Hi all, I have a Vigor 2860 router and use the L2TP over IPSec VPN feature when I am away from home.

On my Windows 10 Pro laptop using the standard builtin windows VPN client, even though I specify the IP of my local Windows Server DNS server in the VPN options and have tried specifying the DNS suffix of addc.local (My AD domain at home) in the general IPv4 DNS settings, when connected to the VPN I can't access my local DNS and thus things like group policy upgare (gpupdate /force) fail.

Have tried using the hosts file as a work around and while that works for general SMB/CIFS file shares, it does not work for ad related components like AD Users and Computers or GPUpdate!

And of course the IP of my Windows Server (Active Directory & DNS server) is set as the primary DNS server for the LAN on my Vigor 2860.

How can I resolve these issues when using the VPN to remote into my local network?

Regards: Elliott.

Active Directory requires a working DNS server, so presumably, somewhere in your domain you have one ? (re-reading your post, you seem to be saying you have).

I think the reason things are not quite working, is because you're telling the VPN client to use the 2860 as the DNS server and relying on it to forward requests to your 'real' one. Either by accident or design, it doesn't do that ... it just forwards lookups to whatever DNS servers your ISP has configured. EDIT: Maybe Applications >> LAN DNS / DNS Forwarding can be coerced into doing this, but I've not investigated that functionality.

What you need, is for the DHCP server (be it on the 2860, or on a Windows m/c) to pass your DNS server address to LAN clients, along with their allocated IP address. (I set my 2860 to use these same DNS servers for its own purpose as well; but it's purely a client.)

The DNS suffix can (and probably should) be automatically configured, using Group Policy.

Perhaps set your internal DNS server(s) to use OpenDNS or QUAD 9 as 'forwarders' and the job, as they say, should be a good 'un :wink:

BTW, is the 2860 running the latest firmware? I recall a bug that was only fixed very recently, where the 2860's DHCP server would hand out the ISP's DNS server addresses - even though (in my case), they weren't configured, or intended to be used, anywhere.

But even when I do:

nslookup windows-server.addc.local 192.168.2.11

From my laptop whilst connect to the VPN, I get DNS timeouts; Yet I can still ping 192.168.2.11 and get reply's of around 50ms do "telnet 192.168.2.11 53" from cmd and it connects whilst connected to the VPN.

If I RDP onto my Home Theater PC and do

nslookup windows-server.addc.local 192.168.2.11

I get the response of all the IP's of Windows-Server as expected.

What is going on here? I think wire shark may be my next step.

My first guess, was that the client was using the wrong DNS server(s), but now it sounds like DNS traffic is being blocked by a firewall - though that does seem unlikely...
...if the VPN is very slow, I suppose it really could be simply "timing out".

You could temporarily disable the firewalls on both client and server to see?

I always found it more beneficial, in a Windows domain environment, to setup one or more of my servers with the Routing & Remote Access role and to setup pass-through on the Draytek. It can be a little fiddly to setup for the first time but the seamless integration with your DHCP and DNS servers is a real advantage. I have two RRAS servers offering L2TP and SSTP VPN connections, SSTP is very flexible and, like a SSL VPN, connects over port 443 and so gets around most firewalls, you just need to make sure you have a valid certificate.

Fixed it, it was two part;

1st I had this in my Draytek Vigor 2860. Once I disabled rule 3, I could do nslookup to "windows-server" while connected to the VPN.



2nd I had the below in my hosts file on my laptop what I had to comment out! Then gpupdate would succeeded and not fail.




Regards: Elliott.