Map Samba shares via VPN?

RJM62

A colleague called me today and asked me to take over for him on a particular job. I haven't been there yet, so I have only rudimentary information.

Apparently, from what I can gather talking to the client, his company has a Windows peer-to-peer network connecting to a RedHat box that is being used as an application server. The client wants to move all the user data on the client computers to the server (easy enough so far), but also allow the users to access the shares as mapped drives via VPN.

They are using a Netgear VPN router (don't know which model yet), and the Linux server is behind the firewall. They seem to have port forwarding set up properly and can ping the Linux box, but the Samba shares remain inaccessible over VPN.

I'm thinking that there must be something screwy in smb.conf, but I was wondering if anyone else has any suggestions for me to take with me.

As always, thanks.

Rich
 
Opening up the firewall may be a bear, if doesn't have a preset rule.

BUT you don't have to chase down anything Samba specific. SAMBA's SMB uses EXACTLY the same protocols as Windows does - well, except that Samba works better and is faster than a Windows server. :D

My suggestion: Bring a laptop and plug it in to the local LAN. Export a folder. Mount the folder on the client PC.

Then connect the client PC remotely over VPN and tinker with the NetGear settings until the folder mounts again.

You should not have to enable NetBios or UDP... if you have tunneling over TCP/IP working. AFAIK, that only requires listing TCP/IP as a Windows protocol.

You know that one thing that will work on the LAN is the RPC UDP port 5000+ stuff that goes over broadcasts and UDP. Any firewall worth its salt will block that, but the VPN should send it over.

The VPN itself requires IPSEC to be open but that has to be working if VPN is working.

Maybe you have to list the SAMBA server as an allowed host for the VPN to pass on the firewall?
 
Just a note of caution on this. I haven't done this in years so it may have changed but sharing folders over the internet is not a pleasant experience.

When packets are dropped computers hang. A lot of support calls are "reboot and try again" " wait until tomorrow and see if it's better" "how does it work late at night when the Internet is not busy".

AFAIK there's nothing you can do to make it reliable.

I've had much better luck with the "work offline" stuff. Resyncing when you get back on line.

Joe
 
Areeda: Thanks. This particular client is already aware of the frailties of Internet directory sharing. They're already mapping to shared folders on the client machines over the Internet (scary), and he understands the inevitability of occasional outages and slowdowns.

Mike: Thanks. I'm sorry I forgot to mention that they already are able to map the folders on the Windows clients to their home computers via VPN, so the VPN itself is working for the Windows machines. They're also able to access the application on the Linux server remotely, but not map to the SMB directories remotely. But they are able to map to the SMB directories from the LAN.

Because they're already able to connect to the Windows machines and the application on the Linux machine over the VPN, and they're able to access the Samba shares over the LAN (but not the VPN), and because the Samba SMB protocol is the same as Windows... I was thinking more along the lines of a configuration issue on the Linux server, such as maybe
hosts allow = [range or list of LAN computers' IP addresses]
or something similar in smb.conf, which would exclude computers that aren't on the LAN.

But I wasn't thinking so much along the lines of a Netgear configuration issue until you brought it up, because they are able to access the application on the Linux machine remotely. But that could just mean that whatever port that app runs on is being forwarded by the Netgear. (It could just be some Web-based thing on 80, 8080, or 443.) The Linux server could be specifically excluded from the VPN (or conversely, only the Windows clients included, using static IPs or hardware MACs).

Here's a scary possibility: Maybe they're currently allowing NetBios over TCP/IP through the firewall, but smb.conf limits allowed hosts to the LAN machines and/or the Linux box is excluded from the VPN by the firewall. That would explain why they can browse the Windows machines over the VPN, but it would also mean that they have ports 137 (TCP/UDP), 138 (TCP/UDP) 139 (TCP), and 445 (TCP) open over the Internet. That would be a security/liability nightmare, IMO.

I really need to inspect the setup in person.

I deal with a company in Florida that monitors and maintains VPN's. They monitor for suspicious activity 24/7 using a Watchguard firewall and log literally everything that happens over the VPN. They also filter the Internet access of the local clients to eliminate on-the-job IM'ing, porn surfing, music downloading, etc. Once I get the machines to talk to each other, I may try to talk the client into going with the Florida company for ongoing management and security monitoring.

The three very, very nice things about doing it that way would be (1) all future support / VPN down calls go to them, not me; (2) it reduces my liability; and (3) I get a commission check every month, for life, for as long as the client uses their services.

Thanks again.

Rich
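The smb.conf hypothesis above, as an added example that is not part of the thread: a small Python audit that applies Samba's hosts allow / hosts deny evaluation order to a constructed smb.conf and reports whether a LAN address and a VPN-pool address would each reach a share. The config, the share name and the addresses (192.168.1.0/24 as the LAN, 10.8.0.0/24 as the VPN client pool) are assumptions.

```python
import configparser
import ipaddress
# Constructed smb.conf (not from the thread): "hosts allow" lists only the LAN.
SMB_CONF = """
[global]
hosts allow = 192.168.1. 127.
hosts deny = ALL

[data]
path = /srv/data
"""

def parse_smb_conf(text):
    # Keys such as "hosts allow" keep their internal space; ';' and '#' start comments.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), empty_lines_in_values=False)
    cp.read_string(text)
    return cp

def host_matches(ip, host_list):
    """Match ip against a Samba host list: ALL, dotted prefix, CIDR/netmask, exact, EXCEPT."""
    tokens = host_list.replace(",", " ").split()
    lowered = [t.lower() for t in tokens]
    if "except" in lowered:
        i = lowered.index("except")
        allow, deny = tokens[:i], tokens[i + 1:]
    else:
        allow, deny = tokens, []
    def match(tok):
        if tok.upper() == "ALL":
            return True
        if tok.endswith("."):  # partial address: prefix match
            return ip.startswith(tok)
        if "/" in tok:  # CIDR or address/netmask
            return ipaddress.ip_address(ip) in ipaddress.ip_network(tok, strict=False)
        return ip == tok
    return any(match(t) for t in allow) and not any(match(t) for t in deny)

def share_access(cp, share, ip):
    """Samba's evaluation order; share-level hosts allow/deny override [global]."""
    g = cp["global"] if cp.has_section("global") else {}
    allow = cp[share].get("hosts allow", g.get("hosts allow", ""))
    deny = cp[share].get("hosts deny", g.get("hosts deny", ""))
    if allow and not deny:
        return host_matches(ip, allow)      # only an allow list: must match it
    if deny and not allow:
        return not host_matches(ip, deny)   # only a deny list: must not match it
    if allow and host_matches(ip, allow):   # both lists: allow wins, then deny,
        return True                         # then unmatched hosts are allowed
    return not (deny and host_matches(ip, deny))
```

If the LAN address is admitted and the VPN-pool address is refused, the fix is on the Samba side (add the VPN pool to hosts allow), not in the Netgear; if both are admitted, look at the tunnel and port forwarding instead.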
 
I don't exactly have time to read this entire thread and I'm on Tristan's username. I just thought that I would give some quick input.

I have a fair bit of experience with Samba and actually ran the entire company on it at my previous job. I *would not* expose Samba to the open internet. You are asking for a whole load of potential problems. It's also useless to use the hosts allow function as your users' IP addresses will be changing constantly.


The easiest thing is just to VPN into the network as your thread title suggests. My experience with the Netgear VPN software that's built into their routers has been less than pleasant. Take a look at OpenVPN http://openvpn.net/

Edit:
I just read some of the thread and the above sounds like that's already known. It'd be pretty impossible to troubleshoot something like this without looking at their setup. Whatever you do *do not* open up Samba directly to the internet. You *must* go through the VPN unless you like being hacked in under 30 seconds flat.
--Jesse
 
Thanks Jesse, I appreciate your input.

I was thinking about OpenVPN, which I've used before (though not recently) and never had any problems with.

A friend of mine who's a data guy in the Marine Corps suggested I look at Hamachi, which I've never used. You have any experience with it? I'm not sure what, if any advantages it would offer.

Thanks again,

Rich
 
Oh, well... this turned out to be a non-issue. When the company administering the application server got wind of what my buddy had been trying to do for the client, they threatened the client with bodily harm if he ever touched the Linux server again. Seriously.

But as it turns out, the client is more concerned about his remote users properly backing up their documents than anything else. It's not so much that he wants them to be able to work remotely. They already are. It's that he wants a central backup.

So I'm hooking him up with a FilesAnywhere.com account big enough to handle all of his employees' data and taking some commissions and consulting fees for setting it up. Not a bad sale, actually. I'll probably wind up with the tech support account for his factory, as well.

Thanks for all the input.

Rich
 
Oh, well... this turned out to be a non-issue. When the company administering the application server got wind of what my buddy had been trying to do for the client, they threatened the client with bodily harm if he ever touched the Linux server again. Seriously.

But as it turns out, the client is more concerned about his remote users properly backing up their documents than anything else. It's not so much that he wants them to be able to work remotely. They already are. It's that he wants a central backup.
...
Oh wow! Been there. He goes off and apparently asked that they open up file sharing so the remote clients' folders can be accessed inside or vice-versa?

I've had cases where halfway through an hour-long conference call I say, "What is the problem you need solved?" rather than "What is it you wanted to do and why?" and I discovered we've been flapping jaws over a solution proposed by the client that could be solved easily and cleanly if he just said what the problem was rather than how he was going to solve it.
 
That's basically what happened with this guy. He called my buddy with a solution in mind, rather than a problem he needed solved. The solution was easy once I knew what the problem was.

In fact, even had the app company not objected to him using the Linux server as a file server, I would have pointed him away from it in this case. All he actually wanted was centralized, remote backup, and there are easier and safer ways to accomplish that.

Rich
 