Remote Access of KSMBD and Authentication Error

Hi everyone! So previously, I was using DDNS and SSH to access my AVM FritzBox 7530 router running OpenWrt v25.12.0-rc4 (just updated). However, I decided to set up a WireGuard server to access all of the resources connected to my router, such as my HDD, my ISP router (in bridge mode), my Torrent application, etc. This way I would not need to set up many port forwards and could access everything just as if I were connected to my network at home.

Anyway, long story short, I am currently able to connect to the WG server and also access my router and my Torrent application on my Android phone. However, when I try to access the SMB server through VLC it asks for my login credentials for the network shares (that’s normal) but refuses to go beyond that. Every time, it refuses to accept those credentials which I have previously used to access my SMB server.

As I am sitting in a remote location (I am not able to use my laptop for WG server connection), I asked my wife to turn on the laptop at home and I connected to it through Anydesk and I was able to see that the laptop was able to access those SMB shares normally and no error for username or password.

So I am wondering why the VLC won’t connect to the remote SMB share when I am connected to the WG server. Any ideas?

I am sharing my configs below:

cat /etc/config/ksmbd

# /etc/config/ksmbd as posted: global ksmbd settings followed by two shares.
config globals
option workgroup 'WORKGROUP'
option description 'Ksmbd on OpenWrt'
# The service is tied to the 'lan' interface. Clients coming in over the
# WireGuard server arrive on wg0 (firewall zone 'vpn'), not on 'lan'.
# NOTE(review): check whether this interface restriction, rather than the
# password, is why the remote login fails -- TODO confirm.
option interface 'lan'

# Share on /mnt/sda1: writable and open to guests, so no credentials are
# required to change its contents from any client that can reach the service.
config share
option name 'Openwrt File Server'
option path '/mnt/sda1'
option read_only 'no'
option guest_ok 'yes'
# Masks 0666/0777 permit read/write for owner, group and others on files and
# directories created through the share.
option create_mask '0666'
option dir_mask '0777'

# Share on /mnt/sda2: guests refused, access limited to the 'root' user.
# NOTE(review): this makes the root account's SMB password the only barrier;
# a dedicated unprivileged SMB user would limit what a leaked password exposes.
config share
option name 'Data'
option path '/mnt/sda2'
option read_only 'no'
option guest_ok 'no'
option create_mask '0666'
option dir_mask '0777'
option users 'root'

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option packet_steering '0'
        option dhcp_default_duid '000498ce20052b454090827451b5460b4b0b'

config atm-bridge 'atm'
        option vpi '0'
        option vci '103'
        option encaps 'llc'
        option payload 'bridged'
        option nameprefix 'dsl'

config dsl 'dsl'
        option annex 'a'
        option ds_snr_offset '0'

config device
        option name 'br-lan'
        option type 'bridge'
        option stp '1'
        option ipv6 '0'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'lan1.20'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.1.1'

config device
        option name 'dsl0'

config interface 'wan'
        option device 'br-wan'
        option proto 'pppoe'
        option username 'XXXX'
        option password 'XXXX'
        option ipv6 '1'
        option peerdns '0'
        option metric '1024'
        option keepalive '3 10'
        list dns '8.8.8.8'
        list dns '8.8.4.4'

config interface 'ptcl'
        option proto 'dhcp'
        option device 'lan1'
        option defaultroute '0'

config device
        option type 'bridge'
        option name 'br-wan'
        list ports 'lan1.10'
        list ports 'dsl0.10'

config device
        option type 'bridge'
        option name 'br-guest'
        option bridge_empty '1'
        list ports 'dsl0.20'
        list ports 'lan1.20'
        option igmp_snooping '1'

# WireGuard interface with an imported peer configuration; it has a remote
# endpoint, so the router appears to act as a client of that endpoint.
# Keys are redacted in the post.
config interface 'wgvpn0'
        option proto 'wireguard'
        option private_key 'XXXXX'
        list dns '10.2.0.1'
        list addresses '10.2.0.3/32'

config wireguard_wgvpn0
        option description 'Imported peer configuration'
        option public_key 'XXXX'
        # 0.0.0.0/0 and ::/0: the peer is accepted for any IPv4/IPv6 address.
        list allowed_ips '0.0.0.0/0'
        list allowed_ips '::/0'
        option endpoint_host '185.177.125.4'
        option endpoint_port '51820'

# WireGuard server used for remote access to the home network: listens on
# UDP 51820 and holds 10.0.0.1 in 10.0.0.0/24. This subnet differs from the
# LAN subnet 192.168.1.0/24.
config interface 'wg0'
        option proto 'wireguard'
        option private_key 'XXXXX'
        option listen_port '51820'
        list addresses '10.0.0.1/24'

config wireguard_wg0
        option description 'My Peer 1'
        option public_key 'XXXX'
        # NOTE(review): the peer's private key is stored on the router next to
        # its public key. The server side only needs the public key; anyone who
        # can read this file could impersonate the peer, so consider removing
        # this option once the client has been provisioned.
        option private_key 'XXXX'
        # The peer is limited to the single tunnel address 10.0.0.10.
        list allowed_ips '10.0.0.10/32'
        option endpoint_port '51820'
        option persistent_keepalive '25'

cat /etc/config/firewall

# Default policy: inbound and forwarded traffic is rejected unless a zone or
# rule allows it; traffic originating from the router is accepted.
config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'

# LAN zone: fully trusted (input, output and forward are all ACCEPT).
config zone 'lan'
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

# WAN zone: inbound and forwarded traffic is rejected unless a rule or
# redirect allows it, and outbound traffic is masqueraded. The WireGuard
# interface wgvpn0 is placed in this untrusted zone together with 'wan' and
# 'ptcl'; the WireGuard server wg0 is not listed here.
config zone 'wan'
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'ptcl'
        list network 'wan'
        list network 'wgvpn0'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

# Forwards IPsec ESP packets arriving from wan to hosts in lan.
# NOTE(review): this rule and Allow-ISAKMP below let IPsec traffic from the
# internet reach LAN hosts; if no LAN host terminates IPsec they are
# candidates for removal -- TODO confirm.
config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

# Forwards UDP port 500 (ISAKMP/IKE) arriving from wan to hosts in lan.
config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

# Port forwards (DNAT) from the WAN side. The post says the WireGuard server
# was set up to avoid port forwards, yet these are still present in the pasted
# config.
# NOTE(review): each forward below is reachable from the internet without the
# VPN. Once WireGuard access works, removing them reduces the exposed surface.

# WAN port 65501 -> SSH on the router itself (192.168.1.1:22).
# A non-standard external port does not keep scanners from finding SSH;
# key-only authentication is what protects it while the forward exists.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Remote Access Router'
        option family 'ipv4'
        option src 'wan'
        option src_dport '65501'
        option dest_ip '192.168.1.1'
        option dest_port '22'

# WAN port 65502 -> SSH on 192.168.1.254 (named as an access point).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Remote Access AP254'
        option family 'ipv4'
        option src 'wan'
        option src_dport '65502'
        option dest_ip '192.168.1.254'
        option dest_port '22'

# WAN port 65503 -> SSH on 192.168.1.253 (named as an access point).
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Remote Access AP253'
        option family 'ipv4'
        option src 'wan'
        option src_dport '65503'
        option dest_ip '192.168.1.253'
        option dest_port '22'

# WAN port 65504 -> port 80 on 192.168.10.1, the ISP router.
# NOTE(review): port 80 is presumably the ISP router's web admin page served
# over unencrypted HTTP; credentials entered through this forward would cross
# the internet in clear text -- confirm and prefer reaching it over the VPN.
config redirect
        option dest 'wan'
        option target 'DNAT'
        option name 'Remote Access ISP Router'
        option src 'wan'
        option src_dport '65504'
        option dest_ip '192.168.10.1'
        option dest_port '80'

# WAN port 65512 -> port 65512 on the router (torrent application).
# NOTE(review): if this is the client's web/RPC interface rather than its
# peer port, it should not face the internet -- confirm which one it is.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Remote Access Router Torrent'
        option family 'ipv4'
        option src 'wan'
        option src_dport '65512'
        option dest_ip '192.168.1.1'
        option dest_port '65512'

# WAN port 65511 -> port 65511 on the laptop at 192.168.1.135.
config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Ahmar Laptop Torrent'
        option src 'wan'
        option src_dport '65511'
        option dest_ip '192.168.1.135'
        option dest_port '65511'

config forwarding
        option src 'lan'
        option dest 'wan'

config include 'pbr'
        option fw4_compatible '1'
        option type 'script'
        option path '/usr/share/pbr/firewall.include'

# Zone for the WireGuard server interface wg0.
# input ACCEPT: connected VPN peers may reach every service running on the
# router itself, which is the path an SMB connection to the router's ksmbd
# takes.
# masq '1': traffic leaving through wg0 is source-NATed.
# mtu_fix '1': MSS clamping is already enabled for this zone.
# NOTE(review): a VPN peer is as trusted as a LAN host here; if a phone or
# its key is lost, remove that peer from the wg0 configuration.
config zone
        option name 'vpn'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'wg0'

# VPN peers may reach hosts in the LAN.
config forwarding
        option src 'vpn'
        option dest 'lan'

# VPN peers may reach the WAN zone through the router.
config forwarding
        option src 'vpn'
        option dest 'wan'

# LAN hosts may open connections towards VPN peers.
config forwarding
        option src 'lan'
        option dest 'vpn'

# Accepts UDP 51820 from the WAN side on the router itself; this matches the
# listen_port of wg0 and is the only inbound port the VPN needs.
config rule
        option src 'wan'
        option name 'Wireguard Incoming'
        list proto 'udp'
        option dest_port '51820'
        option target 'ACCEPT'

If you guys need any logs and such, please let me know. Thanks in advance.
EDIT: A little cleanup of the config already pasted.

From the description I'd say you need to enable MSS fixup (checkbox) in the wg firewall zone.
Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Screenshot 2025-10-20 at 8.14.14 PM

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/dhcp
cat /etc/config/firewall

The WireGuard server's subnet, from which your phone connects, is of course different from your home subnet.
On your NAS or other appliance on the home network that you are connecting to, you have to adjust its firewall to allow the WireGuard server's subnet.
Alternatively, enable masquerading on the lan zone; you can do that selectively for the WireGuard server's subnet.

I have already pasted the output of cat /etc/config/firewall and cat /etc/config/network. The wg0 interface is the WireGuard server config that I added today in order to connect to my home network, and vpn is the firewall zone for it. Following the instructions from the OpenWrt wiki, I have set up the network correctly: I am able to connect to it and can also ping / see various services such as the Transmission Torrent client, ping the router, change its config at its internal IP of 192.168.1.1, etc.

I already explained that when I try to access the SMB server it does connect to it but just not able to authenticate the username and password through VLC. I think the problem may be related to ksmbd. However, locally in my home, my laptop is able to connect to the server without any issue with the same username and password.

Anyhow, here is the output of ubus call system board:

root@MainRouter:~# ubus call system board
{
        "kernel": "6.12.66",
        "hostname": "MainRouter",
        "system": "ARMv7 Processor rev 5 (v7l)",
        "model": "AVM FRITZ!Box 7530",
        "board_name": "avm,fritzbox-7530",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0-rc4",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32534-12374d88b9",
                "target": "ipq40xx/generic",
                "description": "OpenWrt 25.12.0-rc4 r32534-12374d88b9",
                "builddate": "1769726182"
        }
}

cat /etc/config/dhcp

root@MainRouter:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        list addnmount '/var/run/pbr.dnsmasq'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option force '1'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/odhcpd.leases'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'
        option piodir '/tmp/odhcpd-piodir'
        option hostsdir '/tmp/hosts'

config host
        option name 'AhmarAftab-RA'
        option ip '192.168.1.181'
        option leasetime 'infinite'
        list match_tag 'known'
        option instance 'cfg01411c

wg has to be in a different zone than wan or lan to get connections back.

Yes, wg0 has been assigned the zone vpn. It is different from LAN and WAN.