Can't Access Shared Windows Printer over OpenVPN

Post by cbarthmann_m » Tue Apr 19, 2011 8:51 pm

Hi Everyone!

I have the following set-up:

Web Server--OpenVPN server--Firewall--Internet--WRT54G Router--Client++Printer

The WRT54G router is running the latest version of TomatoVPN.
The web server and the OpenVPN server are on the same network.
The web server runs W2K3.
The Firewall allows all traffic between the OpenVPN server and the WRT54G Router.
The web server has a static route pointing back to the Client's network.
The client runs XP Pro.
The client is using Windows Printer Sharing to share the connected printer.

I am successfully able to bring up a VPN tunnel between the remote router and the OpenVPN server. From the client, I am able to use both Remote Desktop and HTTP to access the Web server.

I need the web server to connect to the shared printer via Windows Printer Sharing, but am encountering an error which reads: "There are currently no logon servers to service the logon request." I have included some rules in the iptables configuration on the OpenVPN server to allow TCP/UDP ports 139 and 445 to travel across the tunnel.

When I put the client on the same network as the web server, everything works as expected. There are a few changes on the client machine's Local Security Policy that allow guest/anonymous users to print to the printer, which have been given to us by our software vendor, and have worked in the past.

Using Wireshark when the client is on the same network as the web server shows that the connection takes place very quickly, without any errors, right after packets for NTLMSSP negotiation; receiving an NTLMSSP challenge (Error: STATUS_MORE_PROCESSING_REQUIRED); and NTLMSSP authentication are sent across the wire. When the client is behind the OpenVPN tunnel, immediately after the NTLMSSP authentication packet, I receive an Error: STATUS_NO_LOGON_SERVERS.

I have also tried using a client machine that is known to work on the "local" network at the remote site, without success.

Here is a sanitized copy of the OpenVPN server.conf file:
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key # This file should be kept secret
dh dh1024.pem
server 10.60.60.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.60.0 255.255.255.0"
client-config-dir ccd
route 192.168.10.0 255.255.255.0
keepalive 10 120
cipher AES-128-CBC # AES
comp-lzo
persist-key
persist-tun
status openvpn-status.log
log-append /var/log/openvpn.log
verb 4
mssfix 1436


And here is a snippet of the firewall.sh script:

iptables -A FORWARD -p tcp --sport 139 -j ACCEPT
iptables -A FORWARD -p udp --sport 139 -j ACCEPT
iptables -A FORWARD -p tcp --sport 445 -j ACCEPT
iptables -A FORWARD -p udp --sport 445 -j ACCEPT
iptables -A FORWARD -p tcp --dport 139 -j ACCEPT
iptables -A FORWARD -p udp --dport 139 -j ACCEPT
iptables -A FORWARD -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -p udp --dport 445 -j ACCEPT


Any help in solving this problem is greatly appreciated.

CB

Re: Can't Access Shared Windows Printer over OpenVPN

Post by janjust » Wed Apr 20, 2011 6:28 am

Sounds more like a Windows networking issue to me :)

Try forwarding TCP port 135 and UDP ports 137 and 138 as well; they might be needed in a Windows domain.

For debugging purposes: try forwarding *everything* and then test it: if that works then you know that it's a firewalling issue. If it still does not work then you need to look elsewhere.
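
Editor's added example, not part of the thread or of either poster's script: a check that lists which Windows networking ports named in this thread have no `--dport` FORWARD rule in a firewall script, plus a generator for the full rule set limited to the two LANs instead of any source and destination. The interface name `tun0` and the reading of the two subnets from the posted server.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Subnets are read from the posted
# server.conf (pushed route = server LAN, "route" = client LAN); tun0 is assumed.
TUN_IF="tun0"
SERVER_LAN="192.168.60.0/24"
CLIENT_LAN="192.168.10.0/24"
# 139 and 445 come from the original post; 135/tcp, 137/udp, 138/udp from the reply.
SMB_PORTS="tcp/135 udp/137 udp/138 tcp/139 tcp/445"

# Read a firewall script on stdin and print every proto/port in SMB_PORTS
# that has no "-A FORWARD ... --dport <port> ... -j ACCEPT" rule.
missing_ports() {
    rules=$(cat)
    for pp in $SMB_PORTS; do
        proto=${pp%/*}; port=${pp#*/}
        printf '%s\n' "$rules" |
            grep -Eq -- "^iptables -A FORWARD .*-p $proto .*--dport $port .*-j ACCEPT" ||
            echo "$pp"
    done
}

# Print FORWARD rules for SMB_PORTS between the two LANs only. New connections
# are allowed in both directions across the tunnel; replies are matched by
# connection tracking rather than by open-ended --sport rules.
smb_forward_rules() {
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for pp in $SMB_PORTS; do
        proto=${pp%/*}; port=${pp#*/}
        echo "iptables -A FORWARD -i $TUN_IF -s $CLIENT_LAN -d $SERVER_LAN -p $proto --dport $port -j ACCEPT"
        echo "iptables -A FORWARD -o $TUN_IF -s $SERVER_LAN -d $CLIENT_LAN -p $proto --dport $port -j ACCEPT"
    done
}

# The four --dport rules quoted in the original post, used as sample input.
POSTED='iptables -A FORWARD -p tcp --dport 139 -j ACCEPT
iptables -A FORWARD -p udp --dport 139 -j ACCEPT
iptables -A FORWARD -p tcp --dport 445 -j ACCEPT
iptables -A FORWARD -p udp --dport 445 -j ACCEPT'

echo "Not forwarded by the posted rules:"
printf '%s\n' "$POSTED" | missing_ports
echo "Scoped rule set:"
smb_forward_rules
```

The generator only prints the commands, so they can be reviewed before being pasted into firewall.sh.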
