OpenVPN can access router, but not local shares on lan, what am I doing wrong?

torstein

Senior Member
Guys, I've googled for days and read many tutorials, tried different solutions but I cannot see my local shares on my lan when connecting remotely through openvpn. I've searched the snb-forum, but can't find a solution. When remotely connected through the openvpn, I can only log on to my router's interface and use the internet, but I cannot see any of my shared folders and other macs on the lan. What am I doing wrong?

Setup:
- macOS Big Sur 11.2.3
- Asus AX58U
- Asuswrt-Merlin 386.2
- Tunnelblick and OpenVPN Connect apps

I've read that I have to make sure my vpn and lan are on the same subnet, but I don't understand how I'm supposed to "make sure" of that, and I can't find any place to configure that. Many of the tutorials are also often based on older merlin-firmwares, and have different options and layout, sadly, making it all the more confusing.

Can someone please help?

Attached photos of my DHCP server settings, and openvpn-settings.
 

FYI. The push'd route in custom config is NOT necessary, since if you specify LAN only or Both for the type of access on the OpenVPN server, the appropriate push route is automatically generated. Besides, the one you have specified is NOT even valid. Had it been necessary, it would need to be the following.

Code:
push "route 192.168.50.0 255.255.255.0"

It's not clear from your description if you are having a problem specifically w/ accessing "shares", or just accessing anything on the LAN in general, even being able to ping devices. A common problem w/ the latter is personal firewalls. For example, in the case of Windows, it will NOT allow access by any other *private* networks (in this case, the tunnel's IP network, 10.8.0.0/24) by default. I can't speak to the issue of MACs in this regard since I don't use the platform.

I assume your access attempts to the LAN are based on the explicit IP (e.g., 192.168.50.100) and NOT any local hostnames.

I also assume you do NOT have an active OpenVPN client on the same router when accessing that OpenVPN server (that can sometimes raise problems).
 
Thank you for your response :)

1) I can access the router interface on 192.168.50.1 when on VPN
2) When connecting to the VPN on my Macbook remotely, I cannot see any shared folders from the Mac mini I have set up sharing on in Finder (macs version of windows explorer)
3) I get a response when trying to ping the mac mini from my macbook with the shared folders, so that works :)
4) I'm not using the local hostnames when trying to ping, I try to ping the IP-address of the shared mac on the network ie ping 192.168.50.205
5) I don't have a VPN-client running on the router, just the VPN-server
6) I have disabled the firewall on the mac I'm trying to access remotely through the VPN, but it did nothing
7) I also can access the mac mini through ssh username@192.168.50.205 when on openvpn and access all the files, but the Mac mini doesn't show up in my Macbook's Finder (windows explorer) when connected through openvpn.

So why can I access my Mac mini remotely through SSH and have full access to the Mac mini's file system, but I can not see it or connect to it through my Macbook's Finder?
 
2) I cannot see any shared folders or computers in Finder (macs version of windows explorer)

Again, I'm NOT a MAC user, but if the OpenVPN client is a MAC using Finder and is anything like Windows Explorer, it's using network discovery to find available shares. But network discovery will NOT work across a routed VPN. You can only establish access to those shares explicitly using their IP address on the LAN.

3) I get a response when trying to ping the mac with the shared folders, so that works :)

Well that at least indicates you have access and the firewall is NOT an obstacle.

4) I'm not using the local hostnames when trying to ping, I try to ping the IP-address of the shared mac on the network ie ping 192.168.50.205

Here again we get into this term "shared". The term "share" has a specific meaning. It refers to a folder that you've specifically made publicly available on that machine, as opposed to just being able to access that device generally, be it via ping, remote desktop, etc. I'm trying to be sure if this is a case of NO ACCESS AT ALL (nothing works), vs. *only* NOT being able to access "shares", but otherwise all other types of access are working.

6) I have disabled the firewall on the mac I'm trying to access remotely through the VPN, but it did nothing

Keep it off for the time being until the issue is resolved.
 
1) The VPN setup:
Macbook = VPN client
AX58U router = VPN server
Mac mini = file-server with a specific folder set as shared.

2) Regarding "share". Yes, I have made a certain folder on the Mac mini "shared" so publicly accessible from other macs on my network, but the entire Mac mini is also accessible from other macs on my network, not just the shared folder. I guess that's just how Apple wants networking on macs to work? I don't know. It's full access to everything or nothing, apparently.

3) Connecting remotely with openvpn and SSH: Through SSH in the terminal, yes, I can access the Mac mini remotely, and have full access to the entire hdd, not just the Mac mini file system, but also the external storage and shared folders and everything. but it's inside the terminal-app, so it's a bit impractical.

4) Connecting remotely with openvpn and Finder: In Finder I can not see the Mac mini or any shared folders.

5) Conclusion:
So everything works when it's SSH, but it doesn't work when it's the Finder (windows explorer). Why is that?
 
The reason you can "see" your shares when connected locally is because the client is *bridged* to the local network. And things like Finder and Windows Explorer rely on network discovery protocols (e.g., in the case of Apple, typically Bonjour) to *find* available shares. But once the client is on a different IP network (in this case, 10.8.0.0/24), you are now *routed* wrt the remote network, and network discovery no longer works! For it to work, you would have to configure a *bridged* (tap) OpenVPN server. NOW the client is once again bridged to the remote network, just as if plugged in via wire to the router's switch.

That doesn't mean the share isn't available when using a routed (tun) VPN. Using Windows, I can still establish a connection as long as I know the share's IP address. I just can't depend on network discovery to automatically find it for me.
 
Yes, I read about TUN and TAP, but Apple only supports TUN, and the VPN-app Tunnelblick (openvpn for mac) supports TAP by installing a system extension, but Apple is removing support for installing system extensions in a not so far away macOS update, basically, we're losing support for TAP on Mac within the next year or two.

Having said that, I tried installing Tunnelblick with TAP, but it didn't work anyways, even if I configured my router OpenVPN setting to be TAP and not TUN, and exported the profile and installed in Tunnelblick. It just didn't connect.

So, is that it? It's TAP or it will not work in Finder?
 
Yes, I read about TUN and TAP, but Apple only supports TUN, and the VPN-app Tunnelblick (openvpn for mac) supports TAP by installing a system extension, but Apple is removing support for installing system extensions in a not so far away macOS update, basically, we're losing support for TAP on Mac within the next year or two.

Yes, so I've heard. I'm aware of others having similar problems.

Having said that, I tried installing Tunnelblick with TAP, but it didn't work anyways, even if I configured my router OpenVPN setting to be TAP and not TUN, and exported the profile and installed in Tunnelblick. It just didn't connect.

So, is that it? It's TAP or it will not work in Finder?

Again, at least in the case of Windows Explorer, I can connect to any share explicitly using one of the menu options (I don't recall specifically), where I can specify the address of the share:

Code:
\\192.168.1.100\myshare

I would assume Finder can do the same thing (hard to believe it can't). But if in fact it can't, but *requires* network discovery, then you're out of luck. Or perhaps like Windows, the connection to the share can be established on the command line.
 
Or perhaps like Windows, the connection to the share can be established on the command line.
Do you per chance know how to do that on mac?

Edit:
Oh my god... that worked. Sort of.

cmd + k in Finder, let me type in username@192.168.50.205 followed by username and password, and I now have access remotely through vpn to my mac mini... what? how? I don't understand, so I can connect directly to it, but Finder can't see it on its own? It's not optimal, as in my macbook doesn't think it's on the home network, so my Time Machine backup can't run (since macbook can't find the Time Machine volume) but I can at least do file management remotely. Screen sharing also doesn't work this way, but it's better than nothing I guess.

Too bad I can't make my Mac think it's on the home network when connecting through openvpn remotely.
 
Here's an example of how I can add a connection to a share in Windows Explorer. I just right click This PC, then select "Map a network drive..." and up comes the dialog, where I can explicitly specify the IP address and share name (\\192.168.1.100\myshare).


On Windows, I can do the same thing w/ the command line:

Code:
net use W: \\192.168.1.100\myshare

I don't use the MAC, so I can't tell you if or how it's possible w/ Finder. Or what the command line option might be.
 
FWIW, here's how to use Finder to connect to a Windows share (via SMB).


For an Apple share, it may be a different protocol. Or perhaps just don't specify the protocol and let it default to whatever it wants.
 
Yes thank you, I figured that out :) it's the cmd + k keyboard shortcut.

Thank you for taking the time to help me out.

Too bad I can't connect with TAP anymore or access my home network through openvpn and be on the lan itself.

Isn't there a thing about subnets or something? Say if my Mac mini is 192.168.80.205 and my macbook vpn client is 10.8.0.2, then shouldn't there be a way to have my vpn client have the same subnet as my mac mini on the vpn-connection?
 
With "local shares" I assume you are referring to Samba Shares or Apple shared folders.
Actually if everything else works I think you do have access to them, the issue is probably that only the announcement that there are shares available does not pass to the VPN.
Let's assume that you have local network 192.168.0.0/24 and VPN external network 192.168.1.0/24, this is normal since usually that announcement is sent with broadcast packets, and broadcast is never forwarded between different subnets.

If that is the case you should be able to access shares selecting the Finder menu: "Go" > "Connect to server".

To forward broadcast packets to another subnet is possible, but is not easily achieved, as it would need some kind of proxy/repeater.
 
Isn't there a thing about subnets or something? Say if my Mac mini is 192.168.80.205 and my macbook vpn client is 10.8.0.2, then shouldn't there be a way to have my vpn client have the same subnet as my mac mini on the vpn-connection?

Yes, it's called a bridged (tap) OpenVPN tunnel!

As I (and now others) have pointed out, if the only problem is a lack of network discovery, that shouldn't preclude you from accessing those resources. Except in very rare instances (e.g., Google Chromecast), network discovery is only a *convenience*, NOT a *requirement*. It makes things like Finder and Windows Explorer more convenient to use because it automatically detects available resources on your behalf, then reports them so all you have to do is select (Click) the resource and authenticate yourself to access it. It's particularly convenient if you don't happen to know/remember the IP+sharename of a given resource. But again, that shouldn't preclude you from *manually* accessing the same resource by using an explicit IP+sharename reference. And in the case of Finder, that seems to be the purpose of the Go->Connect to server option.
 
Thank you for explaining it so thoroughly. I understand now. So for all intents and purposes it works now as intended and I should be happy about it :)

The TAP situation on mac will be interesting to see if it will receive an alternative in the future or if there will be no bridging on macs through vpn anymore. Because, as I understand it, TAP is *the* only option for my remote mac to be visible in Finder on my mac mini at home through openvpn?
 
Because, as I understand it, TAP is *the* only option for my remote mac to be visible in Finder on my mac mini at home through openvpn?

Yes. That's one of the big differences between being routed vs. bridged to the remote network. When bridged, it's just like being hardwired into your home network's switch. The behavior is identical. You have unfettered access to everything (including network discovery). It's as close to actually "being there" as possible.

But a routed connection is more limiting. Things like network discovery won't cross IP boundaries. And it makes sense since how would it otherwise know when to stop searching for available resources! But it's also more secure since one of those limits is being able to decide which resources are available to those remote clients using the IP firewall. IOW, if you offered remote access to a friend, perhaps to some specific device/server, you would NOT typically offer access to a bridged VPN, but a routed VPN, so you can limit their access.

P.S. In the case of WireGuard, at least w/ the current implementation, there is no bridged option, only routed! So having a bridged option is actually a bit unusual. And perhaps why Apple is willing to eliminate it.
 
+1: on a "remote" Mac I cannot see network shares on the "home" network, nor will remote Time Machine backups run on home NAS.

My home network is an AX86U with an OVPN server (LAN only), and my remote network is an AC-66U_B1 with OVPN client connected to the home network OVPN server.

I can connect remotely to home NAS through SMB by specifying IP address.

Remote Plex on an Apple TV or an iPad works fine through the OVPN with home media server connected as expected.

Thanks for this helpful thread!
 
As mentioned above, it doesn't work because shares are not announced across different subnets "by-design".
Thus it is simply not possible to achieve that without additional software (e.g. an avahi-server running on a server on the remote subnet).
 
It is a bit strange though, how I can connect to my mac mini through openvpn remotely when the mac mini is not running a VPN itself (Mullvad VPN), but when it IS running Mullvad VPN (for, ehm, some particular reason...) then I cannot connect to my mac mini remotely with openVPN. That's strange isn't it? Because I can easily connect to the mac mini (while Mullvad VPN is active on it) when I'm at home on my network with my macbook pro...

Do you understand what I mean?

Mac mini without running Mullvad VPN = Connects to mac mini just fine remotely with openvpn
Mac mini running Mullvad VPN = Can't connect to mac mini remotely with openvpn
Mac mini running Mullvad VPN = Connects to mac mini just fine when ON the same network at home
 
If with "connect to the share" you imply _connecting via the icon appearing in finder_, it is because when you are at home you can probably still see the Mac-mini's broadcasts on the local net and those announcements contain the local address of the server, thus you are eventually connecting to share still via local net...
Connecting to a VPN (even if I don't know anything about _Mullvad VPN_) doesn't imply that you are disconnecting from the local network (aka: routing all the traffic to the vpn channel).

You should check if you can connect the shares remotely (when you are not connected to the local network) via the menu option writing the server address.
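
The distinction the replies in this thread keep drawing (no access at all, versus access by explicit IP with only discovery missing) can be checked mechanically. The following is an added example, not part of any post in the thread; the function names and verdict strings are hypothetical, the addresses in the `__main__` block are the ones quoted in the thread, and the port numbers are the standard ones for SSH, SMB, AFP and macOS Screen Sharing.

```python
import ipaddress
import socket

# Standard TCP ports for the services discussed in the thread.
SERVICES = {"ssh": 22, "smb": 445, "afp": 548, "screen-sharing": 5900}


def discovery_expected(client_ip, lan_cidr):
    """Bonjour/mDNS announcements are link-local, so the client only receives
    them when its address is inside the LAN subnet (bridged/tap setup)."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(lan_cidr)


def probe(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(client_ip, lan_cidr, host, services=SERVICES, timeout=2.0):
    """Classify the situation the way the replies in the thread do."""
    reachable = {name: probe(host, port, timeout)
                 for name, port in services.items()}
    if discovery_expected(client_ip, lan_cidr):
        verdict = "bridged: discovery should work"
    elif any(reachable.values()):
        verdict = "routed: no discovery, connect by explicit IP"
    else:
        verdict = "no access: check pushed routes and the host firewall"
    return verdict, reachable


if __name__ == "__main__":
    # Values from the thread: tunnel client 10.8.0.2, LAN 192.168.50.0/24,
    # Mac mini at 192.168.50.205. Run this on the VPN client while connected.
    verdict, reachable = diagnose("10.8.0.2", "192.168.50.0/24",
                                  "192.168.50.205")
    print(verdict)
    for name, ok in reachable.items():
        print(f"  {name:15s} {'open' if ok else 'closed/filtered'}")
```

A "routed" verdict with `smb` or `afp` open matches the outcome in this thread: the share is reachable through Finder's Go > Connect to Server, it just never appears on its own.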
 
