What configuration issue is preventing Samba Network Shares from being visible over VPN?

Question

I set up a VPN using L2TP and IPSEC (with LibreSwan) using this script: https://github.com/hwdsl2/setup-ipsec-vpn

The only change I had to make was to change the instances of 'eth0' to the new format of Ubuntu device naming. My devices are enp0s31f6 (primary) and enp3s0 (secondary, unused).

Initially I had Firewall issues, where I could not connect to the VPN at all and in fact the SMB Shares were not visible. I essentially turned off the firewall temporarily to debug.

I have tried expanding and changing the hosts and interfaces in SMB.conf, and I had to some of the rules it added to iptables to use enp0s31f6 instead of eth0. I can connect to the VPN from my house or anywhere else just fine, but I never am able to connect to the shares on the VPN server.

If I navigate to \192.168.42.10 from my Windows 7 machine while I'm on the VPN, it shows MY shares. Going to any of the other IPs doesn't do anything, or immediately says it is inaccessible.

The server, which has the VPN and the SMB share is running Ubuntu Server 15.10. The clients are Windows 7, 8 and 10, as well as OSX El Capitan.

The server's LAN IP address is: 192.168.1.93 My LAN IP (when connected to the VPN) is: 192.168.42.10

From my samba logs, I see nothing about my computer trying to connect, which makes me think SAMBA is not accessible from the VPN connection?

Here is the output of iptables.rules:

# Added by hwdsl2 VPN script
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/8 -j REJECT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p udp --dport 67:68 --sport 67:68 -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m multiport --dports 500,4500 -j ACCEPT#
-A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp --dport 1701 -j DROP
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i enp0s31f6 -o ppp+ -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ppp+ -o enp0s31f6 -j ACCEPT
# If you wish to allow traffic between VPN clients themselves, uncomment this line:
-A FORWARD -i ppp+ -o ppp+ -s 192.168.42.0/24 -d 192.168.42.0/24 -j ACCEPT
#-A FORWARD -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.42.0/24 -o enp0s31f6 -j SNAT --to-source "192.168.1.93"
COMMIT

The output of smb.conf (relevant parts):

[global]
    server role = standalone server
    server string = %h server (Samba, Ubuntu)
    passwd program = /usr/bin/passwd %u
    path = /home/kmdgserver/share
    log file = /var/log/samba/log.%m
    pam password change = yes
    dns proxy = no
    hosts allow = 10.0.0.0/255.255.254.0 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12 192.168.42.0/24 192.168.1. 192.168.
    map to guest = bad user
    comment = KMDG Server Share
    max log size = 1000
    syslog = 0
    unix password sync = yes
    usershare allow guests = yes
    passdb backend = tdbsam
    obey pam restrictions = yes
    workgroup = WORKGROUP
    panic action = /usr/share/samba/panic-action %d
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

interfaces = enp0s31f6 enp3s0 10.8.0.0/24 127.0.0.0/8

[KMDG Server]
    writeable = yes
    valid users = kmdgserver,@kmdgserver
    force user = kmdgserver
    force group = kmdgserver
    write list = kmdgserver,@kmdgserver
    user = kmdgserver,@kmdgserver

And the output of ipsec.conf:

version 2.0

config setup
  virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
  #virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:25.0.0.0/8,%v4:100.64.0.0/10
  protostack=netkey
  nhelpers=0
  interfaces=%defaultroute

conn vpnpsk
  auto=add
  #left=[public facing IP]
  left=192.168.1.93
  #leftid=192.168.1.93
  leftid=[public facing IP]
  leftsubnet=192.168.1.93/32
  #leftsubnet=192.168.1.0/24
  leftnexthop=%defaultroute
  leftprotoport=17/1701
  rightprotoport=17/%any
  right=%any
  rightsubnet=192.168.1.0/24
  #rightsubnetwithin=0.0.0.0/0
  forceencaps=yes
  authby=secret
  pfs=no
  type=transport
  auth=esp
  ike=3des-sha1,aes-sha1
  phase2alg=3des-sha1,aes-sha1
  rekey=no
  keyingtries=5
  dpddelay=30
  dpdtimeout=120
  dpdaction=clear

And the output of xl2tpd.conf:

[global]
port = 1701

[lns default]
ip range = 192.168.42.10-192.168.42.250
local ip = 192.168.1.93
require chap = yes
refuse pap = yes
require authentication = yes
name = l2tpd
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes

And sysctl.conf:

# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#

# Added by hwdsl2 VPN script
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296

net.ipv4.ip_forward = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.enp0s31f6.send_redirects = 0
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.lo.rp_filter = 0
net.ipv4.conf.enp0s31f6.rp_filter = 0
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1

net.core.wmem_max = 12582912
net.core.rmem_max = 12582912
net.ipv4.tcp_rmem = 10240 87380 12582912
net.ipv4.tcp_wmem = 10240 87380 12582912

And here is the output of ifconfig on the VPN/SMB server when I'm connected to the VPN from another computer in a remote location:

kmdgserver@jupiter:~$ ifconfig
enp0s31f6 Link encap:Ethernet  HWaddr 40:8d:5c:b9:1d:da  
          inet addr:192.168.1.93  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::428d:5cff:feb9:1dda/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:683992926 errors:0 dropped:1 overruns:0 frame:0
          TX packets:180842795 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:941095568867 (941.0 GB)  TX bytes:19465551430 (19.4 GB)
          Interrupt:16 Memory:df200000-df220000 

enp3s0    Link encap:Ethernet  HWaddr 40:8d:5c:b9:1d:d8  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
          Memory:df100000-df11ffff 

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:1551082 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1551082 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:699248341 (699.2 MB)  TX bytes:699248341 (699.2 MB)

ppp0      Link encap:Point-to-Point Protocol  
          inet addr:192.168.1.93  P-t-P:192.168.42.10  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1280  Metric:1
          RX packets:124 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3 
          RX bytes:18788 (18.7 KB)  TX bytes:86 (86.0 B)

Output of syslog from most recent attempt:

May 13 14:27:31 jupiter xl2tpd[21396]: Connection established to [MY HOME IP], 1701.  Local: 18878, Remote: 1 (ref=0/0).  LNS session is 'default'
May 13 14:27:31 jupiter xl2tpd[21396]: start_pppd: I'm running:
May 13 14:27:31 jupiter xl2tpd[21396]: "/usr/sbin/pppd"
May 13 14:27:31 jupiter xl2tpd[21396]: "passive"
May 13 14:27:31 jupiter xl2tpd[21396]: "nodetach"
May 13 14:27:31 jupiter xl2tpd[21396]: "192.168.1.93:192.168.42.10"
May 13 14:27:31 jupiter xl2tpd[21396]: "refuse-pap"
May 13 14:27:31 jupiter xl2tpd[21396]: "auth"
May 13 14:27:31 jupiter xl2tpd[21396]: "require-chap"
May 13 14:27:31 jupiter xl2tpd[21396]: "name"
May 13 14:27:31 jupiter xl2tpd[21396]: "l2tpd"
May 13 14:27:31 jupiter xl2tpd[21396]: "file"
May 13 14:27:31 jupiter xl2tpd[21396]: "/etc/ppp/options.xl2tpd"
May 13 14:27:31 jupiter xl2tpd[21396]: "/dev/pts/15"
May 13 14:27:31 jupiter xl2tpd[21396]: Call established with [MY HOME IP], Local: 11552, Remote: 1, Serial: 0
May 13 14:27:32 jupiter pppd[31490]: pppd 2.4.6 started by root, uid 0
May 13 14:27:32 jupiter pppd[31490]: Using interface ppp0
May 13 14:27:32 jupiter pppd[31490]: Connect: ppp0 <--> /dev/pts/15
May 13 14:27:32 jupiter NetworkManager[749]: nm_device_get_device_type: assertion 'NM_IS_DEVICE (self)' failed
May 13 14:27:32 jupiter NetworkManager[749]: <info>  (ppp0): new Generic device (carrier: UNKNOWN, driver: 'unknown', ifindex: 12)
May 13 14:27:32 jupiter NetworkManager[749]: <info>  devices added (path: /sys/devices/virtual/net/ppp0, iface: ppp0)
May 13 14:27:32 jupiter NetworkManager[749]: <info>  device added (path: /sys/devices/virtual/net/ppp0, iface: ppp0): no ifupdown configuration found.
May 13 14:27:35 jupiter pppd[31490]: user kmdgserver logged in on tty pts/15 intf ppp0
May 13 14:27:35 jupiter systemd[1]: Started Session c20 of user kmdgserver.
May 13 14:27:36 jupiter pppd[31490]: local  IP address 192.168.1.93
May 13 14:27:36 jupiter pppd[31490]: remote IP address 192.168.42.10
May 13 14:27:36 jupiter NetworkManager[749]: <info>  keyfile: add connection in-memory ([SERVER KEY],"ppp0")
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  Device 'ppp0' has no connection; scheduling activate_check in 0 seconds.
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): Activation: starting connection 'ppp0' ([SERVER KEY])
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: disconnected -> prepare (reason 'none') [30 40 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: prepare -> config (reason 'none') [40 50 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: config -> ip-config (reason 'none') [50 70 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: ip-config -> ip-check (reason 'none') [70 80 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: ip-check -> secondaries (reason 'none') [80 90 0]
May 13 14:27:37 jupiter NetworkManager[749]: <info>  (ppp0): device state change: secondaries -> activated (reason 'none') [90 100 0]
May 13 14:27:39 jupiter NetworkManager[749]: <info>  (ppp0): Activation: successful, device activated.
May 13 14:27:39 jupiter dbus[759]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
May 13 14:27:39 jupiter systemd[1]: Starting Network Manager Script Dispatcher Service...
May 13 14:27:39 jupiter dbus[759]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
May 13 14:27:39 jupiter systemd[1]: Started Network Manager Script Dispatcher Service.
May 13 14:27:39 jupiter nm-dispatcher: Dispatching action 'up' for ppp0
May 13 14:31:34 jupiter org.gnome.zeitgeist.SimpleIndexer[2238]: ** (zeitgeist-fts:3028): WARNING **: Unable to get info on application://nautilus-autostart.desktop
May 13 14:35:40 jupiter org.gnome.zeitgeist.SimpleIndexer[2238]: ** (zeitgeist-fts:3028): WARNING **: Unable to get info on application://nautilus-autostart.desktop

And auth.log from most recent attempts:

May 13 14:27:30 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: responding to Main Mode from unknown peer [MY HOME IP]
May 13 14:27:30 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: OAKLEY_GROUP 20 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: OAKLEY_GROUP 19 not supported.  Attribute OAKLEY_GROUP_DESCRIPTION
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: STATE_MAIN_R1: sent MR1, expecting MI2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: STATE_MAIN_R2: sent MR2, expecting MI3
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: Main mode peer ID is ID_IPV4_ADDR: '192.168.0.2'
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[3] [MY HOME IP] #3: switched from "vpnpsk"[3] [MY HOME IP] to "vpnpsk"
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: deleting connection "vpnpsk" instance with peer [MY HOME IP] {isakmp=#0/ipsec=#0}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: new NAT mapping for #3, was [MY HOME IP]:500, now [MY HOME IP]:4500
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: STATE_MAIN_R3: sent MR3, ISAKMP SA established {auth=PRESHARED_KEY cipher=aes_256 integ=sha group=MODP2048}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: the peer proposed: [SERVER IP]/32:17/1701 -> 192.168.0.2/32:17/0
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #3: NAT-Traversal: received 2 NAT-OA. Using first, ignoring others
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: responding to Quick Mode proposal {msgid:01000000}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4:     us: 192.168.1.93/32===192.168.1.93<192.168.1.93>[[SERVER IP]]:17/1701
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4:   them: [MY HOME IP][192.168.0.2]:17/1701===192.168.1.0/24
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2 transport mode {ESP/NAT=>0x3b5b2c52 <0xde6e289d xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.2 NATD=[MY HOME IP]:4500 DPD=active}
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: Configured DPD (RFC 3706) support not enabled because remote peer did not advertise DPD support
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
May 13 14:27:31 jupiter pluto[22203]: "vpnpsk"[4] [MY HOME IP] #4: STATE_QUICK_R2: IPsec SA established transport mode {ESP/NAT=>0x3b5b2c52 <0xde6e289d xfrm=AES_128-HMAC_SHA1 NATOA=192.168.0.2 NATD=[MY HOME IP]:4500 DPD=active}
May 13 14:27:33 jupiter pppd[31490]: pam_unix(ppp:session): session opened for user kmdgserver by (uid=0)
May 13 14:27:35 jupiter systemd-logind[753]: New session c20 of user kmdgserver.
May 13 14:29:15 jupiter smbd: pam_unix(samba:session): session opened for user kmdgserver by (uid=0)
May 13 14:30:15 jupiter smbd: pam_unix(samba:session): session closed for user kmdgserver
May 13 14:30:41 jupiter smbd: pam_unix(samba:session): session opened for user kmdgserver by (uid=0)
May 13 14:31:41 jupiter smbd: pam_unix(samba:session): session closed for user kmdgserver

Answer 1

Author of the IPsec VPN script here. In order to resolve the issue, please make the following changes:

In /etc/ipsec.conf, remove this line:

rightsubnet=192.168.1.0/24

And un-comment this line:

#rightsubnetwithin=0.0.0.0/0

In /etc/xl2tpd/xl2tpd.conf, replace this line:

local ip = 192.168.1.93

with the following:

local ip = 192.168.42.1

Now restart services:

service ipsec restart
service xl2tpd restart

Re-connect the VPN. Then access your SMB shares using this IP:

\\192.168.42.1

Note: This is the IP address of the server itself while connected to the VPN.

Let me know if this works!