Author Topic: Samba shares over VPN  (Read 14249 times)

Barrydocks

  • Zen Warrior
  • ***
  • Posts: 145
  • Karma: +4/-0
    • View Profile
Samba shares over VPN
« on: January 09, 2011, 09:39:32 pm »
Having difficulty accessing samba shares via a VPN.  The Windows client connects OK to VPN and obtains the appropriate IP but I cannot browse the samba shares.  I can access the zentyal dashboard via the browser on the VPN IP address. 

I have opened the inward VPN port on the fire wall and the outward port is enabled as "any service" to "any port".  I have tried disabling the windows firewall which made no difference.  
I have PAM enabled to give real local user accounts.

The documentation here http://doc.zentyal.org/en/vpn.html?highlight=vpn says:
Quote
Also, to browse shared files from the VPN [3] you must explicitly allow the broadcast traffic of the Samba server.
 but I am not sure how to do this?

Also do I need to open any other ports either on the firewall or the router other than for the VPN?
Does the zentyal server need to be a PDC?
Does the remote windows PC need to be in the same workgroup or domain as the zentyal VPN server?

The remote PC is connecting through a HTTP proxy, will this make a difference?

Grateful for any help, I think I'm very close to making it work!
Thanks

« Last Edit: January 10, 2011, 11:57:19 am by Barrydocks »

Josep

  • Zen Samurai
  • ****
  • Posts: 255
  • Karma: +6/-0
    • View Profile
Re: Samba shares over VPN
« Reply #1 on: January 10, 2011, 01:08:50 pm »
After connecting via VPN, can you browse the shares in the server by name or IP?
Say that your server is named EBOX and its IP is 10.0.0.5, can you browse \\EBOX? Can you browse \\10.0.0.5?
Give it a try and post back your results.
If you can browse with the latter, then it's a DNS issue, otherwise there is some routing issue.

Sam Graf

  • Guest
Re: Samba shares over VPN
« Reply #2 on: January 10, 2011, 05:57:37 pm »
Also do I need to open any other ports either on the firewall or the router other than for the VPN?
Does the zentyal server need to be a PDC?
Does the remote windows PC need to be in the same workgroup or domain as the zentyal VPN server?

The remote PC is connecting through a HTTP proxy, will this make a difference
In my use of Zentyal VPN I don't manually open any VPN ports in the firewall, I don't use a PDC, but the boxes more or less naturally use the same workgroup name. I don't think that's required, though.

I'm not sure what "broadcast traffic" the documentation is referring to, unless that's a reference to the "Advertised networks" feature of the VPN server. That should refer to the LAN any shared devices are on.

After connecting via VPN, can you browse the shares in the server by name or IP?
Say that your server is named EBOX and its IP is 10.0.0.5, can you browse \\EBOX? Can you browse \\10.0.0.5?
Give it a try and post back your results.
If you can browse with the latter, then it's a DNS issue, otherwise there is some routing issue.
To my knowledge, Zentyal doesn't implement any OpenVPN features that allow browsing by name. In an "out-of-the-box" configuration, all remote access has to be by IP address. This is true of both road warrior and Zentyal-to-Zentyal VPN.

Barrydocks

  • Zen Warrior
  • ***
  • Posts: 145
  • Karma: +4/-0
    • View Profile
Re: Samba shares over VPN
« Reply #3 on: January 10, 2011, 09:48:12 pm »
After connecting via VPN, can you browse the shares in the server by name or IP?
Say that your server is named EBOX and its IP is 10.0.0.5, can you browse \\EBOX? Can you browse \\10.0.0.5?
No neither? I have tried via the VPN connection from a PC on the local LAN that I can already browse the shares on - but I may be doing it wrong:
1. the local LAN IP address is 10.0.0.0/24; samba is on server64 at 10.0.0.1
2. the VPN IP address is 10.0.1.0/24;  I have the advertised network as 10.0.0.0/24 (not sure this is correct?

Via the VPN connection I can:
1. browse the web server from http://10.0.1.1
2. access zentyal dashboard from https://10.0.1.1:443
but nothing shows up in the neighbourhood network and I can't browse any shares either by:
\\10.0.1.1\photos
\\server64\photos

Will also check the logs

Barrydocks

  • Zen Warrior
  • ***
  • Posts: 145
  • Karma: +4/-0
    • View Profile
Re: Samba shares over VPN
« Reply #4 on: January 19, 2011, 10:52:49 am »
If I connect directly to the internet (not via a http proxy) and change the workgroup of the remote machine to match the workgroup of the zentyal server I can see the workgroup in the neighbourhood network but can't browse it.

Any suggestions?
Thanks

Josep

  • Zen Samurai
  • ****
  • Posts: 255
  • Karma: +6/-0
    • View Profile
Re: Samba shares over VPN
« Reply #5 on: January 19, 2011, 11:29:41 am »
It might have to do with permissions.
Are you using the same computer at work and at home?
The reason is that you are probably using a Windows client, which has a username and password defined. When you connect to the server it uses those credentials to authenticate itself.
If they are not valid, it should ask for new credentials. But if, for instance, the username exists on teh server although with a different password, it may just fail with no additional indication.
You could try to figure this out by opening a command prompt in the client and using the command "net use" (run "net use /?" for the list of options)

Barrydocks

  • Zen Warrior
  • ***
  • Posts: 145
  • Karma: +4/-0
    • View Profile
Re: Samba shares over VPN
« Reply #6 on: January 19, 2011, 11:44:00 am »
It might have to do with permissions.
Are you using the same computer at work and at home?
no, but interestingly I cannot browse the samba shares via the VPN from a pc on my local LAN (it works without a problem when not using the VPN ???)
Quote from: josep
The reason is that you are probably using a Windows client, which has a username and password defined. When you connect to the server it uses those credentials to authenticate itself.
If they are not valid, it should ask for new credentials. But if, for instance, the username exists on teh server although with a different password, it may just fail with no additional indication.
You could try to figure this out by opening a command prompt in the client and using the command "net use" (run "net use /?" for the list of options)
Thanks, I will try this.

Josep

  • Zen Samurai
  • ****
  • Posts: 255
  • Karma: +6/-0
    • View Profile
Re: Samba shares over VPN
« Reply #7 on: January 19, 2011, 12:29:04 pm »
As for the browsing when using a VPN, it may help you to add the following lines at the end of the file "openvpn.conf.mas":
Code: [Select]
# Redirect al traffic though VPN server
push "redirect-gateway"
# Set some configuration values for the client
push "dhcp-option DNS <your DNS>"
push "dhcp-option WINS <your WINS>"
push "dhcp-option DOMAIN <your local domain>"
Also, I am using the DNS in Zentyal to define the names for the servers in my network. This way I don't need the IP when browsing the Samba workgroups.
 

Barrydocks

  • Zen Warrior
  • ***
  • Posts: 145
  • Karma: +4/-0
    • View Profile
Re: Samba shares over VPN
« Reply #8 on: January 19, 2011, 08:41:47 pm »
OK, borrowed a friends machine connected directly to the internet (via a router), I changed the workgroup name on the zentyal server to match the local PC and (hey-presto) the zentyal server showed up in the neighbourhood network by name and I was able to browse the shares after entering a username and password.

Still can't get a machine on the local LAN to browse the shares via a VPN ???  possibly due to the http cache on the LAN???
« Last Edit: January 19, 2011, 08:43:41 pm by Barrydocks »

cl0s

  • Zen Apprentice
  • *
  • Posts: 18
  • Karma: +0/-0
    • View Profile
Re: Samba shares over VPN
« Reply #9 on: January 19, 2011, 10:30:22 pm »
I don't get it though. If the computer is on the LAN, why would it need to VPN?

If you want to use the same machine locally and remote (ie. laptop that you take home) you would have to disconnect from the VPN when at work and reconnect when at home.

Or am I missing something?

Barrydocks

  • Zen Warrior
  • ***
  • Posts: 145
  • Karma: +4/-0
    • View Profile
Re: Samba shares over VPN
« Reply #10 on: January 24, 2011, 04:19:57 pm »
I don't get it though. If the computer is on the LAN, why would it need to VPN?

If you want to use the same machine locally and remote (ie. laptop that you take home) you would have to disconnect from the VPN when at work and reconnect when at home.

Or am I missing something?

This was just an exercise to see if I could get it to work in an controlled environment