OpenVPN Server: no access to NAS and LAN clients

TheHellSite · March 15, 2019, 10:43pm

I can connect to my routers OpenVPN server, access its web page and ping its IP.
I can't access the SMB server running on my router.
I also can't access or ping any other lan clients.

config openvpn 'OpenVPN_Server'
	option dev_type 'tun'
	option dev 'tun_server'
	option proto 'udp'
	option port '1194'
	option tun_mtu '1500'
	option server '10.6.0.0 255.255.255.0'
	option topology 'subnet'
       	list push 'route 192.168.1.0 255.255.255.0'
	option ca '/etc/openvpn/server/ca.crt'
	option dh '/etc/openvpn/server/dh.pem'
	option tls_crypt '/etc/openvpn/server/tc.pem'
	option cert '/etc/openvpn/server/vpnserver.crt'
	option key '/etc/openvpn/server/vpnserver.key'
	option cipher 'AES-256-CBC'
	option auth 'SHA512'
	option tls_server '1'
	option tls_version_min '1.2'
	option tls_cipher 'TLS-DHE-RSA-WITH-AES-256-GCM-SHA384:TLS-DHE-RSA-WITH-AES-256-CBC-SHA256'
	option reneg_sec '1800'
	option reneg_bytes '64000000'
	option remote_cert_tls 'client'
	option log '/tmp/openvpn.log'
	option verb '3'
	option keepalive '10 60'
	option script_security '1'
	option persist_key '1'
	option persist_tun '1'
	option user 'nobody'
	option group 'nogroup'
	option enabled '1'

client
dev tun
proto udp
remote host 1194
resolv-retry infinite
nobind
persist-tun
persist-key
auth-nocache
remote-cert-tls server
cipher AES-256-CBC
auth SHA512
certs and stuff

config interface 'ovpn_server'
	option proto 'none'
	option ifname 'tun_server'

config rule
	option name 'Allow-OpenVPN-Server'
	option src 'wan'
	option target 'ACCEPT'
	option proto 'udp'
	option dest_port '1194'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'lan ovpn_server'

config forwarding
	option dest 'wan'
	option src 'lan'

sunnymonday · March 15, 2019, 10:48pm

Maybe my earlier post will help

vgaetera · March 15, 2019, 10:49pm

Verify that destination host firewall does not limit access to local subnet only.

[Solved] Accessing SMB share via WWAN

sunnymonday · March 15, 2019, 10:53pm

Yes, it is a layer 2 thingy. No matter what firewall settings you tweak, will get you connected to your NAS.

psherman · March 16, 2019, 2:22am

In the other thread (linked in @sunnymonday's initial reply in this thread), I commented that this is absolutely not true. In most cases it is recommended to use TUN, and that you just need a push directive to add the route to your remote devices (via the openvpn server push) so they know how to get back to your main network.

TheHellSite · March 16, 2019, 1:16pm

My firwall config is posted above. I don't think it does limit access to it.

Acccording to this I would only have to add my "tun_server" interface to the list and restart samba.
Doing this still doesn't allow my vpn clients to access my routers smb share.

vgaetera · March 16, 2019, 1:33pm

Your OpenWrt firewall configuration looks fine.
Destination host firewall often limits access to local subnet only.
Also verify that destination host uses OpenWrt as default gateway.

You should try to remove interface binding completely.
OpenVPN service doesn't interact properly with network service, so procd trigger for Samba may fail.

TheHellSite · March 16, 2019, 3:43pm

I am testing this with my iPhone. Which gives me almost no options.
But I guess it is not a firewall issue but rather something with the routes not being pushed properly.

Wouldn't this mean that my SMB share is available to wan?

psherman · March 16, 2019, 3:50pm

It should go without saying, but be sure you're using the cellular connection or testing from outside your network. Perform a trace route from your iPhone to various destinations. My order of testing is usually:

Network gateway on the VPN side (192.168.1.1 in your case)
An IP address on your LAN (something on 192.168.1.0/24)
An IP address on the internet (maybe 8.8.8.8)
A domain name on the internet (say google.com).

If you don't already have a trace route app on your iPhone, check the app store -- there are a bunch of good network utility apps there.

vgaetera · March 16, 2019, 3:56pm

Use tcpdump for troubleshooting.
Follow this thread as an example:
[Solved] Some traffic not being forwarded even though ports are open

No, because you don't plan to allow Samba in firewall WAN-zone.

Interface binding negatively affects fault tolerance.
Dropbear and uhttpd don't use interface binding by default.
Guess why.

TheHellSite · March 16, 2019, 10:52pm

Thank you all for the input and suggestions.
It has nothing to do with my server config, firewall or client config.
The problem is the openvpn client software for ios ..... I created a hotspot for my android tablet and now I can finally access all my other LAN clients.
I can also access my windows PCs smb share fine, of course only after allowing my vpn ip range in windows firewall.

One last thing that needs to be sorted out now.
I don't have access to my OpenVPN servers (192.168.1.1) SMB share.
I can open \\192.168.1.1\ with my android file browser, even tried it with a remote PC, but I just get a blank folder.
The problem also persists even after setting "bind interfaces only = no" in the smb config.

vgaetera · March 16, 2019, 11:04pm

netstat -l -n -p | grep -e smbd -e nmbd
cat /etc/samba/smb.conf

TheHellSite · March 16, 2019, 11:06pm

root@OPENWRT-ROUTER:~# netstat -l -n -p | grep -e smbd -e nmbd
tcp        0      0 127.0.0.1:139           0.0.0.0:*               LISTEN      2593/smbd
tcp        0      0 192.168.1.1:139         0.0.0.0:*               LISTEN      2593/smbd
tcp        0      0 127.0.0.1:445           0.0.0.0:*               LISTEN      2593/smbd
tcp        0      0 192.168.1.1:445         0.0.0.0:*               LISTEN      2593/smbd
tcp        0      0 fe80::2e0:67ff:fe12:fa6:139 :::*                    LISTEN      2593/smbd
tcp        0      0 ::1:139                 :::*                    LISTEN      2593/smbd
tcp        0      0 fe80::2e0:67ff:fe12:fa6:445 :::*                    LISTEN      2593/smbd
tcp        0      0 ::1:445                 :::*                    LISTEN      2593/smbd
udp        0      0 192.168.1.255:137       0.0.0.0:*                           2594/nmbd
udp        0      0 192.168.1.1:137         0.0.0.0:*                           2594/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           2594/nmbd
udp        0      0 192.168.1.255:138       0.0.0.0:*                           2594/nmbd
udp        0      0 192.168.1.1:138         0.0.0.0:*                           2594/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           2594/nmbd
unix  2      [ ACC ]     STREAM     LISTENING     790746 2594/nmbd           /var/nmbd/unexpected

root@OPENWRT-ROUTER:~# cat /etc/samba/smb.conf
[global]
        netbios name = OPENWRT-ROUTER
        display charset = UTF-8
        interfaces = lo br-lan  tun_server
        server string = OpenWrt
        unix charset = UTF-8
        workgroup = WORKGROUP
        bind interfaces only = yes
        deadtime = 30
        enable core files = no
        invalid users = root
        local master = no
        map to guest = Never
        min protocol = SMB2
        max protocol = SMB2
        min receivefile size = 16384
        null passwords = yes
        passdb backend = smbpasswd
        security = user
        smb passwd file = /etc/samba/smbpasswd
        use sendfile = yes
[nas]
        path = /mnt/ext_hdd
        valid users = nobody
        read only = no
        guest ok = no
        browseable = no

I changed the vpn server subnet to "192.168.173.0".

vgaetera · March 16, 2019, 11:10pm

It is still bound to the interfaces, disable it properly:
[Solved] Accessing SMB share via WWAN

TheHellSite · March 16, 2019, 11:13pm

I reenabled it, because it had no effect.

But here you go.

root@OPENWRT-ROUTER:~# netstat -l -n -p | grep -e smbd -e nmbd
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN      4897/smbd
tcp        0      0 0.0.0.0:445             0.0.0.0:*               LISTEN      4897/smbd
tcp        0      0 :::139                  :::*                    LISTEN      4897/smbd
tcp        0      0 :::445                  :::*                    LISTEN      4897/smbd
udp        0      0 192.168.0.255:137       0.0.0.0:*                           4898/nmbd
udp        0      0 192.168.0.2:137         0.0.0.0:*                           4898/nmbd
udp        0      0 192.168.1.255:137       0.0.0.0:*                           4898/nmbd
udp        0      0 192.168.1.1:137         0.0.0.0:*                           4898/nmbd
udp        0      0 0.0.0.0:137             0.0.0.0:*                           4898/nmbd
udp        0      0 192.168.0.255:138       0.0.0.0:*                           4898/nmbd
udp        0      0 192.168.0.2:138         0.0.0.0:*                           4898/nmbd
udp        0      0 192.168.1.255:138       0.0.0.0:*                           4898/nmbd
udp        0      0 192.168.1.1:138         0.0.0.0:*                           4898/nmbd
udp        0      0 0.0.0.0:138             0.0.0.0:*                           4898/nmbd
unix  2      [ ACC ]     STREAM     LISTENING     793141 4898/nmbd           /var/nmbd/unexpected
root@OPENWRT-ROUTER:~# cat /etc/samba/smb.conf
[global]
        netbios name = OPENWRT-ROUTER
        display charset = UTF-8
#       interfaces = lo br-lan
        server string = OpenWrt
        unix charset = UTF-8
        workgroup = WORKGROUP
#       bind interfaces only = yes
        deadtime = 30
        enable core files = no
        invalid users = root
        local master = no
        map to guest = Never
        min protocol = SMB2
        max protocol = SMB2
        min receivefile size = 16384
        null passwords = yes
        passdb backend = smbpasswd
        security = user
        smb passwd file = /etc/samba/smbpasswd
        use sendfile = yes
[nas]
        path = /mnt/ext_hdd
        valid users = nobody
        read only = no
        guest ok = no
        browseable = no

It is not listening to my vpn subnet 192.168.173.0
With interface binding disabled clients that aren't connected trough vpnserver can still access my smb share.

psherman · March 16, 2019, 11:18pm

Chances are that it will work if you change to a tun interface instead of tap. IOS and Android don’t support tap interfaces with OpenVPN.

TheHellSite · March 16, 2019, 11:19pm

Never changed it to tap.
It has always been tun in my vpn config.

vgaetera · March 16, 2019, 11:20pm

No need, because it is listening on 0.0.0.0 which answers all interfaces if firewall allows.
I guess, you have some Samba-specific or client-server compatibility issue.

psherman · March 16, 2019, 11:21pm

My bad! Getting confused across a few different threads!

TheHellSite · March 16, 2019, 11:57pm

I figured it out!!!!!! so happy now!!!

[nas]
	path = /mnt/ext_hdd
	valid users = nobody
	read only = no
	guest ok = no
	browseable = yes

I read trough some openvpn guides and found the solution!
To be able to reach an smb share that is running on the openvpn server itself, one has to set "browseable = yes" in /etc/samba/smb.conf for every share.

Or, if you don't want to do the above:
At the smb client. You can still access "smb:\HOSTNAME_or_IP", but this will result in a blank folder, if you haven't done the above.
But you can still access the shares by using the direct link, like so: "smb:\\HOSTNAME_or_IP\sharename"
So in my config this would be: "smb:\\OPENWRT-ROUTER_or_192.168.1.1_or_192.168.173.1\nas"

I hope this will help others!
Thanks again to everyone helping me out.