Netgate Discussion Forum
    SAMBA over OpenVPN working partially

    Category: OpenVPN. 18 posts, 5 posters, 4.9k views.
    iampowerslave

      This is the client text on OpenVPN

      Mon Jun 01 13:33:54 2015 OpenVPN 2.3.6 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [PKCS11] [IPv6] built on Mar 19 2015
      Mon Jun 01 13:33:54 2015 library versions: OpenSSL 1.0.1m 19 Mar 2015, LZO 2.08
      Mon Jun 01 13:34:02 2015 Control Channel Authentication: using '<mykey>' as a OpenVPN static key file
      Mon Jun 01 13:34:02 2015 UDPv4 link local (bound): [undef]
      Mon Jun 01 13:34:02 2015 UDPv4 link remote: [AF_INET]<myserverip>:1194
      Mon Jun 01 13:34:02 2015 WARNING: this configuration may cache passwords in memory – use the auth-nocache option to prevent this
      Mon Jun 01 13:34:05 2015 [<mycertificate>] Peer Connection Initiated with [AF_INET]<myserverip>:1194
      Mon Jun 01 13:34:07 2015 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
      Mon Jun 01 13:34:07 2015 open_tun, tt->ipv6=0
      Mon Jun 01 13:34:07 2015 TAP-WIN32 device [Local Area Connection 2] opened: \\.\Global\{92CE4D7B-0919-4F17-A03C-A81F063F41FC}.tap
      Mon Jun 01 13:34:07 2015 Notified TAP-Windows driver to set a DHCP IP/netmask of 10.0.0.6/255.255.255.252 on interface {92CE4D7B-0919-4F17-A03C-A81F063F41FC} [DHCP-serv: 10.0.0.5, lease-time: 31536000]
      Mon Jun 01 13:34:07 2015 Successful ARP Flush on interface [26] {92CE4D7B-0919-4F17-A03C-A81F063F41FC}
      Mon Jun 01 13:34:12 2015 Initialization Sequence Completed

      Attached is the OpenVPN config.


      divsys

        That looks like what I'd expect to see in general.

        You blacked out the "IPv4 Local Networks" entry; normally this should be the internal LAN subnet. What are you using for your LAN addresses?
        As long as this is in the private address range (it'd better be!) it's internal to your network and no one can access it, so there's no need to black out that info.

        What do you have under Firewall->Rules for WAN, LAN, and OpenVPN?

        -jfp

        iampowerslave

          LAN is 192.34.34.0/24

          Rules:

          No floating rules

          WAN:
          BLOCK Block private networks
          BLOCK Block bogon networks
          PASS IPv4 UDP * * WAN address <port_number>* none <empty>OpenVPN FromWAN wizard

          LAN
          PASS * * * LAN Address 443 80 * * <empty>Anti-Lockout Rule
          BLOCK IPv4+6* * * WIFI net * * none <empty>Block LAN to WIFI
          BLOCK IPv4* Server * This Firewall * * none <empty>Block Server to Internet
          PASS IPv4* LAN net * * * * none <empty>Default allow LAN to any rule

          WIFI (OPT1)
          BLOCK IPv4+6* * * LAN net * * none <empty>
          PASS IPv4+6* WIFI net * * * * none <empty>OpenVPN
          PASS IPv4* * * * * * none <empty>OpenVPN FromWAN wizard

          NAT:
          WAN 127.0.0.0/8 * * 500 WAN address * YES Autocreated rule for ISAKMP - localhost to WAN
          WAN 127.0.0.0/8 * * * WAN address * NO Autocreated rule - localhost to WAN
          WAN 192.168.2.0/24 * * 500 WAN address * YES Autocreated rule for ISAKMP - OPT1 to WAN
          WAN 192.168.2.0/24 * * * WAN address * NO Autocreated rule - OPT1 to WAN
          LAN 10.0.0.0/24 * * * LAN address * NO

          I guess that's about it.

          It was OK when I did VPN with Kerio VPN (and a Kerio Control instead of pfSense).

          divsys

            Ok, a couple of things:

            LAN is 192.34.34.0/24

            Really? Your LAN address is assigned as a public address for "Converged Technology Group Inc." Do you work for them?
            If not (and even if so) DO NOT USE A PUBLIC ADDRESS FOR YOUR INTERNAL LAN. This won't end well, just ask around.

            Most of your rules seem reasonable except for the ones that are (I hope) mistyped:

            BLOCK IPv4* Server * This Firewall * * none <empty>Block Server to Internet

            "Block IPv4 protocol from any address to the port alias "Server" destined for any address with a port alias "This Firewall" any gateway any queue no schedule"

            I'm guessing this is meant to block traffic from some server on your LAN to the WAN, but what you wrote doesn't do that.

            Can you just post the applicable screen shots and save us all the grief of dealing with typos?

            The other thing that looks odd is the NAT line for LAN to 10.0.0.0/24.  Are you trying to forward OpenVPN traffic to LAN?  You shouldn't, that's not needed for a properly configured OpenVPN setup.

            Again, without a proper post of all the rules, it's pretty hard to tell.

            PS. Your previous screenshots worked just fine, I suggest you repeat that method for the WAN/LAN/WIFI/OpenVPN and NAT rules.

            -jfp

            iampowerslave

              Yes. The LAN is a legacy address. I'll change that.

              The server to wan blocking rule is intentional and wasn't there before.

              Even without that rule the samba does not work. It wasn't there when I started the thread.

              The NAT line for 10.0.0.0/24 is a question from another post.

              My SIP does not work from OpenVPN if that rule is not there.

              A change in the local address space to 10.34.34.0/24 instead of 192 would be correct?

              iampowerslave

                Well thanks for the help.

                Changing the local IP address to 10.x.x.x made it work for the remote computer to get to the sambas behind the firewall through OpenVPN.

                The strange thing was that Android could. It seems it changes how each host resolves, and it seems that my home Windows host was resolving on its own to the real 192.34.34.x, while when I had Kerio the route was forced otherwise.

                The SIP still does not work without a NAT rule though.

                divsys

                  Glad you got it going.

                  10.34.34.0/24 is a great choice for the subnet.
                  I was going to wait till a little later to mention that 10.0.0.0/24 is technically correct for a tunnel subnet, but by best practices it's considered a poor choice.
                  192.168.0.0/24, 192.168.1.0/24 and 10.0.0.0/24 are often "default" subnets that get (over)used and can lead to hidden problems later on (or now).
                  It helps to isolate your problems by using unique subnets; something like 10.43.0.0/24 for the OpenVPN tunnel would be a better choice.

                  I understand about stepping into "legacy" setups and trying to pick up the pieces.

                  When people ask questions on the Forum we invariably "ask for better/more information" not because we're trying to be picky or aggravating, but because we know that many (most) of the scenarios presented can be solved quite quickly with the right information.

                  It means that when you ask questions, you need to be prepared with a thick enough skin to handle the answer ;)

                  As to the SIP issue, start another thread and we can handle that, but I bet one of the first responses will be for a screen shot of your firewall/NAT rules :)

                  -jfp

                  iampowerslave

                    I can (and will) change the OpenVPN address following your recommendation. But what is so bad about 10.0.0.0?

                    johnpoz (Global Moderator)

                      10.0.0.0/24 is the first subnet and common to use. Same with 192.168.0 and 192.168.1; they are the most common ones used. What does every SOHO router default to for its LAN? What does pfSense, for example, default to for its LAN?

                      Using the common networks can lead to issues when you're trying to VPN from a network that has the same local network that you're trying to VPN to.

                      If you're 10.0.0.0/24 on your VPN server side and you happen to be in a location that uses 10.0.0.0/8, it's kind of hard to route down the VPN when your interface is locally in that network.

                      I rarely ever had any problems since I mostly just VPN in from work to home; my main LAN was 192.168.1.0/24, but on the wifi network they were using this, so I changed my home LAN to be 192.168.9.0/24, which is less commonly used. So I have .2 and .3 and .4 and .5 along with my .9 segment; you don't see .2 and above all that often in the 192.168 space.

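The subnet advice in divsys's and johnpoz's posts above, as an added example that is not from the thread: it checks whether a LAN block is actually RFC 1918 space, reports overlaps with the over-used default subnets, and uses longest-prefix route selection to show why a 10.0.0.0/24 tunnel misbehaves for a client sitting on a 10.0.0.0/8 network. The client routing table, the interface names and the 10.0.0.1 local gateway are constructed for illustration.

```python
import ipaddress

# RFC 1918 private blocks: an internal LAN should sit entirely inside one.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# The "default" subnets the posts describe as over-used (constructed list).
COMMON_DEFAULTS = [ipaddress.ip_network(n) for n in
                   ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")]


def is_rfc1918(cidr):
    """True only if the whole block lies inside an RFC 1918 range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


def overlapping(cidr, others=COMMON_DEFAULTS):
    """Subnets in `others` that overlap `cidr` in either direction."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(o) for o in others if net.overlaps(o)]


def pick_route(dst, routes):
    """Longest-prefix match over (cidr, interface) pairs, the way a host's
    routing table chooses; returns the winning interface or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, iface in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def client_routes(tunnel_cidr):
    """Constructed client table: default route and a 10.0.0.0/8 local
    network on wlan0, plus the tunnel subnet pushed by the VPN server."""
    return [("0.0.0.0/0", "wlan0"), ("10.0.0.0/8", "wlan0"),
            (tunnel_cidr, "tun0")]


if __name__ == "__main__":
    print(is_rfc1918("192.34.34.0/24"), is_rfc1918("10.34.34.0/24"))
    print(overlapping("10.0.0.0/24"), overlapping("10.43.0.0/24"))
    # The local gateway 10.0.0.1 (constructed) now matches the more specific
    # tunnel route, so traffic meant for the local network enters the tunnel.
    print(pick_route("10.0.0.1", client_routes("10.0.0.0/24")))
    # With the recommended unique tunnel subnet the local gateway stays local.
    print(pick_route("10.0.0.1", client_routes("10.43.0.0/24")))
```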

                      iampowerslave

                        Understood!!!

                        THANKS!
