Posted: Sat Jun 13, 2020 7:22 Post subject: Samba share no longer accessible when connected as PPTP VPN
When connected as a PPTP VPN client to the router I used to have access to a Samba share (e.g. "//192.168.2.1/share"). Now I don't.
The router has an IP of 192.168.2.1 and was set up as a PPTP VPN server. Current release is r43392.
I've tried toggling bcrelay - it doesn't help.
I've rolled back to r40270 - everything works like a charm, so this might relate to in-kernel samba. It just doesn't allow connecting from a different sub-network.
I've tried printing to 192.168.2.1 (p910nd) through VPN - and it worked.
Currently client VPN gets IP of 192.168.2.10 in the 255.255.255.255 subnetwork. Router LAN is in 255.255.255.0
Workaround of putting ppp0 (PPTP) and router lan interfaces on same subnet interface also didn't help.
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Sat Jun 13, 2020 8:12 Post subject:
It could well be related to the in kernel samba.
Instructions, which *might* work are in place for OpenVPN and WireGuard.
PPtP is really unsafe and not that much used any more (and should be deprecated IMHO) so there are no instructions for it.
WireGuard instructions See page 17 of the WireGuard Advanced setup guide, link in my signature at the bottom of this post
Need PPTP for various reasons (when pc doesn't allow installation of 3rd party software, or OpenVPN is blocked from downloading). I've left a ticket here https://svn.dd-wrt.com/ticket/7144 since it's code
Joined: 24 Feb 2013 Posts: 1634 Location: Belgrade
Posted: Sat Jun 13, 2020 8:48 Post subject:
madi123 wrote:
Need PPTP for various reasons (when pc doesn't allow installation of 3rd party software, or OpenVPN is blocked from downloading). I've left a ticket here https://svn.dd-wrt.com/ticket/7144 since it's code
when you ssh to router and do cat /tmp/smb.conf
do you have something like bind interfaces only = yes
if answer is positive that's answer for your question... so, no bug... configuration issue...
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Sat Jun 13, 2020 15:22 Post subject:
You need to quit opening invalid / incomplete tickets and do some research in the forum about PPTP. Especially if you aren't submitting a patch to fix whatever is broken.
Need PPTP for various reasons (when pc doesn't allow installation of 3rd party software, or OpenVPN is blocked from downloading). I've left a ticket here https://svn.dd-wrt.com/ticket/7144 since it's code
when you ssh to router and do cat /tmp/smb.conf
do you have something like bind interfaces only = yes
if answer is positive that's answer for your question... so, no bug... configuration issue...
I did my homework, in the previous working configuration it was also bind interfaces only = yes, but it worked flawlessly. It is not related to config and I can't find in the code what changed
Joined: 08 May 2018 Posts: 14246 Location: Texas, USA
Posted: Sat Jun 13, 2020 19:22 Post subject:
Search the forum. Search my username and PPTP if you want. Adding duplicate useless tickets isn't going to get anything fixed if you can't find what broke.
You need to quit opening invalid / incomplete tickets and do some research in the forum about PPTP. Especially if you aren't submitting a patch to fix whatever is broken.
I've posted a recommended solution for VPN connection on https://svn.dd-wrt.com/ticket/7145, some modules are not loaded, which is causing the problem. I hope this will be included in the next release, before my ticket is closed. This will take away frustration from many users like me. I'm trying to be helpful.
Instructions, which *might* work are in place for OpenVPN and WireGuard.
PPtP is really unsafe and not that much used any more (and should be deprecated IMHO) so there are no instructions for it.
WireGuard instructions See page 17 of the WireGuard Advanced setup guide, link in my signature at the bottom of this post
BTW also read the forum guide lines, link also in my signature, so that you know where to post these questions so that you will get better assistance
This is actually super useful. I apologize for not reading the DDWRT WireGuard Advanced Setup p.17 you referred to. It actually was super helpful. I'm citing it below so others can read and not create duplicate threads:
"The Routers NAS might not be reachable on newer builds with ksmbd.
When you want to access the routers NAS via internet with an app like andSMB it is reported that
change the hosts allow in tmp/smb.conf to include the WG subnet (10.4.0.0/24) might work:
hosts allow = 10.4.0.0/24. (in global section) (some say to also include the local host 127.0.0.1)
And add the interface of the VPN:
interfaces = br0, oet1 (maybe also WAN interface eth0 or vlan2, those seem to be running by default
(see ps) )
Alternatively change bind interfaces only = yes to:
bind interfaces only = no
You can copy tmp/smb.conf and smb.db to /jffs/etc/ if you have permanent/usb storage so that it
will be read from there (since build 42693).
Use stopservice samba3, startservice samba3, to stop and start
I got it working with andSMB but I had to choose SMB v1 in andSMB."
Apparently after following the Wireguard guidance above ksmbd based samba share is still not discoverable in Windows 10. I'm out of luck. I did every possible change (smb.conf (Bind interfaces only = no, hosts allow = xx.xx.xx.) edit and copy to jffs together with smb.db + bcrelay + static advanced routing)
Did anyone really get ksmbd based samba working through PPTP vpn (also tried OpenVPN) with any of the recent builds past r43320? I really need your help to make it work
I was able to get LAN access through VPN and see other network devices but still couldn't get the access to SAMBA share
So after investigations I found it works ONLY when 3 conditions are met:
1) ppp0 is UP (e.g. VPN is connected)
2) ppp0 is added to interfaces in smb.conf
3) samba3 service is restarted while ppp0 is UP
(to check ppp0 status run ifconfig -a)
So it works only when samba3 service was started while ppp0 link is up, and I was able to connect to samba share and transfer the files. However, if you disconnect from VPN then connect again you no longer have samba share access, and samba3 service needs to be restarted again. This is not practical.
If you are interested I've opened a discussion on ksmbd, hopefully they will fix it, since according to one of the developers:
I think this is true for now, since when I add IP/netmask nothing changes from the access standpoint, as a check I was able to add additional interface lo, which you normally won't see after running commands below. So, ksmbd still listens to interfaces only (e.g. eth0, br0, etc), but not the IP/netmask.
Commands and outputs:
for smb.conf (copied to /jffs/etc then edited with vi)
interfaces = br0 eth0 lo 192.168.2.1/32
bind interfaces only = no
root@DD-WRT2:/jffs/etc# netstat -an | grep 445
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN
netstat: /proc/net/tcp6: No such file or directory
netstat: /proc/net/udp6: No such file or directory
netstat: /proc/net/raw6: No such file or directory
What do you think guys? Can someone try to fix it from DD-WRT side?
Is there any way to dynamically add the ppp0 to ksmbd listening ports as soon as ppp0 is UP? This should not restart samba3, otherwise it will screw up other transfers
Alternatively if you can help to create a Firewall rule that will mask requests coming from 192.168.2.1/32 PPTP network to Samba as they are coming from br0 lan 192.168.1.1/24 network (e.g. Use NAT for samba requests on port 445)
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Tue Jun 16, 2020 16:34 Post subject:
Of course you can make a script which adds the interface to smb.conf when the interface is up.
(for openVPN there is a route up script and for Wireguard there will be route-up -down and use of native fwmark in the future)
But it probably still needs a restart of samba3 unless ksmbd detects a change in config and acts accordingly (by restarting? )
Restarting services is not uncommon, for OpenVPN set_routes, firewall and wshaper (QoS) are restarted when the interface is up (and QoS is used)
I think the fix that will work for everyone is adding support in ksmbd for ip/mask in interfaces param defined in smb.conf. This will fix the root of the problem. I hope this can be done sooner or later.
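The three conditions listed earlier in the thread (ppp0 up, ppp0 listed in smb.conf, samba3 restarted while ppp0 is up), combined with the suggestion to script the smb.conf change, as an added example that is not from any poster or from DD-WRT. The function names, the /jffs/etc/smb.conf default, the space-separated interfaces line and the "run" argument are assumptions; stopservice/startservice samba3 and ifconfig are the commands quoted in the thread, and only the interfaces line is edited, so bind interfaces only and hosts allow stay as configured.

```shell
#!/bin/sh
# Added example, not DD-WRT code. Defaults below are assumptions taken from the thread.
SMB_CONF="${SMB_CONF:-/jffs/etc/smb.conf}"
VPN_IF="${VPN_IF:-ppp0}"

# iface_listed FILE IFACE: succeed if IFACE is already on the "interfaces =" line.
iface_listed() {
    awk -v ifc="$2" '
        /^[ \t]*interfaces[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/,/, " ")
            n = split($0, a, /[ \t]+/)
            for (i = 1; i <= n; i++) if (a[i] == ifc) found = 1
        }
        END { exit !found }' "$1"
}

# add_iface FILE IFACE: append IFACE to the existing interfaces line only.
# Returns 0 = file changed, 1 = already listed, 2 = bad input or no interfaces line.
add_iface() {
    [ -f "$1" ] || return 2
    # Reject anything that is not a plain interface name before it reaches the config.
    case "$2" in ''|*[!A-Za-z0-9._-]*) return 2 ;; esac
    iface_listed "$1" "$2" && return 1
    grep -q '^[[:space:]]*interfaces[[:space:]]*=' "$1" || return 2
    tmp="$1.tmp.$$"
    awk -v ifc="$2" '
        /^[ \t]*interfaces[ \t]*=/ && !seen {
            sub(/[ \t]*$/, ""); print $0 " " ifc; seen = 1; next
        }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# on_vpn_up: the three conditions from the thread, in order.
on_vpn_up() {
    ifconfig "$VPN_IF" 2>/dev/null | grep -q 'UP' || return 1   # 1) link is up
    add_iface "$SMB_CONF" "$VPN_IF"                              # 2) listed in smb.conf
    [ $? -le 1 ] || return 2
    stopservice samba3                                           # 3) restart while up,
    startservice samba3                                          #    on every reconnect
}

# Run only when invoked as "<script> run" from whatever hook fires on VPN connect.
if [ "${1:-}" = "run" ]; then on_vpn_up; fi
```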