maxwell

When connecting via OpenVPN I do not see shared folders and computers on the network, although the ping from client to server is stable and the workgroup is the same. I enclose my configuration. I reviewed the entire forum and the Internet but did not find the answer.

# Tip - if you are using this as a template for configuring other VPNs:
# - the ifconfig-pool-persist file must be unique
# - the port/protocol combination must be unique
# - different server IPs are recommended
# - don't forget about the firewall
port 1194
proto udp
dev tun
ca /etc/pki/CA/ca-cert.pem
cert /etc/pki/CA/sys-0-cert.pem
key /etc/pki/CA/private/sys-0-key.pem
dh /etc/openvpn/ssl/dh1024.pem
server 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
user nobody
group nobody
multihome
persist-key
persist-tun
ifconfig-pool-persist /var/lib/openvpn/ipp.txt 120
status /var/lib/openvpn/openvpn-status.log
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
verb 3
push "dhcp-option DNS 192.168.5.1"
push "dhcp-option WINS 192.168.5.1"
push "dhcp-option DOMAIN server.njh.lan"
plugin /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so openvpn
push "route 192.168.5.0 255.255.255.0"
push "route 192.168.0.0 255.255.255.0"
client-to-client
client-config-dir /etc/openvpn/ccd

/etc/openvpn/ccd
iroute 192.168.0.0 255.255.255.0
iroute 192.168.5.0 255.255.255.0
In OpenVPN
Wednesday, February 27 2019, 04:02 PM
Responses (12)
  • Thursday, February 28 2019, 08:56 PM
    Your last post means nothing without the headers.

    Every time you add a custom rule the firewall reloads. If you think nothing is happening, please give the contents of /etc/clearos/firewall.d/custom, and please put it and any firewall output between code tags - the piece of paper icon with a <> on it.
  • maxwell, Thursday, February 28 2019, 06:17 PM
    0 0 DROP all -- eth0 * 127.0.0.0/8 0.0.0.0/0
    0 0 DROP all -- eth0 * 169.254.0.0/16 0.0.0.0/0
    4195 9076K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    3 185 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    45995 2967K ACCEPT all -- eth1 * 0.0.0.0/0 0.0.0.0/0
  • maxwell, Thursday, February 28 2019, 06:13 PM
    I entered everything into a custom firewall rule, but nothing changed even after the firewall was overloaded.
  • maxwell, Thursday, February 28 2019, 06:12 PM
    Nick Howitt wrote:

    It is correct the first time you run it. Restart your firewall, then do an "iptables nvL -t NAT" and have a look at the POSTROUTING chain. There should be a rule with a tun+ interface. Run the command and it deletes that line. Run it again and it fails:
    [root@server ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 9 packets, 1141 bytes)
    pkts bytes target prot opt in out source destination
    13 1501 DNSthingy all -- * * 0.0.0.0/0 0.0.0.0/0
    7 948 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
    6 816 MINIUPNPD all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0

    Chain INPUT (policy ACCEPT 6 packets, 816 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- * * 0.0.0.0/0 62.252.0.0/14 udp dpt:67 to:255.255.255.255
    1 369 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
    5 398 MASQUERADE all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * !docker0 172.18.0.0/16 0.0.0.0/0
    0 0 MASQUERADE all -- * !br-a2579ec9ae9c 172.19.0.0/16 0.0.0.0/0

    Chain DNSthingy (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- enp5s0 * 0.0.0.0/0 !172.17.2.1 udp dpt:53 to:172.17.2.1:53
    0 0 DNAT tcp -- enp5s0 * 0.0.0.0/0 !172.17.2.1 tcp dpt:53 to:172.17.2.1:53
    0 0 DNAT tcp -- * * 0.0.0.0/0 172.27.27.27 tcp dpt:80 to:172.27.27.27:6373

    Chain DOCKER (2 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN all -- br-a2579ec9ae9c * 0.0.0.0/0 0.0.0.0/0

    Chain MINIUPNPD (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9305 to:172.17.2.112:9305
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9307 to:172.17.2.112:9307
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9308 to:172.17.2.112:9308
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:59909 to:172.17.2.112:59909
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:19132 to:172.17.2.116:19132
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9304 to:172.17.2.112:9304
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34182 to:172.17.2.118:34182
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34181 to:172.17.2.118:34181
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34180 to:172.17.2.118:34180
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:59820 to:172.17.2.101:59820
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:49396 to:172.17.2.140:49396
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:50677 to:172.17.2.181:50677
    [root@server ~]# iptables -D POSTROUTING -t nat -o tun+ -j ACCEPT
    [root@server ~]# iptables -D POSTROUTING -t nat -o tun+ -j ACCEPT
    iptables: Bad rule (does a matching rule exist in that chain?).
  • maxwell, Wednesday, February 27 2019, 08:43 PM
    [root@system ~]# route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    10.8.0.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    192.168.5.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
    10.8.0.0 10.8.0.2 255.255.255.0 UG 0 0 0 tun0
    192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
    0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 eth0
    $IPTABLES -D POSTROUTING -t nat -o tun+ -j ACCEPT - deleted
  • Wednesday, February 27 2019, 08:25 PM
    What does that mean? So you have not deleted the ACCEPT rule but have added the MASQUERADE rule. Does it work? Your post is a bit meaningless.
  • maxwell, Wednesday, February 27 2019, 07:56 PM
    [root@system ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 5 packets, 582 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:1211 to:192.168.5.16:1211
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:106 to:192.168.5.19:106
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:121 to:192.168.5.13:121
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:124 to:192.168.5.6:124
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:127 to:192.168.5.15:127
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:160 to:192.168.5.20:160
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:185 to:192.168.5.21:185
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:2025 to:192.168.5.23:2025
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:2026 to:192.168.5.23:2026
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:29021 to:192.168.5.23:29021
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:1853 to:192.168.5.21:1853
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:18530 to:192.168.5.29:1853
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:122 to:192.168.5.18:122
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:316 to:192.168.5.22:316
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:178 to:192.168.5.10:178
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:5000 to:192.168.5.23:5000
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:810 to:192.168.5.41:81
    0 0 DNAT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:220 to:192.168.5.41:12092
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.5.1 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.75 tcp dpt:80
    0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.254 tcp dpt:80
    0 0 ACCEPT tcp -- * * 192.168.1.254 0.0.0.0/0 tcp dpt:80
    1 52 REDIRECT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 redir ports 8080

    Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
    pkts bytes target prot opt in out source destination
    0 0 MASQUERADE all -- * * 10.8.0.0/24 0.0.0.0/0
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.16 tcp dpt:1211 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.19 tcp dpt:106 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.13 tcp dpt:121 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.6 tcp dpt:124 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.15 tcp dpt:127 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.20 tcp dpt:160 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.21 tcp dpt:185 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.23 tcp dpt:2025 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.23 tcp dpt:2026 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.23 tcp dpt:29021 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.21 tcp dpt:1853 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.29 tcp dpt:1853 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.18 tcp dpt:122 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.22 tcp dpt:316 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.10 tcp dpt:178 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.23 tcp dpt:5000 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.41 tcp dpt:81 to:192.168.5.1
    0 0 SNAT tcp -- * * 192.168.5.0/24 192.168.5.41 tcp dpt:12092 to:192.168.5.1
    3 178 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 1 packets, 60 bytes)
    pkts bytes target prot opt in out source destination
    [root@system ~]#
  • Wednesday, February 27 2019, 07:23 PM
    It is correct the first time you run it. Restart your firewall, then do an "iptables nvL -t NAT" and have a look at the POSTROUTING chain. There should be a rule with a tun+ interface. Run the command and it deletes that line. Run it again and it fails:
    [root@server ~]# iptables -nvL -t nat
    Chain PREROUTING (policy ACCEPT 9 packets, 1141 bytes)
    pkts bytes target prot opt in out source destination
    13 1501 DNSthingy all -- * * 0.0.0.0/0 0.0.0.0/0
    7 948 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
    6 816 MINIUPNPD all -- enp2s0 * 0.0.0.0/0 0.0.0.0/0

    Chain INPUT (policy ACCEPT 6 packets, 816 bytes)
    pkts bytes target prot opt in out source destination

    Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- * * 0.0.0.0/0 62.252.0.0/14 udp dpt:67 to:255.255.255.255
    1 369 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL

    Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol ipsec
    5 398 MASQUERADE all -- * enp2s0 0.0.0.0/0 0.0.0.0/0
    0 0 MASQUERADE all -- * !docker0 172.18.0.0/16 0.0.0.0/0
    0 0 MASQUERADE all -- * !br-a2579ec9ae9c 172.19.0.0/16 0.0.0.0/0

    Chain DNSthingy (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- enp5s0 * 0.0.0.0/0 !172.17.2.1 udp dpt:53 to:172.17.2.1:53
    0 0 DNAT tcp -- enp5s0 * 0.0.0.0/0 !172.17.2.1 tcp dpt:53 to:172.17.2.1:53
    0 0 DNAT tcp -- * * 0.0.0.0/0 172.27.27.27 tcp dpt:80 to:172.27.27.27:6373

    Chain DOCKER (2 references)
    pkts bytes target prot opt in out source destination
    0 0 RETURN all -- br-a2579ec9ae9c * 0.0.0.0/0 0.0.0.0/0

    Chain MINIUPNPD (1 references)
    pkts bytes target prot opt in out source destination
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9305 to:172.17.2.112:9305
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9307 to:172.17.2.112:9307
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9308 to:172.17.2.112:9308
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:59909 to:172.17.2.112:59909
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:19132 to:172.17.2.116:19132
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:9304 to:172.17.2.112:9304
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34182 to:172.17.2.118:34182
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34181 to:172.17.2.118:34181
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:34180 to:172.17.2.118:34180
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:59820 to:172.17.2.101:59820
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:49396 to:172.17.2.140:49396
    0 0 DNAT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:50677 to:172.17.2.181:50677
    [root@server ~]# iptables -D POSTROUTING -t nat -o tun+ -j ACCEPT
    [root@server ~]# iptables -D POSTROUTING -t nat -o tun+ -j ACCEPT
    iptables: Bad rule (does a matching rule exist in that chain?).
  • maxwell, Wednesday, February 27 2019, 06:53 PM
    This rule: iptables -D POSTROUTING -t nat -o tun+ -j ACCEPT gives an error here: Firewall rule is invalid.
  • Wednesday, February 27 2019, 06:19 PM
    Did not fit where? What error? They should work in the Custom Firewall module. If not, just temporarily, change "$IPTABLES" to "iptables" and apply them at the command line. We can work on a permanent solution after.
  • maxwell, Wednesday, February 27 2019, 05:38 PM
    These commands do not fit, I get an error :(
  • Wednesday, February 27 2019, 04:38 PM
    I've no idea what your ccd stuff is. I've come across it before but never bothered with it.

    There are some other issues. You are getting round the DNS issue as you have a LAN name which does not resolve externally so your DNS should always resolve.

    There is a firewalling issue as well. From your config, all your packets will appear on your LAN as coming from 10.8.0.0/24. For any Windows device this will not be seen as coming from its own LAN and the Windows firewall could be blocking you. You can get round this by allowing traffic from 10.8.0.0/24 into your Windows machines. Alternatively you can probably delete a firewall rule in ClearOS by adding the following Custom Firewall rule:
    $IPTABLES -D POSTROUTING -t nat -o tun+ -j ACCEPT
    This should allow all the packets to appear on your LAN as if they are coming from your ClearOS LAN IP so should be accepted by the Windows firewall.

    Please can you try this rule. If it does not have the desired results, instead can you use the following rule:
    $IPTABLES -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE


    Please can you post back with your results.
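The NAT behaviour described in the reply above (VPN packets reaching the LAN with a 10.8.0.0/24 source unless a MASQUERADE rule catches them first), as an added example that is not part of the thread and not ClearOS code: a small sh/awk script that replays the nat POSTROUTING chain from an `iptables -nvL -t nat` dump against a single packet, first matching rule wins, exactly as the kernel traverses the chain. The two chains, the client address 10.8.0.5 and the LAN host 192.168.5.10 are constructed for the example; eth1 as the LAN interface follows the route table maxwell posted. Protocol- and port-specific rules (the SNAT/DNAT port maps) and jumps to other chains are not modelled.

```shell
#!/bin/sh
# Added example, not code from the thread or from ClearOS: replay the nat
# POSTROUTING chain of an `iptables -nvL -t nat` dump against one packet,
# first matching rule wins, to see whether a VPN client's packets reach the
# LAN with their 10.8.0.x source or with the ClearOS LAN IP.

# Constructed chain modelled on the dump before the extra rule:
# only the stock tun+ ACCEPT and the WAN masquerade on eth0.
NAT_BEFORE='Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target prot opt in out source destination
 0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
 3 178 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0'

# Constructed chain modelled on the dump after
# `$IPTABLES -t nat -I POSTROUTING -s 10.8.0.0/24 -j MASQUERADE`.
NAT_AFTER='Chain POSTROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target prot opt in out source destination
 0 0 MASQUERADE all -- * * 10.8.0.0/24 0.0.0.0/0
 0 0 ACCEPT all -- * tun+ 0.0.0.0/0 0.0.0.0/0
 3 178 MASQUERADE all -- * eth0 0.0.0.0/0 0.0.0.0/0'

# postrouting_verdict SRC DST OUT_IFACE   (dump on stdin)
# Prints the target of the first POSTROUTING rule matching the packet, or
# POLICY when nothing matches (chain policy, i.e. no NAT). Rules carrying a
# protocol or extra match conditions (ports, ipsec policy) are treated as
# non-matching for this generic packet.
postrouting_verdict() {
  awk -v src="$1" -v dst="$2" -v oif="$3" '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    # cidr_match("10.8.0.0/24", "10.8.0.5") -> 1 ; integer division keeps it POSIX awk
    function cidr_match(cidr, ip,   p, bits, block) {
      split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2] + 0
      if (bits == 0) return 1
      block = 2 ^ (32 - bits)
      return int(ip2int(ip) / block) == int(ip2int(p[1]) / block)
    }
    # iface_match("tun+", "tun0") -> 1 ; "*" matches any interface
    function iface_match(pat, name,   n) {
      if (pat == "*") return 1
      n = length(pat)
      if (substr(pat, n) == "+") return substr(name, 1, n - 1) == substr(pat, 1, n - 1)
      return pat == name
    }
    /^Chain /               { chain = $2; next }
    chain != "POSTROUTING"  { next }
    $1 == "pkts" || NF != 9 { next }   # header, blank line, or rule with extra matches
    $4 != "all"             { next }   # protocol-specific rule, not modelled
    iface_match($7, oif) && cidr_match($8, src) && cidr_match($9, dst) {
      print $3; found = 1; exit
    }
    END { if (!found) print "POLICY" }
  '
}

# VPN client 10.8.0.5 -> LAN host 192.168.5.10, leaving the ClearOS box on eth1.
vpn_to_lan_before() { printf '%s\n' "$NAT_BEFORE" | postrouting_verdict 10.8.0.5 192.168.5.10 eth1; }
vpn_to_lan_after()  { printf '%s\n' "$NAT_AFTER"  | postrouting_verdict 10.8.0.5 192.168.5.10 eth1; }
# LAN host replying to the VPN client, leaving on tun0: the tun+ ACCEPT exempts it from NAT.
lan_to_vpn_after()  { printf '%s\n' "$NAT_AFTER"  | postrouting_verdict 192.168.5.10 10.8.0.5 tun0; }

printf 'VPN->LAN before: %s\n' "$(vpn_to_lan_before)"   # POLICY: LAN sees 10.8.0.5
printf 'VPN->LAN after:  %s\n' "$(vpn_to_lan_after)"    # MASQUERADE: LAN sees the eth1 address
printf 'LAN->VPN after:  %s\n' "$(lan_to_vpn_after)"    # ACCEPT: no NAT on the return path
```

On a real box the function reads whatever is on stdin, so `iptables -nvL -t nat | postrouting_verdict 10.8.0.5 192.168.5.10 eth1` answers the same question for the live chain. The "before" run shows why deleting only the `tun+` ACCEPT rule does nothing for VPN-to-LAN traffic on this chain: that rule only matches packets leaving on tun+, and the remaining MASQUERADE is bound to eth0, so a packet bound for eth1 falls through to the policy and keeps its 10.8.0.x source.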