I can connect to my router's OpenVPN server, access its web page and ping its IP.
I can't access the SMB server running on my router.
I also can't access or ping any other LAN clients.
client
dev tun
proto udp
remote host 1194
resolv-retry infinite
nobind
persist-tun
persist-key
auth-nocache
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
certs and stuff
config interface 'ovpn_server'
	option proto 'none'
	option ifname 'tun_server'

config rule
	option name 'Allow-OpenVPN-Server'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1194'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan ovpn_server'

config forwarding
	option dest 'wan'
	option src 'lan'
In the other thread (linked in @sunnymonday's initial reply in this thread), I commented that this is absolutely not true. In most cases it is recommended to use TUN, and that you just need a push directive to add the route to your remote devices (via the openvpn server push) so they know how to get back to your main network.
My firewall config is posted above. I don't think it does limit access to it.
According to this I would only have to add my "tun_server" interface to the list and restart samba.
Doing this still doesn't allow my VPN clients to access my router's SMB share.
Your OpenWrt firewall configuration looks fine.
Destination host firewall often limits access to local subnet only.
Also verify that destination host uses OpenWrt as default gateway.
You should try to remove interface binding completely.
OpenVPN service doesn't interact properly with network service, so procd trigger for Samba may fail.
I am testing this with my iPhone, which gives me almost no options.
But I guess it is not a firewall issue but rather something with the routes not being pushed properly.
Wouldn't this mean that my SMB share is available to wan?
It should go without saying, but be sure you're using the cellular connection or testing from outside your network. Perform a trace route from your iPhone to various destinations. My order of testing is usually:
Network gateway on the VPN side (192.168.1.1 in your case)
An IP address on your LAN (something on 192.168.1.0/24)
Thank you all for the input and suggestions.
It has nothing to do with my server config, firewall or client config. The problem is the OpenVPN client software for iOS ... I created a hotspot for my Android tablet and now I can finally access all my other LAN clients.
I can also access my Windows PC's SMB share fine, of course only after allowing my VPN IP range in Windows Firewall.
One last thing that needs to be sorted out now. I don't have access to my OpenVPN server's (192.168.1.1) SMB share.
I can open \\192.168.1.1\ with my Android file browser, even tried it with a remote PC, but I just get a blank folder.
The problem also persists even after setting "bind interfaces only = no" in the smb config.
It is not listening to my vpn subnet 192.168.173.0
With interface binding disabled, clients that aren't connected through the VPN server can still access my SMB share.
No need, because it is listening on 0.0.0.0 which answers all interfaces if firewall allows.
I guess, you have some Samba-specific or client-server compatibility issue.
[nas]
	path = /mnt/ext_hdd
	valid users = nobody
	read only = no
	guest ok = no
	browseable = yes
I read through some OpenVPN guides and found the solution!
To be able to reach an SMB share that is running on the OpenVPN server itself, one has to set "browseable = yes" in /etc/samba/smb.conf for every share.
Or, if you don't want to do the above:
At the SMB client, you can still access "smb:\\HOSTNAME_or_IP", but this will result in a blank folder if you haven't done the above.
But you can still access the shares by using the direct link, like so: "smb:\\HOSTNAME_or_IP\sharename"
So in my config this would be: "smb:\\OPENWRT-ROUTER_or_192.168.1.1_or_192.168.173.1\nas"
I hope this will help others!
Thanks again to everyone helping me out.
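The two Samba settings discussed in this thread (interface binding and per-share "browseable") can be checked together. The following is an added example, not part of any post above: a small smb.conf audit whose [global] values and [backup] share are constructed for illustration, with audit_smb_conf as a hypothetical helper name.

```python
import configparser

# Constructed sample modelled on the [nas] share posted in the thread; the
# [global] values and the [backup] share are assumptions for this example.
SAMPLE_SMB_CONF = """
[global]
interfaces = lo br-lan
bind interfaces only = yes

[nas]
path = /mnt/ext_hdd
valid users = nobody
read only = no
guest ok = no
browseable = yes

[backup]
path = /mnt/ext_hdd/backup
browseable = no
"""

TRUE_WORDS = {"yes", "true", "1", "on"}

def audit_smb_conf(text, vpn_ifname):
    """Return findings on why VPN clients may not see or reach Samba shares."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    def flag(section, key, default):
        return cp.get(section, key, fallback=default).strip().lower() in TRUE_WORDS
    findings = []
    # Simplification: "interfaces" entries are compared by name only;
    # address/mask entries and wildcards are not expanded here.
    ifaces = cp.get("global", "interfaces", fallback="").split()
    if flag("global", "bind interfaces only", "no"):
        if vpn_ifname not in ifaces:
            findings.append(f"smbd bound to {ifaces}; {vpn_ifname} is not served")
    else:
        findings.append("smbd listens on all interfaces; the firewall is the only filter")
    for share in cp.sections():
        if share.lower() == "global":
            continue
        if not flag(share, "browseable", "yes"):
            findings.append(f"[{share}] hidden from share listing; reachable only by direct path")
        if flag(share, "guest ok", "no"):
            findings.append(f"[{share}] allows guest access")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_smb_conf(SAMPLE_SMB_CONF, "tun_server")))
```

With binding switched off the audit reports that only the firewall zones separate the share from other networks, which is the point raised in the question about WAN exposure.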