    SAMBA over OpenVPN working partially

    OpenVPN
    18 Posts 5 Posters 4.6k Views
    • D
      doktornotor Banned
      last edited by

      Have you disabled the Windows Firewall before testing?

      • DerelictD
        Derelict LAYER 8 Netgate
        last edited by

        Firewall rules are default too

        WAN says

        What does OpenVPN say - on both sides.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • I
          iampowerslave
          last edited by

          Windows Firewalls are all disabled.

          Derelict and divsys. Please direct me to a "how to" on how to dump what you want. I'm new to pfsense and freebsd. I have made extreme efforts to deal with some stuff but it will take me another light year to get what you are asking for. OpenVPN on the client side easily shows the log, but how do I pick up the log on the server side?

          How do I dump the OpenVPN config to show it to you?

          Thanks for following up.

          (PS: Please remember the same OpenVPN config works on Android)

          • D
            divsys
            last edited by

            The easiest way for me to post anything from a pfSense configuration (Server or Client) is to bring it up in my browser and then take a screenshot, save the shot to a file and attach the file to your message (Click on "Attachments and other options" at the bottom of the "Post reply" screen).

            That way we can see what you see when you work through pfSense and /or the logs.

            My instincts still say this is probably a Windows and not a pfSense problem.
            Usually by the time I can ping and/or VNC, SSH across the tunnel, I can ignore the OpenVPN setup as operational and troubleshoot the various devices in the setup.
            For me OpenVPN mostly just works with little fanfare.

            Eg.

            ![OpenVPN_ Client Export Utility.png](/public/imported_attachments/1/OpenVPN_ Client Export Utility.png)

            -jfp

            • I
              iampowerslave
              last edited by

              This is the client text on OpenVPN

              Mon Jun 01 13:33:54 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
              Mon Jun 01 13:33:54 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
              Mon Jun 01 13:34:02 2015 Control Channel Authentication: using '<mykey>' as a OpenVPN static key file
              Mon Jun 01 13:34:02 2015 UDPv4 link local (bound): [undef]
              Mon Jun 01 13:34:02 2015 UDPv4 link remote: [AF_INET]<myserverip>:1194
              Mon Jun 01 13:34:02 2015 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
              Mon Jun 01 13:34:05 2015 [<mycertificate>] Peer Connection Initiated with [AF_INET]<myserverip>:1194
              Mon Jun 01 13:34:07 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
              Mon Jun 01 13:34:07 2015 open_tun, tt->ipv6=0
              Mon Jun 01 13:34:07 2015 TAP-WIN32 device [Local Area Connection 2] opened: \.\Global{92CE4D7B-0919-4F17-A03C-A81F063F41FC}.tap
              Mon Jun 01 13:34:07 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.0.6/255.255.255.252 on interface {92CE4D7B-0919-4F17-A03C-A81F063F41FC} [DHCP-serv: 10.0.0.5, lease-time: 31536000]
              Mon Jun 01 13:34:07 2015 Successful ARP Flush on interface [26] {92CE4D7B-0919-4F17-A03C-A81F063F41FC}
              Mon Jun 01 13:34:12 2015 Initialization Sequence Completed

              Attached is the OpenVPN config.

              Capture1.PNG
              Capture2.PNG
              Capture3.PNG

              • D
                divsys
                last edited by

                That looks like what I'd expect to see in general.

                You blacked out the "IPv4 Local Networks" entry, normally this should be the internal LAN subnet.  What are you using for your LAN Addresses?
                As long as this is in the private address range (it'd better be!) it's internal to your network and no one can access it, there's no need to black out that info.

                What do you have under Firewall->Rules for WAN, LAN, and OpenVPN?

                -jfp

                • I
                  iampowerslave
                  last edited by

                  LAN is 192.34.34.0/24

                  Rules:

                  No floating rules

                  WAN:

                  BLOCK Block private networks
                  BLOCK Block bogon networks

                  | Action | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
                  |---|---|---|---|---|---|---|---|---|---|
                  | PASS | IPv4 UDP | * | * | WAN address | <port_number> | * | none | <empty> | OpenVPN FromWAN wizard |

                  LAN:

                  | Action | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
                  |---|---|---|---|---|---|---|---|---|---|
                  | PASS | * | * | * | LAN Address | 443 80 | * | * | <empty> | Anti-Lockout Rule |
                  | BLOCK | IPv4+6 * | * | * | WIFI net | * | * | none | <empty> | Block LAN to WIFI |
                  | BLOCK | IPv4 * | Server | * | This Firewall | * | * | none | <empty> | Block Server to Internet |
                  | PASS | IPv4 * | LAN net | * | * | * | * | none | <empty> | Default allow LAN to any rule |

                  WIFI (OPT1):

                  | Action | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
                  |---|---|---|---|---|---|---|---|---|---|
                  | BLOCK | IPv4+6 * | * | * | LAN net | * | * | none | <empty> | |
                  | PASS | IPv4+6 * | WIFI net | * | * | * | * | none | <empty> | |

                  OpenVPN:

                  | Action | Proto | Source | Port | Destination | Port | Gateway | Queue | Schedule | Description |
                  |---|---|---|---|---|---|---|---|---|---|
                  | PASS | IPv4 * | * | * | * | * | * | none | <empty> | OpenVPN FromWAN wizard |

                  NAT:

                  | Interface | Source | Source Port | Destination | Destination Port | NAT Address | NAT Port | Static Port | Description |
                  |---|---|---|---|---|---|---|---|---|
                  | WAN | 127.0.0.0/8 | * | * | 500 | WAN address | * | YES | Autocreated rule for ISAKMP - localhost to WAN |
                  | WAN | 127.0.0.0/8 | * | * | * | WAN address | * | NO | Autocreated rule - localhost to WAN |
                  | WAN | 192.168.2.0/24 | * | * | 500 | WAN address | * | YES | Autocreated rule for ISAKMP - OPT1 to WAN |
                  | WAN | 192.168.2.0/24 | * | * | * | WAN address | * | NO | Autocreated rule - OPT1 to WAN |
                  | LAN | 10.0.0.0/24 | * | * | * | LAN address | * | NO | |

                  I guess that's about it.

                  It was OK when I did VPN with Kerio VPN (and a Kerio Control instead of pfSense)

                  • D
                    divsys
                    last edited by

                    Ok, a couple of things:

                    LAN is 192.34.34.0/24

                    Really? Your LAN address is assigned as a public address for "Converged Technology Group Inc." Do you work for them?
                    If not (and even if so) DO NOT USE A PUBLIC ADDRESS FOR YOUR INTERNAL LAN. This won't end well, just ask around.

                    Most of your rules seem reasonable except for the ones that are (I hope) mistyped:

                    BLOCK IPv4* Server * This Firewall * * none <empty>Block Server to Internet

                    "Block IPv4 protocol from any address to the port alias "Server" destined for any address with a port alias "This Firewall" any gateway any queue no schedule"

                    I'm guessing this is meant to block traffic from some server on your LAN to the WAN, but what you wrote doesn't do that.

                    Can you just post the applicable screen shots and save us all the grief of dealing with typos?

                    The other thing that looks odd is the NAT line for LAN to 10.0.0.0/24.  Are you trying to forward OpenVPN traffic to LAN?  You shouldn't, that's not needed for a properly configured OpenVPN setup.

                    Again, without a proper post of all the rules, it's pretty hard to tell.

                    PS. Your previous screenshots worked just fine, I suggest you repeat that method for the WAN/LAN/WIFI/OpenVPN and NAT rules.

                    -jfp

                    • I
                      iampowerslave
                      last edited by

                      Yes. The LAN is a legacy address. I'll change that.

                      The server to wan blocking rule is intentional and wasn't there before.

                      Even without that rule the samba does not work. It wasn't there when I started the thread.

                      The NAT line for 10.0.0.0/24 is a question from another post

                      My SIP does not work from OpenVPN if that rule is not there.

                      A change in the local address space to 10.34.34.0/24 instead of 192 would be correct?

                      • I
                        iampowerslave
                        last edited by

                        Well thanks for the help.

                        Changing the local IP address to 10.x.x.x made it work for the remote computer to get to the sambas behind the firewall through OpenVPN.

                        The strange thing was that Android could. It seems it changes how each host resolves, and it seems that my home Windows host was resolving on its own to the real 192.34.34.x, while when I had Kerio the route was forced otherwise.

                        The SIP still does not work without a NAT rule though.

                        • D
                          divsys
                          last edited by

                          Glad you got it going.

                          10.34.34.0/24 is a great choice for the subnet.
                          I was going to wait till a little later to mention that 10.0.0.0/24 is technically correct for a tunnel subnet, but by best practices it's considered a poor choice.
                          192.168.0.0/24,192.168.1.0/24 and 10.0.0.0/24 are often "default" subnets that get (over)used and can lead to hidden problems later on (or now).
                          It helps to isolate out your problems using unique subnets, something like 10.43.0.0/24 for the OpenVPN tunnel would be a better choice.

                          I understand about stepping into "legacy" setups and trying to pick up the pieces.

                          When people ask questions on the Forum we invariably "ask for better/more information" not because we're trying to be picky or aggravating, but because we know that many (most) of the scenarios presented can be solved quite quickly with the right information.

                          It means that when you ask questions, you need to be prepared with a thick enough skin to handle the answer ;)

                          As to the SIP issue, start another thread and we can handle that - but I bet one of the first responses will be for a screen shot of your firewall/NAT rules :)

                          -jfp

                          • I
                            iampowerslave
                            last edited by

                            I can (and will) change the OpenVPN address following your recommendation. But what is so bad about 10.0.0.0?

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              10.0.0.0/24 is the first subnet and a common one to use.. Same with 192.168.0 and 192.168.1; they are the most common ones used. What does every SOHO router default to for its LAN? What does pfSense, for example, default to for its LAN?

                              Using the common networks can lead to issues when you're trying to VPN from a network that has the same local network that you're trying to VPN to..

                              If you're 10.0.0.0/24 on your VPN server side and you happen to be in a location that uses 10.0.0.0/8, it's kind of hard to route down the VPN when your interface is locally in that network.

                              I rarely ever had any problems since I mostly just VPN in from work to home; my main LAN was 192.168.1.0/24 – but on the wifi network they were using this.. so I changed my home LAN to be 192.168.9.0/24, which is less commonly used.. so I have .2 and .3 and .4 and .5 along with my .9 segment.. you don't see .2 and above all that often in the 192.168 space.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

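The two addressing pitfalls raised in this thread (a LAN carved out of public address space, and a tunnel or remote LAN that collides with whatever network the road-warrior client happens to be on) can be checked before a client ever connects. The script below is an added example written for this thread; it is not pfSense or OpenVPN code and nothing in the thread ships it. It uses only Python's standard `ipaddress` module. The client-side subnets (192.168.0.0/24 and 10.0.0.0/8) are constructed assumptions standing in for "the network the client is sitting on"; the server-side subnets are the ones discussed above.

```python
"""Sanity-check an OpenVPN addressing plan for the two pitfalls raised in this
thread: an internal LAN in public address space, and subnets that collide with
the network the client is connected from.

Added example for this thread; not pfSense or OpenVPN code. The client-side
subnets used in run_thread_scenarios() are constructed assumptions."""
from ipaddress import ip_network
from typing import List, Optional

# The three RFC 1918 private blocks; a subnet outside all of them is public space.
RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)


def is_rfc1918(net: str) -> bool:
    """True when the whole subnet lies inside a single RFC 1918 block."""
    n = ip_network(net)
    return any(n.subnet_of(block) for block in RFC1918)


def overlap_verdict(pushed: str, local: str) -> Optional[str]:
    """Explain what happens on the client when a route pushed by the VPN server
    overlaps the client's own local network. The routing table picks the
    longest matching prefix, so only the relative prefix lengths matter."""
    p, l = ip_network(pushed), ip_network(local)
    if not p.overlaps(l):
        return None
    if p.prefixlen > l.prefixlen:
        # Tunnel wins for the pushed range, but local hosts in that range vanish.
        return (f"{p} is more specific than the local {l}: traffic enters the "
                f"tunnel, but local hosts inside {p} become unreachable")
    if p.prefixlen == l.prefixlen:
        # Equal prefixes: the choice falls to interface metric, which varies by OS.
        return (f"{p} is the same size as the local {l}: the winner depends on "
                f"interface metric, so behaviour differs between clients")
    # Pushed route is less specific: the local interface route always wins.
    return (f"{p} is less specific than the local {l}: the local route wins and "
            f"the tunnel never carries traffic for {l}")


def check_plan(client_local: str, tunnel: str, remote_lans: List[str]) -> List[str]:
    """Return findings for one plan; an empty list means it looks clean."""
    findings: List[str] = []
    if not is_rfc1918(tunnel):
        findings.append(f"tunnel {tunnel} is public address space; use an RFC 1918 subnet")
    verdict = overlap_verdict(tunnel, client_local)
    if verdict:
        findings.append("tunnel " + verdict)
    for lan in remote_lans:
        if not is_rfc1918(lan):
            findings.append(f"remote LAN {lan} is public address space; use an RFC 1918 subnet")
        if ip_network(lan).overlaps(ip_network(tunnel)):
            findings.append(f"remote LAN {lan} overlaps the tunnel {tunnel}")
        verdict = overlap_verdict(lan, client_local)
        if verdict:
            findings.append("remote LAN " + verdict)
    return findings


def run_thread_scenarios() -> dict:
    """Constructed scenarios: the thread's original plan, the fixed plan, and the
    overlap case johnpoz describes. The client's own subnet is assumed."""
    return {
        # Original: public 192.34.34.0/24 LAN behind a 10.0.0.0/24 tunnel.
        "original": check_plan("192.168.0.0/24", "10.0.0.0/24", ["192.34.34.0/24"]),
        # Fixed: unique private subnets on both sides, as recommended above.
        "fixed": check_plan("192.168.0.0/24", "10.43.0.0/24", ["10.34.34.0/24"]),
        # Client at a site using 10.0.0.0/8 while the tunnel is 10.0.0.0/24.
        "johnpoz_case": check_plan("10.0.0.0/8", "10.0.0.0/24", ["10.34.34.0/24"]),
    }


if __name__ == "__main__":
    for name, findings in run_thread_scenarios().items():
        print(f"{name}: {findings or 'no findings'}")
```

Run it as-is to see the three scenarios; to check your own plan, call `check_plan()` with the subnet the client is connecting from, the tunnel subnet, and the list of networks the server pushes. The "original" plan flags only the public LAN, the "fixed" plan reports nothing, and the 10.0.0.0/8 case shows why a /24 tunnel inside a site's /8 still routes but silently shadows part of that site.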
                              • I
                                iampowerslave
                                last edited by

                                Understood!!!

                                THANKS!

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.