Hello. Assuming you trust the VPN interface, you could try moving the tun interface into the “internal” zone in the firewall config. You may have to create a custom string to match the tun0 device and then associate that string with “internal”, and also make sure the firewall is not configured to protect the internal zone (the default).
I’ve used OpenVPN extensively for years, with SAMBA and just about anything else you can imagine, so come back if you have questions and I’m sure I can help you work it out.
I’d like to point out that I’ve done this: HOWTO
Turning off SuseFirewall I can perfectly access shares over internet, so I’ll dig into my iptables rules, and let you know in case anyone has the same problem.
However, if you find a useful set of iptables rules that help, I would appreciate your advice.
Dear llcts1, thanks!
I will try what you suggested first and if no success move on to iptables.
I did not find how to do it so far with YaST, and I do not like editing sysconfig/susefirewall by hand, as it is overwritten by the former.
Also I’m unable to unprotect the server from the internal zone as it’s being accessed locally by regular users.
In yast firewall config, look for allowed services and add “Samba client” from the preconfigured list of options. This should allow the appropriate samba ports through the firewall which is dropping your packets. Be aware that you are enabling this for a “zone”, not just for a particular interface. You can configure samba to only bind to the tun0 interface (and whatever other interfaces you want it to bind to) which would effectively protect it even if it and other interfaces were in an opened zone.
Hope that’s helpful, let me know. Personally, I find the SUSE firewall harder to work with than just setting up the iptables rules myself, but I was telling you the “suse way” since your log message indicates a SUSE firewall descriptor. If you’re willing and capable of doing iptables yourself then, yeah, let’s do it. That’d be about as easy as adding “iptables -I INPUT -i tun0 -j ACCEPT”.
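The two options in the post above (opening the tunnel interface in iptables, and binding Samba only to the interfaces that should carry shares) can be combined so that only Samba traffic is admitted on the tunnel rather than everything. The script below is an added example, not code from the thread or from the SUSE project; it assumes the tunnel device is named tun0 (override it as the first argument), uses the standard Samba ports (137/udp, 138/udp, 139/tcp, 445/tcp) and the real smb.conf options `interfaces` and `bind interfaces only`. Without `--apply` it only prints the rules and the smb.conf fragment for review.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that admit
# only Samba traffic on the VPN tunnel device, plus an smb.conf fragment
# binding Samba to that device. Run as root with "--apply [dev]" to execute
# the rules; otherwise they are only printed for review.

# Standard Samba ports: 137/udp, 138/udp (NetBIOS name/datagram),
# 139/tcp (NetBIOS session), 445/tcp (SMB directly over TCP).
samba_tun_rules() {
    dev="$1"
    printf 'iptables -I INPUT -i %s -p udp --dport 137 -j ACCEPT\n' "$dev"
    printf 'iptables -I INPUT -i %s -p udp --dport 138 -j ACCEPT\n' "$dev"
    printf 'iptables -I INPUT -i %s -p tcp --dport 139 -j ACCEPT\n' "$dev"
    printf 'iptables -I INPUT -i %s -p tcp --dport 445 -j ACCEPT\n' "$dev"
}

# smb.conf [global] fragment: bind only to loopback plus the listed
# interfaces (e.g. "tun0" or "tun0 eth1"), so Samba never listens on an
# interface that happens to sit in an opened zone but was not meant to
# serve shares.
samba_bind_fragment() {
    printf '[global]\n'
    printf '   interfaces = lo %s\n' "$*"
    printf '   bind interfaces only = yes\n'
}

# Number of rules generated for a device (used to sanity-check the output).
samba_tun_rule_count() {
    samba_tun_rules "$1" | wc -l | tr -d ' '
}

if [ "$1" = "--apply" ]; then
    dev="${2:-tun0}"
    # Execute the generated rules; -e stops at the first failing iptables call.
    samba_tun_rules "$dev" | sh -e
else
    dev="${1:-tun0}"
    samba_tun_rules "$dev"
    samba_bind_fragment "$dev"
fi
```

`iptables -I INPUT` inserts at the top of the chain, so these rules take effect before whatever DROP rule the SUSE firewall has installed further down; the post's blanket `-i tun0 -j ACCEPT` also works, but it admits every protocol arriving over the tunnel, whereas the port-restricted form keeps the rest of the host's services protected from VPN peers. Restart Samba after adding the fragment so the new bindings take effect.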
You gave two simple solutions to solve my problem, and I’m happy and thankful to tell you that it worked fine.
I’ve already set Samba as an allowed service for the Internal Zone, so what did the trick was just adding tun0 to the internal zone (for others: Interfaces section, click on the Custom button and write tun0, or whatever your tunnel device is named, in the Internal Zone field).