OpenVPN to Network Shares: Question



  • I have a customer for whom I would like to install pfSense 2.1 and OpenVPN on his network. They currently have a Windows 2008 server with multiple shares.
    When the VPN is connected, does the VPN connection show all shares? Or is there a way to have only specific shares available to the client?

    Thank you
    Kell



  • I had a think about this a while ago and couldn't see how to do it. Once you open up access between the client(s) on the VPN and the Windows Server ports for file sharing, the client can see all the file shares. In principle, doing it would require either:
    a) Fancy L7 filtering that can inspect the packets back and forth to see which ones are for which shares.
    or
    b) Features on Windows Server that would allow the admin to make a file share that is only shared to particular IP subnet(s).

    I didn't find either :(

    But if someone else has a trick to do this, I would also be interested.



  • Hi Phil,

    Seems like there would be a slightly easier way to do this… Hoping for a solution or thoughts from others on this topic… It would make my life a little easier!

    Kell



  • The VPN gives the user basic IP connectivity to whatever subnet you give them access to… just as if they were in the office. So, if they are trusted with all the shares in the office, why aren't they trusted with them over the VPN? Can you elaborate on why you (or the client) want things restricted this way?

    Access to the shares is configured via share permissions on the server, so the user either has access to the share or they don't, regardless of how they connect (LAN or VPN). I.e., once the user connects to the server, they will be presented with the shares they are permitted to see. The VPN is not involved here.

    I do not think Windows Server has the ability to restrict access to shares by IP, so you couldn't control it that way. There are a couple of things that could be done... but they will probably overcomplicate things:

    • Put the shares on a linux or NAS box that can be restricted by IP

    • Block your VPN subnet from the server except for port 22, set up SFTP and restrict access on a per-user basis.

    • If there is a SAN, move the data to a SAN volume and present the volume to a 2nd server, configure a 2nd set of shares only for VPN users and instruct users to go to that 2nd server when they are on the VPN. Obviously the 2nd half of this would be to block the VPN subnet from the main server.



  • Thank you for the reply Marvosa,

    I am utilizing the permissions from the Windows server. Just a little confusion on my part, and probably a lack of sleep, that made me overthink the VPN connectivity to the server.
    Just an FYI… pfSense / OpenVPN works really well and I am COMPLETELY happy with the performance!!!

    Thank you again for the help!
    Sincerely,
    Kell



  • Now I remember my reason for not wanting some shares to work across the VPN. We have a backup share where laptops automatically do a backup at lunchtime (if they are turned on and on the LAN). The backup share is accessed by an automatic job on the client laptop. There are also other shares on the server that the ordinary user uses.
    When they go to another office, they need to use the user shares remotely across the VPN. But when the backup job starts up at lunchtime, I don't want it to succeed and saturate the VPN with a backup to their home site.
    I don't think there is going to be a way to fix this with firewall rules or Windows Server settings. I might have to think some more about making a DNS alias name for the server, making that alias only resolve at the home site, and making the backup job use that alias. Then it should fail when the laptop is away from its "home site".
    Anyway, not a pfSense issue, but it may be doable with a DNS Forwarder Host Override (extra name) at the home site.
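The site-only DNS alias idea in the post above, written out as a client-side backup job. This is an added example, not code from the thread or from pfSense: it assumes a hypothetical alias backup-home.corp.lan that only the home site's pfSense DNS Forwarder answers (via a Host Override) and that resolves there to the hypothetical address 192.168.10.5, and a hypothetical share \\backup-home.corp.lan\LaptopBackups. The job flushes the laptop's DNS cache, asks the DNS protocol only (no hosts file, no LLMNR/NetBIOS fallback) and runs robocopy only if the alias resolves to the expected on-site address; anywhere else, including over the VPN at another office, the lookup fails or returns something else and the job exits without touching the network.

```powershell
# Added example (not from the original thread): gate a scheduled backup job on a
# DNS alias that only the home site's DNS Forwarder can resolve.
# All names and addresses below are hypothetical placeholders.
param(
    [string]$Alias      = 'backup-home.corp.lan',                 # hypothetical site-only alias
    [string]$ExpectedIp = '192.168.10.5',                         # hypothetical on-site server address
    [string]$Share      = '\\backup-home.corp.lan\LaptopBackups', # hypothetical backup share
    [string]$Source     = "$env:USERPROFILE\Documents"            # what this laptop backs up
)

$ErrorActionPreference = 'Stop'

function Test-HomeSite {
    param([string]$Name, [string]$Ip)

    # Drop cached answers so a record learned at the office before leaving
    # cannot satisfy the check from the road within its TTL.
    ipconfig /flushdns | Out-Null

    try {
        # -DnsOnly: no LLMNR/NetBIOS fallback; -NoHostsFile: a hosts entry on the
        # laptop cannot fake the answer. Off-site the forwarder there has no
        # override, so this throws (NXDOMAIN) and we return $false.
        $answers = Resolve-DnsName -Name $Name -Type A -DnsOnly -NoHostsFile
    }
    catch {
        return $false
    }

    # Require the exact on-site address, not merely "something resolved":
    # a wildcard or split-horizon answer elsewhere must not pass.
    return [bool]($answers | Where-Object { $_.IPAddress -eq $Ip })
}

function Invoke-LaptopBackup {
    param([string]$From, [string]$To)

    # /MIR mirrors the source tree into the share; /R and /W keep a flaky
    # path from stalling the job. Robocopy exit codes below 8 mean success.
    & robocopy.exe $From $To /MIR /R:1 /W:1 /NP | Out-Null
    return ($LASTEXITCODE -lt 8)
}

if (-not (Test-HomeSite -Name $Alias -Ip $ExpectedIp)) {
    Write-Output "Not at home site ($Alias did not resolve to $ExpectedIp); skipping backup."
    exit 0   # a clean skip, so Task Scheduler does not report the run as failed
}

if (Invoke-LaptopBackup -From $Source -To $Share) {
    Write-Output "Backup to $Share completed."
    exit 0
}
else {
    Write-Output "Backup to $Share failed (robocopy exit code $LASTEXITCODE)."
    exit 1
}
```

Two caveats for anyone trying this: the check is a convenience guard against accidental VPN saturation, not a security boundary (a user who edits the script can run the backup anywhere), and the alias must be one that the remote office's own resolver really does not answer, which is why the example compares the resolved address against the expected on-site one rather than trusting any successful lookup.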

