OpenVPN Windows Shares

[keyboard99]

I am trying to use my Asus RT-AC-68U as a VPN server using the inbuilt VPN function. Running 378.56_2 Merlin.

I create the ovpn file and then for example load that into my phone via Openvpn app then I use es file explorer to browse my network. I have a Win7 machine with some shares and a Freenas Box. I can browse the freenas box(using my internal network ip, 192.168....) but I cannot view the win7.

Stangely if I use AIcloud I can browse both the freenas and the win7, so that app is doing something I am missing. I want to configure my laptop to VPN into the shares without the AIclooud app as its flaky. So I am missing something, but what?

 

[RMerlin]

Check the Windows PC firewall (especially if running a security suite such as Norton Security) - by default it will block the VPN's IP range.

 

[keyboard99]

Cheers Merlin for the quick reply, that certain looks like the problem as I disabled the firewall and its works a treat. Just need to figure out the setting to just remove the VPN IP block instead of the whole thing. I have AVG Free but I don't think that monitors the firewall.

I tried this to no avail

Windows Firewall setup:

1. run wf.msc
2. Click Inbound rules on the left panel, and on the right panel click "New Rule..."
3. Select Port for the rule type and click next. Image of steps 2-3
4. Select UDP and enter in port 1194 and click next
5. Select Allow the connection and click next
6. Select which networks to allow the rule, to be safe, allow for all and click next
7. Name the rule "openvpn in" (without quotes) and click finish.

 

[martinr]

Can you (temporarily) alter the notification on Windows firewall so that if an attempt is made to access a port, you will get a popup on the laptop asking you whether or not to allow it? That way you'd see if the problem was down to some other port automatically being blocked. Alternatively, is there a Windows firewall log you could check.

For years I've used a marvellous tiny program that works with Windows firewall called Windows Firewall Control (WFC) http://www.binisoft.org/wfc.php
(WFC and Sandboxie are the only 2 3rd party programs that have stood the test of time with me.). Anyway, WFC allows me varying levels of notification, including a popup every time a new program wants to access a new port; I can block or accept either permanently or temporarily. Great for just this sort of thing: seeing which additional sockets are trying to connect (or are being blocked).


EDIT:

Set Profiles to Medium (the recommended setting).

Set the Notifications tab to High.

And it looks like you need to make a donation in order to obtain an activation licence to unlock the Notification feature (and possibly others). But it is well worth (almost) any money you pay for it. (I've had a couple of questions over the years; the developer has always replied with an answer.)

 

[RMerlin]

Cheers Merlin for the quick reply, that certain looks like the problem as I disabled the firewall and its works a treat. Just need to figure out the setting to just remove the VPN IP block instead of the whole thing. I have AVG Free but I don't think that monitors the firewall.

I tried this to no avail

Windows Firewall setup:

1. run wf.msc
2. Click Inbound rules on the left panel, and on the right panel click "New Rule..."
3. Select Port for the rule type and click next. Image of steps 2-3
4. Select UDP and enter in port 1194 and click next
5. Select Allow the connection and click next
6. Select which networks to allow the rule, to be safe, allow for all and click next
7. Name the rule "openvpn in" (without quotes) and click finish.

Port 1194 traffic only reaches your router, it never reaches your PC. What you need to do is open the IP range that is used by your VPN, for ANY port (so it will get access to SMB's 139/445, for instance). The default OpenVPN range is 10.8.0.0/24.

 

[keyboard99]

Excellent thanks for that. Off to Google land to see how that's done. I tried that program above and it worked on the low setting but stopped on the medium level.

Sent from my SM-G900F using Tapatalk

 

[martinr]

I tried that program above and it worked on the low setting but stopped on the medium level.

Set Profiles to Medium (the recommended setting).

Set the Notifications tab to High.

 

[keyboard99]

Set Profiles to Medium (the recommended setting).

Set the Notifications tab to High.

Notifications is disabled in my version.

Trying to figure out who I open ports, read so many articles, I think whats confusing me is the Asus is doing everything. I read a lot of people setting up VPN in the network config area, is that where I need to be messing? Doesn't seem right given the router has it all built in?

 

[martinr]

I don't want to distract you away from Merlin's answer:

"Port 1194 traffic only reaches your router, it never reaches your PC. What you need to do is open the IP range that is used by your VPN, for ANY port (so it will get access to SMB's 139/445, for instance). The default OpenVPN range is 10.8.0.0/24."

So you need to open your Windows firewall to any port within the IP range Merlin specified. You can forget about the router: you've proved that side of the system is working perfectly.

 

[keyboard99]

Thanks, I am trying to figure out how to do that, for the last few hours must be simple as I read so many pages which state it needs doing but don't show how to. I can see my ip 10.8.0.2 when connected into the router. Think I am doing more damage than good in the firewall settings now.

Sent from my SM-G900F using Tapatalk

 

[martinr]

I tried your wf.msc and got a red Windows-is-upset message, so I looked at how I'd do it in Windows Firewall Control.

(I think you need to make a donation to get a licence to activate the Notifications feature. )

I don't know if WFC allows you to create a new rule without activating the licence (probably not), but the following is what I did on my licenced version. I'M NO EXPERT, so don't follow my instructions blindly without thinking what you are doing, and, if it works, I suggest you go back and tighten things up e.g. Instead of "All", narrow it down (remember Merlin's answer and the 2 SMB ports). I have not tested this!

1. Open WFC main panel.
2. Select "Manage Rules" ( bottom left corner)
3. Select "Create new rule" > Blank rule (right hand edge of window halfway down)
4. Under Programs "All programs"
5. Name eg. My VPN shares access rule
6. Location - leave as it is
7. Protocol and Ports:

a. Local ports - All ports
b. Remote ports - All ports

8. Under Local and remote IP addresses

a. Local addresses - 10.8.0.0/24
b. Remote addresses - Any

9. Service - Any (I was hoping I'd find SMB listed**)
10. Direction - Inbound
11. All interface types
12. Create

And if that works it'll be a miracle. If/when it works, go back and, one by one, tighten up all the "All"s and "Any"s, where possible.


** I see Windows Media Player Network Sharing Service listed; perhaps that's SMB. (Get it working first, then go back and experiment to tighten it up.)

 

[keyboard99]

Thanks. I am going to give up on this tonight. Spent far to long on it now. Pretty sure I have knackered some of my file sharing firewall rules. Trying to attached a screen grab of what I was playing with to see if I am miles away





Am questioning my windows shares now....

Sent from my SM-G900F using Tapatalk

 

[martinr]

And that's an inbound rule, I assume. If it doesn't work, change the remote and local addresses to All and see if that fixes it, and then go back, find out where the hiccup was and tighten it up. (The router's firewall is still protecting you.)

 

[martinr]

Just one other thought before I forget: I think you have to make sure Windows knows that your Home network is classed as a "trusted" one (I think that's the terminology), rather than a "public" one. (You might have it as a "public" network for enhanced security.) I noticed that the SMB shares don't show if it's a "public" network - not unsurprisingly!

 

[keyboard99]

Inbound rule

 

[keyboard99]

Network type, home so hopefully that's the trusted one

 

[martinr]

Looks good (to me, anyway). Now for the acid test. Good luck.

 

[keyboard99]

Nar doesn't work..

Sent from my SM-G900F using Tapatalk

 

[RMerlin]

Local should be Any, and remote should be the 10.x.y.z subnet.

 

[keyboard99]

Local should be Any, and remote should be the 10.x.y.z subnet.

Thanks changed that but still doesn't work. Flummoxed now.