to access AD resources it prompts me for my full AD UID and password,
even though the workstation is on the domain and works fine when on the (non-VPN) network.
Typing in UID and password fails; typing in domain\UID and password fails.
I have to type in FQDN\UID and password... then everything works.
So I have to type in:
because blat\johndoe doesn't work????

I assume this is an AD issue, but it works fine in the network, just not via OpenVPN on pfSense.

So, here is my network setup: : main network behind pfSense : pfSense box 1.2.2 (LAN) : Server 2003 (active directory) (SP2) : Remote computer VPN  IP pool for VPN clients workstation connected via VPN

From the VPN'ed workstation I can ping everything and get to internal network resources (workstations, servers).
Again, from local workstations there is no problem.

VPN client config:
dev tun
proto udp
remote blat.dyndns.net 1194
ping 10
resolv-retry 2
ca ca.crt
cert openvpn1.crt
key openvpn1.key
ns-cert-type server
verb 1
Question by:vextor

Accepted Solution

aces4all2008 earned 1000 total points
ID: 23677080
The short domain name is actually the NetBIOS name for the domain.  When you are connected at work you either resolve NetBIOS names by broadcast or your network adapter converts it to a DNS query by appending DNS suffixes (domain names) to the request.  The OpenVPN client does not support doing either, leaving you with 2 options:

1.  Use FQDN for everything (Recommended).
2.  Enable WINS on your domain.
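As an added example (not from the asker or from aces4all2008): for option 2 to help a VPN client, the client must also learn the WINS server address and the AD DNS suffix, which OpenVPN can hand out with the dhcp-option directive; the asker's posted client config has none of these. The address 192.168.1.10 is a placeholder for the domain controller running DNS and WINS, and blat.local is the domain name from the thread.

```conf
# Server side (pfSense OpenVPN server, custom options): push the AD DNS
# suffix, the AD DNS server and the WINS server to every connecting client.
push "dhcp-option DOMAIN blat.local"
push "dhcp-option DNS 192.168.1.10"
push "dhcp-option WINS 192.168.1.10"

# Client side equivalent: the same three lines can instead be added to the
# posted client config (dev tun / proto udp / remote blat.dyndns.net 1194)
# if the server cannot be changed.
dhcp-option DOMAIN blat.local
dhcp-option DNS 192.168.1.10
dhcp-option WINS 192.168.1.10
```

On the Windows client, `ipconfig /all` should then list the TAP adapter with the pushed connection-specific DNS suffix and WINS server; if the suffix is missing, a short name such as blat still cannot be resolved and option 1 (FQDN) remains the only working path.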

Author Comment

ID: 23736072
What do you mean by "everything"??
I tried to log into the workstation as FQDN\username;
that doesn't work. :-(
I log into the system with blat.local\johndoe,
VPN into the office, and I still can't use my network shares without having to log in.

I'm trying to avoid my users having to type in the FQDN\username after they are logged in.
This is not an issue when using the Cisco VPN system (just don't have 3k-5k to run it right now).


Author Comment

ID: 23787301
No one has any other ideas??


Author Comment

ID: 23930368
I enabled WINS on my domain but I am still seeing the main problem of having to type in
domain-name\UID each time the users access the server.

So it's a little better that I don't need to type domain.local\UID,
but when logged into the system as a domain user I still have to type domain\UID.


Author Comment

ID: 24345601
/me is sad there is no fix for this, thanks aces4all2008 for trying.

Author Closing Comment

ID: 31548550
Thanks for the info.
