darrenyorston Posted October 12, 2016

Hello all. I have been trying to set up access to my network resources, shares and printers, when I am running a VPN connection. I have been posting on the PFSense forums, I am using OpenVPN on PFSense, and have been told that it isn't an OpenVPN or PFSense issue. I have been told that it is a Windows problem related to network discovery across subnets.

I am after some advice about where I should be looking for information about being able to access my resources whilst VPNd. I am running Unraid Ver 10.1.1.40.

How do I make resources, shares particularly, available to the client I am connecting via a VPN?
FreeMan Posted October 12, 2016

> I am running Unraid Ver 10.1.1.40.

Dude, you've got a seriously early pre-alpha release of unRAID running there... v10.x? I just got updated to what I thought was the latest v6.2.1. I'm really behind the times!

Sorry, I couldn't resist. I'm assuming that's the version of PFSense or OpenVPN?
darrenyorston Posted October 12, 2016

lol..sorry..you're correct 6.1.9..lol..was reading it on my phone...that was the server's IP...lol

Always good to get ahead with these things!!
darrenyorston Posted October 13, 2016

Anyway, where would I find information about being able to access my unRaid shares with my VPN clients?
darrenyorston Posted October 13, 2016

After I VPN into my router I can connect fine, however when I enter my unRaid IP address (\\10.1.1.40) into File Explorer I get a Windows security popup asking for my network credentials. However in red is written "Access is denied".

I am presuming this is something at the unRaid end of the connection. As previously mentioned people on the PFSense forums indicated this may be an issue with network discovery across subnets.

My home LAN subnet is 10.1.0.0/255.255.0.0
My VPN tunnel network is 172.22.203.0/24
My network shares are on 10.1.1.40

How do I make my unRaid shares on 10.1.1.40 accessible to my VPN clients on 172.22.203.0?
METDeath Posted October 13, 2016

I have my local network as 192.168.1.x. I made my OpenVPN hand out 192.168.2.x and haven't had any issues with unRAID access.
Naldinho Posted October 13, 2016

I have been able to get network discovery to work across networks. Not only name resolution but also Windows browsing.

I'm not using pfSense -- Sophos but should be similar.

Sophos sets up the site to site VPN.

On one end I have a Linux VM running in unRaid that acts as a WINS server. On the other end I have an old computer running Linux that acts as the local master.

I needed to add a rule to Sophos's firewall to allow NetBIOS traffic between these two machines. I also added a Masquerading rule at each end from the remote network to the local network.

All the computers have the same workgroup. Works perfectly.

Currently I'm testing using unRaid to act as the WINS server. So far I have name resolution but no browsing -- that can sometimes take time but if I don't have browsing by tonight I'll revert back to my original setup.
darrenyorston Posted October 13, 2016

> I have my local network as 192.168.1.x. I made my OpenVPN hand out 192.168.2.x and haven't had any issues with unRAID access.

I had similar, my LAN was 10.1.1.X and my tunnel network was 10.1.2.x, however people on the PFSense forums said that this was a bad idea. That the tunnel network needed to be significantly different.
darrenyorston Posted October 13, 2016

> I have been able to get network discovery to work across networks. Not only name resolution but also Windows browsing.
>
> I'm not using pfSense -- Sophos but should be similar.
>
> Sophos sets up the site to site VPN.
>
> On one end I have a Linux VM running in unRaid that acts as a WINS server. On the other end I have an old computer running Linux that acts as the local master.
>
> I needed to add a rule to Sophos's firewall to allow NetBIOS traffic between these two machines. I also added a Masquerading rule at each end from the remote network to the local network.
>
> All the computers have the same workgroup. Works perfectly.
>
> Currently I'm testing using unRaid to act as the WINS server. So far I have name resolution but no browsing -- that can sometimes take time but if I don't have browsing by tonight I'll revert back to my original setup.

How do you get UnRaid to act as a WINS server?

It's quite ironic, one of the reasons I came to unRaid was that people said it was easy to configure. Getting shares accessible over the VPN connection has been an ongoing problem for 10 months now and I am no closer to having it work than I was before I started.
Naldinho Posted October 13, 2016

You can configure unRaid's SAMBA settings using Samba extra configuration (Go to Settings --> SMB and you'll see a huge text box).

I'm actually in the process of moving WINS off unRaid and back to the machines that were running it before. Using two unRaid machines I was able to set up WINS to get cross-subnet name resolution but no browsing. I don't know if I did something wrong or not but I don't think I did. I've spent a couple of hours on it and since name resolution works I have to assume everything is set up correctly, but browsing doesn't work and it was working before using a VM and an old Linux computer so I'm going back to that.
gundamguy Posted October 13, 2016

Is your local DNS server included as a DHCP Push Option in your VPN setup?
darrenyorston Posted October 13, 2016

> You can configure unRaid's SAMBA settings using Samba extra configuration (Go to Settings --> SMB and you'll see a huge text box).
>
> I'm actually in the process of moving WINS off unRaid and back to the machines that were running it before. Using two unRaid machines I was able to set up WINS to get cross-subnet name resolution but no browsing. I don't know if I did something wrong or not but I don't think I did. I've spent a couple of hours on it and since name resolution works I have to assume everything is set up correctly, but browsing doesn't work and it was working before using a VM and an old Linux computer so I'm going back to that.

Yes it is. Enable samba is set to 'Yes(workgroup)'. Workgroup setting Local Master is set to 'Yes'.

I can ping all the local clients from my VPN client by IP address but not by name.
darrenyorston Posted October 13, 2016

> Is your local DNS server included as a DHCP Push Option in your VPN setup?

I don't know what you mean sorry.

My IPv4 tunnel network is set to 172.22.203.0/24.
DNS Server is set to my local LAN DNS (10.1.1.1)
Enable NetBIOS over TCP/IP is enabled.
Node type set to 'b-node' (broadcasts)

I have not enabled 'Provide a WINS server list to clients' as I don't know what to enter into the WINS Server 1 field.

I don't have any custom options set, I don't know what to enter here either.
Naldinho Posted October 13, 2016

My understanding is that broadcasts won't be sent over a VPN.

This is my setup.

192.168.2.0/24 Office
10.1.1.0/24 Home

I have a computer at each location running Sophos which establish a site to site VPN using IPsec.

I then have a masquerading rule from the remote network to the local interface at each end.

This alone gets you to being able to access any computer on either subnet using IP.

To get name resolution (and hopefully browsing) you need to then use WINS.

At the office I have a Ubuntu server VM that I use for the internal web server so I designated it the WINS server for both networks. At home I set a Ubuntu computer to act as local master. These two machines then replicate and broadcast their computers to each other.

The DHCP server at each end pushes out the WINS server and sets the node type to H.

The last step is to allow NetBIOS traffic through your firewall. You just need to make a rule allowing the WINS server and the Local Master to pass NetBIOS back and forth and you're done.
Naldinho Posted October 13, 2016

If you need more details I can post the actual WINS settings. I just didn't want to get into that level of detail if we're talking about something different.
darrenyorston Posted October 13, 2016

> My understanding is that broadcasts won't be sent over a VPN.
>
> This is my setup.
>
> 192.168.2.0/24 Office
> 10.1.1.0/24 Home
>
> I have a computer at each location running Sophos which establish a site to site VPN using IPsec.
>
> I then have a masquerading rule from the remote network to the local interface at each end.
>
> This alone gets you to being able to access any computer on either subnet using IP.
>
> To get name resolution (and hopefully browsing) you need to then use WINS.
>
> At the office I have a Ubuntu server VM that I use for the internal web server so I designated it the WINS server for both networks. At home I set a Ubuntu computer to act as local master. These two machines then replicate and broadcast their computers to each other.
>
> The DHCP server at each end pushes out the WINS server and sets the node type to H.
>
> The last step is to allow NetBIOS traffic through your firewall. You just need to make a rule allowing the WINS server and the Local Master to pass NetBIOS back and forth and you're done.

Ok. I am using OpenVPN for my connection. The OpenVPN server is on PFSense at home and my travelling laptop is using the OpenVPN client. I don't know what Sophos is, presuming a VPN server/client setup.

I have a firewall rule set up on my PFSense box allowing all OpenVPN traffic to pass. I am presuming it is working as I can ping local IP addresses over the VPN. I am not sure what else I need to do to actually map SMB shares.

I don't have 'WINS server enable' set to provide WINS server list to clients. If I enable it, it asks for a WINS Server. I don't know if I have one and if I do where I get that information from.
Naldinho Posted October 13, 2016

Sophos is just a PFSense alternative.

Ok so I misunderstood. I thought you had a site to site VPN that was on 24/7 and you were trying to browse across subnets. Your situation is quite different. I've set up my laptop to access the network remotely but that was all automatic and I've never tested if name resolution works.
darrenyorston Posted October 14, 2016

> Sophos is just a PFSense alternative.
>
> Ok so I misunderstood. I thought you had a site to site VPN that was on 24/7 and you were trying to browse across subnets. Your situation is quite different. I've set up my laptop to access the network remotely but that was all automatic and I've never tested if name resolution works.

Well I thought I was browsing across subnets. My LAN is 10.1.1.1/255.255.0.0 and my VPN tunnel network is 172.22.203.0/24. The peeps on the PFSense forums were saying that I am trying to browse across subnets.

To be honest I am not really concerned with getting my config to work, I just want any config to work!! I am the only one using the system, I just want to be able to access network shares when I am not at home. I am surprised that no one knows how to get it to work.
Msan Posted October 14, 2016

> > Sophos is just a PFSense alternative.
> >
> > Ok so I misunderstood. I thought you had a site to site VPN that was on 24/7 and you were trying to browse across subnets. Your situation is quite different. I've set up my laptop to access the network remotely but that was all automatic and I've never tested if name resolution works.
>
> Well I thought I was browsing across subnets. My LAN is 10.1.1.1/255.255.0.0 and my VPN tunnel network is 172.22.203.0/24. The peeps on the PFSense forums were saying that I am trying to browse across subnets.
>
> To be honest I am not really concerned with getting my config to work, I just want any config to work!! I am the only one using the system, I just want to be able to access network shares when I am not at home. I am surprised that no one knows how to get it to work.

Can't you access the share via \\server.ip\sharename ?
darrenyorston Posted October 14, 2016

> > > Sophos is just a PFSense alternative.
> > >
> > > Ok so I misunderstood. I thought you had a site to site VPN that was on 24/7 and you were trying to browse across subnets. Your situation is quite different. I've set up my laptop to access the network remotely but that was all automatic and I've never tested if name resolution works.
> >
> > Well I thought I was browsing across subnets. My LAN is 10.1.1.1/255.255.0.0 and my VPN tunnel network is 172.22.203.0/24. The peeps on the PFSense forums were saying that I am trying to browse across subnets.
> >
> > To be honest I am not really concerned with getting my config to work, I just want any config to work!! I am the only one using the system, I just want to be able to access network shares when I am not at home. I am surprised that no one knows how to get it to work.
>
> Can't you access the share via \\server.ip\sharename ?

No I cannot. I get a Windows Security popup on my laptop asking me to enter my credentials for 10.1.1.40 (my unRaid box). Beneath the password field appears in red text 'Access is denied', that's even before I put my password in. If I put my password in and hit enter it just shows the same message.

I am presuming there is a setting somewhere on unRaid that is blocking access to the shares from a VPN connection. I can ping the UnRaid box fine, same with the router.
ljm42 Posted October 14, 2016

> I am presuming there is a setting somewhere on unRaid that is blocking access to the shares from a VPN connection.

I don't think that is the case.

I maintain two unRAID systems on two different networks, I'll call them "home" and "remote". The home server is running unRAID 6.3.0 rc1 and the remote one is on unRAID 6.2.1. There is a router-based (Asus Merlin OpenVPN) site-to-site VPN connection between the home and remote locations. I am able to access SMB shares on the remote server from Win 10 machines on my home network without any problems.

To test your use case, I went to Starbucks this morning and vpn'd to the remote router directly from my Win 10 laptop, and was still able to access SMB shares on the remote unRAID system.

So I'm not sure why it isn't working for you, but I really don't think unRAID is doing anything to block your VPN / other subnet connections.

A couple of other points:

I have had problems with name resolution in the past, so I manually added both unRAID systems to my Windows hosts and lmhosts files (in c:\windows\system32\drivers\etc) and that solved the problem.

My work laptop is part of a domain for work, and not my local workgroup. This complicates authentication, but can be solved by going to the Windows Credential Manager and adding a "Windows Credential" for each unRAID server.

Hope it helps!
darrenyorston Posted October 15, 2016

I have deleted the VPN server/client a number of times and set it back up however, I still have the same problem; unable to access SMB shares over the VPN. I also cannot see any computers on the network either.

I don't know what you mean by adding my unRaid system to Windows hosts either.

I will try and set up an Ubuntu VM tonight and see if I can connect that way. If it works then I will know that it is a Windows problem.
METDeath Posted October 15, 2016

Just to check, in pfSense under Services > VPN > Servers > *Your VPN Server* find the section called "IPv4 Local network(s)" and make sure your normal network subnet is there. I'm not sure what the CIDR notation is for your particular setup.

Also, make sure to provide the normal DNS server to the VPN client, typically it will be the Local Network's DNS server (that interface's IP).
darrenyorston Posted October 16, 2016

> Just to check, in pfSense under Services > VPN > Servers > *Your VPN Server* find the section called "IPv4 Local network(s)" and make sure your normal network subnet is there. I'm not sure what the CIDR notation is for your particular setup.
>
> Also, make sure to provide the normal DNS server to the VPN client, typically it will be the Local Network's DNS server (that interface's IP).

Hello there. There is no; Services > VPN > Servers > *Your VPN Server*, I am presuming you mean; VPN > OpenVPN > Servers > *Your VPN Server*. If so there is also no section called "IPv4 Local network(s)".

My LAN DNS server is listed correctly.
METDeath Posted October 16, 2016

> > Just to check, in pfSense under Services > VPN > Servers > *Your VPN Server* find the section called "IPv4 Local network(s)" and make sure your normal network subnet is there. I'm not sure what the CIDR notation is for your particular setup.
> >
> > Also, make sure to provide the normal DNS server to the VPN client, typically it will be the Local Network's DNS server (that interface's IP).
>
> Hello there. There is no; Services > VPN > Servers > *Your VPN Server*, I am presuming you mean; VPN > OpenVPN > Servers > *Your VPN Server*. If so there is also no section called "IPv4 Local network(s)".
>
> My LAN DNS server is listed correctly.

What version of pfSense are you on? I pulled that from my 2.3.2 box, and you are correct about the Services bit... The "IPv4 Local Network(s)" is under "Tunnel Settings".

Edited for clarity and missing words.
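
An added example, not written by any poster in this thread: a Python check of the addressing plans discussed above. It converts the LAN's dotted netmask to CIDR notation for the "IPv4 Local network(s)" field, flags a tunnel range that overlaps the LAN, and flags a file server that no pushed route covers. The pushed-route lists, the /16 mask applied to the earlier 10.1.2.x tunnel, and all function and plan names are assumptions made for illustration.

```python
import ipaddress

def to_cidr(addr_with_mask):
    """Normalise 'address/netmask' (host bits allowed) to CIDR notation."""
    return str(ipaddress.ip_network(addr_with_mask, strict=False))

def check_plan(lan, tunnel, pushed_routes, targets):
    """Return a list of findings for a remote-access VPN addressing plan."""
    lan_net = ipaddress.ip_network(lan, strict=False)
    tun_net = ipaddress.ip_network(tunnel, strict=False)
    routes = [ipaddress.ip_network(r, strict=False) for r in pushed_routes]
    findings = []

    # A tunnel range that overlaps the LAN makes routing ambiguous.
    if lan_net.overlaps(tun_net):
        findings.append(f"OVERLAP tunnel {tun_net} vs LAN {lan_net}")

    # A route wider than the LAN pulls more client traffic into the tunnel
    # than the LAN itself requires.
    for route in routes:
        if route != lan_net and lan_net.subnet_of(route):
            findings.append(f"BROAD route {route} is wider than LAN {lan_net}")

    # Every host the client must reach needs a pushed route that contains it.
    for target in targets:
        addr = ipaddress.ip_address(target)
        if not any(addr in route for route in routes):
            findings.append(f"NO-ROUTE {addr} not covered by pushed routes")
    return findings

SERVER = "10.1.1.40"            # unRAID address quoted in the thread
LAN = "10.1.1.1/255.255.0.0"    # LAN as written in the thread (host bits set)

# Constructed plans: tunnel values come from the thread; the pushed routes
# and the /16 mask for the earlier 10.1.2.x tunnel are assumptions.
PLANS = {
    "current tunnel": ("172.22.203.0/24", ["10.1.0.0/16"]),
    "earlier tunnel": ("10.1.2.0/24", ["10.1.0.0/16"]),
    "route too narrow": ("172.22.203.0/24", ["10.1.0.0/24"]),
    "no route pushed": ("172.22.203.0/24", []),
}

def run_plans():
    """Evaluate every constructed plan against the thread's file server."""
    return {name: check_plan(LAN, tunnel, routes, [SERVER])
            for name, (tunnel, routes) in PLANS.items()}

if __name__ == "__main__":
    print("LAN in CIDR notation:", to_cidr(LAN))
    for name, findings in run_plans().items():
        print(f"{name}: {findings or 'ok'}")
```

A clean result only says the addressing and pushed routes are consistent; it does not test name resolution or SMB authentication, which the thread treats as separate problems.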