Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On 12/02/2022 00:12, Bo Berglund wrote:
> Since the connections targeting other nfs servers on the home LAN worked fine
> without this change I assume that when these are received by OpenVPN they are
> sent out on the 119 network after being NATed into the 119 LAN range and thus
> do not suffer the rejection.
> But when the target is the OpenVPN server itself it does not do the NAT
> translation and the call does not get out on the 119 LAN but uses the tunnel
> address directly instead and failed because of that.

Just a little clarification (for the records and those coming after us):
"it" is not OpenVPN, but rather your iptables/nftables and your routing
table combined.

If you wanted, you could configure NAT also for connections going to the
server itself, but this is uncommon.

Regards,

--
Antonio Quartulli

___
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, 11 Feb 2022 17:15:38 -0500, Nathan Stratton Treadway wrote:
> On Fri, Feb 11, 2022 at 19:18:32 +0100, Gert Doering wrote:
>> On Fri, Feb 11, 2022 at 07:10:17PM +0100, Bo Berglund wrote:
>>> The output of tcpdump is saved to this file:
>>> http://blog.boberglund.com/tcpdump.log
>>>
>>> Does this show anything valuable?
>>
>> It says
>>
>> 18:58:12.150535 ip: 192.168.119.216.2049 > 10.8.139.3.942: Flags [P.], seq
>> 29:53, ack 289, win 508, options [nop,nop,TS val 3346628708 ecr 3593052701],
>> length 24: NFS reply xid 955890808 reply ERR 20: Auth Bogus Credentials
>> (seal broken)
>>
>> so it's not a firewall or routing thing, but you *do* talk to the
>
> I noticed that the tcpdump gives the packet destination address of
> 10.8.139.3, but didn't see that IP mentioned in the mount/export
> commands. Is there NAT configured somewhere in the middle of this
> connection, or something like that?
>
> Nathan

Correct observation!

When the target is a service on the OpenVPN server itself it does not NAT the
packet out and then back in again but instead goes directly to the NFS service
run by itself. And then it uses a tunnel address, which is what you saw.

I have just modified the system by adding the tunnel addresses to the exports
file and it is now working. See my message sent just before this.

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, 11 Feb 2022 22:20:38 +0100, Gert Doering wrote:
> Hi,
>
> On Fri, Feb 11, 2022 at 09:52:21PM +0100, Bo Berglund wrote:
>> But still it seems like it is OpenVPN that breaks the functionality...
>
> Unlikely theory. This is something about "packets coming from a
> different source net" or possibly "from a different interface" than
> before. Not "OpenVPN breaking this" - that would look different
> (like, data transfers getting stuck due to MTU issues).
>

ISSUE RESOLVED!
---
I added a new client spec in the /etc/exports file so it now looks like this
(on one line):

/home/bosse/www/MSNBC -rw,sync,no_subtree_check,insecure 192.168.116.0/22 10.8.139.0/24

The last one is the IP of the tunnel device used by the OpenVPN server.
This change made all the difference!
Now the nfs server can be connected to by the remote devices just fine!

So bottom line is that the nfs call source gets changed by OpenVPN to an
address in the tunnel, in this case it is set via a ccd directive to a fixed
address in that range. And it looks like this is what nfs sees as the source
address and thus it rejected it because it was not in the allowed range.
But now it is and it works!

Since the connections targeting other nfs servers on the home LAN worked fine
without this change I assume that when these are received by OpenVPN they are
sent out on the 119 network after being NATed into the 119 LAN range and thus
do not suffer the rejection.
But when the target is the OpenVPN server itself it does not do the NAT
translation and the call does not get out on the 119 LAN but uses the tunnel
address directly instead and failed because of that.

Now working as intended! :)

Thanks for the discussion, which led me in the right direction!

--
Bo Berglund
Developer in Sweden
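An added example, not part of the thread: a small Python checker that parses the exports lines quoted in the thread (both the `client(opts)` and the older `-opts client client` syntax) and shows why a request that reaches the NFS server with the tunnel source 10.8.139.3 is rejected until 10.8.139.0/24 is listed. The NAT chain it models is the picture the thread arrives at (router client masquerading the 117 LAN to its fixed ccd tunnel address, server masquerading forwarded tunnel traffic onto the 119 LAN, no NAT for traffic delivered to the server itself) and is an assumption; all addresses are taken from the thread.

```python
"""Why does an NFS export reject a VPN client?  (added example, not from the thread)

Parses exports(5) lines in both syntaxes seen in the thread and reports which
client spec, if any, admits the source address the NFS server actually sees.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample, copied from the thread: the shares before the fix and the
# MSNBC share after the fix (old-style '-opts client client' syntax).
SAMPLE_EXPORTS = """\
/nfs/pi_share 192.168.119.0/24(rw,sync,no_subtree_check)
/home/bosse/www/VIDEO 192.168.116.0/22(rw,sync,no_subtree_check)
/home/bosse/www/MSNBC -rw,sync,no_subtree_check,insecure 192.168.116.0/22 10.8.139.0/24
"""

# Assumed addresses, all taken from the thread.
SERVER_LAN_IP = "192.168.119.216"   # OpenVPN server (also the NFS server)
HOME_LAN = "192.168.119.0/24"
TUNNEL_NET = "10.8.139.0/24"
ROUTER_TUNNEL_IP = "10.8.139.3"     # fixed ccd address of the ASUS router client


@dataclass
class ExportEntry:
    path: str
    client: str                      # as written: IP, CIDR, hostname or '*'
    options: list = field(default_factory=list)


_CLIENT_RE = re.compile(r"^([^()]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Parse exports(5) text.  Handles 'path client(opts) ...' and the older
    'path -opts client client' form, where -opts applies to the clients after it."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *tokens = line.split()
        defaults = []
        for tok in tokens:
            if tok.startswith("-"):
                defaults = tok[1:].split(",") if len(tok) > 1 else []
                continue
            client, opts = _CLIENT_RE.match(tok).groups()
            entries.append(ExportEntry(path, client or "*",
                                       opts.split(",") if opts else list(defaults)))
    return entries


def _specificity(spec):
    """mountd precedence: single host < network < wildcard (lower wins)."""
    if spec == "*":
        return 2
    try:
        return 0 if ipaddress.ip_network(spec, strict=False).num_addresses == 1 else 1
    except ValueError:
        return 3                     # hostnames/netgroups: not resolved offline


def client_matches(spec, addr):
    """Does the client spec cover the source address the server sees?"""
    if spec == "*":
        return True
    try:
        return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False                 # hostname/netgroup specs are not resolved here


def find_match(entries, path, addr):
    """Most specific export entry for `path` admitting `addr`, or None (= access denied)."""
    hits = [e for e in entries if e.path == path and client_matches(e.client, addr)]
    return min(hits, key=lambda e: _specificity(e.client), default=None)


def source_seen_by_server(client_ip, dst_ip):
    """Assumed NAT chain from the thread: the router client masquerades 117-LAN
    traffic to its tunnel address; the server masquerades *forwarded* tunnel
    traffic onto the 119 LAN, but traffic delivered to the server itself is not
    NATed and keeps the tunnel source."""
    ip = ipaddress.ip_address(client_ip)
    src = client_ip if ip in ipaddress.ip_network(TUNNEL_NET) else ROUTER_TUNNEL_IP
    if dst_ip == SERVER_LAN_IP:
        return src                   # local delivery: no second NAT
    if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(HOME_LAN):
        return SERVER_LAN_IP         # forwarded onto the LAN: NATed
    return src


def check_mount(exports_text, path, client_ip, dst_ip):
    """Return (source address the server sees, matching client spec or None)."""
    src = source_seen_by_server(client_ip, dst_ip)
    hit = find_match(parse_exports(exports_text), path, src)
    return src, (hit.client if hit else None)


if __name__ == "__main__":
    for share in ("/home/bosse/www/VIDEO", "/home/bosse/www/MSNBC"):
        src, spec = check_mount(SAMPLE_EXPORTS, share, "192.168.117.251", SERVER_LAN_IP)
        print(f"{share}: server sees {src}; matched {spec or 'nothing -> access denied'}")
```

Running it shows the VIDEO share denying the tunnel source while the MSNBC share admits it, and the same client mounting the RPi share on 192.168.119.164 arrives with the server's LAN address instead.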
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, Feb 11, 2022 at 19:18:32 +0100, Gert Doering wrote:
> On Fri, Feb 11, 2022 at 07:10:17PM +0100, Bo Berglund wrote:
>> The output of tcpdump is saved to this file:
>> http://blog.boberglund.com/tcpdump.log
>>
>> Does this show anything valuable?
>
> It says
>
> 18:58:12.150535 ip: 192.168.119.216.2049 > 10.8.139.3.942: Flags [P.], seq
> 29:53, ack 289, win 508, options [nop,nop,TS val 3346628708 ecr 3593052701],
> length 24: NFS reply xid 955890808 reply ERR 20: Auth Bogus Credentials (seal
> broken)
>
> so it's not a firewall or routing thing, but you *do* talk to the

I noticed that the tcpdump gives the packet destination address of
10.8.139.3, but didn't see that IP mentioned in the mount/export
commands. Is there NAT configured somewhere in the middle of this
connection, or something like that?

Nathan

Nathan Stratton Treadway - natha...@ontko.com - Mid-Atlantic region
Ray Ontko & Co. - Software consulting services - http://www.ontko.com/
GPG Key: http://www.ontko.com/~nathanst/gpg_key.txt ID: 1023D/ECFB6239
Key fingerprint = 6AD8 485E 20B9 5C71 231C 0C32 15F3 ADCD ECFB 6239
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On Fri, Feb 11, 2022 at 09:52:21PM +0100, Bo Berglund wrote:
> But still it seems like it is OpenVPN that breaks the functionality...

Unlikely theory. This is something about "packets coming from a
different source net" or possibly "from a different interface" than
before. Not "OpenVPN breaking this" - that would look different
(like, data transfers getting stuck due to MTU issues).

gert

--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
                             Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, 11 Feb 2022 19:18:32 +0100, Gert Doering wrote:
> Hi,
>
> On Fri, Feb 11, 2022 at 07:10:17PM +0100, Bo Berglund wrote:
>> The output of tcpdump is saved to this file:
>> http://blog.boberglund.com/tcpdump.log
>>
>> Does this show anything valuable?
>
> It says
>
> 18:58:12.150535 ip: 192.168.119.216.2049 > 10.8.139.3.942: Flags [P.], seq
> 29:53, ack 289, win 508, options [nop,nop,TS val 3346628708 ecr 3593052701],
> length 24: NFS reply xid 955890808 reply ERR 20: Auth Bogus Credentials (seal
> broken)
>
> so it's not a firewall or routing thing, but you *do* talk to the
> NFS server, and it's not liking the client. It seems to expect
> a password or some other sort of credentials.

This nfs server has been installed "ages" ago and I have used it on 3
different linux machines in order to transfer files between them.
It has worked fine when the now remote client was still on my home LAN up
until Wednesday this week...
Then I moved it to the remote LAN when we got fiber installed there (it was on
mobile broadband with metered data earlier).

The remote and home networks were "wired together" using the OpenVPN client in
the remote ASUS router towards my existing OpenVPN server at home.
This server has been in use since about 2016 or so and was my first real
Ubuntu server. It handles a lot of stuff like Subversion, my private website,
video downloads and more.

Given that everything else I tested before looking at the nfs connections
worked really well I was surprised to see this fail so miserably.
Especially that the connection fails from a client that has been working fine
for a long time towards it when it was hardwired to the home LAN.
And to find that an nfs server on a different device (Raspberry Pi) on the
home LAN *is* accessible from the remote LAN makes it even stranger.

> My next step would now involve googling for "Linux NFS server Auth Bogus
> Credentials" or some variation of this and see what comes back.

I did find at least one discussion of a similar problem, except there the
problem seems to be persistent and non-working on a single LAN... Not my
symptoms.
https://serverfault.com/questions/584211/yet-another-nfs-permissions-error-linux-nfs4-access-denied-auth-bogus-credent

I tried adding the insecure option as advised to the exports file in the share
definition with no change in the connectivity.

> (Not having used Linux as an NFS Server in 10+ years, I have no idea
> about current distributions and their ideas of NFS security)

Me neither...

But still it seems like it is OpenVPN that breaks the functionality...

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On Fri, Feb 11, 2022 at 07:10:17PM +0100, Bo Berglund wrote:
> The output of tcpdump is saved to this file:
> http://blog.boberglund.com/tcpdump.log
>
> Does this show anything valuable?

It says

18:58:12.150535 ip: 192.168.119.216.2049 > 10.8.139.3.942: Flags [P.], seq
29:53, ack 289, win 508, options [nop,nop,TS val 3346628708 ecr 3593052701],
length 24: NFS reply xid 955890808 reply ERR 20: Auth Bogus Credentials (seal
broken)

so it's not a firewall or routing thing, but you *do* talk to the
NFS server, and it's not liking the client. It seems to expect
a password or some other sort of credentials.

My next step would now involve googling for "Linux NFS server Auth Bogus
Credentials" or some variation of this and see what comes back.

(Not having used Linux as an NFS Server in 10+ years, I have no idea
about current distributions and their ideas of NFS security)

gert

--
Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, 11 Feb 2022 18:12:23 +0100, Gert Doering wrote:
> Hi,
>
> On Fri, Feb 11, 2022 at 06:06:58PM +0100, Bo Berglund wrote:
>> I tried as follows (on the server):
>>
>> $ sudo tcpdump -nnel -i tun0 tcp port 2049
>> tcpdump: tun0 : No such device exists
>
> There's an "alt-space" character behind "tun0" here, which should not
> be part of the command line. Just "-i tun0" (plus the other options
> and the "tcp port 2049" filter).
>
> And yes, run that on both client tun and server tun, then try the
> NFS mount and see if that is more enlightening - it might be, it might
> not be. But I do wonder why you are not seeing anything in the server
> log on denied requests.

I made a quick departure from the kitchen and corrected the command as you
described, then it started waiting for stuff.
Then I ran the mount command on the remote device:

$ sudo mount 192.168.119.216:/home/bosse/www/MSNBC /mnt/msnbc
mount.nfs: access denied by server while mounting 192.168.119.216:/home/bosse/www/MSNBC

(Note that I have now stopped editing the command regarding the share name...).

The output of tcpdump is saved to this file:
http://blog.boberglund.com/tcpdump.log

Does this show anything valuable?

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On Fri, Feb 11, 2022 at 06:06:58PM +0100, Bo Berglund wrote:
> I tried as follows (on the server):
>
> $ sudo tcpdump -nnel -i tun0 tcp port 2049
> tcpdump: tun0 : No such device exists

There's an "alt-space" character behind "tun0" here, which should not
be part of the command line. Just "-i tun0" (plus the other options
and the "tcp port 2049" filter).

And yes, run that on both client tun and server tun, then try the
NFS mount and see if that is more enlightening - it might be, it might
not be. But I do wonder why you are not seeing anything in the server
log on denied requests.

gert

--
Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, 11 Feb 2022 16:47:36 +0100, Jan Just Keijser wrote:
>> When the client accesses the RPi NFS then presumably this happens:
>>
>> [Client]-117->[Router->VPN]->Internet->[Router]-119->[OpenVPNserv]-119->[RPiNFS]
>>
>> But when replacing RPiNFS with the NFS port on the OpenVPN server for a call
>> to the NFS server then the call out on LAN 119 should be for port 2049 on the
>> OpenVPN server own IP address.
>>
>> Why would that be a problem?
>>
>> I have trouble understanding this "source routing" or "policy routing" of
>> OpenVPN...
>>
>> Is there a document describing this case and how to configure for it?
>> I would need to know the option/command name to be able to search for it...
>>
>
> so which NFS server address are you using? the local LAN IP or the VPN
> tunnel IP? the tunnel IP might work...

When you say "using" what address do you mean?
The mount command on the client looks like this:

sudo mount 192.168.119.216:/home/bosse/www/VIDEO /mnt/video

The client issuing this command has address 192.168.117.251

So the client 192.168.117.251 tries to mount the share offered by
192.168.119.216 and since that is non-local it goes through the VPN tunnel to
the other LAN, where it gets routed to the OpenVPN server since that is the
target here.
When it gets to the server OpenVPN transfers the packet to the destination
network I assume. And in this case the target will be 192.168.119.216:2049
which should resolve to that port on the OVPN server itself.
And now it should connect to the nfs service but apparently it does not.

Compare to what happens when the target is a different nfs server on the 119
LAN, in this case the packet is again put on the LAN and picked up by the
other NFS server and handled there so the mount succeeds.

Why does this not happen if the nfs server is the same as the OVPN server?

>
> and like Gert suggested, run tcpdump on the server to see what happens
> to the traffic, e.g.
>
>   tcpdump -nnel -i tun0 tcp port 2049

I have never used this command, what is the procedure?
Do I issue the command on the server, then go to the client and try to mount
the nfs share and then something will be shown? Where?

I tried as follows (on the server):

$ sudo tcpdump -nnel -i tun0 tcp port 2049
tcpdump: tun0 : No such device exists

But:

$ ifconfig tun0
tun0: flags=4305  mtu 1500
        inet 10.8.139.1  netmask 255.255.255.0  destination 10.8.139.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 2197245  bytes 146063190 (146.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4022369  bytes 4854902161 (4.8 GB)
        TX errors 0  dropped 2892 overruns 0  carrier 0  collisions 0

So tun0 clearly exists

Very confused now...

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On 11/02/22 15:30, Bo Berglund wrote:
> On Fri, 11 Feb 2022 14:44:05 +0100, Jan Just Keijser wrote:
>>> EXPERIMENT
>>> --
>>> I installed the nfs server on a RaspberryPi on the 119 LAN and used the same
>>> kind of exports entry:
>>>
>>> /mnt/nfs 192.168.116.0/22(rw,sync,no_subtree_check)
>>>
>>> After the setup was done:
>>> $ showmount -e
>>> Export list for rpi4-dev:
>>> /mnt/nfs 192.168.116.0/22
>>>
>>> Then on the *remote* device which is unable to connect to the nfs share on
>>> the OVPN server I did this:
>>>
>>> sudo mount 192.168.119.164:/mnt/nfs /mnt/nas
>>> cd /mnt/nas/
>>> touch kalle
>>> ls -l
>>> -rw-rw-r-- 1 bosse bosse 0 Feb 11 13:07 kalle
>>>
>>> So this connect succeeds!
>>>
>>> Definitely an OpenVPN server problem here, why cannot remote clients mount
>>> the nfs share on the OVPN server itself when they can connect to other nfs
>>> servers on the home LAN using the exact same export directive?
>>
>> accessing stuff on the Openvpn server via the VPN itself is tricky: keep
>> in mind that OpenVPN needs to add a route *bypassing* the VPN from the
>> client to the VPN server. If OpenVPN did not do that, then the openvpn
>> traffic itself, intended for the OpenVPN server process, might get sent
>> out via the VPN interface, causing a "biting your own tail" problem.
>
> Why? The call is destined for the server's IP address on port 2049, right?
>
>> If you need to be able to access other services on the OpenVPN server
>> then you will need to set up source routing or policy routing (not sure
>> if Windows supports this) to ensure that
>>
>>   UDP traffic over port 1194 from client to VPN server -> send out
>> over the pre-VPN gateway/LAN
>>   all other traffic from client to VPN server -> send out over the VPN
>> tunnel interface
>>
> When the client accesses the RPi NFS then presumably this happens:
>
> [Client]-117->[Router->VPN]->Internet->[Router]-119->[OpenVPNserv]-119->[RPiNFS]
>
> But when replacing RPiNFS with the NFS port on the OpenVPN server for a call
> to the NFS server then the call out on LAN 119 should be for port 2049 on the
> OpenVPN server own IP address.
>
> Why would that be a problem?
>
> I have trouble understanding this "source routing" or "policy routing" of
> OpenVPN...
>
> Is there a document describing this case and how to configure for it?
> I would need to know the option/command name to be able to search for it...
>

so which NFS server address are you using? the local LAN IP or the VPN
tunnel IP? the tunnel IP might work...

and like Gert suggested, run tcpdump on the server to see what happens
to the traffic, e.g.

  tcpdump -nnel -i tun0 tcp port 2049

or something similar.

HTH,

JJK
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On Fri, Feb 11, 2022 at 03:30:22PM +0100, Bo Berglund wrote:
> I have trouble understanding this "source routing" or "policy routing" of
> OpenVPN...

It depends on "which address of the server you are talking to".

If the OpenVPN client needs to send a packet to the "WAN" address of the
server (or the server only has one address), it cannot send it "through
the tunnel" (because then the tunneled packet would go "through the
tunnel" as well, getting nowhere). So it installs a host route (/32 or
/128) to go to the regular default router, for "all packets toward the
OpenVPN server address".

If the server has different WAN+LAN addresses, sending packets to the
OpenVPN server's *LAN* address will "just go through the tunnel".

There is no magic, just routing - traceroute will show which packets go
where.

gert

--
Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, 11 Feb 2022 14:44:05 +0100, Jan Just Keijser wrote:
> Hi Bo,
>> EXPERIMENT
>> --
>> I installed the nfs server on a RaspberryPi on the 119 LAN and used the same
>> kind of exports entry:
>>
>> /mnt/nfs 192.168.116.0/22(rw,sync,no_subtree_check)
>>
>> After the setup was done:
>> $ showmount -e
>> Export list for rpi4-dev:
>> /mnt/nfs 192.168.116.0/22
>>
>> Then on the *remote* device which is unable to connect to the nfs share on
>> the OVPN server I did this:
>>
>> sudo mount 192.168.119.164:/mnt/nfs /mnt/nas
>> cd /mnt/nas/
>> touch kalle
>> ls -l
>> -rw-rw-r-- 1 bosse bosse 0 Feb 11 13:07 kalle
>>
>> So this connect succeeds!
>>
>> Definitely an OpenVPN server problem here, why cannot remote clients mount
>> the nfs share on the OVPN server itself when they can connect to other nfs
>> servers on the home LAN using the exact same export directive?
>>
>
> accessing stuff on the Openvpn server via the VPN itself is tricky: keep
> in mind that OpenVPN needs to add a route *bypassing* the VPN from the
> client to the VPN server. If OpenVPN did not do that, then the openvpn
> traffic itself, intended for the OpenVPN server process, might get sent
> out via the VPN interface, causing a "biting your own tail" problem.

Why? The call is destined for the server's IP address on port 2049, right?

> If you need to be able to access other services on the OpenVPN server
> then you will need to set up source routing or policy routing (not sure
> if Windows supports this) to ensure that
>
>   UDP traffic over port 1194 from client to VPN server -> send out
> over the pre-VPN gateway/LAN
>   all other traffic from client to VPN server -> send out over the VPN
> tunnel interface
>

When the client accesses the RPi NFS then presumably this happens:

[Client]-117->[Router->VPN]->Internet->[Router]-119->[OpenVPNserv]-119->[RPiNFS]

But when replacing RPiNFS with the NFS port on the OpenVPN server for a call
to the NFS server then the call out on LAN 119 should be for port 2049 on the
OpenVPN server own IP address.

Why would that be a problem?

I have trouble understanding this "source routing" or "policy routing" of
OpenVPN...

Is there a document describing this case and how to configure for it?
I would need to know the option/command name to be able to search for it...

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On Fri, Feb 11, 2022 at 03:16:12PM +0100, Bo Berglund wrote:
> Seems like OpenVPN is "eating" the call if the NFS server runs on the OpenVPN
> server itself

The only packets OpenVPN will ever "eat" are DHCP packets (if you do
bridged TAP, and want OpenVPN to provide DHCP service, and there is
another DHCP server on the LAN).

But you can see this running tcpdump on the tun interfaces - does the
packet go out from the client->tun, does it come in on the server side.

gert

--
Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, 11 Feb 2022 13:59:40 +0100, Gert Doering wrote:
> Hi,
>
> On Fri, Feb 11, 2022 at 01:29:27PM +0100, Bo Berglund wrote:
>> Definitely an OpenVPN server problem here, why cannot remote clients mount
>> the nfs share on the OVPN server itself when they can connect to other nfs
>> servers on the home LAN using the exact same export directive?
>
> Anything in the syslog on the "permission denied" server?

Nothing at all. I have looked there before and there is a timegap in the log
where the connection was tried and failing but nothing was logged.

> On the client, if you do an "rpcinfo -p ", will it show
> anything?

$ rpcinfo -p 192.168.119.216
   program vers proto   port  service
    100000    4   tcp    111  portmapper
    100000    3   tcp    111  portmapper
    100000    2   tcp    111  portmapper
    100000    4   udp    111  portmapper
    100000    3   udp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp  45084  mountd
    100005    1   tcp  36719  mountd
    100005    2   udp  57497  mountd
    100005    2   tcp  36603  mountd
    100005    3   udp  54765  mountd
    100005    3   tcp  45929  mountd
    100003    3   tcp   2049  nfs
    100003    4   tcp   2049  nfs
    100227    3   tcp   2049
    100003    3   udp   2049  nfs
    100227    3   udp   2049
    100021    1   udp  42845  nlockmgr
    100021    3   udp  42845  nlockmgr
    100021    4   udp  42845  nlockmgr
    100021    1   tcp  34993  nlockmgr
    100021    3   tcp  34993  nlockmgr
    100021    4   tcp  34993  nlockmgr

> Does "showmount -e "?

Looks exactly as if I had run this on the server itself:

$ showmount -e 192.168.119.216
Export list for 192.168.119.216:
/home/bosse/www/VIDEO 192.168.116.0/22
/nfs/pi_share         192.168.119.0/24

> Might be a firewall

No firewall enabled on the client and on the server..

> or hosts.allow thing, in addition to /etc/exports

/etc/hosts.allow on the server is empty, just comment text.

Seems like OpenVPN is "eating" the call if the NFS server runs on the OpenVPN
server itself

--
Bo Berglund
Developer in Sweden
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi Bo,

On 11/02/22 13:29, Bo Berglund wrote:
> On Fri, 11 Feb 2022 08:03:05 +0100, Gert Doering wrote:
>> Hi,
>>
>> On Fri, Feb 11, 2022 at 01:02:18AM +0100, Bo Berglund wrote:
>>> sudo mount 192.168.119.216:/home/bosse/www/VIDEO /mnt/video
>>> mount.nfs: access denied by server while mounting
>>> 192.168.119.216:/home/bosse/www/video
>>
>> "access denied" means "they have connectivity, but the server config
>> is disallowing access" -> /etc/exports on the server
>>
> My server side /etc/exports file looks like this:
>
> /nfs/pi_share 192.168.119.0/24(rw,sync,no_subtree_check)
> #Let the IP mask cover 1024 addresses rather than 256:
> /home/bosse/www/VIDEO 192.168.116.0/22(rw,sync,no_subtree_check)
>
> And here is what is shown as shared:
>
> $ showmount -e
> Export list for ubuntuserv:
> /home/bosse/www/VIDEO 192.168.116.0/22
> /nfs/pi_share         192.168.119.0/24
>
> The video share was defined like this before I widened it to 1024 addresses
> to cover both the 119 and 117 networks (on a single line, the newsreader
> wraps):
>
> /home/bosse/www/VIDEO -rw,sync,no_subtree_check 192.168.119.0/24 192.168.117.251
>
> Here I just added a specific client IP for the remote device
> But it also did not work...
>
> For devices on the 119 LAN there are no problems to connect to the share on
> the OVPN server, it is just a problem for devices on the 117 LAN via the
> OpenVPN client connection. Always the "access denied" message.
>
> So the share itself must be OK, hence my questioning the OpenVPN
> functionality.
>
> Clients on the 117 LAN connect through the VPN tunnel and I assume exit from
> the server on to the 119 LAN, but with which IP address???
> Are they exiting on to the 119 LAN with a tunnel address so that is why it
> won't work?
> Do I need to add the VPN tunnel addresses as allowed clients too?
>
> EXPERIMENT
> --
> I installed the nfs server on a RaspberryPi on the 119 LAN and used the same
> kind of exports entry:
>
> /mnt/nfs 192.168.116.0/22(rw,sync,no_subtree_check)
>
> After the setup was done:
> $ showmount -e
> Export list for rpi4-dev:
> /mnt/nfs 192.168.116.0/22
>
> Then on the *remote* device which is unable to connect to the nfs share on
> the OVPN server I did this:
>
> sudo mount 192.168.119.164:/mnt/nfs /mnt/nas
> cd /mnt/nas/
> touch kalle
> ls -l
> -rw-rw-r-- 1 bosse bosse 0 Feb 11 13:07 kalle
>
> So this connect succeeds!
>
> Definitely an OpenVPN server problem here, why cannot remote clients mount
> the nfs share on the OVPN server itself when they can connect to other nfs
> servers on the home LAN using the exact same export directive?
>

accessing stuff on the Openvpn server via the VPN itself is tricky: keep
in mind that OpenVPN needs to add a route *bypassing* the VPN from the
client to the VPN server. If OpenVPN did not do that, then the openvpn
traffic itself, intended for the OpenVPN server process, might get sent
out via the VPN interface, causing a "biting your own tail" problem.

If you need to be able to access other services on the OpenVPN server
then you will need to set up source routing or policy routing (not sure
if Windows supports this) to ensure that

  UDP traffic over port 1194 from client to VPN server -> send out
over the pre-VPN gateway/LAN
  all other traffic from client to VPN server -> send out over the VPN
tunnel interface

HTH,

JJK
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On Fri, Feb 11, 2022 at 01:29:27PM +0100, Bo Berglund wrote:
> Definitely an OpenVPN server problem here, why cannot remote clients mount the
> nfs share on the OVPN server itself when they can connect to other nfs servers
> on the home LAN using the exact same export directive?

Anything in the syslog on the "permission denied" server?

On the client, if you do an "rpcinfo -p ", will it show
anything?

Does "showmount -e "?

Might be a firewall or hosts.allow thing, in addition to /etc/exports

gert

--
Gert Doering - Munich, Germany                             g...@greenie.muc.de
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
On Fri, 11 Feb 2022 08:03:05 +0100, Gert Doering wrote:
>Hi,
>
>On Fri, Feb 11, 2022 at 01:02:18AM +0100, Bo Berglund wrote:
>> sudo mount 192.168.119.216:/home/bosse/www/VIDEO /mnt/video
>> mount.nfs: access denied by server while mounting
>> 192.168.119.216:/home/bosse/www/video
>
>"access denied" means "they have connectivity, but the server config
>is disallowing access" -> /etc/exports on the server
>

My server side /etc/exports file looks like this:

/nfs/pi_share 192.168.119.0/24(rw,sync,no_subtree_check)
#Let the IP mask cover 1024 addresses rather than 256:
/home/bosse/www/VIDEO 192.168.116.0/22(rw,sync,no_subtree_check)

And here is what is shown as shared:

$ showmount -e
Export list for ubuntuserv:
/home/bosse/www/VIDEO 192.168.116.0/22
/nfs/pi_share         192.168.119.0/24

The video share was defined like this before I widened it to 1024 addresses to
cover both the 119 and 117 networks (on a single line, the newsreader wraps):

/home/bosse/www/VIDEO -rw,sync,no_subtree_check 192.168.119.0/24 192.168.117.251

Here I just added a specific client IP for the remote device
But it also did not work...

For devices on the 119 LAN there are no problems to connect to the share on the
OVPN server, it is just a problem for devices on the 117 LAN via the OpenVPN
client connection. Always the "access denied" message.

So the share itself must be OK, hence my questioning the OpenVPN functionality.

Clients on the 117 LAN connect through the VPN tunnel and I assume exit from the
server on to the 119 LAN, but with which IP address???
Are they exiting on to the 119 LAN with a tunnel address so that is why it won't
work?
Do I need to add the VPN tunnel addresses as allowed clients too?

EXPERIMENT
--
I installed the nfs server on a RaspberryPi on the 119 LAN and used the same
kind of exports entry:

/mnt/nfs 192.168.116.0/22(rw,sync,no_subtree_check)

After the setup was done:

$ showmount -e
Export list for rpi4-dev:
/mnt/nfs 192.168.116.0/22

Then on the *remote* device which is unable to connect to the nfs share on the
OVPN server I did this:

sudo mount 192.168.119.164:/mnt/nfs /mnt/nas
cd /mnt/nas/
touch kalle
ls -l
-rw-rw-r-- 1 bosse bosse 0 Feb 11 13:07 kalle

So this connect succeeds!

Definitely an OpenVPN server problem here, why cannot remote clients mount the
nfs share on the OVPN server itself when they can connect to other nfs servers
on the home LAN using the exact same export directive?

--
Bo Berglund
Developer in Sweden
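The question at the end of the message above (which source address does the server see, and is it covered by /etc/exports?) can be checked offline against the exports file itself. The following is an added example, not code from the thread or from the nfs-utils or OpenVPN projects: it parses exports(5) lines in both forms quoted in the thread (the `client(opts)` form and the older `-opts client client` form) and reports which entry, if any, admits a given source address. The tunnel subnet 10.8.0.0/24 and the client tunnel address 10.8.0.6 are constructed assumptions standing in for whatever `ip addr` on the server and the server-side syslog or a packet capture actually show; hostnames and wildcards in a client spec are reported as undecidable rather than resolved.

```python
import ipaddress
import re

# Constructed sample exports, in the shape of the thread's /etc/exports.
# "Before": only LAN ranges are listed (192.168.116.0/22 spans .116 to .119).
EXPORTS_BEFORE = """\
/nfs/pi_share 192.168.119.0/24(rw,sync,no_subtree_check)
#Let the IP mask cover 1024 addresses rather than 256:
/home/bosse/www/VIDEO 192.168.116.0/22(rw,sync,no_subtree_check)
"""

# "After": the VPN tunnel subnet is added. 10.8.0.0/24 is an assumed value,
# not the thread's real tunnel range.
EXPORTS_AFTER = EXPORTS_BEFORE + (
    "/home/bosse/www/VIDEO 10.8.0.0/24(rw,sync,no_subtree_check)\n"
)

# Older exports syntax also quoted in the thread: a leading -options token
# applies to every client spec that follows it on the same line.
EXPORTS_OLD_STYLE = (
    "/home/bosse/www/VIDEO -rw,sync,no_subtree_check "
    "192.168.119.0/24 192.168.117.251\n"
)

# client spec optionally followed by a parenthesised option list
CLIENT_RE = re.compile(r"([^()]*)(?:\((.*)\))?")


def parse_exports(text):
    """Parse exports(5) text into [(path, [(client_spec, options), ...]), ...].

    Comments and blank lines are skipped; both the `client(opts)` form and
    the older `-opts client client` form are understood.
    """
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        path, default_opts, clients = tokens[0], "", []
        for token in tokens[1:]:
            if token.startswith("-"):
                default_opts = token[1:]
                continue
            m = CLIENT_RE.fullmatch(token)
            spec = m.group(1)
            opts = m.group(2) if m.group(2) is not None else default_opts
            clients.append((spec, opts))
        exports.append((path, clients))
    return exports


def spec_network(spec):
    """ip_network for an address or CIDR spec; None for a hostname, wildcard
    or bare "(opts)" spec, which cannot be decided without DNS."""
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None


def matching_client(exports, path, source_ip):
    """Return the (client_spec, options) entry that admits source_ip for
    path, or None when no address-based entry matches: the server then
    answers the mount with "access denied"."""
    addr = ipaddress.ip_address(source_ip)
    for export_path, clients in exports:
        if export_path != path:
            continue
        for spec, opts in clients:
            net = spec_network(spec)
            if net is not None and addr in net:
                return spec, opts
    return None


def explain(exports_text, path, source_ip):
    """One-line verdict for a (path, source address) pair."""
    hit = matching_client(parse_exports(exports_text), path, source_ip)
    if hit is None:
        return f"{source_ip} -> {path}: no export entry covers it (access denied)"
    return f"{source_ip} -> {path}: allowed by {hit[0]} ({hit[1]})"


if __name__ == "__main__":
    path = "/home/bosse/www/VIDEO"
    # A remote-LAN client reaching another NFS host on the home LAN arrives
    # with an address inside 192.168.116.0/22 (its own 117.x address, or the
    # server's 119.x address if NAT were applied), so the /22 entry matches.
    print(explain(EXPORTS_BEFORE, path, "192.168.117.251"))
    # Reaching the OpenVPN server itself, the same client is seen with its
    # tunnel address (assumed 10.8.0.6), which only the "after" file covers.
    print(explain(EXPORTS_BEFORE, path, "10.8.0.6"))
    print(explain(EXPORTS_AFTER, path, "10.8.0.6"))
```

Running it prints an "access denied" verdict for the tunnel address against the first file and an "allowed by 10.8.0.0/24" verdict against the second, which is the difference the mount attempts in the thread exhibit. To use it on a real server, feed the contents of /etc/exports and the source address that the server-side syslog (or `tcpdump` on the server) shows for the failing mount; an entry for the tunnel range is what is needed when that address is a tunnel address rather than a LAN one.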
Re: [Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
Hi,

On Fri, Feb 11, 2022 at 01:02:18AM +0100, Bo Berglund wrote:
> sudo mount 192.168.119.216:/home/bosse/www/VIDEO /mnt/video
> mount.nfs: access denied by server while mounting
> 192.168.119.216:/home/bosse/www/video

"access denied" means "they have connectivity, but the server config
is disallowing access" -> /etc/exports on the server

gert
--
Gert Doering - Munich, Germany                             g...@greenie.muc.de
[Openvpn-users] Can a remote device connect to an NFS share on the OVPN server?
I am trying to track down a strange NFS connection problem that surfaced today...

I have two LANs, one at home using 192.168.119.0/24 and another in a remote
location using 192.168.117.0/24.

On my home LAN I have an Ubuntu 20.04.3 Server which is the OpenVPN server as
well as a file store served out via NFS.

The connection between the two LANs is by way of OpenVPN where the client is the
remote LAN ASUS router and the server is the Ubuntu server on the home LAN.

In order to have bidirectional access I have set up the client connection with a
ccd where there is a routing directive to allow reverse communication from the
home LAN devices to the remote LAN. It looks like this:

iroute 192.168.117.0 255.255.255.0

And to make that happen there is also a static route added to the home LAN
router which routes traffic towards the remote LAN IP addresses through the
OpenVPN server:

Network        IPNetmask      Gateway          Metric  Interface
192.168.117.0  255.255.255.0  192.168.119.216  2       LAN

This worked amazingly well when I deployed it yesterday, I can access the
devices on the other LAN from any device on any of the two networks.

But while testing today I found that an Ubuntu machine that was sitting on the
home LAN for a considerable time and was using an NFS share to the file store on
the OpenVPN server now cannot connect to that NFS share anymore after it moved
to the remote LAN.

If I make a manual mount attempt this is what happens:

sudo mount 192.168.119.216:/home/bosse/www/VIDEO /mnt/video
mount.nfs: access denied by server while mounting
192.168.119.216:/home/bosse/www/video

But if I try to mount another NFS share on the home LAN from that Ubuntu machine
it works instantly! That is to an NFS share on a Synology NAS on my home LAN.

This proves that it should be possible to connect also to the wanted share on
the OVPN server, but no matter what I tried today it does not happen.

So now I have to ask here if there is a limitation that the OVPN server handling
the tunnel between the two networks cannot also be an NFS server reachable from
a LAN connecting in via VPN???

All of the devices on my home LAN can use the NFS share fully but none on the
remote LAN...

Is there a solution?

--
Bo Berglund
Developer in Sweden