Is a firewall rule stopping my openvpn connection from local access?

[daptap]

I have my DS718+ running a vpn server with openvpn protocol. LE certificate is valid. I can connect and view my cameras through Blue Iris ios app (BI is hosted on a local computer). However, when I connect my laptop to the vpn when travelling, I can't access my drives on the DS. Is one of these router (rt2600ac) firewall rules the problem (all the general rules at the bottom (unseen here) are market "no")? I don't have my firewall active on the DS.

 

[daptap]

These are the permissions for the user that I use to login to the vpn server. I think I will test another user with further privileges.

So, maybe my question should be: which permissions does a user need to access files on the ds?

 

[fredbert]

If you're able to successfully create an OpenVPN tunnel through the SRM firewall to DSM's VPN Server then the SRM firewall shouldn't be the issue.

From what you've said you can create the tunnel and access the BI LAN device. That implies you've enable the setting 'Allow clients to access the server's LAN' and tunnel traffic is being successfully routed from the OpenVPN gateway (VPN Server) out of the NAS onto the LAN.

How are you trying to access the NAS's shared folders? What address and which file sharing services (SMB, AFP, etc)?

 

[akahan]

Try creating a firewall rule like so:
Protocol TCP/UDP
Source Specific IP Range: 172.22.0.0 - 172.22.0.254 (or whatever your OpenVPN range is)
Ports All
Desitnation IP address All
Ports All
Allow

(The fact that OpenVPN is permitted to connect to SRM does NOT mean that OpenVPN can connect to local resources on the LAN; doing what I've described above should enable that.)

 

[WST16]

I have my DS718+ running a vpn server with openvpn protocol. LE certificate is valid. I can connect and view my cameras through Blue Iris ios app (BI is hosted on a local computer). However, when I connect my laptop to the vpn when travelling, I can't access my drives

As @fredbert mentioned. Elaborate. Stating that your BI iOS app can access the local computer implies that you already have access to the LAN and should have access to the LAN side IP address of the DS!

Did you try accessing the DS via its virtual IP address as a test?

 

[NSquirrel]

Just a thought-and an error I made. For local access I use 192.168.1.240 (or something similar) from laptop to NAS, but for VPN access to the NAS I use 10.8.0.1 as per VPN Server/OpenVPN - Dynamic IP address on the NAS.

 

[daptap]

From what you've said you can create the tunnel and access the BI LAN device. That implies you've enable the setting 'Allow clients to access the server's LAN' and tunnel traffic is being successfully routed from the OpenVPN gateway (VPN Server) out of the NAS onto the LAN.

Yes, I have it set to "allow clients to access..."

How are you trying to access the NAS's shared folders? What address and which file sharing services (SMB, AFP, etc)?

after logging in on the laptop, I'm trying to use the laptop to access the folders on the NAS via windows explorer, so through smb. I can access them this way when on my lan at home, without vpn. SMB is enabled on the DS but not the synology router.

Logged in to my laptop at home, using cell phone service as wifi. this is what windows explorer shows as the error when trying to accces my DS.

@WST16 - Yes, I can access the login page to my DS and login.

 

[daptap]

Try creating a firewall rule like so:
Protocol TCP/UDP
Source Specific IP Range: 172.22.0.0 - 172.22.0.254 (or whatever your OpenVPN range is)
Ports All
Desitnation IP address All
Ports All
Allow

(The fact that OpenVPN is permitted to connect to SRM does NOT mean that OpenVPN can connect to local resources on the LAN; doing what I've described above should enable that.)

This is what I was really wondering since my openvpn range is shown below. firewall rules still confuse me. What if someone has that ip address and is trying to access my machine, wouldn't they then have access without vpn? I would think they could get to my login page at that point.

 

[WST16]

What if someone has that ip address and is trying to access my machine, wouldn't they then have access without vpn? I would think they could get to my login page at that point.

These are private IP address. The internet doesn’t route them. They are internal.

 

[fredbert]

However, just be aware that most ISPs will be using RFC 1918 reserved IP subnets for some of their infrastructure. Their routers will be configured to route these IP ranges so it is advisable to configure your router's firewall to allow only your LAN side subnets.

Hopefully the firewall will employ mechanisms that prevent declared subnets on specific interfaces from being spoofed on the other interfaces. For example, LAN interface connects to 192.168.X.0/24 and VPN on 172.16.Y.0/24 then WAN will not accept a connection from source IP in those subnet ranges. Other firewall technologies can support defining more intranet subnets than just the connected subnets.

 

[daptap]

I added the following firewall rule and no dice on getting to the files on DS through windows explorer (@fredbert - don't see the if/and type of options for the firewall rules in SRM). What else could be stopping the network discovery of the DS through windows explorer?

I also tried to connect to my blue iris desktop through windows remote desktop connection and got this message:

 

[fredbert]

I'm not a Windows networking expert but I think the discovery is being done as a broadcast on the LAN and is very probable that the OpenVPN server, which acts as a gateway between VPN clients and the LAN, isn't routing those packets onto VPN subnets.

I have UPnP speakers at home and they advertise on the LAN/WiFi for the Denon HEOS app to see them. But if I connect via VPN from the Internet then none of the VPN Plus services (OpenVPN, L2TP, SSL-VPN) allow the HEOS app to find the speakers. Could very well be the same for Windows networking.

You could try \\NAS_LAN_IP\share_name and \\SERVER_IP\other_share_name? Or run a local DNS server* on DSM and use that for your LAN and VPN devices so that you can have a standard resolution for home devices, e.g \\mynas.mydomain.com\share_name or, if you have specified a search domain as 'mydomain.com' in DHCP and VPN configs, \\mynas\share_name .

*You should reserve the LAN IP address in the DHCP server so that the same IP is always provided to the NAS. Better still is to reserve the IP so no other client gets assigned it and then manually assign the IP in DSM.


BTW Everyone on the Internet can use your SRM as a NTP server. I think there are enough NTP servers without you having to add your's

 

[daptap]

Been a while...re-read the suggestions and tried things again.

You could try \\NAS_LAN_IP\share_name

So, I did \\192.168.1.8\Nameofmynas. static ip for nas\name of my nas. response: "windows can't find ...." I can open the file manager in DSM though, so all is not lost, but nothing like working in the native W10 system.

I think it has something to do with my TAP adapter. This all changed when I installed mullvad VPN on my laptop, which installed a new mullvad tap adapter. Right now it is listed as an unknown network and its DNS server is 10.9.0.1, which I don't understand. My OpenVPN serve Dynamic IP address is 10.8.0.1 and the client is 10.8.0.6 right now.

Probably just shooting in the dark. Maybe I should try starting from scratch including removing mullvad and reinstalling the tap adapter (those things confuse me though).

 

[daptap]

Well, the one thing I didn't try...It didn't like the DS name, but just entering the IP address in the address bar in windows explorer worked. Huh. I also, uninstalled Mullvad and OpenVPN, then reinstalled OpenVPN. Not sure if that mattered.

same getting remote desktop connection to work to another pc on the network: enter lan ip worked.

Not sure why it doesn't accept the names of the servers though. Thanks all!