OpenVPN - Home Network - Cannot access network shares

[richhenn]

Hi everyone,

Firstly apologies - whilst I am a fairly experienced user of networking products, I have very little knowledge of network protocols/principals. Also, I know from looking at various sites, this issue isn't unusual but I'm a little unsure exactly where my problem lies.

I have an Asus RT-N66U at home which has the facility of a VPN server, namely PPTP or OpenVPN. Due to the PPTP server being quite flaky and the OpenVPN system offering greater security, OpenVPN is the protocol I've gone with. I'd like to use the VPN to access my home network when away from home, just as if I was sat in my lounge.

I've setup the VPN server and can make a connection from my own laptop (Win 7), work laptop (Win 7) and my Android devices. What I have so far noticed:

1 - On the Win 7 devices, I am assigned an IP address from the range as stated in the server setup (192.168.2.0 onwards) but the subnet mask shows as 255.255.255.252, not 255.255.255.0 as displayed in the server setup screen.
2 - When running the ipconfig command, the default gateway is blank.

Once connected, I am able to view webpages etc. and access things like the setup pages for my NAS drive by entering its internal IP address into a web browser (just like I could if at home). However, I cannot see any network shares, other computers or access mapped drives. Despite its flakiness, I was able to do this quite easily when I had the PPTP setup (when it actually connected!).

In terms of longs, I have the following to show:

Server

Oct 5 18:12:55 openvpn[916]: 213.205.251.241:64225 TLS: Initial packet from [AF_INET]213.205.251.241:64225, sid=970fe078 d6ebc894
Oct 5 18:12:56 openvpn[916]: 213.205.251.241:64225 PLUGIN_CALL: POST /usr/lib/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=0
Oct 5 18:12:56 openvpn[916]: 213.205.251.241:64225 TLS: Username/Password authentication succeeded for username 'Richard' [CN SET]
Oct 5 18:12:56 openvpn[916]: 213.205.251.241:64225 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 5 18:12:56 openvpn[916]: 213.205.251.241:64225 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 5 18:12:56 openvpn[916]: 213.205.251.241:64225 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Oct 5 18:12:56 openvpn[916]: 213.205.251.241:64225 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Oct 5 18:12:56 openvpn[916]: 213.205.251.241:64225 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA
Oct 5 18:12:56 openvpn[916]: 213.205.251.241:64225 [Richard] Peer Connection Initiated with [AF_INET]213.205.251.241:64225
Oct 5 18:12:56 openvpn[916]: Richard/213.205.251.241:64225 MULTI_sva: pool returned IPv4=192.168.2.10, IPv6=(Not enabled)
Oct 5 18:12:56 openvpn[916]: Richard/213.205.251.241:64225 MULTI: Learn: 192.168.2.10 -> Richard/213.205.251.241:64225
Oct 5 18:12:56 openvpn[916]: Richard/213.205.251.241:64225 MULTI: primary virtual IP for Richard/213.205.251.241:64225: 192.168.2.10
Oct 5 18:12:58 openvpn[916]: Richard/213.205.251.241:64225 PUSH: Received control message: 'PUSH_REQUEST'
Oct 5 18:12:58 openvpn[916]: Richard/213.205.251.241:64225 send_push_reply(): safe_cap=940
Oct 5 18:12:58 openvpn[916]: Richard/213.205.251.241:64225 SENT CONTROL [Richard]: 'PUSH_REPLY,route 192.168.1.0 255.255.255.0,route 192.168.2.1,topology net30,ping 15,ping-restart 60,ifconfig 192.168.2.10 192.168.2.9' (status=1)

Client

Sun Oct 05 18:11:32 2014 OpenVPN 2.3.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Aug 7 2014
Sun Oct 05 18:11:32 2014 library versions: OpenSSL 1.0.1i 6 Aug 2014, LZO 2.05
Enter Management Password:
Sun Oct 05 18:11:37 2014 UDPv4 link local: [undef]
Sun Oct 05 18:11:37 2014 UDPv4 link remote: [AF_INET]212.105.162.70:1194
Sun Oct 05 18:11:37 2014 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Sun Oct 05 18:11:38 2014 [RT-N66U] Peer Connection Initiated with [AF_INET]212.***.***.70:1194
Sun Oct 05 18:11:40 2014 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Sun Oct 05 18:11:40 2014 open_tun, tt->ipv6=0
Sun Oct 05 18:11:40 2014 TAP-WIN32 device [Local Area Connection 8] opened: \\.\Global\{D8721A91-4DE0-4A9E-9A6D-AD27080A1D26}.tap
Sun Oct 05 18:11:40 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {D8721A91-4DE0-4A9E-9A6D-AD27080A1D26} [DHCP-serv: 192.168.2.5, lease-time: 31536000]
Sun Oct 05 18:11:40 2014 Successful ARP Flush on interface [31] {D8721A91-4DE0-4A9E-9A6D-AD27080A1D26}
Sun Oct 05 18:11:45 2014 Initialization Sequence Completed

Can anyone offer any guidance as to where I might be going wrong? Does the different subnet mask/no default gateway play a part?

Also, can anyone recommend a good place to start learning the basics of networking and what how it all interacts?!

Thanks for your time,
Rich

[Traffic]

Please post your config files.

Does the different subnet mask/no default gateway play a part?

See --topology in The Manual v23x

can anyone recommend a good place to start learning the basics of

If you want to learn about OpenVPN see the documentation: OpenVPN Community Edition Documentation

[richhenn]

Thanks for taking a look at my request traffic.

I've copied this from the client config file

client
dev tun
proto udp
remote 212.***.***.70 1194
float
comp-lzo adaptive
keepalive 15 60
auth-user-pass
ns-cert-type server

With regards to the server config file, that's a little more difficult as I don't know where the RT-N66u stores that file. I've typed out below each setting that I can make as unfortunately I can't attach a screen shot here.

Interface Type - TUN
Protocol - UDP
Server Port - 1194
Firewall - Auto
Authorization Mode - TLS
Username/Password auth. only - Yes
Extra HMAC Authorization - Disable
VPN Subnet/Netmask - 192.168.2.0 255.255.255.0
Poll Interval (0 to disable) - 0
Push LAN to clients - Yes
Direct clients to redirect internet traffic - No
Respond to DNS - No
Encryption cipher - Default
Compression - Adaptive
TLS Renegotiation Time (-1 for default) - -1
Manage Client Specific Options - No
Custom Configuration - Blank

Many thanks,
Rich

[Traffic]

This line in your client log:

Sun Oct 05 18:11:40 2014 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.2.6/255.255.255.252 on interface {D8721A91-4DE0-4A9E-9A6D-AD27080A1D26} [DHCP-serv: 192.168.2.5, lease-time: 31536000]

indicates that openvpn has connected and that your server has directed your client and that your client has acted.

I note in your server config this:

Direct clients to redirect internet traffic - No

Which probably means your clients will not redirect their gateways and will not use the VPN for web browsing ..

But i don't use your hardware so am not really sure.

[richhenn]

Hi Traffic,

I'm happy that the OpenVPN is now connecting OK. I've also changed the 'Direct clients to redirect internet traffic' option to 'Yes'. When I use a site like www.whatsmyip.net, I get the static IP address at home which my router/VPN server is connected to.

Should I be able to see my home LAN in this configuration? I can successfully ping the IP address of my NAS drive but cannot see the shares in file/network explorer. Plus, if I enter the address of my router/VPN server (192.168.1.1) into Internet Explorer on client machine, it cannot access the setup page yet I can ping via a command prompt.

Many thanks,
Rich

[richhenn]

Hi Traffic,

Thanks again for your time.

I'm happy with the connection being made. Once connected, I am able to ping machines on my home LAN. However, I am not able to access them by entering their IP address into a browser nor am I able to see any network machines, shares or connect to mapped drives.

Additionally, I've changed that mentioned setting so that the VPN is now used for web browsing too

Any suggestions?

Best Regards,
Rich

[Traffic]

I've also changed the 'Direct clients to redirect internet traffic' option to 'Yes'. When I use a site like http://www.whatsmyip.net, I get the static IP address at home which my router/VPN server is conne

Good .. that means your VPN is working.

Should I be able to see my home LAN in this configuration?

You must push the route of your LAN to the clients:
HOWTO: Expanding the scope of the VPN to include additional machines

I can successfully ping the IP address of my NAS drive

Are you sure that it is the NAS drive and not a device on the client LAN ?

but cannot see the shares in file/network explorer

To use windows networking "browser" requires network broadcasts .. so you need a TAP (OSI Layer 2) tunnel or a WINS/Samba Server ..

am able to ping machines on my home LAN. However, I am not able to access them by entering their IP address into a browser

Are you sure (again) that you are pinging devices on the server LAN and not devices on the client LAN .. ?

Simply putting an ip address of a pc into your browser is not a suitable test ..

[richhenn]

Hi Traffic,

Again, thanks for your time - I appreciate it. Apologies for the double post, wasn't sure if the first one sent!

Just to confirm, I am sure that the device I am pinging exists on the server side. For instance, my NAS is found on the server-side LAN at 192.168.1.50. If I connect to the VPN from an external network, I can ping the NAS using the 192.168.1.50 address. Also, my apologies, I can confirm that if put that address into a browser, I am able to access the admin. setup page of that NAS device. So, that side of things works well.

With regards to seeing the home/server-side LAN, I can confirm that I have followed that guide and have inserted the command "push "route 192.168.1.0 255.255.255.0"" into the server configuration. I don't think I need to do anything further there as the OpenVPN and LAN gateway are on the same machine?

Finally, the main issue! Whilst setting up a TAP-based VPN would be great, I'm afraid that as an Android user, it isn't an ideal option. However, my NAS device (QNAP unit) appears to offer a SMB/WINS server. Could this be utilised?

Best Regards,
Rich

[Traffic]

I can ping the NAS using the 192.168.1.50 address. Also, my apologies, I can confirm that if put that address into a browser, I am able to access the admin. setup page of that NAS device. So, that side of things works well.

Good .. sounds ok.

my NAS device (QNAP unit) appears to offer a SMB/WINS server. Could this be utilised?

Sounds like a good plan.

Whilst setting up a TAP-based VPN would be great, I'm afraid that as an Android user, it isn't an ideal option

--dev tun is ok .. You can still use windows network share:

Code: Select all

C:\WINDOWS>net use x: \\192.168.1.50\shared

[richhenn]

I think I'm just about there!

By changing the WINS address to that on my NAS drive (as opposed to the router), I am now able to connect to shares by name. That's really great!

The only thing that isn't working that I'd really like would be to see computers/shares in the file/network explorer (i.e. ones that aren't already mapped as network drives) - is that the part that isn't possible because of the TUN-based setup? I'm being picky I know!

Thank you ever so much for your help, I hope I can repay the favour

[Traffic]

to see computers/shares in the file/network explorer (i.e. ones that aren't already mapped as network drives) - is that the part that isn't possible because of the TUN-based setup

Either that or your WINS server is not working properly.

Thank you ever so much for your help, I hope I can repay the favour

You can make a small donation to my paypal account if you like

[richhenn]

Well, tell me where I should send it!

[Traffic]

Please check your PMs ..

And thanks