From: H.S. on 7 Jun 2010 13:00

Consider a LAN with a Debian machine as a router. The Debian machine
has three interfaces, eth0, eth1 and wlan0. The interface for VPN is tun0.

            ,----------.
ppp0 <------eth1    eth0--192.168.0.0/24--->to LAN switch
            |      wlan0--192.168.5.0/24---> WLAN
            |       tun0--172.16.15.0/24---> VPN
            |__________|
                  |
     Router, Samba and VPN server machine

Now, I have generated the certificates and keys for the VPN server
for various clients.

From my iptables firewall in the router machine, I allow traffic from my
LAN and WLAN to and from my VPN. This all works, I can browse the internet
by connecting via VPN from a laptop on WLAN.

However, how do I make sure all my traffic is going through the VPN
tunnel? On a client laptop on WLAN, I have the following information after
creating a VPN connection to the VPN server machine:

---------------------------------------------------------
~$ ifconfig
eth0      Link encap:Ethernet  HWaddr <HEXNUM>
          inet6 addr: fe80::211:43ff:fe5d:d6c3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4031 errors:0 dropped:0 overruns:0 frame:0
          TX packets:326 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1056515 (1.0 MB)  TX bytes:46841 (46.8 KB)
          Interrupt:17

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:53 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:3644 (3.6 KB)  TX bytes:3644 (3.6 KB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.16.15.22  P-t-P:172.16.15.21  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:38 errors:0 dropped:0 overruns:0 frame:0
          TX packets:33 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:4426 (4.4 KB)  TX bytes:4493 (4.4 KB)

wlan0     Link encap:Ethernet  HWaddr <HEXNUM>
          inet addr:192.168.5.15  Bcast:192.168.5.255  Mask:255.255.255.0
          inet6 addr: fe80::20b:7dff:fe08:259d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2467 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2763 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1435407 (1.4 MB)  TX bytes:461844 (461.8 KB)

~$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.5.1     0.0.0.0         255.255.255.255 UH    0      0        0 wlan0
172.16.15.21    0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.5.0     0.0.0.0         255.255.255.0   U     2      0        0 wlan0
192.168.0.0     172.16.15.21    255.255.255.0   UG    0      0        0 tun0
172.16.15.0     172.16.15.21    255.255.255.0   UG    0      0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 wlan0
0.0.0.0         172.16.15.21    0.0.0.0         UG    0      0        0 tun0
---------------------------------------------------------

This VPN client is on WLAN with address 192.168.5.15 and is also on VPN
(as a client, of course) with address 172.16.15.22. I am able to SSH from
a wired LAN machine to 172.16.15.22, but cannot to 192.168.5.15. This is
expected and correct behavior?

Now, the real question. I have set up Samba with a shared folder on the VPN
server. I have configured it to listen for connections from LAN
(192.168.0.0/24) and from VPN (172.16.15.0/24). Note that samba
connections from WLAN are not included here.

I can browse the Samba network from wireless machines fine. But I cannot
do so from a wireless machine with a VPN connection, i.e. VPN clients from
my WLAN do not see the Samba network (from Gnome Network browsing GUI).
This is what I wanted to achieve but it is not working. What am I missing
here?

For reference, the relevant options in smb.conf are:

workgroup = VPN_Server
interfaces = 127.0.0.0/8 172.16.15.0/24 192.168.0.0/24

Thanks.

--
Please reply to this list only. I read this list on its corresponding
newsgroup on gmane.org. Replies sent to my email address are just filtered
to a folder in my mailbox and get periodically deleted without ever having
been read.

--
To UNSUBSCRIBE, email to debian-user-REQUEST(a)lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster(a)lists.debian.org
Archive: http://lists.debian.org/huj881$8pk$1(a)dough.gmane.org

From: Márcio Luciano Donada on 7 Jun 2010 13:20

On 7/6/2010 13:54, H.S. wrote:
> Consider a LAN with a Debian machine as a router. The Debian machine
> has three interfaces, eth0, eth1 and wlan0. The interface for VPN is tun0.
>
>             ,----------.
> ppp0 <------eth1    eth0--192.168.0.0/24--->to LAN switch
>             |      wlan0--192.168.5.0/24---> WLAN
>             |       tun0--172.16.15.0/24---> VPN
>             |__________|
>                   |
>      Router, Samba and VPN server machine
>
> Now, I have generated the certificates and keys for the VPN server
> for various clients.
>

Protocol CIFS not routable. Please read on DNS or wins server (degraded)
for solution.

Thanks!!!

--
Márcio Luciano Donada <mdonada -at- auroraalimentos -dot- com -dot- br>
Aurora Alimentos - Cooperativa Central Oeste Catarinense
Departamento de T.I.

From: H.S. on 7 Jun 2010 13:40

On 07/06/10 01:04 PM, Márcio Luciano Donada wrote:
> On 7/6/2010 13:54, H.S. wrote:
>> Consider a LAN with a Debian machine as a router. The Debian machine
>> has three interfaces, eth0, eth1 and wlan0. The interface for VPN is tun0.
>>
>>             ,----------.
>> ppp0 <------eth1    eth0--192.168.0.0/24--->to LAN switch
>>             |      wlan0--192.168.5.0/24---> WLAN
>>             |       tun0--172.16.15.0/24---> VPN
>>             |__________|
>>                   |
>>      Router, Samba and VPN server machine
>>
>> Now, I have generated the certificates and keys for the VPN server
>> for various clients.
>>
>
> Protocol CIFS not routable. Please read on DNS or wins server (degraded)
> for solution.

Sorry, I don't think I understand. Could you explain a bit more what I
am looking for?

With a VPN connection established on the wireless machine as a client, I
can connect my samba share on the server through its LAN ip address
(192.168.0.1) but not by using VPN gateway address (172.16.15.1). The
latter try gives "connection refused" if I try to do it using
"sudo smbmount //172.16.15.1/share /path/to/mountpoint -o user=gues"

From: Javier Barroso on 7 Jun 2010 15:20

Hi,

On Mon, Jun 7, 2010 at 7:36 PM, H.S. <hs.samix(a)gmail.com> wrote:
> On 07/06/10 01:04 PM, Márcio Luciano Donada wrote:
> > On 7/6/2010 13:54, H.S. wrote:
> >> Consider a LAN with a Debian machine as a router. The Debian machine
> >> has three interfaces, eth0, eth1 and wlan0. The interface for VPN is tun0.
> >>
> >>             ,----------.
> >> ppp0 <------eth1    eth0--192.168.0.0/24--->to LAN switch
> >>             |      wlan0--192.168.5.0/24---> WLAN
> >>             |       tun0--172.16.15.0/24---> VPN
> >>             |__________|
> >>                   |
> >>      Router, Samba and VPN server machine
> >>
> >> Now, I have generated the certificates and keys for the VPN server
> >> for various clients.
> >>
> >
> > Protocol CIFS not routable. Please read on DNS or wins server (degraded)
> > for solution.
>
> Sorry, I don't think I understand. Could you explain a bit more what I
> am looking for?
>
> With a VPN connection established on the wireless machine as a client, I
> can connect my samba share on the server through its LAN ip address
> (192.168.0.1) but not by using VPN gateway address (172.16.15.1). The
> latter try gives "connection refused" if I try to do it using
> "sudo smbmount //172.16.15.1/share /path/to/mountpoint -o user=gues"
>

Did you check "hosts allow" parameter from smb.conf in your server?

I'm not sure if it can work, so please tell us if you get this working :)

Regards,

From: H.S. on 7 Jun 2010 15:30

On 07/06/10 03:11 PM, Javier Barroso wrote:
> Hi,
> Did you check "hosts allow" parameter from smb.conf in your server?
>
> I'm not sure if it can work, so please tell us if you get this working :)
>
> Regards,
>

I didn't have that in smb.conf file at all. I have included the
following lines in it and restarted samba:

hosts allow = 127.0.0.1 192.168.0.0/24 172.16.15.0/24
hosts deny = 0.0.0.0/0

So no client from the wireless LAN (192.168.5.0/24) is allowed, and only
from the wired LAN and VPN are allowed.

I see a samba log file for the VPN client from which I am trying to
access the shared folder. Here are the last few lines (the log has lines
from earlier today as well which say similar stuff as below):

[2010/06/07 13:58:21, 1] smbd/service.c:1063(make_connection_snum)
  172.16.15.22 (172.16.15.22) connect to service SharedFolder initially as user nobody (uid=65534, gid=65534) (pid 8948)
[2010/06/07 13:58:46, 1] smbd/service.c:1240(close_cnum)
  172.16.15.22 (172.16.15.22) closed connection to service SharedFolder

Does this give any further clues?

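Added example (not part of any post in this thread): a constructed smb.conf [global] fragment that combines the settings H.S. posted with "bind interfaces only", a Samba parameter the thread does not mention. By itself, "interfaces" does not limit which addresses smbd listens on; "bind interfaces only = yes" does, and "hosts allow" / "hosts deny" then filter by client source address.

```ini
# Constructed example; the values are the ones quoted in the thread.
[global]
   workgroup = VPN_Server

   # As posted: lists the networks Samba should treat as its own.
   # With the default "bind interfaces only = no", smbd still accepts
   # connections on every address of the machine, WLAN side included.
   interfaces = 127.0.0.0/8 172.16.15.0/24 192.168.0.0/24

   # Added here (not in the thread): bind smbd and nmbd only to the
   # interfaces matched by the "interfaces" list above. Loopback stays
   # in that list because local tools such as smbpasswd connect to
   # 127.0.0.1.
   bind interfaces only = yes

   # As posted: source-address filter. Where the two lists conflict,
   # the allow list takes precedence, so "deny everything" plus explicit
   # allows admits only loopback, the wired LAN and VPN clients.
   # A WLAN client without the VPN arrives from 192.168.5.x and is
   # refused; once its tunnel is up, the route table in the first post
   # sends 192.168.0.0/24 through tun0, and the Samba log above shows the
   # connection arriving from its VPN address 172.16.15.22.
   hosts allow = 127.0.0.1 192.168.0.0/24 172.16.15.0/24
   hosts deny = 0.0.0.0/0
```

After restarting Samba, "testparm -s" shows the parsed values, and listing the listening TCP sockets on the server (for example with "ss -ltn") shows which addresses smbd is actually bound to.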