Unable to reach SMB shares through openVPN tunnel

NethServer Version: 7.9.2009
Module:

  • VPN: 1.7.2
  • File server: 4.6.0
  • Firewall: 3.19.1

Dear all,

I would like to request help, guidance and suggestions to solve the following issue.

I am in the process of setting up a NethServer to replace a ClearOS small infra. Amongst other services, NethServer is responsible for firewalling, file server (SMB) and VPN (openVPN) services.
Here follows a short description of the setup:

  • Green (bridge) and Red interface
  • OpenVPN: tunnel client (P2P topology) to remote network ; operate as expected (able to connect by ssh to the NethServer from client on the remote network)
  • Firewall : no specific setup so far (the NethServer is in test phase ; additional rules might be added later)
  • Trusted networks : remote network range added
  • SMB: no issue to connect to SMB share through a linux client on the physical Green network

The concern is that I can not connect to SMB share from the remote network.

Additional information:

  • nmap scan from Green physical network
nmap 192.168.50.1
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-19 00:05 CEST
Nmap scan report for 192.168.50.1
Host is up (0.026s latency).
Not shown: 982 closed ports
PORT     STATE    SERVICE
22/tcp   open      ssh
25/tcp   open      smtp
53/tcp   open      domain
80/tcp   open      http
110/tcp  open     pop3
111/tcp  open     rpcbind
139/tcp  open     netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  open     microsoft-ds
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3128/tcp open     squid-http
3306/tcp open     mysql
5190/tcp open     aol
9090/tcp open     zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 1.12 seconds
  • nmap scan from remote network
nmap 192.168.50.1
Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-19 00:05 CEST
Nmap scan report for 192.168.50.1
Host is up (0.026s latency).
Not shown: 982 closed ports
PORT     STATE    SERVICE
22/tcp   open      ssh
25/tcp   open      smtp
53/tcp   open      domain
80/tcp   open      http
110/tcp  open     pop3
111/tcp  open     rpcbind
139/tcp  filtered  netbios-ssn
143/tcp  open     imap
443/tcp  open     https
445/tcp  filtered  microsoft-ds
465/tcp  open     smtps
587/tcp  open     submission
993/tcp  open     imaps
995/tcp  open     pop3s
3128/tcp open    squid-http
3306/tcp open    mysql
5190/tcp filtered aol
9090/tcp open    zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 1.53 seconds

I may be wrong but it looks like the smb ports can not be reached. I am not familiar with Shorewall and roughly looked into the setup:

  • interfaces: ovpn is declared in interfaces (ovpn tun+)
  • smb rules are active fro Green
#       Service: smb Access: green
#
?COMMENT smb
ACCEPT  loc     $FW     tcp     139
#ACCEPT $FW     loc     tcp     139
?COMMENT smb
ACCEPT  loc     $FW     tcp     445
#ACCEPT $FW     loc     tcp     445
  • No rules for openvpn:
#
# 90openvpn-tunnels
#

I am slightly puzzled about this situation and rather than ‘playing’ I would be very grateful for guidance and advice.

Best regards,

SmoothFroggy

Hi @smoothfroggy

And welcome to the NethServer Forum!

In NethServer, you must have all networks accessing your NethServer entered in “Trusted networks”, as this allows SMB access. As you’re running a Site2Site VPN (P2P?), this is needed!

After entering, access should be possible to Samba shares. A reboot is not needed (usually!).

My 2 cents
Andy

Note: I do not use NethServer as firewall, I use OPNsense as dedicated firewall. I do have one instance in the cloud where NethServer does firewalling and VPNs. My clients here in Switzerland prefer a dedicated box as firewall, me too

3 Likes

Hello Andy,

Thanks for your inputs and please accept my apologies for the late reply (I have been away for a few days).

Regarding trusted network, the remote network range was added to the list during the setup of the VPN.
Regarding reboot, Nethserver was once rebooted as a last test prior writing the thread but this did not solve the issue.

In fact, the issue was on the remote network and more exactly on one router that is lying in between the remote samba client machine (Debian) and the remote openVPN P2P server. This router had a rule to filter samba traffic which explain the reason why nmap from the remote network was showing filtered status for port 139 and 445 ; executing nmap from the openVPN remote server was showing open ports and smbclient was working as expected. After suppression of the filters, the remote samba client worked as expected.
I am sorry for the misinterpretation of NethServer openVPN operation. I had a deeper look into smoothwall documentation as well as outputs from iptables commands ; still a lot to go through but routing and filtering through NethServer is slowly building up. I am also in the process of reading the NethServer developper manual which help to understand some aspects of the implementation.

Andy, regarding the note on using a dedicated/independent firewall rather than NethServer, I agree that it would be much better in term of global security and control. Unfortunately, the objective is to replace an existing old small infra by a single small low power dedicated box, having a dedicated firewall box was not considered. May be in the future…

Thanks again,

Best regards,

SmoothFroggy

2 Likes