How to remotely access FreeNAS SMB shares through a jail running an OpenVPN client service?

aeki11 (Cadet, joined Mar 26, 2020, 5 messages)
Hi all,

I've been searching on this point all day. I think I'm pretty close, but I am missing something...

Here is my situation.

My LAN is running:
  • A modem connected to the Internet, with Internet IP XXX.XXX.XXX.XXX and LAN IP 192.168.0.1
  • A VPN server on an Ubuntu machine: its LAN IP is 192.168.0.10 and its Virtual IP is 10.8.0.1
  • A FreeNAS server (11.2) with Samba shares: the LAN IP of the FreeNAS server is 192.168.0.11
    1. On this FreeNAS server, I run a jail that runs openvpn-client as a service. The jail's LAN IP is 192.168.0.12 and the OpenVPN client can establish a connection to the virtual network with Virtual IP 10.8.0.12
  • A local Windows computer with LAN IP 192.168.0.12. This Windows computer also runs an OpenVPN client and can establish a connection to the virtual network with Virtual IP 10.8.0.13.
    1. This Windows computer can access the FreeNAS Samba shares through the LAN path \\192.168.0.11\myshare. However, this machine CAN NOT access the shares through a path over the virtual network. I would have expected to also access the Samba shares through a path like \\10.8.0.12\myshare.
My question is: how can a remote computer access my FreeNAS Samba shares through the VPN? This remote computer with IP YYY.YYY.YYY.YYY is also running an OpenVPN client which connects to the virtual network with Virtual IP 10.8.0.14.
I guess I have to forward some ports on my modem, but which ones (the Samba ones, 137, 138, 139 and 445??), and should I forward them to the VPN server, to the FreeNAS server or to the FreeNAS jail??

And then, how do I access the Samba shares from the remote computer? I would have expected something as simple as \\10.8.0.12\myshare, but since it doesn't work on the LAN, it can't work remotely??!?
All computers and the jail can connect to the Internet (ping 8.8.8.8 is OK), and all computers/the jail connected to the virtual network can ping each other.

Please help. I think I am pretty close, but I am missing something....
 

Fredda (Guru, joined Jul 9, 2019, 608 messages)
Quote: "I would have expected something as simple as \\10.8.0.12\myshare"
No, this won't work, because the jail is connected to the VPN, but it's not the jail providing the SMB, it's the FreeNAS server.
You'll need to do some routing:
  • Add a route on the remote PC for 192.168.0.0/24 with the jail's virtual IP as gateway
  • Add a route on the FreeNAS for 10.8.0.0/24 with the jail's normal IP as gateway
  • Enable routing in the jail
 

Dan Tudora (Patron, joined Jul 6, 2017, 276 messages)
Hello,
why this complication? And what is the Ubuntu server with VPN for?
The discussion is not about sharing, it is about routing and VPN.
A simple way is
remote machine => modem + pfSense (with OpenVPN) => NAS
or
remote machine => modem + Ubuntu VPN => NAS

Success
 

aeki11 (Cadet, joined Mar 26, 2020, 5 messages)
Hi Fredda,

Thanks a million for answering. I am not very familiar with "routing".

If I understand the 3 points you mention correctly:

  • Enable routing in the jail

On the jail, I have set in /etc/rc.conf
Code:
gateway_enable="YES"

As far as I've understood, this should configure the jail to start at boot with routing enabled, am I correct?

  • Add a route on the FreeNAS for 10.8.0.0/24 with the jail's normal IP as gateway
As far as I've understood, I've set this in the FreeNAS GUI: Network > Static Routes with Destination = 10.8.0.0/24 and Gateway = 192.168.0.12 (the jail's LAN IP).
Performing netstat -r on the FreeNAS machine seems to confirm that it is OK. Can you confirm?
Code:
netstat -r
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            192.168.0.1        UGS         re0
10.8.0.0/24        192.168.0.12       UGS         re0


  • Add a route on the remote PC for 192.168.0.0/24 with the jail's virtual IP as gateway
For this one, I don't really know what to do. I guess I have to edit the OpenVPN server configuration file "/etc/openvpn/server.conf" to add a line such as

Code:
push "route 192.168.0.0 255.255.255.0 10.8.0.12" # 10.8.0.12 is the virtual IP of the FreeNAS jail
 

Fredda (Guru, joined Jul 9, 2019, 608 messages)
Ah. I overlooked that the VPN server is an extra machine and not the jail.

But nevertheless, as the FreeNAS is not in the IP range of the VPN, you will need a route on the remote machine for correctly addressing the 192.168.0.0/24 net. So the last two bullets of my suggestion now need to be done on the Ubuntu server. Or this can be done by NATting into the 192.168.0.0 net.
 

aeki11 (Cadet, joined Mar 26, 2020, 5 messages)
Sorry guys, thanks for helping, but I am now completely lost..

If I try to make things clear:

On the jail, I have /usr/local/etc/ipfw.rules:
Code:
#!/bin/sh

# Find the jail's epair interface (its LAN side) and set up NAT instance 1 on it
EPAIR=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep epair)
ipfw -q -f flush
ipfw -q nat 1 config if ${EPAIR}
# Translate VPN-sourced traffic leaving via the epair, and pass incoming epair traffic back through the NAT
ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR}
ipfw -q add nat 1 all from any to any in via ${EPAIR}

# Rename whatever tun interface OpenVPN created to tun0
TUN=$(/sbin/ifconfig -l | tr " " "\n" | /usr/bin/grep tun)
ifconfig ${TUN} name tun0


The line ipfw -q add nat 1 all from 10.8.0.0/24 to any out via ${EPAIR} creates a rule saying that all traffic from Virtual IP 10.8.0.0/24 should be translated and sent out through the epair0b interface (the one connected to the LAN IP??)

The line ipfw -q add nat 1 all from any to any in via ${EPAIR} accepts any traffic coming from the epair0b interface (the one connected to the LAN IP??) back into the jail. I'm not very sure I clearly understand this line, however....

ipfw list gives

Code:
00100 nat 1 ip from 10.8.0.0/24 to any out via epair0b
00200 nat 1 ip from any to any in via epair0b
65535 allow ip from any to any


On the VPN server machine, I've set the following conf in /etc/openvpn/server.conf

Code:
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 10.8.0.1"
push "redirect-gateway def1"
# To Allow VPN Clients to access LAN 192.168.0.0/24
push "route 192.168.0.0 255.255.255.0"


On this VPN server machine, I added a route for 10.8.0.0/24 with the jail's normal IP (192.168.0.12) as gateway.
I've added these 3 lines to /etc/netplan/50-cloud-init.yaml
Code:
            routes:
            - to: 10.8.0.0/24
              via: 192.168.0.12

A netstat -r on the VPN server machine shows

Code:
:~# netstat -r
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
default         _gateway        0.0.0.0         UG        0 0          0 enp2s0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.8.0.0        192.168.0.12    255.255.255.0   UG        0 0          0 enp2s0
192.168.0.0     0.0.0.0         255.255.255.0   U         0 0          0 enp2s0
_gateway        0.0.0.0         255.255.255.255 UH        0 0          0 enp2s0


But no luck when I try to access \\10.8.0.12\myshare.
How can the jail access SMB shares that are on the FreeNAS server???
 

Fredda (Guru, joined Jul 9, 2019, 608 messages)
As I mentioned in my previous post, I overlooked your Linux machine running the VPN server. So I would do the routing there, as it is the entry point to the virtual LAN anyway. Do not use the FreeNAS jail; you don't need the jail at all.

So, assuming you configured your VPN server so that the remote clients' route to the FreeNAS server points to your Linux VPN server, you'd need to add the following iptables rules there:
Code:
# probably not needed for a VPN server
echo 1 > /proc/sys/net/ipv4/ip_forward
# Forward the traffic to NIC and NAT the traffic
/sbin/iptables -A FORWARD -i tun0 -o enp2s0 -j ACCEPT
/sbin/iptables -s 10.8.0.0/24 -d 192.168.0.0/24 -t nat -A POSTROUTING -o enp2s0 -j MASQUERADE
# Replies from the LAN are un-NATted by conntrack; if the FORWARD chain's default policy is DROP,
# also allow enp2s0 -> tun0 for ESTABLISHED,RELATED traffic

This should work. Check that the IPs and interface names are correct, but that piece of code works for me to connect a TV and a Raspberry Pi to the Internet via my laptop.
 
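Fredda's point about where the routing has to live, worked through as an added example that is not from anyone in the thread: a small Python model of this thread's topology that traces the SMB request from the remote client (10.8.0.14) to the FreeNAS (192.168.0.11) and, more importantly, the reply. It shows why the reply dies at the modem unless FreeNAS gets a return route to 10.8.0.0/24 or the VPN server MASQUERADEs. The host names, the "upstream" marker and the hop limit are my assumptions.

```python
import ipaddress

# Constructed model of the thread's topology; an illustration, not anyone's real config.
# Per host: (prefix, next hop) entries; next hop None means the prefix is directly connected.
ADDRS = {"remote": {"10.8.0.14"}, "vpn": {"10.8.0.1", "192.168.0.10"},
         "freenas": {"192.168.0.11"}, "modem": {"192.168.0.1"}}
ROUTES = {
    "remote":  [("10.8.0.0/24", None), ("192.168.0.0/24", "10.8.0.1")],   # pushed "route 192.168.0.0 ..."
    "vpn":     [("10.8.0.0/24", None), ("192.168.0.0/24", None)],         # ip_forward=1 assumed
    "freenas": [("192.168.0.0/24", None), ("0.0.0.0/0", "192.168.0.1")],  # default via the modem
    "modem":   [("192.168.0.0/24", None), ("0.0.0.0/0", "upstream")],     # "upstream" = the Internet
}

def lookup(routes, host, dst):
    """Longest-prefix match on one host's table; returns (network, next_hop) or None if no route."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), nh) for p, nh in routes[host] if addr in ipaddress.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen, default=None)

def owner(ip):
    """Modelled host holding this address, or None (the address is on neither the LAN nor the VPN)."""
    return next((h for h, addrs in ADDRS.items() if ip in addrs), None)

def trace(routes, src_host, dst):
    """Follow one packet hop by hop; returns the hosts visited, the last being where it ends up."""
    path, host = [src_host], src_host
    for _ in range(8):                       # hop limit guards against routing loops
        if dst in ADDRS[host]:
            return path                      # delivered
        entry = lookup(routes, host, dst)
        if entry is None:
            return path                      # no route: dropped on this host
        hop = dst if entry[1] is None else entry[1]
        host = owner(hop)
        if host is None:                     # handed to the Internet: RFC 1918 space is unroutable there
            return path + ["internet"]
        path.append(host)
    return path

def smb_reachable(freenas_return_route=False, masquerade=False):
    """Can 10.8.0.14 reach the share on 192.168.0.11 (TCP 445) AND get the SMB replies back?"""
    routes = {h: list(t) for h, t in ROUTES.items()}
    if freenas_return_route:                 # option 1: static route on FreeNAS back to the VPN net
        routes["freenas"].append(("10.8.0.0/24", "192.168.0.10"))
    out = trace(routes, "remote", "192.168.0.11")
    # With MASQUERADE the source becomes the server's LAN IP, so FreeNAS answers the VPN
    # server, which un-NATs the reply and sends it on through tun0.
    back = trace(routes, "freenas", "192.168.0.10" if masquerade else "10.8.0.14")
    if masquerade and back[-1] == "vpn":
        back += trace(routes, "vpn", "10.8.0.14")[1:]
    return out[-1] == "freenas" and back[-1] == "remote"
```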

aeki11 (Cadet, joined Mar 26, 2020, 5 messages)
Thanks a million!!!! It works.

You are right, I don't need a jail running an OpenVPN client instance, but I was confused because I was thinking that to remotely access a specific LAN machine, this LAN machine had to itself be connected to the virtual network. That's why I was running a jail on the FreeNAS: I was expecting to connect the FreeNAS server to the virtual network.

Thanks again !!!
 