Troubles with SMB/Samba

thompson
OpenVpn Newbie
Posts: 18
Joined: Mon Jan 27, 2014 5:39 am

Post by thompson » Tue Mar 22, 2016 9:12 pm

Currently running OpenVPN on an ASUS RT-AC66U and while I am able to SSH to a Linux box via the VPN, I cannot access SMB Network Shares. At one point I was able to ping the box but I currently am unable to.

At one point I was pleasantly surprised to come into work and actually have samba access, which was lost upon restart and hasn't been obtained since.

SMB on the Linux box is configured as a WINS server, and I've added a few lines in an effort to get this working.

I'm not looking to redirect any internet traffic over the VPN.

Server-Side-Lan: 192.168.192.0/24

Not entirely sure how to get the OpenVPN Server config from the Asus:

Image

Routing table on Asus

Image

Client file on remote Windows 7 machine (minus CA info):

Code:

client
dev tun
proto udp
remote *.*.*.* 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server
resolv-retry infinite
nobind

smb.conf from the Linux Box:

Code:

workgroup = WORKGROUP
server string = %h server
wins support = yes
dns proxy = yes
name resolve order = wins lmhosts host bcast
hosts allow = 192.168.192.0/24 10.10.0.0/24 127.0.0.1
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user

A snippet from the Asus Log:

Code:

Mar 22 13:28:20 rc_service: watchdog 261:notify_rc start_httpd
Mar 22 12:28:20 RT-AC66U: start httpd - SSL
Mar 22 13:28:49 openvpn[14783]: MULTI: multi_create_instance called
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 Re-using SSL/TLS context
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 LZO compression initialized
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 Local Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-server'
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 Expected Remote Options String: 'V4,dev-type tun,link-mtu 1542,tun-mtu 1500,proto UDPv4,comp-lzo,cipher BF-CBC,auth SHA1,keysize 128,key-method 2,tls-client'
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 Local Options hash (VER=V4): '530fdded'
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 Expected Remote Options hash (VER=V4): '41690919'
Mar 22 13:28:49 openvpn[14783]: 108.160.41.13:21374 TLS: Initial packet from [AF_INET]108.160.41.13:21374, sid=a868af5e dbee481d
Mar 22 13:28:51 openvpn[14783]: 108.160.41.13:21374 VERIFY OK: depth=1, C=TW, ST=TW, L=Taipei, O=ASUS, CN=RT-AC66U, emailAddress=me@myhost.mydomain
Mar 22 13:28:51 openvpn[14783]: 108.160.41.13:21374 VERIFY OK: depth=0, C=TW, ST=TW, L=Taipei, O=ASUS, CN=client, emailAddress=me@myhost.mydomain
Mar 22 13:28:52 watchdog: restart httpd
Mar 22 13:28:52 rc_service: watchdog 261:notify_rc start_httpd
Mar 22 12:28:53 RT-AC66U: start httpd - SSL
Mar 22 13:28:53 openvpn[14783]: 108.160.41.13:21374 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Mar 22 13:28:53 openvpn[14783]: 108.160.41.13:21374 TLS: Username/Password authentication succeeded for username 'kelsey' 
Mar 22 13:28:53 openvpn[14783]: 108.160.41.13:21374 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mar 22 13:28:53 openvpn[14783]: 108.160.41.13:21374 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 22 13:28:53 openvpn[14783]: 108.160.41.13:21374 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Mar 22 13:28:53 openvpn[14783]: 108.160.41.13:21374 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Mar 22 13:28:53 openvpn[14783]: 108.160.41.13:21374 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
Mar 22 13:28:53 openvpn[14783]: 108.160.41.13:21374 [client] Peer Connection Initiated with [AF_INET]108.160.41.13:21374
Mar 22 13:28:53 openvpn[14783]: client/108.160.41.13:21374 MULTI_sva: pool returned IPv4=10.10.0.6, IPv6=(Not enabled)
Mar 22 13:28:53 openvpn[14783]: client/108.160.41.13:21374 MULTI: Learn: 10.10.0.6 -> client/108.160.41.13:21374
Mar 22 13:28:53 openvpn[14783]: client/108.160.41.13:21374 MULTI: primary virtual IP for client/108.160.41.13:21374: 10.10.0.6
Mar 22 13:28:55 openvpn[14783]: client/108.160.41.13:21374 PUSH: Received control message: 'PUSH_REQUEST'
Mar 22 13:28:55 openvpn[14783]: client/108.160.41.13:21374 send_push_reply(): safe_cap=940
Mar 22 13:28:55 openvpn[14783]: client/108.160.41.13:21374 SENT CONTROL [client]: 'PUSH_REPLY,route 192.168.192.0 255.255.255.0,dhcp-option DNS 192.168.192.2,dhcp-option WINS 192.168.192.100,route 192.168.192.0 255.255.255.0,route 10.10.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.10.0.6 10.10.0.5' (status=1)
Mar 22 13:28:55 openvpn[14783]: client/108.160.41.13:21374 MULTI: bad source address from client [fe80::b929:c7dc:db5f:319f], packet dropped
Mar 22 13:28:55 openvpn[14783]: client/108.160.41.13:21374 MULTI: bad source address from client [fe80::b929:c7dc:db5f:319f], packet dropped

It errors on that MULTI: bad source a lot but figured it wasn't relevant (not using IPv6) so cut a large amount of them out.

Hope this is all in order, any help is crazy appreciated as I've been unsuccessfully working on this for a while now. If I've missed anything I'll try and get it up asap.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Troubles with SMB/Samba

Post by Traffic » Tue Mar 22, 2016 9:33 pm

thompson wrote: It errors on that MULTI: bad source a lot but figured it wasn't relevant (not using IPv6)
You can ignore this.

Re: Troubles with SMB/Samba ..
Did you set up iptables NAT on the VPN server?

Post by thompson » Tue Mar 22, 2016 9:51 pm

I've seen mention of it browsing topics on here, but I'm clueless as to how to do that. I'm guessing I need to telnet into the router to change those kinds of settings, or is it an OpenVPN setting?

Post by Traffic » Tue Mar 22, 2016 9:55 pm

You will find the OpenVPN HOWTO helpful:
HOWTO: For OpenVPN Community Edition

Post by thompson » Tue Mar 22, 2016 10:52 pm

Been poring over it for ages and while I consider myself savvy with this kind of thing a lot of it is going right over

Just tried adding these via Telnet, and I can see the iptables listed under ACCEPT, but still no luck when trying to access the SMB shares (via HOSTNAME or IP).

Code:

echo 1 > /proc/sys/net/ipv4/ip_forward

Code:

iptables -A FORWARD -i tun21 -s 10.10.0.0/24 -d 192.168.192.0/24 -j ACCEPT

Post by Traffic » Tue Mar 22, 2016 11:15 pm

thompson wrote: still no luck when trying to access the SMB shares (via HOSTNAME or IP)
Can you ping the host?

Post by thompson » Tue Mar 22, 2016 11:39 pm

I'm starting to think it's the damned Win7 firewall.

Connected to the OpenVPN server using my Android phone, go to ES File Explorer and I can connect to the Host via IP address no issue.

Went in and manually opened 1194 on In/Out-bound traffic and sure as hell I can map it as a network drive.

Thanks for the help Traffic :) I'll restart the router to double check if I need to make those iptables rules persistent.

Post by thompson » Thu Mar 24, 2016 6:22 pm

Well, today hasn't been too encouraging in the VPN world.

Came to work expecting the tunnel to still function exactly the same but it has other plans.

Back to being able to SSH into the network via VPN, but no SMB response (from either Win7 or Android approaches).

Just in case, I rebooted the router, checked iptables and reapplied the above commands but they didn't have any effect.

I can't ping the Linux box from the remote Win7/Android, but I can ping it from the ASUS running OpenVPN (via either Telnet or the WGUI).

Openvpn on Win7 was giving me some "Waiting for TAP/TUN..." so I uninstalled the TAP and reinstalled it (seemed to at least fix the Waiting issue).

I had also read that setting the VPN DHCP as the Gateway in Windows 7 allows you to set it as a Private network, so did that, but again no effect.

Post by thompson » Fri Mar 25, 2016 7:29 pm

So would I be better running my own server on the cubox or my spare rasp-pi?

Personally much more comfortable with a debian terminal than this telnet into Asus.

I've been wanting to play with DNS and a few other network services.

Post by thompson » Sat Mar 26, 2016 7:38 am

Sorry to keep digging this up but I suppose fingers crossed someone will randomly have an idea.

And another sorry if this is too off topic for this forum, but I figure it's still relevant information.

I can ping other devices and actually access the SMB of a different machine via the VPN connection. But the rascal Debian box refuses to play nice and that leaves the most likely culprit as these bloody iptables.

I've tried every combination I can come up with mixing source, destination, FORWARD, INPUT, OUTPUT; none of it seems to have any effect when trying to reach out from a remote connection (thank God for smart phones).

Post by thompson » Sat Mar 26, 2016 8:35 am

Finally figured it out.

Was a combination of routing, iptables and me being an idiot.

I hadn't entirely forgotten I have a different VPN running on that Debian machine. It was being assigned 10.10.0.0/24 IP and I have no control over that.

Once I got that sussed out, simple cases of changing IP pool on the ASUS, then on the Debian machine:

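Code:

# accept traffic from the new VPN pool (the /24, matching the route below)
iptables -A INPUT -s 10.14.0.0/24 -j ACCEPT
# return route for the VPN pool via 192.168.192.2
route add -net 10.14.0.0 netmask 255.255.255.0 gw 192.168.192.2

Made sure to make a backup of iptables and added the route bit to interfaces with a post-up/pre-down addition.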

Not entirely sure I like having all traffic from VPN accepted, but it's also 1 am and I'm full up on dealing with this tonight.

Can close/delete/shame the topic as fit :)
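The address clash described in the post above, worked through as an added example (not code from the thread): it takes the client's tunnel address from the PUSH_REPLY in the ASUS log, looks up which interface the Samba host would answer on, and checks a proposed pool against the host's routes. The Debian routing table, the `tun0` interface name and the `10.10.0.2` address are constructed assumptions; only the subnets and the PUSH_REPLY options come from the posts.

```python
import ipaddress
import re

# Constructed `ip route` output for the Debian Samba host (assumption): eth0 on
# the LAN from the thread, plus the second VPN on tun0 holding 10.10.0.0/24.
DEBIAN_ROUTES = """\
default via 192.168.192.2 dev eth0
10.10.0.0/24 dev tun0 proto kernel scope link src 10.10.0.2
192.168.192.0/24 dev eth0 proto kernel scope link src 192.168.192.100
"""

# PUSH_REPLY options from the ASUS log in the first post (shortened).
PUSH_REPLY = ("PUSH_REPLY,route 192.168.192.0 255.255.255.0,"
              "dhcp-option WINS 192.168.192.100,route 10.10.0.1,"
              "topology net30,ping 15,ping-restart 60,ifconfig 10.10.0.6 10.10.0.5")

def parse_routes(text):
    """Return [(network, device)] from `ip route` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes

def client_tunnel_ip(push_reply):
    """Extract the client's tunnel address from the pushed `ifconfig` option."""
    m = re.search(r"ifconfig (\d+\.\d+\.\d+\.\d+) ", push_reply)
    return ipaddress.ip_address(m.group(1))

def egress_device(routes, addr):
    """Longest-prefix match: the interface the host uses to reply to addr."""
    matches = [(net, dev) for net, dev in routes if addr in net]
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def pool_conflicts(routes, pool):
    """Non-default routes on the host that overlap a proposed VPN pool."""
    pool = ipaddress.ip_network(pool)
    return [str(net) for net, _ in routes if net.prefixlen and net.overlaps(pool)]

if __name__ == "__main__":
    routes = parse_routes(DEBIAN_ROUTES)
    client = client_tunnel_ip(PUSH_REPLY)
    print(client, "replies leave via", egress_device(routes, client))
    for pool in ("10.10.0.0/24", "10.14.0.0/24"):
        print(pool, pool_conflicts(routes, pool) or "no overlap")
```

With the old pool the replies to 10.10.0.6 leave through the other VPN's interface instead of going back to the router, which is why SSH and SMB to other hosts worked while this one host stayed silent.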

Post by Traffic » Sat Mar 26, 2016 1:12 pm

thompson wrote: I hadn't entirely forgotten I have a different VPN running on that Debian machine. It was being assigned 10.10.0.0/24 IP and I have no control over that.
Is it an internet VPN service?

Anyway, Thanks for letting us know your solution 8-)

TeHashX
OpenVpn Newbie
Posts: 2
Joined: Sat Apr 23, 2016 8:50 am

Re: Troubles with SMB/Samba

Post by TeHashX » Sat Apr 23, 2016 9:51 am

Trying the same thing with Asus RT-AC68U IP 192.168.1.1 running openvpn and a samba share running on Odroid C2 with IP 192.168.1.234 and connecting from android app.
Can you please share which values I need to input in smb.conf and openvpn custom configuration?
Thanks!

Post by TeHashX » Fri Dec 02, 2016 7:58 am

I tried to search samba share while I was connected through openvpn but didn't find any samba share, then I input IP address of samba share 192.168.1.234 and I connected successfully, so this is the right way, not to search, thanks.
