[Openvpn-users] Openvpn and samba
David Mehler
2017-04-27 17:12:11 UTC
Hello,

I've got a machine running Openvpn 2.4. It's also got a web server on
it. Currently to alter files users have to sftp them in to place. What
I was wondering is would it be possible to run samba4 as a standalone
server not as a domain member or controller, and give connecting users
rights to the web areas? Ideally they'd just hit their system's
network area then the workgroup then the share and copy in files that
way.

One issue is I don't want smbd and nmbd listening on the public
interface so I've got them locked down to 127.0.0.1 wondering if this
would be an issue?

Thanks.
Dave.
Gert Doering
2017-04-27 17:19:07 UTC
Hi,
Post by David Mehler
One issue is I don't want smbd and nmbd listening on the public
interface so I've got them locked down to 127.0.0.1 wondering if this
would be an issue?
This will not work - 127.0.0.1 is not reachable from anywhere.

You can make them listen to the tun IP on the server, and restrict
client access to "openvpn client IPs" - that should work.

gert
--
USENET is *not* the non-clickable part of WWW!
//www.muc.de/~gert/
Gert Doering - Munich, Germany ***@greenie.muc.de
fax: +49-89-35655025 ***@net.informatik.tu-muenchen.de
David Sommerseth
2017-04-27 17:25:17 UTC
Post by David Mehler
Hello,
I've got a machine running Openvpn 2.4. It's also got a web server on
it. Currently to alter files users have to sftp them in to place. What
I was wondering is would it be possible to run samba4 as a standalone
server not as a domain member or controller, and give connecting users
rights to the web areas? Ideally they'd just hit their system's
network area then the workgroup then the share and copy in files that
way.
That can work. But Windows network browsing is a mysterious monster to
me. I have used a similar setup elsewhere, but we added some logon
scripts which assigned a drive letter to these shares. This can be done
via --route-up script on the client, with the disconnect being run via
--route-pre-down.
Post by David Mehler
One issue is I don't want smbd and nmbd listening on the public
interface so I've got them locked down to 127.0.0.1 wondering if this
would be an issue?
Gert covered the issue with 127.0.0.1. So either you need to ensure
smbd is started _after_ the OpenVPN interface is configured on your system.

Or you can add a dummy interface (modprobe dummy) and configure smbd to
listen to that. Then you should be able to route to that interface
properly via the VPN.

Or you can let smbd listen to all IPs, and do the rest of the magic in
iptables.

In all these scenarios, you should also add restrictions in smb.conf.


--
kind regards,

David Sommerseth
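Added example, not code from the thread or from the OpenVPN or Samba projects: a POSIX shell script that renders the three pieces David Sommerseth lists (a dummy interface for smbd to bind, smb.conf restrictions, and iptables rules that only accept SMB from the tunnel) and shows the loopback-only binding from the original question beside the hardened one. The interface names tun0 and smb0, the 10.8.0.0/24 client pool, the 10.8.255.1 dummy address, the /var/www share and the www-editors group are assumptions; adjust them to the real deployment.

```shell
#!/bin/sh
# Added example (not from the thread): make a standalone Samba reachable only
# from OpenVPN clients. Interface names and addresses are assumptions.
set -eu

VPN_IF="${VPN_IF:-tun0}"            # server-side tunnel interface (assumed)
VPN_NET="${VPN_NET:-10.8.0.0/24}"   # client pool, i.e. "server 10.8.0.0 255.255.255.0"
SMB_IF="${SMB_IF:-smb0}"            # dummy interface that exists before openvpn starts
SMB_IP="${SMB_IP:-10.8.255.1}"      # address smbd binds to; clients reach it via a pushed route

# The setting from the original question: binding to loopback.  127.0.0.1 is
# only reachable from the host itself, so VPN clients get "connection refused".
smb_conf_loopback_only() {
    printf '%s\n' '[global]' '   interfaces = 127.0.0.1' '   bind interfaces only = yes'
}

# Hardened [global]: bind to lo and the dummy interface only, and filter at the
# SMB layer too.  With "hosts allow" set, any address not listed is refused;
# "hosts deny = ALL" just makes that explicit.  NetBIOS (nmbd) is switched off
# because browsing over a routed VPN does not work anyway.
smb_conf_vpn_only() {
    cat <<EOF
[global]
   workgroup = WORKGROUP
   server role = standalone server
   interfaces = lo $SMB_IF
   bind interfaces only = yes
   hosts allow = 127.0.0.1 $VPN_NET
   hosts deny = ALL
   disable netbios = yes
   smb ports = 445
   server min protocol = SMB2
   map to guest = Never

[www]
   path = /var/www
   valid users = @www-editors
   writeable = yes
   force group = www-data
   create mask = 0664
   directory mask = 2775
EOF
}

# Packet filter: accept SMB only when it arrives over the tunnel from the
# client pool; drop 139/445 and NetBIOS datagrams from everywhere else.
iptables_rules_vpn_only() {
    cat <<EOF
iptables -A INPUT -i $VPN_IF -s $VPN_NET -d $SMB_IP -p tcp --dport 445 -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 139,445 -j DROP
iptables -A INPUT -p udp -m multiport --dports 137,138 -j DROP
EOF
}

# Dummy interface: gives smbd a stable address at boot whether or not tun0
# exists yet, so no start-ordering between smbd and openvpn is needed.
dummy_if_setup() {
    cat <<EOF
ip link add $SMB_IF type dummy
ip addr add $SMB_IP/32 dev $SMB_IF
ip link set $SMB_IF up
EOF
}

# server.conf line so clients route the dummy address through the tunnel.
openvpn_push_line() {
    printf 'push "route %s 255.255.255.255"\n' "$SMB_IP"
}

case "${1:-render}" in
    render)
        echo "# smb.conf";      smb_conf_vpn_only
        echo "# firewall";      iptables_rules_vpn_only
        echo "# interface";     dummy_if_setup
        echo "# server.conf";   openvpn_push_line
        ;;
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        dummy_if_setup | sh -e
        iptables_rules_vpn_only | sh -e
        smb_conf_vpn_only   # merge into /etc/samba/smb.conf, then: testparm -s
        openvpn_push_line   # add to the OpenVPN server config
        ;;
esac
```

Run it without arguments to print everything for review; `apply` creates the interface and firewall rules and prints the smb.conf and server.conf fragments to merge by hand. Keep the dummy address outside the client pool so the pushed host route is unambiguous, and check the result with `smbclient -L //10.8.255.1 -U user` from a connected client and from the public side (which must fail).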
Jan Just Keijser
2017-04-30 21:45:00 UTC
Hi Dave,
Post by David Mehler
Hello,
I've got a machine running Openvpn 2.4. It's also got a web server on
it. Currently to alter files users have to sftp them in to place. What
I was wondering is would it be possible to run samba4 as a standalone
server not as a domain member or controller, and give connecting users
rights to the web areas? Ideally they'd just hit their system's
network area then the workgroup then the share and copy in files that
way.
One issue is I don't want smbd and nmbd listening on the public
interface so I've got them locked down to 127.0.0.1 wondering if this
would be an issue?
I won't cover what the others already told you, but keep in mind that
Windows 7+ clients normally don't trust the Windows TAP adapter; the
result is that the VPN connection is placed in the public network zone
and you will not be able to browse any files in that zone. The easiest
trick to work around this is to add a (bogus) default route:
push "route 0.0.0.0 0.0.0.0 net_gateway 300"
to the server config - this will create a default route with a very high
metric on the client. This route will normally never be used but it does
allow you to place the Windows TAP adapter in a private zone.

HTH,

JJK
