Use raspberry pi samba share with vpn

xrhstos.dim1

Hi, I've configured a Raspberry Pi as a file server using Samba for my local network. I'd like to have access to the server from outside my local network, and the only manageable way I thought of is using a VPN. So, I have 2 questions:

1. Can I install OpenVPN on the same Raspberry Pi with Samba configured?

2. Do I have to make any "special" tweaks so the share will work through the VPN?

 

Guides I used: 

Samba: https://youtu.be/s0Sc2n3gUqA

VPN: https://youtu.be/15VjDVCISj0

 

Thanks 😄  

 

3 minutes ago, Haraikomono said:

1. Yes 2. No

 

It's pretty simple, go for it

ok, thanks 😄 

If you have trouble, post back here. When you have multiple subnets it can get tricky if you don't have your OpenVPN server configuration push the needed routes to your VPN clients to where they can talk to other devices on your LAN (if needed).

16 hours ago, dag_dg said:

If you have trouble, post back here. When you have multiple subnets it can get tricky if you don't have your OpenVPN server configuration push the needed routes to your VPN clients to where they can talk to other devices on your LAN (if needed).

Didn't quite get what you're talking about. Can you explain further??

4 hours ago, xrhstos.dim1 said:

Didn't quite get what you're talking about. Can you explain further??

Sure. So with most home networks you'll have a private IP range of like:

 

192.168.1.2 - 192.168.1.254 with 192.168.1.1 being your default gateway and the IP of your router.

 

Let's say you set up your VPN to use a different range of IP addresses say:

 

192.168.2.2 - 192.168.2.254 with 192.168.2.1 being the VPN gateway (not default gateway) and the VPN IP of whatever is running your OpenVPN server.

 

To have devices on your home network talk to the devices on your VPN and vice versa you need two things. First, a "route" that tells the VPN client "Hey, for network traffic destined to 192.168.1.X, send it to the next hop of 192.168.2.1". The second thing is that your OpenVPN configuration needs to be set up so that the VPN itself is aware of the route; you can't just add the route by hand to the client (plus that would be inconvenient even if it did work). Basically, if you configure your OpenVPN server to push a "route" to the clients that connect to tell them to route traffic destined for 192.168.1.X in this example to a next hop of 192.168.2.1, it should allow VPN clients to talk to devices on your home network. Now if the device running your OpenVPN server also hosts your file/samba server and that service is configured (usually does automatically) to listen on the OpenVPN IP, then you may not need to mess with any routes at all so long as you don't care about the ability for VPN clients to talk to other devices on your home network.

 

For the curious, typically you won't need to add a route to devices on your home network because all of their traffic in most situations will use your home router as a default route and so long as that is acting as your VPN server *or* it is configured to route traffic on the VPN subnet(ex. 192.168.2.X) to whatever you have running your OpenVPN server.

 

Another situation you can get into is if you set things up for VPN clients to route *all* of their traffic through the VPN, including internet traffic. It can take a few extra steps to configure but basically then your VPN client sends even internet traffic through the VPN and it effectively sends and receives it through your home internet connection. There are some reasons to do this like having your own personal VPN service to bypass certain restrictions or other use cases but it's not very common. Setting it up a way where you have your OpenVPN server to push "routes" to your VPN clients would be known as a "split-tunnel" configuration.

 

Something else to be aware of is how different subnets can be carved up especially if you're looking at an example of how an OpenVPN configuration is set up or maybe someone you know who has set up their own configuration. In the example above we use an entire class C network for both the home network and the OpenVPN configuration. With subnetting you can wind up with a situation where your home network has a range of say 192.168.1.2 - 192.168.1.128 and your OpenVPN network could be set up with a range of 192.168.1.129 - 192.168.1.254. In terms of routing these separate networks would be referenced as:

192.168.1.0/25 (or subnet mask 255.255.255.128)

and

192.168.1.128/25 (or subnet mask 255.255.255.128)

 

Last thing I'll leave with is IPv6 where you have the potential to avoid using a VPN entirely. If your client device you would normally connect to your VPN has a public IPv6 address and the device on your home network has a public IPv6 address, you have the potential to connect directly to said device over the internet without having to deal with VPNs or NATting. Note that by doing this you lose the encryption of a VPN and in configuring your firewall at home you'd need to be very careful in what IPv6 IP ranges you allow through; generally not a good idea to open it up to the entire internet. For myself I have both a VPN set up as well as leverage IPv6 depending on what my needs are. Typically with IPv6 I'll open to a specific IP for a certain period of time and then remove the access when I'm done.

 

Hope this helps.
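
The split-tunnel routing described in the post above, as an added example that is not part of the original thread: it parses a constructed OpenVPN server config that uses the post's addressing (LAN 192.168.1.0/24, VPN 192.168.2.0/24) and reports which destinations a connected client would send into the tunnel. The function names are hypothetical, and the `overlapping` check goes beyond the post: it flags the case where the client's own LAN uses the same range as a pushed route, which makes the route ambiguous on the client.

```python
import ipaddress
import re

# Constructed sample server config using the thread's example addressing:
# home LAN 192.168.1.0/24, VPN subnet 192.168.2.0/24 (split-tunnel).
SAMPLE_SERVER_CONF = '''
dev tun
server 192.168.2.0 255.255.255.0
push "route 192.168.1.0 255.255.255.0"
# push "redirect-gateway def1"   # uncomment to send ALL client traffic via the VPN
'''

def parse_server_conf(text):
    """Return (vpn_subnet, pushed_routes, full_tunnel) from server config text."""
    vpn_subnet, routes, full_tunnel = None, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if m := re.fullmatch(r'server\s+(\S+)\s+(\S+)', line):
            vpn_subnet = ipaddress.ip_network(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r'push\s+"route\s+(\S+)\s+(\S+)"', line):
            routes.append(ipaddress.ip_network(f"{m[1]}/{m[2]}"))
        elif re.fullmatch(r'push\s+"redirect-gateway(\s+\S+)*"', line):
            full_tunnel = True
    return vpn_subnet, routes, full_tunnel

def goes_through_vpn(dest, conf_text):
    """True if a connected client sends traffic for `dest` into the tunnel."""
    vpn_subnet, routes, full_tunnel = parse_server_conf(conf_text)
    addr = ipaddress.ip_address(dest)
    return full_tunnel or addr in vpn_subnet or any(addr in r for r in routes)

def overlapping(conf_text, client_lan):
    """Networks reached via the VPN that collide with the client's own LAN."""
    vpn_subnet, routes, _ = parse_server_conf(conf_text)
    local = ipaddress.ip_network(client_lan)
    return [str(n) for n in [vpn_subnet, *routes] if n.overlaps(local)]

if __name__ == "__main__":
    for dest in ("192.168.1.50", "192.168.2.1", "8.8.8.8"):
        print(dest, "-> tunnel" if goes_through_vpn(dest, SAMPLE_SERVER_CONF) else "-> local gateway")
    print("collisions with a 192.168.1.0/24 client LAN:",
          overlapping(SAMPLE_SERVER_CONF, "192.168.1.0/24"))
```
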

  • 4 months later...

Hello, I have a specific networking problem and I'd much appreciate some help.

I have an Asus router (192.168.2.1) with an OpenVPN server running on it (TUN, 10.5.0.0/255.255.255.0), so I can have access to my home network from the outside. On my rpi osmc (192.168.2.5) I have Surfshark VPN, managed through the Zomboided addon. If I'm on my home network or if Surfshark OpenVPN on my osmc is disabled, I can normally access the rpi (NAS, Transmission etc). But when I'm connected to my home network via VPN, I cannot see the rpi or access the NAS etc. on it. I can do that only if I disconnect the rpi from the Surfshark VPN. Any hints how to solve this? Thank you.
