
ASUS RT-AC66U OpenVPN & SMB


burgarwulf

New Around Here
So I set up the OpenVPN server on the router the other day and was immediately able to connect with no issues. It seems I can even use the SFTP/SSH settings on my phone to connect "locally" without any changes.

But it's hung up on samba. No amount of discovery or manual addresses can find them.

The samba server is on a Debian Jessie box hard wired to the Asus Router.

Upon a bit of googling I saw advice to set up Samba as a WINS server, and I've put the known address of the box in Windows 7 to no avail. But then I started wondering if it had to be the VPN IP or the standard local IP?

Any help is greatly appreciated, seems to be a lack of documentation when it comes to the server side of vpn on these routers.

Server configure page and client config below

 
Samba over openvpn has a number of documented problems. The root issue is that when you use the tun interface, your openvpn configuration has to advertise all routes to other devices. There are generally two ways to get SMB over openvpn working.

If you want to use the tun interface then the first way is to configure a WINS server that resolves requests for netbios names and push the ip-address of the WINS server to clients so that they can use the WINS server to find the SMB server. Some additional configuration may be required.

The easier way (in my opinion) is to use a tap interface instead of a tun interface. This basically has openvpn act as a layer 2 bridge that merges the client into the home network at the link layer. Once you have a working setup using the tap interface, SMB will work without any additional configuration. There are some documented performance issues when using the tap interface at scale, but on SOHO networks, the performance is equivalent.
 
Thanks for the reply :)

Yeah I had read that TUN will provide better performance but there seems to be some disagreement on the internet over that topic.

I've followed a simple guide to get WINS via the Samba daemon on the Debian box, but tbh I have no idea if it's working (I suppose not as I can't connect to those shares remotely haha).

I'm wondering if I need to adjust known hosts or whatever on the Debian box. That's really the only computer I'm looking to access remotely.

At this rate I'll likely give TAP a try as it's easy enough to reconfigure the router's settings. Just a little challenge to get TUN working (and apparently networking challenges are my thing now).
 
So I set up the OpenVPN server on the router the other day and was immediately able to connect with no issues. It seems I can even use the SFTP/SSH settings on my phone to connect "locally" without any changes.

But it's hung up on samba. No amount of discovery or manual addresses can find them.

Why are you sharing SMB over OpenVPN?

Seems like a security issue here... there's a reason why Samba is very restrictive as to who can access it..
 
Mostly just to try it, as I've got other means of connecting.

Practice safe-hex - only needed services need to be available on the WAN - limit your exposure, borrowing a phrase from "Mad Men"...
 
So with that in mind, would it be better to channel my remote access through the VPN exclusively? Versus having specific ports open?

 
So with that in mind, would it be better to channel my remote access through the VPN exclusively? Versus having specific ports open?


Once the oVPN connection is up, then you can login to the Samba box - and there's a fair amount of latitude with acceptance IP ranges there - but that's a Samba setup question... key thing is don't forward those ports to the public internet...
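
Added example, not part of any post in the thread: a small Python audit of the Samba accepted-IP ranges mentioned above, checking which source addresses `smbd` would accept under its `hosts allow` / `hosts deny` rules. The subnets (192.168.1.0/24 for the LAN, 10.8.0.0/24 for tun clients), the sample `smb.conf` and the client addresses are assumptions, and it assumes the router routes rather than NATs tunnel traffic, so VPN clients reach Samba from the tunnel subnet.

```python
import configparser
import ipaddress

# Constructed sample smb.conf. Both subnets are assumptions, not values from the
# thread: 192.168.1.0/24 for the LAN, 10.8.0.0/24 for the OpenVPN tun clients.
SAMPLE_SMB_CONF = """
[global]
workgroup = WORKGROUP
wins support = yes
hosts allow = 127. 192.168.1. 10.8.0.0/24
hosts deny = ALL
"""

def parse_hosts(value):
    """Convert a Samba hosts allow/deny value into ip_network objects.
    Hostnames and EXCEPT clauses are not handled and raise ValueError."""
    nets = []
    for token in value.replace(",", " ").split():
        if token.upper() == "ALL":
            token = "0.0.0.0/0"
        elif token.endswith("."):  # Samba prefix form such as "192.168.1."
            octets = token.rstrip(".").split(".")
            token = ".".join(octets + ["0"] * (4 - len(octets))) + "/%d" % (8 * len(octets))
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets

def is_allowed(ip, allow, deny):
    """Samba's rule for non-loopback clients: an allow match wins over deny,
    and an allow list on its own rejects everything it does not name."""
    addr = ipaddress.ip_address(ip)
    in_allow = any(addr in net for net in allow)
    if allow and not deny:
        return in_allow
    return in_allow or not any(addr in net for net in deny)

def audit(conf_text, clients):
    """Map each label in clients ({label: source IP}) to True if smbd accepts it."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    g = cp["global"]
    allow = parse_hosts(g.get("hosts allow", ""))
    deny = parse_hosts(g.get("hosts deny", ""))
    return {label: is_allowed(ip, allow, deny) for label, ip in clients.items()}

# Constructed source addresses: a LAN host, a tun client, an internet host.
CLIENTS = {"lan": "192.168.1.50", "vpn": "10.8.0.6", "wan": "203.0.113.9"}

if __name__ == "__main__":
    print(audit(SAMPLE_SMB_CONF, CLIENTS))
```

A LAN-only allow list rejects tun clients even when routing works, and a config with neither list accepts every source, which is why the SMB ports should stay unforwarded.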
 
