ASUS RT-AC66U OpenVPN & SMB

Discussion in 'Other LAN and WAN' started by burgarwulf, Jan 19, 2016.

  1. burgarwulf

    burgarwulf New Around Here

    Joined:
    Jul 15, 2015
    Messages:
    8
    So I set up the OpenVPN server on the router the other day and was immediately able to connect, no issues. It seems I can even use the SFTP/SSH settings on my phone to connect "locally" without any changes.

    But it's hung up on Samba. No amount of discovery or manual addresses can find them.

    The Samba server is on a Debian Jessie box hardwired to the ASUS router.

    Upon a bit of googling I saw advice to set up Samba as a WINS server, and I've put the known address of the box in Windows 7 to no avail. But then I started wondering if it had to be the VPN IP or standard local IP?

    Any help is greatly appreciated, seems to be a lack of documentation when it comes to the server side of VPN on these routers.

    Server configure page and client config below

    [​IMG]
    [​IMG]

     
    Last edited: Jan 19, 2016
  2. rajl

    rajl Occasional Visitor

    Joined:
    Oct 1, 2014
    Messages:
    23
    Samba over OpenVPN has a number of documented problems. The root issue is that when you use the tun interface, your OpenVPN configuration has to advertise all routes to other devices. There are generally two ways to get SMB over OpenVPN working.

    If you want to use the tun interface, then the first way is to configure a WINS server that resolves requests for NetBIOS names and push the IP address of the WINS server to clients so that they can use the WINS server to find the SMB server. Some additional configuration may be required.

    The easier way (in my opinion) is to use a tap interface instead of a tun interface. This basically has OpenVPN act as a layer 2 bridge that merges the client into the home network at the link layer. Once you have a working setup using the tap interface, SMB will work without any additional configuration. There are some documented performance issues when using the tap interface at scale, but on SOHO networks, the performance is equivalent.
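
    The tun-mode approach described in the post above, written out as configuration. This is an added example, not part of the original post or taken from the poster's router. The addresses are assumptions: LAN 192.168.1.0/24, the Debian Samba/WINS box at 192.168.1.10 on interface eth0, and VPN clients in 10.8.0.0/24.

```conf
# ---------------------------------------------------------------
# OpenVPN server, tun mode (custom configuration on the router)
# All addresses below are assumed values for illustration.
# ---------------------------------------------------------------

# Advertise the LAN to VPN clients so traffic for the Samba box
# is routed through the tunnel.
push "route 192.168.1.0 255.255.255.0"

# Hand clients the WINS server for NetBIOS name lookups. The
# Samba box is not a VPN client, so this is its LAN address.
push "dhcp-option WINS 192.168.1.10"

# ---------------------------------------------------------------
# /etc/samba/smb.conf on the Debian box
# ---------------------------------------------------------------
[global]
   # Let nmbd answer NetBIOS name queries as the WINS server.
   wins support = yes

   # Listen only on loopback and the wired LAN interface
   # (interface name is an assumption).
   interfaces = lo eth0
   bind interfaces only = yes

   # Routed tun clients arrive with a 10.8.0.x source address,
   # so the VPN subnet must be allowed alongside the LAN.
   # Everything else is refused; where the two lists conflict,
   # the allow list takes precedence.
   hosts allow = 127. 192.168.1. 10.8.0.
   hosts deny = 0.0.0.0/0
```

    NetBIOS broadcast discovery does not cross a routed tun link, so the share is reached by WINS name or directly by address (\\192.168.1.10\share with the assumed values). Nothing here requires forwarding ports 139 or 445 on the router's WAN side.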
     
  3. burgarwulf

    burgarwulf New Around Here

    Joined:
    Jul 15, 2015
    Messages:
    8
    Thanks for the reply :)

    Yeah I had read that TUN will provide better performance but there seems to be some disagreement on the internet over that topic.

    I've followed a simple guide to get WINS via the Samba daemon on the Debian box, but tbh I have no idea if it's working (I suppose not as I can't connect to those shares remotely haha).

    I'm wondering if I need to adjust known hosts or whatever on the Debian box. That's really the only computer I'm looking to access remotely.

    At this rate I'll likely give TAP a try as it's easy enough to reconfigure the router's settings. Just a little challenge to get TUN working (and apparently networking challenges are my thing now).
     
  4. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,117
    Location:
    San Diego, CA
    Why are you sharing SMB over OpenVPN?

    Seems like a security issue here... there's a reason why Samba is very restrictive as to who can access it..
     
  5. burgarwulf

    burgarwulf New Around Here

    Joined:
    Jul 15, 2015
    Messages:
    8
    Mostly just to try it, as I've got other means of connecting.
     
  6. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,117
    Location:
    San Diego, CA
    Practice safe-hex - only needed services need to be available on the WAN - limit your exposure, borrowing a phrase from "Mad Men"...
     
  7. burgarwulf

    burgarwulf New Around Here

    Joined:
    Jul 15, 2015
    Messages:
    8
    So with that in mind, would it be better to channel my remote access through the VPN exclusively? Versus having specific ports open?

     
  8. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,117
    Location:
    San Diego, CA
    Once the oVPN connection is up, then you can login to the Samba box - and there's a fair amount of latitude with acceptance IP ranges there - but that's a Samba setup question... key thing is don't forward those ports to the public internet...
     
  9. burgarwulf

    burgarwulf New Around Here

    Joined:
    Jul 15, 2015
    Messages:
    8
    Nah I meant more for any remote access, SFTP, HTTP, etc.
