OpenWrt Forum Archive

Topic: OpenVPN Samba Problem

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hey all,

I've got bit of a long question that I've been struggling with today. Hopefully some samba/openvpn expert here can spot the problem.

I've split the wireless and wired bridge on my router to give out 192.168.10.x IP's to wired hosts and 192.168.20.x IP's to wireless hosts. After setting up the firewall to work with this setup, I realized that windows file sharing wouldn't work without the router as a WINS server. So I set that up and it worked fine. Wired and wireless hosts can see each other on the workgroup browser.

Now...I've set up openvpn on the router as well. It's running in routing mode with certificates and handing out 192.168.30.x/30 IP's to hosts. The VPN works perfectly fine. The problems are with cross-vpn file sharing:

-> Hosts in the wired/wireless subnets only see each other in the workgroup browser, not the hosts in the VPN.
-> Hosts in the VPN subnet only see each other in the workgroup browser, not the wired/wireless hosts.
-> Hosts in the VPN can access all hosts directly by name (i.e. \\computername) but hosts in the wired/wireless subnet can only access hosts in the VPN subnet by IP (i.e. \\192.168.30.6)

Firewalls are disabled on all hosts for testing purposes. All hosts have the same workgroup set.

/etc/openvpn/server.conf:

# network
port 1194
proto udp
dev tun
server 192.168.30.0 255.255.255.0
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway"
push "dhcp-option WINS 192.168.10.1"

# certificate and keyfiles
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh.pem
tls-auth /etc/openvpn/shared.key

#misc
keepalive 10 120
status /tmp/openvpn.status

/etc/samba/smb.conf:

[global]
 syslog = 0
 syslog only = yes
 workgroup = WORKGROUP
 server string = OpenWrt Samba Server
 security = share
 encrypt passwords = yes
 guest account = nobody
 domain master = yes
 local master = yes
 preferred master = yes
 wins support = yes
 name resolve order = wins lmhosts hosts bcast
 browse list = yes
 remote browse sync = 192.168.10.255 192.168.20.255 192.168.30.255
 remote announce = 192.168.10.255/WORKGROUP 192.168.20.255/WORKGROUP 192.168.30.255/WORKGROUP
 os level = 250

/etc/firewall.user:

#!/bin/sh
# Copyright (C) 2006 OpenWrt.org

WIFI=`uci get network.wifi.ifname`
WAN=`uci get network.wan.ifname`
LAN=`uci get network.lan.ifname`
VPN=tun0

iptables -F input_rule
iptables -F output_rule
iptables -F forwarding_rule
iptables -t nat -F prerouting_rule
iptables -t nat -F postrouting_rule

# The following chains are for traffic directed at the IP of the
# WAN interface

iptables -F input_wan
iptables -F forwarding_wan
iptables -t nat -F prerouting_wan

# Allow WIFI to access WAN
iptables -A FORWARD -i $WIFI -o $WAN -j ACCEPT

# Allow communication between LAN AND WIFI
iptables -A FORWARD -i $WIFI -o $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $WIFI -j ACCEPT

# Allow communication between LAN AND VPN
iptables -A FORWARD -i $VPN -o $LAN -j ACCEPT
iptables -A FORWARD -i $LAN -o $VPN -j ACCEPT

# Allow communication between WIFI AND VPN
iptables -A FORWARD -i $VPN -o $WIFI -j ACCEPT
iptables -A FORWARD -i $WIFI -o $VPN -j ACCEPT

# Allow outside access to VPN
iptables -t nat -A prerouting_wan -p udp --dport 1194 -j ACCEPT
iptables        -A input_wan      -p udp --dport 1194 -j ACCEPT

# Forwarding for VPN
iptables -A INPUT   -i tun+ -j ACCEPT
iptables -A FORWARD -i tun+ -j ACCEPT

# Allow outside access to dropbear
iptables -t nat -A prerouting_wan -p tcp --dport 22 -j ACCEPT
iptables        -A input_wan      -p tcp --dport 22 -j ACCEPT

Thanks! Any help is appreciated.

By default, the Windows XP SP2 firewall only allows packets from the same subnet to access the SMB/CIFS server.

Are they Windows hosts?

So if the VPN works perfectly fine, all the expected pings go through?

Is it in bridged or routed mode? iptables -A FORWARD -i $WIFI -o $WAN -j ACCEPT suggests routed.

exobyte wrote:

By default, the Windows XP SP2 firewall only allows packets from the same subnet to access the SMB/CIFS server.

Firewalls on all computers are disabled.


exobyte wrote:

Are they Windows hosts?

Yes, all computers are running Windows.


exobyte wrote:

So if the VPN works perfectly fine, all the expected pings go through?

Yes, all computers can ping each other.


exobyte wrote:

Is it in bridged or routed mode?

The VPN is in routed mode.


Perhaps I wasn't very clear. The LAN/WIFI subnets can see and access each other flawlessly (cross-subnet file-sharing works fine). The problems are that:

-> LAN/WIFI hosts cannot see VPN hosts in the workgroup browser (Network Places -> Entire Network -> MS Windows Network -> Workgroup)
-> VPN hosts cannot see LAN/WIFI hosts in the workgroup browser
-> VPN hosts can access LAN/WIFI hosts directly by name but LAN/WIFI hosts can only access VPN hosts by IP.

(Last edited by hexdump on 10 Jul 2007, 04:22)

This shouldn't make a difference, but have you tried getting this to work with Samba under a full Linux distro? You'll probably have better luck getting help from a Samba forum/mailing list/IRC channel.

I have a feeling you might have problems with SMB and interface binding.  Look at interfaces (G) in man smb.conf.

In my config, I have

eth0      Link encap:Ethernet  HWaddr 00:...:66
          inet addr:10.10.0.1  Bcast:10.15.255.255  Mask:255.240.0.0
          UP BROADCAST RUNNING PROMISC MULTICAST  MTU:1500  Metric:1
          RX packets:1879925 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2205440 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:421163595 (401.6 MiB)  TX bytes:1537955424 (1.4 GiB)
          Base address:0x2800

and

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.16.0.1  P-t-P:10.16.0.2  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:55993 errors:0 dropped:0 overruns:0 frame:0
          TX packets:55797 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4831060 (4.6 MiB)  TX bytes:3184243 (3.0 MiB)

By default, samba binds to broadcastable interfaces.  tun0 is not broadcastable.

-> LAN/WIFI hosts cannot see VPN hosts in the workgroup browser (Network Places -> Entire Network -> MS Windows Network -> Workgroup)

That would be explained.  The hosts never register with the server.

-> VPN hosts cannot see LAN/WIFI hosts in the workgroup browser

That's explained- Windows might do a broadcast to find other hosts in the subnet, so LAN/WIFI hosts can't be seen

-> VPN hosts can access LAN/WIFI hosts directly by name but LAN/WIFI hosts can only access VPN hosts by IP.

VPN hosts have a NetBIOS name server they can query.  It knows the names of LAN/WIFI hosts.  It, however, doesn't know the names of VPN hosts, so LAN/WIFI have to do it by IP.

(Last edited by exobyte on 10 Jul 2007, 19:22)

I think my issue would be solved by the "topology subnet" feature in OpenVPN.

It's available in the 2.1_rc4 release of OpenVPN and also as a patch to the 2.0.9 release.

Any chance this could be included in the next version of OpenWRT?

Oops- I forgot about this.

I doubt it, and I'm still 90% sure that the problem is with what interfaces Samba is listening on.  Does forcing Samba to listen on tun0 work?

How are VPN clients set up, do they have their own WINS server? Perhaps you'd need to sync browse lists if you have 2 WINS servers...

exobyte wrote:

Oops- I forgot about this.

I doubt it, and I'm still 90% sure that the problem is with what interfaces Samba is listening on.  Does forcing Samba to listen on tun0 work?

Well, like you said, tun0 is not broadcastable so I don't think I can force samba to listen on it...can I (I'll try tomorrow and see)? The thing is, with "topology subnet" each VPN client gets its own IP and tun0 becomes broadcastable.

gulikoza wrote:

How are VPN clients set up, do they have their own WINS server? Perhaps you'd need to sync browse lists if you have 2 WINS servers...

One WINS server: the OpenWRT router.

Made no difference when I tried to force samba to listen on tun0.

Any other ideas?
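To make the two points of this thread concrete (exobyte's observation that Samba only binds broadcast-capable interfaces by default, and hexdump's hope that "topology subnet" changes the picture), here is an added example that is not from the thread or from any poster. It models the router's interfaces, OpenVPN's default net30 client addressing versus "topology subnet", and checks whether the 192.168.30.255 target in the posted `remote announce` line is ever the broadcast address of a VPN client. Interface names, addresses and the smb.conf snippet are constructed for the example; it only shows the addressing mismatch, and whether a directed broadcast actually crosses a tun interface is a separate question the thread leaves open.

```python
"""Model why NetBIOS browsing breaks across a routed OpenVPN tunnel.

Added example, not code from the thread. It reproduces two points made above:
  1. Samba's default interface list contains only broadcast-capable,
     non-loopback interfaces, so a point-to-point tun0 is skipped unless it is
     listed explicitly in `interfaces` with `bind interfaces only = yes`.
  2. Under OpenVPN's default net30 topology each client lives in its own /30,
     so its broadcast address is not 192.168.30.255 and `remote announce`
     datagrams sent there never match a client's own subnet; `topology subnet`
     places every client in one /24 that shares a broadcast address.
All interface data and the smb.conf snippet below are constructed.
"""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass(frozen=True)
class Iface:
    name: str
    addr: str             # "address/prefix" as seen on the host
    flags: frozenset      # e.g. {"BROADCAST"} or {"POINTOPOINT"}


def samba_default_interfaces(ifaces):
    """Interfaces Samba enables when smb.conf has no `interfaces` line:
    every active interface that is broadcast-capable, except loopback."""
    return [i.name for i in ifaces
            if "BROADCAST" in i.flags
            and not IPv4Interface(i.addr).ip.is_loopback]


def net30_clients(server_net, count):
    """Client addresses under net30: the first /30 of the pool belongs to the
    server; each client gets the next /30 and uses its higher host address
    (the lower one is the server-side endpoint, e.g. .6 paired with .5)."""
    net = IPv4Network(server_net)
    blocks = list(net.subnets(new_prefix=30))[1:1 + count]
    return [IPv4Interface(f"{b.network_address + 2}/30") for b in blocks]


def subnet_clients(server_net, count):
    """Client addresses under `topology subnet`: the server takes the first
    host address, clients take the following ones within the same prefix."""
    net = IPv4Network(server_net)
    hosts = list(net.hosts())[1:1 + count]
    return [IPv4Interface(f"{h}/{net.prefixlen}") for h in hosts]


def remote_announce_targets(smb_conf):
    """Extract the broadcast targets from a `remote announce = a.b.c.d/WG ...`
    line (the /WORKGROUP suffix is optional in Samba's syntax)."""
    m = re.search(r"^\s*remote announce\s*=\s*(.+)$", smb_conf, re.M)
    if not m:
        return []
    return [IPv4Address(tok.split("/")[0]) for tok in m.group(1).split()]


def announce_reaches(target, client_ifaces):
    """True if `target` is the directed broadcast of some client's own subnet."""
    return any(c.network.broadcast_address == target for c in client_ifaces)


# Constructed smb.conf fragment mirroring the thread's remote announce line.
SMB_CONF = """[global]
 workgroup = WORKGROUP
 wins support = yes
 remote announce = 192.168.10.255/WORKGROUP 192.168.20.255/WORKGROUP 192.168.30.255/WORKGROUP
"""

# Constructed router interfaces mirroring the thread's layout (names assumed).
ROUTER_IFACES = [
    Iface("lo",   "127.0.0.1/8",     frozenset({"LOOPBACK"})),
    Iface("eth0", "192.168.10.1/24", frozenset({"BROADCAST"})),
    Iface("wl0",  "192.168.20.1/24", frozenset({"BROADCAST"})),
    Iface("tun0", "192.168.30.1/32", frozenset({"POINTOPOINT"})),
]


def report(topology="net30", clients=2):
    """Summarise what each topology means for Samba binding and announcements."""
    pick = net30_clients if topology == "net30" else subnet_clients
    client_ifaces = pick("192.168.30.0/24", clients)
    vpn_target = IPv4Address("192.168.30.255")
    return {
        "samba_binds": samba_default_interfaces(ROUTER_IFACES),
        "clients": [str(c) for c in client_ifaces],
        "client_broadcasts": [str(c.network.broadcast_address) for c in client_ifaces],
        "announce_targets": [str(t) for t in remote_announce_targets(SMB_CONF)],
        "announce_reaches_vpn": announce_reaches(vpn_target, client_ifaces),
    }


if __name__ == "__main__":
    for topo in ("net30", "subnet"):
        print(topo, report(topo))
```

Running it shows tun0 absent from Samba's default binding list in both cases, net30 clients at 192.168.30.6/30 and .10/30 whose broadcast addresses are .7 and .11 (so the .255 announce target never matches them), and "topology subnet" clients at .2/24 and .3/24 sharing the .255 broadcast. Listing tun0 explicitly in `interfaces` with `bind interfaces only = yes` addresses only the first point; the addressing mismatch is a property of the tunnel topology.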

Visit the Samba forums, IRC channels, and mailing lists.

Switching from routed to bridged VPN will also work, but bridged networks can slow things down.

I already posted to the Samba mailing list and the OpenVPN mailing list. No replies.

How hard would it be to cross-compile OpenVPN-2.1_rc4 (which includes the "topology subnet" patch) to test out my theory?

The easiest way would be to apply the 2.0.x patch to the openwrt code, but crosscompiling, once you get a cross compiler, is pretty easy.  The biggest pain is making sure gcc isn't called, but instead the cc version.

Hi Hexdump,

You could try this to have Samba bind more than one IP interface (bind interfaces only = Yes)

Example 4.1. Server: MASSIVE (PDC), File: /etc/samba/smb.conf
( http://us4.samba.org/samba/docs/man/Sam … users.html )
# Global parameters
[global]
workgroup = MEGANET
netbios name = MASSIVE
interfaces = eth1, br0 , tun0
bind interfaces only = Yes
passdb backend = tdbsam
smb ports = 139
~~~
preferred master = Yes
wins support = Yes
~~~

The discussion might have continued from here.