Windows File Shares Unreachable via OpenVPN

[boblevy]

Hi, I've recently setup OpenVPN to replace my Windows PPTP VPN. All seems to be working except for accessing Windows File Shares (via Windows File Explorer e.g. \\UNC\C$ or \\ip_addr\C$)

As this had been working under PPTP, and works when the same laptop is connected locally, the only change has been the switch to OpenVPN so I suspect my config files may be in err. Any ideas / suggestions?

Server Config:

Code: Select all

port 443
proto tcp
dev tun
mode server
server 192.168.16.0 255.255.255.0
duplicate-cn
keepalive 10 120
push "route 192.168.15.0 255.255.255.0"
push "dhcp-option DNS 192.168.15.1"
persist-key
persist-tun
verb 3
cipher DES-EDE3-CBC
client-cert-not-required
username-as-common-name
auth-user-pass-verify "/mnt/auth.sh" via-env
script-security 2
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(content omitted)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(content omitted)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
(content omitted)
-----END RSA PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
(content omitted)
-----END DH PARAMETERS-----

Client Config:

Code: Select all

client
proto tcp
remote (IP Omitted)
port 443
dev tun
dev-type tun
ns-cert-type server
reneg-sec 86400
auth-user-pass
auth-retry interact
verb 3
cipher DES-EDE3-CBC
comp-lzo
<ca>
-----BEGIN CERTIFICATE-----
(content omitted)
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
(content omitted)
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN RSA PRIVATE KEY-----
(content omitted)
-----END RSA PRIVATE KEY-----
</key>
<dh>
-----BEGIN DH PARAMETERS-----
(content omitted)
-----END DH PARAMETERS-----
</dh>

[janjust]

seems like you're setting up a Linux/BSD based openvpn server ; which share do you want to access after the VPN is established? Is the VPN itself working, i.e. can you ping the VPN server IP? other hosts on the server-side LAN?
What is the IP address of the share you want to access? is it the VPN server itself? Is Samba running on that box?

[boblevy]

which share do you want to access after the VPN is established?

Shares on multiple Windows XP Pro machines e.g.

• \\machinename\c$

• \\machinename\sharename

Is the VPN itself working, i.e. can you ping the VPN server IP? other hosts on the server-side LAN?

Yes, machines ping by name and IP address. VPN server itself is a DD-WRT-based Belkin router (hence yes, it's Linux). I use the VPN regularly for Windows-based remote desktop use. Telnet works also. Only issues I can find are with accessing file shares.

What is the IP address of the share you want to access?

192.168.15.252 (and several other 192.168.15.x machines actually), which are all Windows XP Pro machines on that remote LAN.

is it the VPN server itself? Is Samba running on that box?

No, and no.

Much appreciate any suggestions.

Thanks,
Bob

[janjust]

could be an MTU issue: here's one method for troubleshooting that:

1) from the Windows client, verify that you can ping the Windows server using the IP address
ping <ip>

2) again, from the windows client, find the maximum MTU value:

Code: Select all

  ping -f -l 1472 <ip>

if these pings work , then you do not have an MTU issue; if these pings don't work (which I suspect), then lower the number 1472 to e.g. 1200 ; if that works, then increase it again until you find the optimal value. I'd use the following sequence for testing the MTU sizes:
1472 -> 1200 OK -> 1400 FAILS -> 1300 , 1400 OK -> 1440, 1300 OK -> 1340, 1300 FAILS > 1240

after you find the optimal MTU value, add the following lines to both client and server configs:

Code: Select all

fragment <value>+28
mssfix

where <value> is the optimal payload MTU size.

if course, if 'ping -f -l 1472' works then it's NOT an MTU issue and we need to look elsewhere

[boblevy]

Hmm, MTU appears fine:

Code: Select all

C:\Documents and Settings\bl>c:\windows\system32\ping.exe -f -l 1472 192.168.15.253

Pinging 192.168.15.253 with 1472 bytes of data:

Reply from 192.168.15.253: bytes=1472 time=33ms TTL=127
Reply from 192.168.15.253: bytes=1472 time=30ms TTL=127
Reply from 192.168.15.253: bytes=1472 time=30ms TTL=127
Reply from 192.168.15.253: bytes=1472 time=32ms TTL=127

Ping statistics for 192.168.15.253:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 30ms, Maximum = 33ms, Average = 31ms

Still, opening Windows File Explorer and navigating to \\192.168.15.253\c$ yields error (after a timeout).

Any ideas?

Thanks,
Bob

[Mimiko]

Hello

Firstly, I recommend using standart OpenVPN port 1194. Port nr. 443 is used by windows for the special connections with RPC.

Second. Check Windows XP's firewall setting. Try disable it completly. With firewall enable, systems can be pinged, but shares are not accessible. Plus there are different configurations for Windows XP's firewall, where shares are accessible only for local IPs of the local LAN.

Check router for configurations. Althoutgh router is linux based and OpenVPN is installed on this router, it can still block traffic for share access. Windows sharring uses several ports for opened shares access.

[maikcat]

hi there,

port 443 is reserved by IANA for https
port 445 is used by smb/cifs
port 111 is used by portmapper

changing port for openvpn doesnt cause *any* sideeffect

if 192.168.15.253 host is linux ,simply check samba logs..

if other tcp based services hosted on 192.168.15.253 work ok then
its not mtu issue.

also try for testing to disable firewall rules on devices on question (router,and pc with shares).

cheers,

Michael.