[Solved] How to access windows shares via OpenVPN

CraftyClown
OpenVPN User
Posts: 43
Joined: Sat Nov 01, 2014 9:55 am

[Solved] How to access windows shares via OpenVPN

Post by CraftyClown » Sun Jun 12, 2016 2:35 am

Ok, so for the past couple of years I have been successfully using OpenVPN to access SMB shares on my Freenas server. I have OpenVPN server installed on my DD-WRT router.

I now want to remotely access a number of shares I have set up on a Windows 10 machine. I have no problems accessing the shares within my LAN, however I am unable to access them remotely through OpenVPN, unless I turn off Windows firewall on the Windows 10 machine that contains the shares.

Could someone shed some light on what the problem might be?

Cheers



CLIENT CONFIG:

client
dev tun
proto udp
remote craftyclown.ddns.net 1196
resolv-retry infinite
nobind
persist-key
persist-tun

ca ca.crt
cert laptop.crt
key laptop.key
ns-cert-type server
cipher AES-128-CBC
comp-lzo
verb 4
float


SERVER CONFIG:

push "route 192.168.1.0 255.255.255.0"
push "dhcp-option DNS 8.8.8.8"
server 10.8.0.0 255.255.255.0
dev tun2
proto udp
keepalive 10 120
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001
verb 5

CraftyClown
OpenVPN User
Posts: 43
Joined: Sat Nov 01, 2014 9:55 am

Re: How to access windows shares via OpenVPN

Post by CraftyClown » Sun Jun 12, 2016 2:14 pm

So I've discovered that allowing the netlogon service through the Windows firewall on the destination machine allows me to see my shares remotely.

Is this a massive security risk?

Still unsure exactly why I'm having this problem. As previously explained, all my Freenas CIFS shares work flawlessly, it's just these Windows 10 shares that need a workaround.

CraftyClown
OpenVPN User
Posts: 43
Joined: Sat Nov 01, 2014 9:55 am

Re: How to access windows shares via OpenVPN

Post by CraftyClown » Mon Jun 13, 2016 8:11 pm

Still trying to troubleshoot this myself, but having absolutely no joy :(

This particular Windows 10 machine with the shares I need to access can't even be pinged via OpenVPN.

Local network connections work fine, as does the aforementioned allowing of the netlogon service through the Windows 10 machine's firewall.

I'm totally baffled here and would really appreciate some pointers to help get to the bottom of it.

Cheers

int3nt
OpenVpn Newbie
Posts: 7
Joined: Fri Sep 05, 2014 4:02 pm

Re: How to access windows shares via OpenVPN

Post by int3nt » Mon Jun 13, 2016 9:16 pm

CraftyClown wrote: appreciate some pointers
:arrow:
CraftyClown wrote: I have no problems accessing the shares within my LAN, however I am unable to access them remotely through OpenVPN, unless I turn off Windows firewall on the Windows 10 machine that contains the shares

You want to learn about Windows 10 firewall?

CraftyClown
OpenVPN User
Posts: 43
Joined: Sat Nov 01, 2014 9:55 am

Re: How to access windows shares via OpenVPN

Post by CraftyClown » Mon Jun 13, 2016 9:30 pm

int3nt wrote:
CraftyClown wrote: appreciate some pointers
:arrow:
CraftyClown wrote: I have no problems accessing the shares within my LAN, however I am unable to access them remotely through OpenVPN, unless I turn off Windows firewall on the Windows 10 machine that contains the shares
You want to learn about Windows 10 firewall?

Well I'm glad my ignorance has entertained you ;)

I just want to understand why this Firewall issue is only present when accessing the shares via OpenVPN and whether there is an adjustment I can maybe make server side to prevent it?

As I mentioned before, my setup has worked fine for the past couple of years when my shares were on a Freenas box, but now I need to access a Windows box I'm struggling.

int3nt
OpenVpn Newbie
Posts: 7
Joined: Fri Sep 05, 2014 4:02 pm

Re: How to access windows shares via OpenVPN

Post by int3nt » Mon Jun 13, 2016 10:21 pm

Who said "ignorance" ..

You have pointed out exactly where the problem is .. Windows 10 Firewall ..

Just allow the packets from your VPN in your firewall .. or use NAT at your vpn server.

CraftyClown
OpenVPN User
Posts: 43
Joined: Sat Nov 01, 2014 9:55 am

Re: How to access windows shares via OpenVPN

Post by CraftyClown » Mon Jun 13, 2016 11:15 pm

int3nt wrote: Who said "ignorance" ..

You have pointed out exactly where the problem is .. Windows 10 Firewall ..

Just allow the packets from your VPN in your firewall .. or use NAT at your vpn server.

Ha ha, I said ignorance, because when it comes to this vpn business I'm a bit clueless :)

Could you explain what you mean by "Just allow the packets from your VPN in your firewall .. or use NAT at your vpn server"?

Thanks for your time

TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to access windows shares via OpenVPN

Post by TinCanTech » Tue Jun 14, 2016 1:35 pm

CraftyClown wrote: I just want to understand why this Firewall issue is only present when accessing the shares via OpenVPN

This is due to the source IP of packets from the VPN not being in the same subnet as the Windows machine.

Probably like this:
  • Windows 10 IP subnet : 192.168.0.0/24
  • VPN subnet : 10.8.0.0/24

So, Windows firewall blocks these packets .. unless you add a rule to the firewall to allow them.

CraftyClown wrote: and whether there is an adjustment I can maybe make server side to prevent it?

You can also use iptables NAT on the server .. documented here:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

CraftyClown
OpenVPN User
Posts: 43
Joined: Sat Nov 01, 2014 9:55 am

Re: How to access windows shares via OpenVPN

Post by CraftyClown » Tue Jun 14, 2016 2:47 pm

TinCanTech wrote:
CraftyClown wrote: I just want to understand why this Firewall issue is only present when accessing the shares via OpenVPN
This is due to the source IP of packets from the VPN not being in the same subnet as the Windows machine.

Probably like this:
  • Windows 10 IP subnet : 192.168.0.0/24
  • VPN subnet : 10.8.0.0/24
So, Windows firewall blocks these packets .. unless you add a rule to the firewall to allow them.
CraftyClown wrote: and whether there is an adjustment I can maybe make server side to prevent it?
You can also use iptables NAT on the server .. documented here:
HOWTO: Routing all client traffic (including web-traffic) through the VPN

Thanks TinCanTech,

That certainly makes sense.

I looked at the link you provided and added this line to the OpenVPN config: push "redirect-gateway def1"

Not sure if I understood that right though, as it has made no difference

Alternatively, what would I need to do to the Windows Firewall, to allow the packets that way?

Apologies if these are stupid questions

Thanks again

Rich

CraftyClown
OpenVPN User
Posts: 43
Joined: Sat Nov 01, 2014 9:55 am

Re: How to access windows shares via OpenVPN

Post by CraftyClown » Tue Jun 14, 2016 3:43 pm

Ok, scratch that, worked it out via Windows Firewall.

To help anyone else who is as clueless as I am and comes across this thread, the solution was to do the following.

1. Control panel
2. Windows Firewall
3. Advanced settings
4. Inbound rules
5. File and Printer sharing (SMB in)
6. Scope
7. Remote IP address (add)
8. Add subnet to the top box (which was in my case: 10.8.0.0/24)

Thanks for the help Int3nt and especially TinCanTech
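
The same scope change as the eight GUI steps above, scripted in PowerShell (an added example, not part of the original post). It assumes an elevated prompt, an English-language Windows 10 where the built-in rule is displayed as "File and Printer Sharing (SMB-In)", and the 10.8.0.0/24 tunnel subnet from the thread; it appends to the rule's existing remote scope instead of replacing it.

```powershell
#Requires -RunAsAdministrator
# Added example: let the VPN subnet reach the built-in SMB inbound rule
# without switching the firewall off or opening the rule to every address.
# 10.8.0.0/24 is the tunnel network from the thread; change it to match yours.
$VpnSubnet     = '10.8.0.0/24'
$VpnSubnetMask = '10.8.0.0/255.255.255.0'   # same network, as Windows may report it back
$RuleName      = 'File and Printer Sharing (SMB-In)'   # assumption: English display name

# The built-in rule exists in more than one copy (per profile); only enabled copies matter.
$rules = Get-NetFirewallRule -DisplayName $RuleName |
    Where-Object { $_.Enabled -eq 'True' }

foreach ($rule in $rules) {
    $current = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)

    if ($current -contains 'Any') {
        # Scope is already unrestricted; adding a subnet would change nothing.
        Write-Host "$($rule.Name): remote scope is Any, left unchanged"
        continue
    }
    if ($current -contains $VpnSubnet -or $current -contains $VpnSubnetMask) {
        Write-Host "$($rule.Name): VPN subnet already in scope"
        continue
    }

    # Keep whatever was there (usually LocalSubnet) and append the VPN subnet.
    Set-NetFirewallRule -Name $rule.Name -RemoteAddress ($current + $VpnSubnet)
    Write-Host "$($rule.Name): added $VpnSubnet"
}

# Show the resulting scope of every copy of the rule.
Get-NetFirewallRule -DisplayName $RuleName | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Name
        Profile       = $_.Profile
        Enabled       = $_.Enabled
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', '
    }
} | Format-Table -AutoSize
```

From a connected VPN client, `Test-NetConnection -ComputerName <share-host> -Port 445` (with `<share-host>` replaced by the Windows machine's LAN address) confirms that TCP 445 is now reachable through the tunnel.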

TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: How to access windows shares via OpenVPN

Post by TinCanTech » Tue Jun 14, 2016 3:47 pm

Thanks for sharing your solution 8-)

CraftyClown
OpenVPN User
Posts: 43
Joined: Sat Nov 01, 2014 9:55 am

Re: How to access windows shares via OpenVPN

Post by CraftyClown » Tue Jun 14, 2016 4:00 pm

TinCanTech wrote: Thanks for sharing your solution 8-)

No problem. I hope it helps someone else out.

Just out of interest, do you know where I was going wrong at the OpenVPN side? I tried: push "redirect-gateway def1"

TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: [Solved] How to access windows shares via OpenVPN

Post by TinCanTech » Tue Jun 14, 2016 4:39 pm

You were not doing anything wrong with openvpn ..

That link to the HOWTO shows how to use iptables NAT on your server.
--redirect-gateway will send all your client data over the VPN, which you need to decide if you need or not.

robag
OpenVpn Newbie
Posts: 1
Joined: Tue Oct 11, 2016 7:39 am

Re: [Solved] How to access windows shares via OpenVPN

Post by robag » Tue Oct 11, 2016 7:47 am

Hi,
and sorry not to be able to contribute to the discussion but only recently I set up my pfsense router and my OpenVPN connection.
CraftyClown wrote: Ok, so for the past couple of years I have been successfully using OpenVPN to access SMB shares on my Freenas server.

And unlike the OP I have a problem accessing my SMB shares. Without hijacking your thread could you please point me to a direction to find some help as googling gets me nowhere? [lie - I have found this by googling]

Thanks :)

TinCanTech
OpenVPN Protagonist
Posts: 5095
Joined: Fri Jun 03, 2016 1:17 pm

Re: [Solved] How to access windows shares via OpenVPN

Post by TinCanTech » Tue Oct 11, 2016 2:49 pm

robag wrote: could you please point me to a direction to find some help

Please see:
viewtopic.php?f=30&t=22603
