OpenVPN and Samba over internet

Hi! Hope you are doing fine.

My setup on an OpenSUSE 11.3 64-bit box is

  • **Samba server**
    which within local LAN goes pretty well.:good:
  • OpenVPN
    [UDP, TUN, TLSAuth] and it goes well from the net.:good:

From the internet I can SSH to the IP address of the OpenVPN server [].:slight_smile:

However I can’t access Samba shares at \ from anywhere [neither locally nor over the internet]. >:( Can you guys give me advice? Thanks a lot!

My firewall log says this:

Aug  9 01:04:04 mgnome kernel: [1609415.319729] OPT (020405580103030201010402)

… with DPT=139 and DPT=445. Please note that the SYN packet is dropped.

Here’s my smb.conf

; section headers were lost when the post was extracted; [global] and [homes]
; are restored from their contents, the name of the last share is assumed
[global]
        workgroup = mgnomehome
        passdb backend = tdbsam
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = Yes
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = No
        domain master = No
        security = domain
        wins support = No
        usershare max shares = 100
        hosts allow =
        interfaces =

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes

; share name assumed; the original header did not survive extraction
[public]
        comment = Data
        path = /home/public
        force user = sofia
        force group = users
        read only = No

Hello. Assuming you trust the VPN interface, you could try moving the tun interface into the “internal” zone in the firewall config. You may have to create a custom string to match the tun0 device and then associate that string with “internal”, and also make sure the firewall is not configured to protect the internal zone (the default).

I’ve used OpenVPN extensively for years, with SAMBA and just about anything else you can imagine, so come back if you have questions and I’m sure I can help you work it out.


I’d like to point out that I’ve done this:

With SuseFirewall turned off I can access the shares over the internet perfectly, so I’ll dig into my iptables rules and let you know, in case anyone has the same problem.

However, if you know a useful set of iptables rules that would help, I’d appreciate your advice.

Thank you

Dear llcts1, thanks!
I will try what you suggested first and if no success move on to iptables.
I haven’t found how to do it with YaST so far, and I don’t like editing sysconfig/susefirewall by hand as it is overwritten by the former.
Also I’m unable to unprotect the server from the internal zone as it’s being accessed locally by regular users.

Thanks again!

In yast firewall config, look for allowed services and add “Samba client” from the preconfigured list of options. This should allow the appropriate samba ports through the firewall which is dropping your packets. Be aware that you are enabling this for a “zone”, not just for a particular interface. You can configure samba to only bind to the tun0 interface (and whatever other interfaces you want it to bind to) which would effectively protect it even if it and other interfaces were in an opened zone.

Hope that’s helpful, let me know. Personally, I find the SUSE firewall harder to work with than just setting up the iptables rules myself, but I was telling you the “suse way” since your log message indicates a SUSE firewall descriptor. :slight_smile: If you’re willing and capable of doing iptables yourself then, yeah, let’s do it. That’d be about as easy as adding “iptables -I INPUT -i tun0 -j ACCEPT”
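The two suggestions above (put tun0 in an allowed zone, or insert a blanket `iptables -I INPUT -i tun0 -j ACCEPT`, and optionally bind Samba to tun0) can be tightened a little. The script below is an added example, not code from this thread or from openSUSE: it prints iptables rules that admit only the SMB ports on the tunnel device rather than everything a VPN client sends, prints the `[global]` lines that pin Samba to loopback plus the tunnel, and checks an smb.conf for that binding. The tunnel device `tun0`, the VPN client subnet `10.8.0.0/24`, and the port numbers are assumptions, not values taken from the posts.

```sh
#!/bin/sh
# Added example; not code from the thread or from openSUSE. It narrows the
# advice above: instead of "iptables -I INPUT -i tun0 -j ACCEPT" (everything a
# VPN client sends is let in), admit only the SMB ports on the tunnel device,
# and pin Samba itself to loopback plus the tunnel so it is unreachable on any
# other interface no matter what the firewall zone allows.
# Assumptions not taken from the posts: tunnel device tun0, VPN client subnet
# 10.8.0.0/24, SMB on tcp/139 and tcp/445, NetBIOS on udp/137 and udp/138.

SMB_TCP_PORTS="139 445"
NETBIOS_UDP_PORTS="137 138"

# Print (do not execute) the iptables commands that admit SMB on interface $1.
# Pass "netbios" as $2 to include the NetBIOS name/datagram ports as well.
# Printing lets you review the rules without root; pipe the output to sh as
# root to apply them. -I places them ahead of SuSEfirewall2's final DROP.
smb_rules() {
    iface="$1"
    printf 'iptables -I INPUT -i %s -m state --state ESTABLISHED,RELATED -j ACCEPT\n' "$iface"
    for port in $SMB_TCP_PORTS; do
        printf 'iptables -I INPUT -i %s -p tcp --dport %s --syn -j ACCEPT\n' "$iface" "$port"
    done
    if [ "${2:-}" = "netbios" ]; then
        for port in $NETBIOS_UDP_PORTS; do
            printf 'iptables -I INPUT -i %s -p udp --dport %s -j ACCEPT\n' "$iface" "$port"
        done
    fi
}

# Print the [global] lines that restrict Samba to loopback and interface $1,
# and to clients from network $2. "lo" must stay in the list, or local tools
# such as smbpasswd and "smbclient -L localhost" stop working.
smb_global_fragment() {
    printf '        interfaces = lo %s\n' "$1"
    printf '        bind interfaces only = Yes\n'
    printf '        hosts allow = 127.0.0.1 %s\n' "$2"
}

# Return 0 when the smb.conf at $1 has "bind interfaces only" switched on and
# lists every interface named in $2 (space separated) under "interfaces";
# return 1 otherwise. Use it to verify the edit before restarting smb.
smb_bound_to() {
    conf="$1"
    want="$2"
    bio=$(sed -n 's/^[[:space:]]*bind interfaces only[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    ifs=$(sed -n 's/^[[:space:]]*interfaces[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    case "$bio" in
        yes|true|1) ;;
        *) return 1 ;;
    esac
    for dev in $want; do
        case " $ifs " in
            *" $dev "*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Run directly as: sh smb_vpn.sh tun0 10.8.0.0/24 [netbios]
if [ -n "${1:-}" ]; then
    smb_rules "$1" "${3:-}"
    echo
    smb_global_fragment "$1" "${2:-10.8.0.0/24}"
fi
```

Two caveats for anyone applying this. `interfaces` and `bind interfaces only` are read at start-up, so restart smb (and nmb) after editing smb.conf; with the original post's empty `interfaces =` the check above fails, as intended. And a TUN tunnel carries no broadcasts, so NetBIOS browsing and broadcast name resolution will not work across the VPN even with udp/137 and udp/138 open: clients should connect by the server's tunnel IP (`\\10.8.0.1\share`) or use a WINS server.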

You gave two simple solutions to solve my problem, and I’m happy and thankful to tell you that it worked fine :slight_smile:

I’ve already set Samba as an allowed service for the Internal Zone, so what did the trick was just adding tun0 to the internal zone (for others: Interfaces section, click on the Custom button and write tun0, or whatever your tunnel device is named, in the Internal Zone field).

Thank you!