Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-22 Thread Peter Stuge
Jan Just Keijser wrote:
> > So XP is refusing port 445 connections from OpenVPN adapter.
> 
> Maybe someone on the -devel list (CC'ed) knows more about the
> interaction between the tap-win32 adapter and the rest of the
> windows os?

This reminds me of my experience with pushing a DNS server address
as part of the VPN connection.

I was using a configuration where traffic to the DNS server always
needed to be routed. It was not directly reachable on any client
interface.

After the DHCP client for e.g. a LAN or wifi connection in Windows
has been configured with a DNS server, the DNS resolver would bind
to the underlying interface that was configured by DHCP.

Even if the OpenVPN server pushes another DNS server setting which is
applied to the system when bringing up the TAP adapter, the DNS
resolver was still "bound" to the underlying interface and DNS
lookups would now fail. (The new IP was firewalled to only be
reachable via VPN.)

(My solution was to make the DNS server always be on the same IP
network as the underlying interface.)

This seems to have nothing to do with incoming port 445 traffic, but
maybe something similar is going wrong?

You could try to stop and then start the service responsible for
listening on that port. I'm not quite sure which one it is though.

Stopping and starting the DNS resolver helped in my situation, but
wasn't an adequate fix.

At least it might provide you with some more information.


Kind regards

//Peter



Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-22 Thread Jan Just Keijser

Hi Henno,

Henno Täht wrote:

> Is it possible to share files from Windows XP using port 445 over
> OpenVPN tunnel?
>
> Everything works within the LAN but from the other side of OpenVPN
> connection I'm getting "No network provider accepted the given network
> path." error while trying to access XP's shares.
>
> Sniffing shows this:
> (zeus is the machine trying to access XP's shares)
>
> Time      Source  Destination  Proto  Info
> 1.718123  zeus    xp           TCP    3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
> 1.830665  xp      zeus         TCP    445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
> 2.189052  zeus    xp           TCP    3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
> 2.219486  xp      zeus         TCP    445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
> 2.735585  zeus    xp           TCP    3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
> 2.766907  xp      zeus         TCP    445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>
> So XP is refusing port 445 connections from OpenVPN adapter. Firewall
> is off (otherwise no packet would be sent back).
>
> While NetBIOS over TCP/IP works (port 139), it has been disabled on
> zeus and as I understand DirectSMB (microsoft-ds or port 445) should
> be more efficient.
  

You're actually not the first person to report this issue...

I can reproduce the behaviour on Windows XP but not on Windows 2000,
using the exact same OpenVPN version and installation configuration.


Similar to what you are seeing, what I can see in Wireshark is that any
access over port 445 to \\>\ is dropped immediately by Windows
XP, yet on Windows 2000 this works flawlessly.


The only thing I can think of is that Windows XP explicitly forbids 
access to port 445 as a countersecurity measure unless it's coming from 
an "official" network card.
It seems like OpenVPN is working as it should, it's just that Windows XP 
(and Vista/7?) does not regard the tap-win32 adapter as an official 
network card and hence does not allow access.


Your best bet is to continue using netbios-over-tcpip for the time being
(I always disable port 445 anyways) until a Windows kernel guru can tell
us just what the heck is happening here (where would this be logged? my
XP firewall is turned off).


Maybe someone on the -devel list (CC'ed) knows more about the
interaction between the tap-win32 adapter and the rest of the Windows OS?


cheers,

JJK
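
The distinction the capture in this thread turns on (a SYN answered by RST versus a SYN answered by nothing), as an added example that is not part of either message: a small Python classifier over text-export capture rows. The row layout, the `classify` name and the flows to ports 139 and 3389 are constructed for illustration.

```python
import re

# Constructed sample: the first four rows mirror the capture quoted in the
# thread; the flows to ports 139 and 3389 are invented to show other outcomes.
SAMPLE = """\
1.718123 zeus xp TCP 3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
1.830665 xp zeus TCP 445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2.189052 zeus xp TCP 3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2.219486 xp zeus TCP 445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
3.000000 zeus xp TCP 3290 > 139 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
3.010000 xp zeus TCP 139 > 3290 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
4.000000 zeus xp TCP 3291 > 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
7.000000 zeus xp TCP 3291 > 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+TCP\s+(\d+) > (\d+) \[([A-Z, ]+)\]")

def classify(trace):
    """Map (client, server, server_port) -> 'accepted' | 'refused' | 'no reply'."""
    syns = set()     # (client, client_port, server, server_port) that sent a SYN
    replies = {}     # same key -> flag set of the first packet sent back
    for line in trace.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # skip header and non-TCP rows
        _, src, dst, sport, dport, flags = m.groups()
        flags = frozenset(f.strip() for f in flags.split(","))
        if flags == {"SYN"}:
            syns.add((src, sport, dst, dport))
        else:
            # A reply travels server -> client, so swap to find the SYN's key.
            key = (dst, dport, src, sport)
            if key in syns:
                replies.setdefault(key, flags)
    result = {}
    for key in syns:
        client, _, server, port = key
        flags = replies.get(key, frozenset())
        if "RST" in flags:
            verdict = "refused"    # an explicit reset came back
        elif {"SYN", "ACK"} <= flags:
            verdict = "accepted"   # handshake continued
        else:
            verdict = "no reply"   # nothing came back, e.g. dropped on the way
        result[(client, server, int(port))] = verdict
    return result

if __name__ == "__main__":
    print(classify(SAMPLE))
```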