OpenVPN Support Forum

Ok, so for the past couple of years I have been successfully using OpenVPN to access SMB shares on my Freenas server. I have OpenVPN server installed on my DD-WRT router.

I now want to remotely access a number of shares I have set up on a Windows 10 machine. I have no problems accessing the shares within my LAN, however I am unable to access them remotely through OpenVPN, unless I turn off Windows firewall on the Windows 10 machine that contains the shares.

Could someone shed some light on what the problem might be?

Cheers



CLIENT CONFIG:

client
dev tun
proto udp
remote craftyclown.ddns.net 1196
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert laptop.crt
key laptop.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4
float


SERVER CONFIG:

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
server 10.8.0.0 255.255.255.0
dev tun2
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
verb 5

So I've discovered that allowing the netlogon service through the Windows firewall on the destination machine, allows me to see my shares remotely.

Is this a massive security risk?

Still unsure exactly why I'm having this problem. As previously explained, all my Freenas CIF shares work flawlessly, it's just these Windows 10 shares that need a workaround

Still trying to troubleshoot this myself, but having absolutely no joy

This particular Windows 10 machine with the shares I need to access, can't even be pinged via OpenVPN

Local network connections work fine, as does the aforementioned allowing of the netlogon service through the windows 10 machines firewall

I'm totally baffled here and would really appreciate some pointers to help get to the bottom of it.

Cheers

CraftyClown wrote:appreciate some pointers

CraftyClown wrote:I have no problems accessing the shares within my LAN, however I am unable to access them remotely through OpenVPN, unless I turn off Windows firewall on the Windows 10 machine that contains the shares

You want to learn about windows 10 firewall ?

int3nt wrote:

CraftyClown wrote:appreciate some pointers

CraftyClown wrote:I have no problems accessing the shares within my LAN, however I am unable to access them remotely through OpenVPN, unless I turn off Windows firewall on the Windows 10 machine that contains the shares

You want to learn about windows 10 firewall ?

Well I'm glad my ignorance has entertained you

I just want to understand why this Firewall issue is only present when accessing the shares via OpenVPN and whether there is an adjustment I can maybe make server side to prevent it?

As I mentioned before, my setup has worked fine for the past couple of years when my shares were on a Freenas box, but now I need to access a Windows box I'm struggling.

Who said "ignorance" ..

You have pointed out exactly where the problem is .. Windows 10 Firewall ..

Just allow the packets from your VPN in your firewall .. or use NAT at your vpn server.

int3nt wrote:Who said "ignorance" ..

You have pointed out exactly where the problem is .. Windows 10 Firewall ..

Just allow the packets from your VPN in your firewall .. or use NAT at your vpn server.

Ha ha, I said ignorance, because when it comes to this vpn business I'm a bit clueless

Could you explain what you mean by "Just allow the packets from your VPN in your firewall .. or use NAT at your vpn server"?

Thanks for your time

CraftyClown wrote:I just want to understand why this Firewall issue is only present when accessing the shares via OpenVPN

This is due to the source IP of packets from the VPN not being in the same subnet as the Windows machine.

Probably like this:

• Windows 10 IP subnet : 192.168.0.0/24
• VPN subnet : 10.8.0.0/24

So, Windows firewall blocks these packets .. unless you add a rule to the firewall to allow them.

CraftyClown wrote:and whether there is an adjustment I can maybe make server side to prevent it?

You can also use iptables NAT on the server .. documented here:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

TinCanTech wrote:

CraftyClown wrote:I just want to understand why this Firewall issue is only present when accessing the shares via OpenVPN

This is due to the source IP of packets from the VPN not being in the same subnet as the Windows machine.

Probably like this:

• Windows 10 IP subnet : 192.168.0.0/24
• VPN subnet : 10.8.0.0/24

So, Windows firewall blocks these packets .. unless you add a rule to the firewall to allow them.

CraftyClown wrote:and whether there is an adjustment I can maybe make server side to prevent it?

You can also use iptables NAT on the server .. documented here:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

Thanks TinCanTech,

That certainly makes sense.

I looked at the link you provided and added this line to the OpenVPN config: push "redirect-gateway def1"

Not sure if I understood that right though, as it has made no difference

Alternatively, what would I need to do to the Windows Firewall, to allow the packets that way?

Apologies if these are stupid questions

Thanks again

Rich

Ok, scratch that, worked it out via Windows Firewall.

To help anyone else who is as clueless as I and comes across this thread then the solution was to do the following.

1. Control panel
2. Windows Firewall
3. Advanced settings
4. Inbound rules
5. File and Printer sharing (SMB in)
6. Scope
7. Remote IP address (add)
8. Add subnet to the top box (which was in my case: 10.8.0.0/24)

Thanks for the help Int3nt and especially TinCanTech

Thanks for sharing your solution

TinCanTech wrote:Thanks for sharing your solution

No problem. I hope it helps someone else out.

Just out of interest, do you know where I was going wrong at the OpenVPN side? I tried: push "redirect-gateway def1"

You were not doing anything wrong with openvpn ..

That link to the HOWTO shows howto use iptables nat on your server.
--redirect-gateway will send all your client data over the VPN, which you need to decide if you need or not.

Hi,
and sorry not to be able to contribute to the discussion but only recently I set up my pfsense router and my OpenVPN connection.

CraftyClown wrote:Ok, so for the past couple of years I have been successfully using OpenVPN to access SMB shares on my Freenas server.

And unlike the OP I have problem access my SMB shares. Without hijacking your thread could you please point me to a direction to find some help as googling gets me nowhere? [lie - I have found this by googling]

Thanks

robag wrote:could you please point me to a direction to find some help

Please see:
viewtopic.php?f=30&t=22603