WAN Access via VPN?

Hello, this is my first post on the forum, so please bear with me. I want to be able to access ALL of my shares from outside my LAN, using a VPN. OpenVPN doesn’t seem to be able to do what I want. I have 4 shares on my local network, accessible via any windows machine connected to the network. I would like to be able to somehow remote into the network over a secure connection (i.e. VPN) to transfer and access the files. If somebody could please explain to me how this is possible either through Rockstor itself, or with a second machine (I have an extra laptop that can be used if needed), I will be greatly thankful.

Hi @CaseyMazur,

OpenVPN will allow you to access shares. I have tested this on my mobile phone, using OpenVPN over cellular network and listing/browsing both CIFS and NFS shares successfully (using VLC media player as the browser, for lack of something better at short notice).

Please note that the windows firewall on the VPN client will likely prevent CIFS (Windows shares) from being accessible over the VPN network (due to subnet change), and will need to be reconfigured or disabled.

I was able to list the shares on any host on the remote network simply by pointing to the host IP address (smb://192.168.0.[7-10], nfs://192.168.0.[7-10])

@Haioken So what I would do is set up the OpenVPN Rock-on again, and try to connect with my firewalls disabled?

@CaseyMazur Effectively, yes. Please note that I’m referring specifically to the firewalls on the client system, not the Rockstor OVPN server.

If that succeeds, you’ll need to add firewall rules to allow for SMB over ‘public’ networks, as this is what Windows considers your OpenVPN connection to be (Assuming you’re using Windows clients!).

@Haioken Cool, thanks. I’m currently trying this and will report back when I’m finished.

@Haioken So, I installed OpenVPN and created the config file which I had to copy to my computer by copying it section by section from the shell inside the web GUI. I got this error after disabling all my firewalls: [image] I’m assuming this had to do with me not copying the config correctly? What is the best way to get the config file onto my computer other than the way I used?

Hi @CaseyMazur,

Not sure exactly what caused the error you’re seeing. Perhaps if you copy the whole log as text, I might be able to provide more insight.
Off the bat however, it’s likely that the copy/paste process has screwed up line terminations or line length (which are important in PEM/CRT/KEY files). This is backed up by the statement ‘ASN1_CHECK_TLEN:wrong tag’, which typically happens when the PEM file format has been butchered.

The way I would typically transfer my files is either via SFTP or ZModem, depending on your SSH client’s capabilities.
ZModem is the easiest, and is done from an existing SSH session, but you’ll need an SSH client capable of performing it.
I use Netsarang XShell, which has ZModem capability built in.
You’ll also need ZModem installed, which you can do with:

sudo yum install lrzsz

From there, while connected to the host, you can get the file on your local machine with:

sz /path/to/filename

XShell will prompt you for a place to put the file.

This is what the log said after I copied the config file with the program you mentioned:

Mon Oct 09 09:15:12 2017 OpenVPN 2.4.4 x86_64-w64-mingw32 [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [AEAD] built on Sep 26 2017
Mon Oct 09 09:15:12 2017 Windows version 6.2 (Windows 8 or greater) 64bit
Mon Oct 09 09:15:12 2017 library versions: OpenSSL 1.0.2l 25 May 2017, LZO 2.10
Enter Management Password:
Mon Oct 09 09:15:13 2017 TCP/UDP: Preserving recently used remote address: [AF_INET]74.105.0.3:1194
Mon Oct 09 09:15:13 2017 UDP link local: (not bound)
Mon Oct 09 09:15:13 2017 UDP link remote: [AF_INET]74.105.0.3:1194
Mon Oct 09 09:15:13 2017 [74.105.0.3] Peer Connection Initiated with [AF_INET]74.105.0.3:1194
Mon Oct 09 09:15:14 2017 open_tun
Mon Oct 09 09:15:14 2017 TAP-WIN32 device [Ethernet 3] opened: \\.\Global\{86AD8125-5D47-48E4-A008-05D41205E2F6}.tap
Mon Oct 09 09:15:14 2017 Notified TAP-Windows driver to set a DHCP IP/netmask of 192.168.255.6/255.255.255.252 on interface {86AD8125-5D47-48E4-A008-05D41205E2F6} [DHCP-serv: 192.168.255.5, lease-time: 31536000]
Mon Oct 09 09:15:14 2017 Successful ARP Flush on interface [45] {86AD8125-5D47-48E4-A008-05D41205E2F6}
Mon Oct 09 09:15:14 2017 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Mon Oct 09 09:15:15 2017 Blocking outside dns using service succeeded.
Mon Oct 09 09:15:20 2017 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Mon Oct 09 09:15:20 2017 Initialization Sequence Completed

Now I believe that this worked but until I can get to a place with another internet connection to test this, I’ll assume that it’s working. If this isn’t the case, please tell me.

Hi @CaseyMazur,

That is a working OpenVPN connection, and matches the result I see when I connect.

Copying the file rather than the contents does appear to resolve the issue.
Note that there a few possibilities as to why this might be the case:

  • Windows and Linux handle line separation differently (Linux uses a newline character, while Windows uses a carriage return and a newline character)
  • Binary information containing non-printable characters doesn’t copy well.
  • Copying from a terminal window may copy newlines that do not actually exist in the source, and are only present because the terminal has wrapped the lines.

Glad to see it up and working.
Can I suggest using “OpenVPN connect” on a mobile phone, via your cellular network?
This way you can test over an open internet connection, and ensure you don’t have any direct access to the hardware.

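The copy/paste damage discussed in the two replies above (Windows line endings, terminal-wrapped lines, and the ASN1_CHECK_TLEN:wrong tag error) can be checked for before handing the profile to OpenVPN. This is an added example, not Rockstor's or OpenVPN's code; the .ovpn profile it builds is constructed test data, and it relies on two properties of the file format: PEM base64 lines are 64 characters long except the last, and a DER-encoded certificate or key starts with the SEQUENCE tag 0x30.

```python
"""Sanity-check the inline <ca>/<cert>/<key> blocks of a copy/pasted .ovpn profile.
Added example for this thread (not Rockstor's or OpenVPN's code); the sample profile is constructed."""
import base64
import binascii
import re
import textwrap

BLOCK_RE = re.compile(r"<(ca|cert|key|tls-auth|tls-crypt)>\n(.*?)\n</\1>", re.S)
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)

def check_pem_body(body):
    """Return problems found in one PEM body (the text between BEGIN and END)."""
    problems = []
    lines = body.split("\n")
    # PEM base64 lines are 64 chars except the last; other lengths mean a terminal wrap or lost newline.
    bad = [i + 1 for i, line in enumerate(lines[:-1]) if len(line) != 64]
    if bad:
        problems.append("lines %s are not 64 chars (terminal wrap or lost newline)" % bad)
    try:
        der = base64.b64decode("".join(lines), validate=True)
    except binascii.Error as exc:
        problems.append("base64 does not decode: %s" % exc)
        return problems
    # Certs and keys are DER SEQUENCEs (first byte 0x30); otherwise OpenSSL reports ASN1_CHECK_TLEN:wrong tag.
    if not der or der[0] != 0x30:
        problems.append("decoded data does not start with a DER SEQUENCE tag (0x30)")
    return problems

def check_profile(text):
    """Return (block, problem) pairs; an empty list means the profile looks intact."""
    problems = []
    if "\r" in text:  # Windows editors and some clipboards add carriage returns
        problems.append(("profile", "CRLF (Windows) line endings present"))
        text = text.replace("\r\n", "\n")
    for name, content in BLOCK_RE.findall(text):
        pems = PEM_RE.findall(content)
        if not pems:
            problems.append((name, "no intact BEGIN/END PEM markers"))
        for _, body in pems:
            problems.extend((name, p) for p in check_pem_body(body))
    return problems

def make_profile(body_lines, newline="\n"):
    # Constructed client profile with one inline <ca> block (test data, not a real CA).
    pem = ["-----BEGIN CERTIFICATE-----"] + body_lines + ["-----END CERTIFICATE-----"]
    return newline.join(["client", "dev tun", "<ca>"] + pem + ["</ca>"]) + newline

# Constructed stand-in for a certificate: a DER SEQUENCE wrapping a 200-byte OCTET STRING.
_INNER = b"\x04\x81\xc8" + bytes(range(200))
SAMPLE_DER = b"\x30\x81" + bytes([len(_INNER)]) + _INNER
GOOD_LINES = textwrap.wrap(base64.b64encode(SAMPLE_DER).decode(), 64)
```

Running `check_profile()` over the file received on the client (for example via the `sz` transfer above) distinguishes a clean copy from one whose PEM blocks were reflowed by the terminal or the clipboard.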

I was on another WiFi network with my phone so I decided to see if it worked. I currently am switching carriers so I don’t have data yet. The error log is here: https://pastebin.com/WypMLWfc I put it in Pastebin because it’s 500+ lines long, and didn’t want to take up that much room in a post. What did I configure wrong?

Hi @CaseyMazur,

You have included a rather large paste there.
It appears that at the beginning of the log (2017-10-09 9:22) you successfully connected multiple times, though you’re having issues with keepalive packets:

2017-10-09 09:22:21 EVENT: CONNECTED @74.105.0.3:1194 (74.105.0.3) via /UDPv4 on tun/192.168.255.6/ gw=[192.168.255.5/]
2017-10-09 09:22:21 SetStatus Connected
2017-10-09 09:22:21 NET Internet:ReachableViaWiFi/-R t------
2017-10-09 09:24:25 Session invalidated: KEEPALIVE_TIMEOUT

This has previously been an issue with an old version of OpenVPN Connect for Android (not honoring keepalive parameters), though I’m unsure of the status now, and it also appears you’re using an iOS device (IV_GUI_VER=net.openvpn.connect.ios 1.1.1-212)

I can see somebody experiencing the same issue on this version of the client, but connecting fine with a MacBook:

However, later on (2017-10-10 07:52) you’re facing a different issue: you appear to be unable to get traffic to the server.
This is likely a port blockage on 1194, or blocked UDP traffic.

2017-10-10 07:53:05 EVENT: RECONNECTING
2017-10-10 07:53:05 EVENT: RESOLVE
2017-10-10 07:53:05 Contacting 74.105.0.3:1194 via UDP
2017-10-10 07:53:05 EVENT: WAIT
2017-10-10 07:53:05 SetTunnelSocket returned 1
2017-10-10 07:53:05 Connecting to [74.105.0.3]:1194 (74.105.0.3) via UDPv4
2017-10-10 07:53:15 Server poll timeout, trying next remote entry...

For the first situation, I suggest trying a different client app.
For the second situation, this appears to be related to the network config at the location from which you connected to WiFi. I can only suggest ensuring port 1194 is open, and there are no blocks on UDP. The next step would be to switch the OpenVPN Rock-on to TCP, which would be an arduous process.