AD issue via OpenVPN on pfSense

Posted on 2009-02-18
Last Modified: 2012-05-06
Greetings and salutations.

I set up OpenVPN on my pfSense firewall and (almost) everything works well.
My problem is that when I try to access AD resources it prompts me for my full AD UID and password,
even though the workstation is on the domain and works fine when on the network (not VPN).
Typing in UID and password fails; typing in domain\UID and password fails.
I have to type in FQDN\UID and password... then everything works.
So I have to type in:\johndoe
because blat\johndoe doesn't work????

I assume this is an AD issue, but it works fine in the network, just not via OpenVPN on pfSense.

So, here is my network setup:
- main network behind pfSense
- pfSense box 1.2.2 (LAN)
- Server 2003 (Active Directory) (SP2)
- Remote computer VPN
- IP pool for VPN clients
- workstation connected via VPN

From the VPN'ed workstation I can ping everything and get to internal network resources (workstations, servers).
Again, from local workstations there is no problem.

VPN client config:
dev tun
proto udp
remote 1194
ping 10
resolv-retry 2
ca ca.crt
cert openvpn1.crt
key openvpn1.key
ns-cert-type server
verb 1
Question by: vextor

    Accepted Solution

    The short domain name is actually the NetBIOS name for the domain.  When you are connected at work you either resolve NetBIOS names by broadcast, or your network adapter converts it to a DNS query by appending DNS suffixes (domain names) to the request.  The OpenVPN client does not support doing either, leaving you with two options:

    1.  Use FQDN for everything (Recommended).
    2.  Enable WINS on your domain.

    Author Comment

    What do you mean by "everything"?
    I tried to log into the workstation as FQDN\username;
    that doesn't work. :-(
    I log into the system with blat.local\johndoe,
    VPN into the office, and I still can't use my network shares without having to log in.

    I'm trying to avoid my users having to type in FQDN\username after they are logged in.
    This is not an issue when using the Cisco VPN system (I just don't have 3k-5k to run it right now).


    Author Comment

    No one has any other ideas?

    Author Comment

    I enabled WINS on my domain, but I am still seeing the main problem of having to type in
    domain-name\UID each time the users access the server.

    So it's a little better in that I don't need to type domain.local\UID,
    but when logged into the system as a domain user I still have to type domain\UID.
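    The accepted solution's two options (FQDN everywhere, or WINS) and the partial improvement reported after enabling WINS both come down to what name-resolution settings the VPN client actually ends up with. The fragment below is an added example, not the original poster's config and not pfSense's own: OpenVPN server-side push directives that hand a Windows client the LAN's DNS server, DNS suffix and WINS server, so that a short NetBIOS name such as BLAT or a bare host name can be resolved over the tunnel without a broadcast. The 10.0.0.10 address is an assumption; blat.local is the domain named in the thread. On pfSense these directives are entered in the OpenVPN server's custom options field.

```conf
# Added example, not the original poster's config. These are OpenVPN
# *server* directives; the client receives them on connect.
# The 10.0.0.10 address is an assumption (the AD domain controller).

# Internal DNS server. AD locates domain controllers through DNS SRV records
# (_ldap._tcp.dc._msdcs.blat.local), so the client must query the DC's DNS,
# not its ISP resolver, while the tunnel is up.
push "dhcp-option DNS 10.0.0.10"

# DNS suffix appended to unqualified names, so "fileserver" is looked up
# as fileserver.blat.local on the client.
push "dhcp-option DOMAIN blat.local"

# WINS server (assumed to run on the DC) so NetBIOS names such as the
# short domain name BLAT resolve by query rather than by broadcast.
push "dhcp-option WINS 10.0.0.10"

# NetBIOS node type 2 (p-node): ask the WINS server directly and never
# broadcast, since broadcasts do not cross a routed tun link.
push "dhcp-option NBT 2"
```

    These dhcp-option values are applied only by Windows clients, and only when the TAP adapter is left in its default DHCP mode (the OpenVPN default ip-win32 dynamic). After reconnecting, ipconfig /all on the client should show 10.0.0.10 as both DNS and WINS server and blat.local as the connection-specific DNS suffix; nslookup blat.local and nbtstat -c are the quick checks that the suffix and NetBIOS cache are in use. Once the client can locate a domain controller over the tunnel, it can obtain Kerberos tickets for domain shares instead of falling back to an NTLM prompt for domain\user.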


    Author Comment

    /me is sad there is no fix for this. Thanks, aces4all2008, for trying.

    Author Closing Comment

    Thanks for the info.
