Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-12-16 Thread Jan Just Keijser

Hi Henno,

Henno Täht wrote:

> FWIW, I posted this issue to Microsoft's forum:
> http://social.answers.microsoft.com/Forums/en-US/xpnetwork/thread/82388e04-1791-43a0-a678-de8475bce537
>
> Everyone who would like this to be answered can mark that article to up the
> "X persons needs an answer" thing.

I think I finally figured it out (I ran into this issue myself this 
morning so I started hacking ;-)) :


if I set "Non-Admin Access" to "Not allowed" in the TAP-Win32 Adapter V9 
Advanced properties page and reboot the box then I can access the shares 
on my WinXP box using

 smbclient -p 445 -L 192.168.200.2
(where 192.168.200.2 is the VPN IP).

Of course, the problem with not allowing this is that non-Admin users 
can no longer start a VPN connection. You'd need to run

 runas /env /profile /user:AdminUser "openvpn ..."
to get around this.

Can somebody verify this? It sounds like a nice one for the FAQ.

share and enjoy,

JJK




Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-07-02 Thread Henno Täht
FWIW, I posted this issue to Microsoft's forum:
http://social.answers.microsoft.com/Forums/en-US/xpnetwork/thread/82388e04-1791-43a0-a678-de8475bce537

Everyone who would like this to be answered can mark that article to up the "X
persons needs an answer" thing.

Henno




Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-26 Thread Gert Doering
Hi,

On Wed, Jun 23, 2010 at 10:50:45PM +0300, Henno Täht wrote:
> On Wed, Jun 23, 2010 at 22:48, Gert Doering  wrote:
> > On Wed, Jun 23, 2010 at 09:10:10AM +0200, Jan Just Keijser wrote:
> > > assigns a 169.254 address. If this works for you as well then maybe the
> > > tap-win32 developers can dive deeper into this and find out why windows
> > > treats the 'always connected' adapter differently from an 'application
> > > controlled' adapter .
> >
> > I'd assume that windows services are not "bound" to "dynamic" interfaces...
> 
> By dynamic interface you mean an interface which has  "Obtain IP address
> automatically" set?

No, I was thinking about interfaces that sort of "are not always there".

But that was a misconception, the TAP interface *is* always there - what's
application controlled is whether it's "connected to an ethernet cable" 
(virtual, of course) all the time, or only if openvpn tells it so.

But in that my idea doesn't really make sense - it's as if windows wouldn't
start windows sharing if the ethernet cable is not plugged in at boot time.

gert

-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de



Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-24 Thread Jan Just Keijser

Gert Doering wrote:

> Hi,
>
> On Wed, Jun 23, 2010 at 09:10:10AM +0200, Jan Just Keijser wrote:
> > assigns a 169.254 address. If this works for you as well then maybe the
> > tap-win32 developers can dive deeper into this and find out why windows
> > treats the 'always connected' adapter differently from an 'application
> > controlled' adapter .
>
> I'd assume that windows services are not "bound" to "dynamic" interfaces...

They're not, as far as I know.
However,
- the SMBoverIP service binds to 0.0.0.0:445 yet it refuses access from
IPs other than the 'always connected' ones
- as Henno found out, disabling and then enabling the "windows file
sharing" protocol on the TAP-win32 adapter after the connection has been
established fixes the problem; I don't know if it is possible to do
this using some 'netsh' magic, however
- the same thing works on windows 2000, no modifications
- on windows XP and higher it *does* work for PPTP/L2TP+IPsec VPNs


JJK



Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-23 Thread Gert Doering
Hi,

On Wed, Jun 23, 2010 at 09:10:10AM +0200, Jan Just Keijser wrote:
> assigns a 169.254 address. If this works for you as well then maybe the 
> tap-win32 developers can dive deeper into this and find out why windows 
> treats the 'always connected' adapter differently from an 'application 
> controlled' adapter .

I'd assume that windows services are not "bound" to "dynamic" interfaces...

gert
-- 
USENET is *not* the non-clickable part of WWW!
   //www.muc.de/~gert/
Gert Doering - Munich, Germany g...@greenie.muc.de
fax: +49-89-35655025    g...@net.informatik.tu-muenchen.de



Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-23 Thread Jan Just Keijser

Hi Henno,

Henno Täht wrote:

> Hi
>
> 2010/6/22 Jan Just Keijser <janj...@nikhef.nl>
>
> > Henno Täht wrote:
> >
> > The only thing I can think of is that Windows XP explicitly
> > forbids access to port 445 as a countersecurity measure unless
> > it's coming from an "official" network card.
>
> That crossed my mind also.
>
> > It seems like OpenVPN is working as it should, it's just that
> > Windows XP (and Vista/7?) does not regard the tap-win32 adapter as
> > an official network card and hence does not allow access.
>
> I think it has something to do with the way OpenVPN configures the TAP
> adapter while first connecting after boot. Because when I uncheck and
> recheck OpenVPN adapter's "File and Printer Sharing service", port 445
> starts operating normally also on this adapter. But unfortunately that
> fortune only lasts until next computer restart.
>
> > Your best bet is to continue using netbios-over-tcpip for the time
> > being (I always disable port 445 anyways) until a Windows kernel
> > guru can tell us just what the heck is happening here (where would
> > this be logged? my XP firewall is turned off
>
> I cannot do that because my W2003 servers stubbornly refuse to use
> netbios-over-tcpip. I have triple checked that Enable NetBIOS over
> TCP/IP is checked and even restarted the servers but they still only
> try to connect to port 445. :(
I think I got it:

- change the media status on the tap-win32 adapter from 'Application
Controlled' to 'Always Connected'
- add the lines
   dhcp-pre-release
   dhcp-renew
   dhcp-release
  to the openvpn client config file.
- Restart windows, connect to the VPN and try the share.

This worked for my WinXP SP3 installation.

The downside is that the system takes a bit longer to come up, as 
windows tries to get a DHCP lease for the tap-win32 adapter and finally 
assigns a 169.254 address. If this works for you as well then maybe the 
tap-win32 developers can dive deeper into this and find out why windows 
treats the 'always connected' adapter differently from an 'application 
controlled' adapter .


And now that I think of it: this *might* also affect the windows 
2003/2008 server problem that some people have reported here...


HTH,

JJK



Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-22 Thread Peter Stuge
Jan Just Keijser wrote:
> > So XP is refusing port 445 connections from OpenVPN adapter.
> 
> Maybe someone on the -devel list (CC'ed) knows more about the
> interaction between the tap-win32 adapter and the rest of the
> windows os?

This reminds me of my experience with pushing a DNS server address
as part of the VPN connection.

I was using a configuration where traffic to the DNS server always
needed to be routed. It was not directly reachable on any client
interface.

After the DHCP client for e.g. a LAN or wifi connection in Windows
has been configured with a DNS server, the DNS resolver would bind
to the underlying interface that was configured by DHCP.

Even if the OpenVPN server pushes another DNS server setting which is
applied to the system when bringing up the TAP adapter, the DNS
resolver was still "bound" to the underlying interface and DNS
lookups would now fail. (The new IP was firewalled to only be
reachable via VPN.)

(My solution was to make the DNS server always be on the same IP
network as the underlying interface.)

This seems to have nothing to do with incoming port 445 traffic, but
maybe something similar is going wrong?

You could try to stop and then start the service responsible for
listening on that port. I'm not quite sure which one it is though.

Stopping and starting the DNS resolver helped in my situation, but
wasn't an adequate fix.

At least it might provide you with some more information.


Kind regards

//Peter



Re: [Openvpn-devel] [Openvpn-users] Is it possible to access Windows XP shares over port 445?

2010-06-22 Thread Jan Just Keijser

Hi Henno,

Henno Täht wrote:

> Is it possible to share files from Windows XP using port 445 over
> OpenVPN tunnel?
>
> Everything works within the LAN but from the other side of OpenVPN
> connection I'm getting "No network provider accepted the given network
> path." error while trying to access XP's shares.
>
> Sniffing shows this:
> (zeus is the machine trying to access XP's shares)
>
> Time      Source  Destination  Proto  Info
> 1.718123  zeus    xp           TCP    3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
> 1.830665  xp      zeus         TCP    445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
> 2.189052  zeus    xp           TCP    3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
> 2.219486  xp      zeus         TCP    445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
> 2.735585  zeus    xp           TCP    3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
> 2.766907  xp      zeus         TCP    445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
>
> So XP is refusing port 445 connections from OpenVPN adapter. Firewall
> is off (otherwise no packet would be sent back).
>
> While NetBIOS over TCP/IP works (port 139), it has been disabled on
> zeus and as I understand DirectSMB (microsoft-ds or port 445) should
> be more efficient.

You're actually not the first person to report this issue...

I can reproduce the behaviour on Windows XP but not on Windows 2000,
using the exact same openvpn version and installation configuration.

Similar to what you are seeing, what I can see in wireshark is that any
access over port 445 to \\>\ is dropped immediately by windows
XP, yet on windows 2000 this works flawlessly.


The only thing I can think of is that Windows XP explicitly forbids 
access to port 445 as a countersecurity measure unless it's coming from 
an "official" network card.
It seems like OpenVPN is working as it should, it's just that Windows XP 
(and Vista/7?) does not regard the tap-win32 adapter as an official 
network card and hence does not allow access.


Your best bet is to continue using netbios-over-tcpip for the time being
(I always disable port 445 anyways) until a Windows kernel guru can tell
us just what the heck is happening here (where would this be logged? my
XP firewall is turned off).


Maybe someone on the -devel list (CC'ed) knows more about the 
interaction between the tap-win32 adapter and the rest of the windows os?


cheers,

JJK
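Henno's reasoning above (a RST coming back means the XP host's TCP stack answered, so a firewall drop is ruled out) can be turned into a small check over tshark-style summary rows. This is an added example, not code from the thread; the capture rows are constructed in the style of the ones posted (the port 445 rows mirror Henno's, the 139 and 3389 rows are invented to show the other two outcomes), and the column layout is assumed to be time, source, destination, protocol, info.

```python
"""Classify tshark-style TCP summary rows per (client, server, port):
SYN answered by SYN/ACK = open, by RST = refused by the host's own
stack (so not a firewall drop), by nothing = dropped/filtered.
Added example, not from the thread; CAPTURE rows are constructed
(445 rows mirror Henno's, the 139 and 3389 rows are invented)."""
import re
from collections import defaultdict

CAPTURE = """\
1.718123  zeus  xp    TCP  3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
1.830665  xp    zeus  TCP  445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2.189052  zeus  xp    TCP  3285 > 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2.219486  xp    zeus  TCP  445 > 3285 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
2.735585  zeus  xp    TCP  3286 > 139 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
2.766907  xp    zeus  TCP  139 > 3286 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0
3.100000  zeus  xp    TCP  3287 > 3389 [SYN] Seq=0 Win=64240 Len=0 MSS=1460
"""

# assumed layout: time  src  dst  TCP  sport > dport [FLAGS] ...
ROW = re.compile(r"^\s*\S+\s+(\S+)\s+(\S+)\s+TCP\s+(\d+)\s+>\s+(\d+)\s+\[([^\]]+)\]")


def parse(text):
    """Yield (src, dst, sport, dport, flags) for each TCP summary row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            src, dst, sport, dport, flags = m.groups()
            yield src, dst, int(sport), int(dport), {f.strip() for f in flags.split(",")}


def classify(text):
    """Return {(client, server, port): verdict} for every connection attempt."""
    attempts = set()
    replies = defaultdict(set)  # (client, server, port) -> flags seen in replies
    for src, dst, sport, dport, flags in parse(text):
        if flags == {"SYN"}:                     # a bare SYN is the client's attempt
            attempts.add((src, dst, dport))
        else:                                    # anything else is a server reply,
            replies[(dst, src, sport)] |= flags  # keyed back to the attempt
    verdicts = {}
    for key in sorted(attempts):
        seen = replies.get(key, set())
        if {"SYN", "ACK"} <= seen:
            verdicts[key] = "open"
        elif "RST" in seen:
            verdicts[key] = "refused"            # host answered: not a firewall drop
        else:
            verdicts[key] = "no reply"           # silently dropped or filtered
    return verdicts
```

Fed the rows from the thread, the 445 attempt classifies as "refused", which is exactly the distinction Henno drew between the XP stack rejecting the connection and a firewall silently dropping it.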