VPN server issue with LAN and win 10 Firewall


yorgi

Very Senior Member
I set up a VPN server on my ASUS router using the latest Merlin firmware.
All is working well, with the exception of a Windows 10 PC firewall problem.

I enabled "Push LAN to clients" on the VPN server, and when I connect to the VPN server
I can ping the router and access the router's hard drive Samba shares.
When I try to ping my Windows PC, its firewall blocks the ping.
I can't access network shares because its firewall is blocking my VPN client from accessing the files. When I disable the Windows firewall, everything works perfectly.
The only firewall rule that worked is to allow protocol ICMPv4; then I can ping and access that PC.
Are there any predefined rules I can use, or perhaps another method to fix this problem?
Is this a security problem, allowing protocol ICMPv4 on the Windows firewall?
If this helps, I am using TCP protocol and not TAP as many others have suggested in the forum.
Maybe this is a factor?

Any feedback will be appreciated.
Thanks
 
***Corrected****
For those of you who would like the fix, here it is.
Go to advanced firewall rules and
create an inbound rule for all programs, protocol TCP, scope "These IP addresses": put the IP address of the PC you want to connect to,
and in "Remote IP address" put 10.8.0.0/24, providing that is the subnet you are using for your VPN server.
That's it. I can now ping the Windows 10 PC and share its files and folders.
Remote desktop worked regardless of the firewall rule I created.
 
yorgi, what VPN service are you using here?

I tried this for a customer with OpenVPN and it doesn't seem to be working for them. But, as you state, Remote Desktop Connection works for them.

Is it possible to flesh this thread out with screen shots? Ty.
 
For sure :)
I will be putting up an article on how to connect to the VPN server and will put in all the data that I have collected
to make things simple. I see many people having similar questions, so I figured adding the server end of the VPN in a how-to guide
would be a great addition to the VPN section. And remote desktop, in my opinion, is really important for a VPN server.
Give me a couple of days and I will put it up.
 

Had something similar with a self-hosted VPN server behind my router: the tunnel was fine, but LAN access was blocked internally. Adding a ruleset on that host* similar to what yorgi mentions above solved the issue...

* The host in my case was Linux, running a local firewall (iptables with ufw as a front end).

Many OpenVPN setups default to the 10.8.0.0/24 subnet, but basically whatever the VPN subnet is should be the one that's added. If one is running OpenVPN on the router itself, be wary of potential conflicts within the iptables chain, as inserting the updated ruleset in the wrong place may cause a bypass of the firewall if not careful.

Always test things first before committing them to long-term production use.
 
I am using OpenVPN from ASUS router client 1.
 
***CORRECTED***

OK, I will give you the screenshots and then I will make a guide for the VPN server.
In Windows 10, go to advanced firewall settings.
Create a new inbound rule: type Program, All programs, Allow the connection, enable for Domain, Private and Public,
then create the name for it.
After you have created the rule, double-click on the rule.
In General it should be Allow the connection;
in Programs and Services enable All programs that meet the specified conditions.
In Protocol and Ports put TCP,
and finally in the Scope tab,
Local IP address: These IP addresses, put the IP address of the Windows PC that you want to have file sharing access to, and
for remote port put These IP addresses: 10.8.0.0/24.
Take a look at the VPN server and see what subnet it uses; it may not be the same as mine.
This rule allows you to ping the Windows PC and share its files, and remote desktop of course :)
I attached a jpg so you can see clearly what I did.
If you have any other questions, let me know.
 

Attachment: rule.jpg
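The two rules yorgi describes above (ICMPv4 for ping, TCP for the shares, both scoped to the local PC address and the VPN client subnet), expressed as PowerShell NetSecurity cmdlets instead of wf.msc screenshots. This is an added example, not yorgi's own script and not part of the Asuswrt-Merlin firmware; the addresses 192.168.1.50 and 10.8.0.0/24 and the rule names VPN-Ping-In and VPN-TCP-In are assumptions to replace with your own values.

```powershell
# Added example (not from the thread): yorgi's two inbound rules, created from
# PowerShell. Assumptions, change them to match your setup: the PC being shared
# is 192.168.1.50 and the router's OpenVPN server hands clients 10.8.0.0/24.
# Run in an elevated (Administrator) PowerShell on the PC you want to reach.
#Requires -RunAsAdministrator

$LocalIp   = '192.168.1.50'    # assumed LAN address of the Windows 10 PC
$VpnSubnet = '10.8.0.0/24'     # assumed OpenVPN client subnet (check the router's VPN server page)
$Profiles  = 'Domain', 'Private', 'Public'

# Remove earlier copies so re-running the script does not pile up duplicate rules.
Get-NetFirewallRule -DisplayName 'VPN-*' -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Rule 1: ICMPv4 echo request (type 8, i.e. ping) only, and only from the VPN subnet.
New-NetFirewallRule -DisplayName 'VPN-Ping-In' -Direction Inbound -Action Allow `
    -Protocol ICMPv4 -IcmpType 8 `
    -LocalAddress $LocalIp -RemoteAddress $VpnSubnet -Profile $Profiles | Out-Null

# Rule 2: the share rule as yorgi built it: any program, TCP, any local port.
# The remote address is restricted to the VPN subnet, so nothing on the LAN
# or the WAN matches this rule at all.
New-NetFirewallRule -DisplayName 'VPN-TCP-In' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort Any -Program Any `
    -LocalAddress $LocalIp -RemoteAddress $VpnSubnet -Profile $Profiles | Out-Null

# Read the scope back: the address and port filters are stored separately from
# the rule object, so check them rather than trusting what the GUI shows.
Get-NetFirewallRule -DisplayName 'VPN-*' | ForEach-Object {
    $addr = $_ | Get-NetFirewallAddressFilter
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule       = $_.DisplayName
        Enabled    = $_.Enabled
        Profile    = $_.Profile
        Protocol   = $port.Protocol
        LocalPort  = $port.LocalPort
        LocalAddr  = $addr.LocalAddress
        RemoteAddr = $addr.RemoteAddress
    }
} | Format-Table -AutoSize
```

Run it on the PC being shared, not on the VPN client, then from a connected client try `ping 192.168.1.50` and open `\\192.168.1.50`. If the VPN server uses another subnet (yorgi's second server instance uses 10.16.0.0), change `$VpnSubnet`; a rule scoped to the wrong remote subnet silently matches nothing.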

yorgi, thank you very much for your efforts. I must be missing something though.

Is this done on the computer you want access from, or the computer you want access to? I have tried both ways and it doesn't seem to make a difference.

Is a reboot needed for these settings to take effect for you? (I also rebooted all systems as a test).

There must be some other setting I am overlooking? (Possibly in the OpenVPN configuration).
 
Hi, the firewall rule has to be on the PC that you are trying to access.
You need to use the Windows firewall of that PC.
Let's try disabling the firewall of the PC you are trying to access and see if you can ping it.
If you do that and you can ping it, then it's the firewall rule. If not, then it could be in your VPN server setup.
Let me know and we'll take it from there :)
 
Here is my VPN server configuration; maybe that can be of help as well :)
Also take a look at the VPN subnet mask and make sure yours is not different. If it is, then you have to make sure you put the subnet numbers of the VPN server on that rule. My numbers are 10.8.0.0;
server 2 is 10.16.0.0, so maybe that is something you overlooked.
Regardless, let me know if any of this helps.
 

Attachment: vpnserver.jpg
I do have some differences compared to your VPN Server configuration, but I did get this to work for now.

If I temporarily disable Windows Firewall on the PC I want to access, I have access to the shares. :)

In Windows Firewall on the PC I want to access, if I edit all the File and Printer Sharing (SMB-In) entries to allow all profiles (Domain, Private, Public) and to change the Scope of the Remote IP address to 'Any IP address', I also have access. Is this a concern?

I will setup the VPN Server as yours is and see if following your previous instructions work (I have a feeling they will).

Thanks for your help and for pointing me in the right direction. :)
 
If it worked when you disabled the firewall, you only have to create a rule on each Windows PC to allow protocol ICMPv4, and in the Scope area
you need to put as Local IP address the IP address of the Windows PC that you are trying to connect to, and then for Remote IP address put the subnet of the VPN server. Once you do that you can do anything you want, including print sharing etc.
You have to allow protocol ICMPv4. That is why when you disabled the firewall it worked.
If you still have a problem, let me know; maybe we can do a TeamViewer session :)
 
ICMPv4 is basically ping. You need TCP and UDP for actual SMB access.
 
The man is right!
I goofed. When I created that rule it fixed the ping; I didn't realize that it didn't fix the network share.
OK, so now this is the fix.
I changed the protocol from ICMPv4 to TCP for all ports, kept everything else as in the jpg, and that worked perfectly.
So if someone wants to ping the PC they need to set a rule for ICMPv4, and to network with the Win 10 PC you need to set a rule for TCP.

Sorry about that.
Good call, Merlin :)
 
For Samba/CIFS support, here are the protocols/ports that need to be opened:

TCP 139, 445
UDP 137, 138

Windows Firewall may have these as presets, File and Printer Sharing (NB-Session-In) and File and Printer Sharing (SMB-In); you can find them under Windows Firewall/Advanced, and then enable these two rules...
 
I was able to do it with just a TCP rule and no UDP, but I will try TCP ports 139, 445 instead of opening all the ports. I think that's a smarter way.
Thanks SFX
 
I tried TCP 139, 445 and it didn't want to connect. When I put all ports in Local and Remote it works;
there are probably more ports at play with Windows file sharing.
So far just creating a TCP rule for all ports to the specific computer from incoming VPN traffic did the trick.
It's a safe rule because it applies only to VPN :)
 
They have these preset but only for the local subnet. VPN clients are probably blocked by default since they come from a different subnet.

That was at least the case with Norton's firewall. I had to add a ruleset for my OpenVPN subnet. I assume the Windows Firewall also does the same, otherwise a PC directly connected to a modem would be exposing SMB to the WAN.
 
You'll ideally want both TCP and UDP, as enumerated by sfx.
 
I don't doubt that you are right, but I tried creating 2 rules, one for UDP and one for TCP with ports 139, 445, and it won't work.
The only way I can make it work is to create a rule only for TCP for all ports. UDP doesn't seem to make a difference whether I make a rule or not.
Windows firewall is different from other firewalls I have used.
But I find it works really well; this is why I kept using it.
Anyway, I will research further and see which specific ports it uses; there must be literature from Microsoft.
It still bothers me that I am allowing all ports to the VPN subnet 10.8.0.0/24, but that is my VPN server, so I guess it's fine because it's still firewalled from the router, as I checked on grc.com, so it should be fine.
I will try and narrow down the specific ports, because from what I see now 139, 445 are not enough; there must be other ports that are used for file sharing with the Windows firewall.
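The narrower alternative that sfx (TCP 139/445 and UDP 137/138 only) and Merlin (the presets exist but are scoped to the local subnet, so a client arriving from the VPN subnet never matches them) describe can be done without an all-ports rule: keep the built-in File and Printer Sharing rules and widen their remote scope from LocalSubnet to LocalSubnet plus the VPN subnet. The following is an added PowerShell example, not posted by anyone in the thread and not part of any firmware; the VPN subnet 10.8.0.0/24, the target address 192.168.1.50 and the regular expression used to pick out the four preset rules are assumptions.

```powershell
# Added example (not from the thread): instead of one rule for every TCP port,
# re-scope the built-in "File and Printer Sharing" inbound rules so that they
# also accept the VPN client subnet. Their default remote scope is LocalSubnet,
# which is why an enabled preset still drops a client coming from 10.8.0.0/24.
# Assumed VPN client subnet: 10.8.0.0/24. Run elevated on the PC being shared.
#Requires -RunAsAdministrator

$VpnSubnet = '10.8.0.0/24'   # assumed; read it from the router's VPN server page

# 1. Pick the four inbound rules that carry SMB/NetBIOS: TCP 445 (SMB-In),
#    TCP 139 (NB-Session-In), UDP 137 (NB-Name-In), UDP 138 (NB-Datagram-In).
#    On a non-English Windows use -Group '@FirewallAPI.dll,-28502' instead of the
#    localized display group name.
$fps = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
       Where-Object { $_.DisplayName -match 'SMB-In|NB-Session-In|NB-Name-In|NB-Datagram-In' }

# 2. Show what they look like before the change (expect remote=LocalSubnet).
$fps | ForEach-Object {
    $a = $_ | Get-NetFirewallAddressFilter
    $p = $_ | Get-NetFirewallPortFilter
    '{0,-50} {1,-9} {2,-5} {3,-5} remote={4}' -f $_.DisplayName, $_.Profile,
        $p.Protocol, $p.LocalPort, ($a.RemoteAddress -join ',')
}

# 3. Add the VPN subnet to the remote scope and make sure the rules are enabled.
#    LocalSubnet is kept so ordinary LAN access keeps working; the WAN is still
#    not in scope, which is the property Merlin's modem-connected-PC remark relies on.
$fps | Set-NetFirewallRule -Enabled True -RemoteAddress ('LocalSubnet', $VpnSubnet)

# 4. A preset that is enabled only for the Private profile never matches traffic
#    arriving on an interface Windows has classified as Public. If that is the
#    case on the target PC, extend the profile as well (uncomment):
# $fps | Set-NetFirewallRule -Profile Domain, Private, Public

# 5. Re-read the scope to confirm the change took effect; no reboot is needed.
$fps | Get-NetFirewallAddressFilter | Select-Object -Property RemoteAddress -Unique

# 6. From a connected VPN client, test the SMB port before opening the share:
#    Test-NetConnection -ComputerName 192.168.1.50 -Port 445
#    TcpTestSucceeded should be True; if it is False while the all-ports rule
#    works, the traffic is hitting a rule or profile other than these four.
```

The difference from the all-TCP rule is only in what is exposed to the VPN subnet: four ports on the sharing service instead of every listening TCP port on the PC, which matters the day a client machine on the VPN is itself compromised.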
 
