Allow client access to samba share on a different machine

sparomba
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 10, 2014 12:06 pm

Allow client access to samba share on a different machine

Post by sparomba » Wed Dec 10, 2014 12:38 pm

I'm trying to follow this howto to make LAN samba shares available to the clients connected over OpenVPN (routed, tun).
In the LAN, the OpenVPN server and the samba file server are not on the same machine. Following the howto, I have to "Include multiple machines on the server side when using a routed VPN (dev tun)", as described here.
This is where I'm stuck. The description says "Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server (this is only necessary if the OpenVPN server and the LAN gateway are different machines)." I have no idea how to do this step. The gateway in the LAN is the modem, where I can barely configure anything at all.
Is there a way to route/port forward the samba-specific traffic between the machines and subnets without tampering with the LAN gateway? Or do I have some misconception of what "gateway" in the above-linked description means?
Also, iptables, routing, etc. are new to me and still confusing. I could use a little help with what commands I have to execute on which machine to make the samba shares available to the OpenVPN clients.

Illustration of the setup: [image]

client config:

Code:

client
dev tun
proto udp
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ca /sdcard/cert/ca.crt
cert /sdcard/cert/my-client.crt
key /sdcard/cert/my-client.key
remote-cert-tls server
tls-auth /sdcard/cert/ta.key 1
cipher BF-CBC
comp-lzo
verb 3

server config:

Code:

port 1194
proto udp
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/my-server.crt
key /etc/openvpn/my-server.key  # This file should be kept secret
dh /etc/openvpn/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /tmp/ipp.txt
push "route 192.168.207.0 255.255.255.0"
keepalive 10 120
tls-auth /etc/openvpn/ta.key 0 # This file is secret
cipher BF-CBC        # Blowfish (default)
comp-lzo
user vpnuser
group vpnuser
persist-key
persist-tun
status /tmp/openvpn-status.log
verb 3

iptables:

Code:

Help on that one would be greatly appreciated.
Thanks!

sparomba
OpenVpn Newbie
Posts: 2
Joined: Wed Dec 10, 2014 12:06 pm

Re: Allow client access to samba share on a different machine

Post by sparomba » Thu Dec 11, 2014 10:55 am

After some more searching, trial and error I finally got it working.

Explanation for the specific configuration as shown in the image of post 1:

"Next, you must set up a route on the server-side LAN gateway to route the VPN client subnet (10.8.0.0/24) to the OpenVPN server" means:
Add a static route on the machine that's configured as the LAN's gateway (the modem, 192.168.207.1). This rule will route all traffic for 10.8.0.* to the LAN address of the OpenVPN server (192.168.207.4):

Code:

# static route on the LAN gateway: VPN client subnet via the OpenVPN server's LAN address
route add -net 10.8.0.0 netmask 255.255.255.0 gw 192.168.207.4

"Make sure that you've enabled IP and TUN/TAP forwarding on the OpenVPN server machine." means:
enable IP forwarding between the virtual tun0 and the eth0 device on the OpenVPN server machine (192.168.207.4):

Code:

sysctl -w net.ipv4.ip_forward=1

and add these two rules to the iptables firewall on the machine where the OpenVPN server runs:

Code:

# Allow TUN interface connections to OpenVPN server
iptables -A INPUT -i tun+ -j ACCEPT
# Allow TUN interface connections to be forwarded through other interfaces
iptables -A FORWARD -i tun+ -j ACCEPT

The official HowTo is very good and helped a lot, but imho this specific part could use a little update, adding the specific commands required.

Traffic
OpenVPN Protagonist
Posts: 4066
Joined: Sat Aug 09, 2014 11:24 am

Re: Allow client access to samba share on a different machine

Post by Traffic » Thu Dec 11, 2014 12:55 pm

sparomba wrote:
    iptables:
    Code:
    help on that one would be greatly appreciated

Code:

iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE

This may solve your problem.

* Remember that in tun mode the Windows network browser will not work; you must use:

Code:

net use x: \\ip.add.smb.host\sharename
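To see why both fixes in this thread work (the static route on the modem from sparomba's second post, and the MASQUERADE rule above), here is a small added routing simulation; it is not part of the thread, and the samba host address 192.168.207.10 and the client pool address 10.8.0.6 are assumed values that the posts do not give.

```python
import ipaddress

# Constructed model of the thread's setup: LAN 192.168.207.0/24 with the modem as gateway,
# OpenVPN server 192.168.207.4 (tun0 10.8.0.1), VPN subnet 10.8.0.0/24. The samba host's
# address and the client's pool address are assumptions; the thread does not state them.
LAN_GW, VPN_SRV, SAMBA, CLIENT = "192.168.207.1", "192.168.207.4", "192.168.207.10", "10.8.0.6"

def topology(modem_static_route):
    """host -> (owned addresses, routes as (prefix, next_hop)); 'direct' = on-link, 'wan' = leaves LAN."""
    modem = [("192.168.207.0/24", "direct"), ("0.0.0.0/0", "wan")]
    if modem_static_route:  # the HowTo step the thread asks about
        modem.append(("10.8.0.0/24", VPN_SRV))
    return {
        "modem": ({LAN_GW}, modem),
        "server": ({VPN_SRV, "10.8.0.1"}, [("192.168.207.0/24", "direct"),
                                           ("10.8.0.0/24", "direct"), ("0.0.0.0/0", LAN_GW)]),
        "samba": ({SAMBA}, [("192.168.207.0/24", "direct"), ("0.0.0.0/0", LAN_GW)]),
        "client": ({CLIENT}, [("10.8.0.0/24", "direct"), ("0.0.0.0/0", "10.8.0.1")]),
    }

def next_hop(routes, dst):
    """Longest-prefix match over one host's table; None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def owner(topo, addr):
    return next((h for h, (addrs, _) in topo.items() if addr in addrs), None)

def trace(topo, start, dst, max_hops=6):
    """Hosts a packet for dst visits starting at start; a trailing None means it was dropped."""
    path, here = [start], start
    for _ in range(max_hops):
        if dst in topo[here][0]:
            return path
        gw = next_hop(topo[here][1], dst)
        here = None if gw in (None, "wan") else owner(topo, dst if gw == "direct" else gw)
        path.append(here)
        if here is None:
            return path  # no route, or the modem sent it toward the WAN
    return path + [None]

def smb_reply_path(modem_static_route, masquerade):
    """Return path of the samba host's reply to the VPN client under each fix from the thread."""
    topo = topology(modem_static_route)
    if not masquerade:
        return trace(topo, "samba", CLIENT)
    # With MASQUERADE the samba host sees the server's LAN address as the client; the server un-NATs it.
    return trace(topo, "samba", VPN_SRV) + trace(topo, "server", CLIENT)[1:]
```

Without either fix the reply reaches the modem and is sent toward the WAN; the static route sends it back via the OpenVPN server, while MASQUERADE keeps the reply on the LAN but hides the client's real address from the samba host.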
