WinXP OpenVPN client connects but is unable to access share

bobodod · Jul 22, 2011, 2:44 PM

Should I move this to a different subforum?

bobodod · Jul 22, 2011, 7:20 PM

Actually, I think that's probably as far as I can get in a forum setting. There's just on-site troubleshooting to be done now.

CMB, thanks much for your time and for confirming my OpenVPN config.

johnpoz · Jul 22, 2011, 7:59 PM

Ok going to have to look up this bug #125 in 2.2.1 because I am using it just fine.

So here at work, on XP box - and connected via openvpn road warrior into my pfsense box (2.1-DEVELOPMENT (i386))

I don't have any issues accessing the pfsense webui through the vpn, nor do I have any access with shares on boxes on the other side of my vpn. Now you will have to auth to them, which you might have an issue if you say just run \ipaddress

So you can see in attached, pinging - then net view says access denied, so I auth and then good can view and access the share just fine via unc, or can map a drive letter, etc. etc.

Now I have not used 1.2.3 in quite some time, is there some reason you don't/cant run the 2.0? But as I recall I never had a problem with doing this on 1.2.3 either.

Can you post what happens via doing the same sort of thing I did in the attached image?

For completeness I just checked the version of openvpn on my pfsense box
[2.1-DEVELOPMENT][admin@pfsense.local.lan]/root(10): openvpn –version
OpenVPN 2.2.0 i386-portbld-freebsd8.1 [SSL] [LZO2] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Jul 6 2011
Originally developed by James Yonan
Copyright (C) 2002-2010 OpenVPN Technologies, Inc. sales@openvpn.netBTW how would that bug come into play?? Is the 125 your talking about? https://community.openvpn.net/openvpn/ticket/125
Build CA is broken in Windows on version 2.2 release

/sales@openvpn.net

bobodod · Jul 22, 2011, 8:05 PM

Thanks, John. I'll try those things and reply.

No, there's no reason I'm using 1.2.3 over 2.0, except that I'm a newbie and the book covers 1.2.3. I'm comfortable enough now that I could upgrade it.

That's right about bug 125 stopping me because I ran easy-rsa on the client and couldn't run "build-ca.bat". Now, though, I would run it on the pfSense box. So I could upgrade that, too.

johnpoz · Jul 22, 2011, 8:15 PM

I would just move to the 2.0 line, I think its not far from being released. As you can see I moved to the 2.1 development they moved the IPv6 stuff there. I would highly recommend that if you want to play with ipv6.

Man its been awhile since I was on 1.2.3, I think I moved over to 2 on one of the early betas, I know it was well before the RCs – to be honest is been pretty freaking solid, couple of hickups with commits that caused some issues now and then -- but overall I have been very very pleased with it!!

If you move over to the 2.0 stuff I can be of more help in getting your openvpn working, I use it daily from work to my home network - solid as a rock.. Even using it over a http proxy currently and still rock solid performance.

rkleivel · Aug 30, 2011, 11:23 AM

Hi!
Apparently I have much of the same problem…
My goal is to have my Road Warriors getting the same experience as if they were inside the firewall.

System: pfsense 2.0 RC3
Client config:

dev tun
persist-tun
persist-key
proto tcp
cipher BF-CBC
tls-client
client
resolv-retry infinite
remote xx.xxx.xx.xxx 1194
tls-remote yyyyyyyyyy
auth-user-pass
ca pfSense-tcp-1194-ca.crt
tls-auth pfSense-tcp-1194-tls.key 1

OpenVPN connects fine both from windows (with OpenVPN client) and osx (tunnelblick client)
I am able to ping servers (with IP-address) on my LAN from Road Warrior
I am able to open web-addresses on my LAN from Road Warrior (e.g. the pfsense configurator)
I'm however not able to map a network drive from windows, nor from osx with smb
Ping on hostname does not work (UPDATE: solved with DNS-settings)
mstsc to LAN with IP works (UPDATE: also works after editing DNS-settings)

Example:
I have a XP-computer with some shares on my lan, 192.168.8.100:

C:\Users\Roald>net view \\192.168.8.100
Systemfeil 53 har oppstått. (System error 53)

Nettverksbanen ble ikke funnet. (Path not found)

C:\Users\Roald>ping 192.168.8.100

Pinger 192.168.8.100 med 32 byte data:
Svar fra 192.168.8.100: byte=32 tid=142ms TTL=127
Svar fra 192.168.8.100: byte=32 tid=160ms TTL=127
Svar fra 192.168.8.100: byte=32 tid=148ms TTL=127
Svar fra 192.168.8.100: byte=32 tid=87ms TTL=127

Until recently I used the Endian Community firewall, and there this worked fine. I abandoned Endian for other reasons though.

Thankful for any hint :)

rkleivel · Sep 3, 2011, 6:46 AM

No idea? Anybody?

Cry Havok · Sep 3, 2011, 8:31 AM

Try using tap (bridge) instead of tun (routing).

MoBO · Sep 13, 2011, 9:02 AM

Hi,

I get a similar problem but only related to the name resolution.

@rkleivel : what did you set on the DNS settings to make the name resolution to work ?

@Cry Havok : I tried to set "tap" instead of "tun" but I'm NOT able to connect at all !

Thanks

Cry Havok · Sep 13, 2011, 10:22 AM

Do you get an IP address from the LAN DHCP server?

Are you in the same IP range? Can you connect from another computer on the LAN?

MoBO · Sep 14, 2011, 5:24 PM

@Cry : Not sure these questions are for me but…

1. Using "tun" I'm able to connect without problem
2. Once "in"...
2.1 I'm able to ping everything on every LAN
2.2 I.m able to access resources from the file manager with \ipadress_share_

Actually, what I'm NOT able to do and cause me trouble is accessing resource with the "netbios" name.
Let's imagine I do have the following machine ;

Name : server
IP : 192.168.1.100
Share : datas

Using : \192.168.1.100\datas -> Works !
Using : \server\datas -> Don't Work !

Looks like a simple issue but give me a lot of problems.
According rkleivel it can be solved with the DNS !

Actually, my networks are setup like this ;

Local LAN : 192.168.1.0/24
Remote VPN : 10.0.8.0/24
Remote LAN : 192.168.0.0/24

I added a picture of the remote VPN configuration of the network.
As you will see, I added both DNS server (VPN & RemoteLAN) but still not working.

johnpoz · Sep 14, 2011, 5:34 PM

well it would make sense that you would not resolve netbios via broadcast methods over a vpn. Your traffic is routed, not bridged so broadcast traffic would never get from your remote network to your segment on the other side of the vpn.

Yes dns would be a way of resolving name, or a wins server or host/lmhost file on your clients, etc.

so example, connected currently to my home network via openvpn from work. my popcorn box, I can not view it by netbios name pch. 53 = can not find.

If I use dns, then it works pch.local.lan and I get error 5 access denied. So I auth and then I can view, etc..


D:\>net view \\pch
System error 53 has occurred.

The network path was not found.

D:\>net view \\pch.local.lan
System error 5 has occurred.

Access is denied.

D:\>net view \\192.168.1.99
System error 5 has occurred.

Access is denied.

D:\>net use \\pch.local.lan\ipc$ /u:pch\nmt 1234
The command completed successfully.

D:\>net view \\pch.local.lan
Shared resources at \\pch.local.lan

SMP8634 Share

Share name  Type  Used as  Comment

------------------------------------------------------
share       Disk
The command completed successfully.