RedHatNordicsSA / cool-lab

Red Hat Nordics Lab
GNU General Public License v3.0

Fix IdM DNS over VPN #58

Closed ikke-t closed 2 years ago

ikke-t commented 2 years ago

IdM doesn't allow DNS queries forwarding for VPN clients, which makes it hard to connect to lab. Loosen the DNS config to allow VPN queries.

ikke-t commented 2 years ago

Getting DNS to work for VPN clients was a rather troublesome feature. It required proper settings on the laptop, OPNsense and IdM.

I didn't automate this :(. Here are the steps:

  1. Allow DNS to recurse and forward for VPN clients

For both IdMs, add to the file /etc/named/ipa-options-ext.conf:

acl "trusted_network" {
  10.254.253.0/24;
  localnets;
  localhost;
};

allow-query { "trusted_network"; };
allow-query-cache { "trusted_network"; };
allow-recursion { "trusted_network"; };

and restart the services:

ipactl restart

Now IdM works for remote queries and allows forwarding. This is important for finding the VMware hosts etc. that are known by the Arrow DNS server.

  2. Change OPNsense DNS to point to IdM

Done in /vpn_openvpn_server.php?act=edit&id=0 -> DNS Servers

  3. Client config

On F35, I changed to using systemd-resolved.

You can tell resolved to use a different DNS server for different domains in /etc/systemd/resolved.conf:

[Resolve]
DNS=10.128.1.10#cool.lab 10.128.1.10#app.ocpmgt.cool.lab 10.128.1.10#ocpmgt.cool.lab
DNS=10.1.102.5#arrowdemo.se

and restart resolved:

sudo systemctl restart systemd-resolved

and make name resolution go through resolved by changing /etc/nsswitch.conf:

# hosts:      files myhostname mdns4_minimal [NOTFOUND=return] resolve [!UNAVAIL=return] dns
hosts:      resolve [!UNAVAIL=return] files myhostname mdns4_minimal [NOTFOUND=return] dns

and fix /etc/resolv.conf:

sudo rm /etc/resolv.conf
sudo ln -s /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Now when you connect to the cool-lab VPN, it should resolve all addresses fine. It should also work without resolved, as it should point to and forward all queries through IdM.
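The server-side step above was done by hand on both IdM servers. The script below is an added example, not code from the cool-lab repository, that renders the same /etc/named/ipa-options-ext.conf fragment and sanity-checks it before it is installed. It assumes the VPN client subnet 10.254.253.0/24 from the comment (overridable via VPN_NET) and takes a target root directory as its argument so it can be dry-run into a temp dir. Two checks matter here: an unclosed acl block makes named fail to load on the next ipactl restart, and granting allow-recursion to "any" would turn the IdM name servers into open resolvers, which is why the ACL is scoped to the VPN subnet plus local networks rather than opened up wholesale.

```shell
#!/usr/bin/env bash
# Added example, not part of the cool-lab repo: render and sanity-check the
# /etc/named/ipa-options-ext.conf fragment from step 1 of the comment.
# Assumptions: VPN client subnet 10.254.253.0/24 (as in the comment, override
# with VPN_NET) and a writable target root ($1) so this can be dry-run.
set -eu

VPN_NET="${VPN_NET:-10.254.253.0/24}"

# Print the BIND fragment: an ACL limited to the VPN subnet plus local
# networks, and the three allow-* statements that reference it.
render_named_acl() {
  net="$1"
  cat <<EOF
acl "trusted_network" {
  ${net};
  localnets;
  localhost;
};

allow-query { "trusted_network"; };
allow-query-cache { "trusted_network"; };
allow-recursion { "trusted_network"; };
EOF
}

# Return 0 when the counts of '{' and '}' match. A hand-edited fragment with
# an unclosed acl block makes named refuse to start at the next ipactl restart.
check_braces() {
  opens=$(tr -cd '{' <"$1" | wc -c | tr -d ' ')
  closes=$(tr -cd '}' <"$1" | wc -c | tr -d ' ')
  [ "$opens" -eq "$closes" ]
}

# Return 0 when an allow-recursion statement grants recursion to "any",
# i.e. the server would answer recursive queries from the whole internet.
grants_recursion_to_any() {
  sed -n 's/^[[:space:]]*allow-recursion[[:space:]]*{\(.*\)}.*$/\1/p' "$1" | grep -qw any
}

# Write the fragment under $1/etc/named, refusing obviously bad results.
# Prints the path of the written file on success.
install_named_acl() {
  root="${1:-/}"
  out="$root/etc/named/ipa-options-ext.conf"
  mkdir -p "$(dirname "$out")"
  render_named_acl "$VPN_NET" >"$out"
  check_braces "$out" || { echo "unbalanced braces in $out" >&2; return 1; }
  grants_recursion_to_any "$out" && { echo "refusing open-resolver ACL in $out" >&2; return 1; }
  echo "$out"
}

# Usage:
#   install_named_acl "$(mktemp -d)"   # dry run into a temp dir, inspect the output file
#   sudo install_named_acl /           # on each IdM server, then: ipactl restart
```

Run it once per IdM server and follow with ipactl restart, as in the comment. After the restart, a quick confirmation from a VPN client is `dig @<idm-ip> <name-in-cool.lab>` returning an answer rather than REFUSED, while the same query from outside the trusted_network ACL should still be refused.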