I am trying to connect to a Samba share over a VPN that I set up with OpenVPN. Both Samba and OpenVPN are set up in a virtual machine running Ubuntu 14.04. On the client side I use several Windows machines. The VPN works fine; I currently route web traffic from the clients to the www (a kind of web proxy), and I can reach the other clients as well as the server machine itself (ping and website). The subnets I currently use:
- I'm not sure you can say the server side has a "subnet", since it is a VM with its own VLAN
- the client subnet is 172.16.0.0/16
- the VPN subnet is 192.168.0.0/24
The output of ifconfig on the server is (public IP blacked out):
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:65536 Metric:1
RX packets:22 errors:0 dropped:0 overruns:0 frame:0
TX packets:22 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1100 (1.1 KB) TX bytes:1100 (1.1 KB)
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:192.168.0.1 P-t-P:192.168.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:6046 errors:0 dropped:0 overruns:0 frame:0
TX packets:7621 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:549492 (549.4 KB) TX bytes:6177350 (6.1 MB)
venet0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:127.0.0.1 P-t-P:127.0.0.1 Bcast:0.0.0.0 Mask:255.255.255.255
inet6 addr: ::2/128 Scope:Compat
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
RX packets:77095 errors:0 dropped:0 overruns:0 frame:0
TX packets:84984 errors:0 dropped:32 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:26204249 (26.2 MB) TX bytes:25862190 (25.8 MB)
venet0:0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:xxx.xxx.xxx.xxx P-t-P:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxx.xxx Mask:255.255.255.255
UP BROADCAST POINTOPOINT RUNNING NOARP MTU:1500 Metric:1
Using a different subnet for the VPN (10.8.0.0/24), to avoid conflicts in case I overlooked something... did not work either.
The OpenVPN server.conf I use looks like this:
port 1095
proto tcp
dev tun0
ca /usr/share/easy-rsa/keys/ca.crt
cert /usr/share/easy-rsa/keys/server.crt
key /usr/share/easy-rsa/keys/server.key
dh /usr/share/easy-rsa/keys/dh2048.pem
server 192.168.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "route 192.168.0.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
;push "route 0.0.0.0 0.0.0.0"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option WINS 208.67.220.220"
client-to-client
keepalive 10 120
auth SHA1
cipher BF-CBC
comp-lzo
user <sambauser>
group <sambagroupshare>
persist-key
persist-tun
status openvpn-status.log
log-append openvpn.log
verb 3
<sambauser> is the user who owns the directory I want to access and is also a member of the group <sambashare> that owns that directory. I have tried different users and groups here too.
Maybe there is something about user permission management I need to take care of?
I have also tried enabling push "route 0.0.0.0 0.0.0.0" and disabling it, since I don't need it anyway.
testparm shows the following smb config file:
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
WARNING: The "syslog" option is deprecated
Processing section "[homes]"
Processing section "[share]"
Loaded services file OK.
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
workgroup = LAB
server string = %h server (Samba, Ubuntu)
interfaces = tun0
bind interfaces only = Yes
server role = standalone server
map to guest = Bad User
obey pam restrictions = Yes
pam password change = Yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 1000
dns proxy = No
wins support = Yes
usershare allow guests = Yes
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb
hosts allow = 192.168.0.0/24
[homes]
comment = Home Directories
create mask = 0740
directory mask = 0740
directory mode = 0740
[share]
comment = share
path = /home/share
create mask = 0600
directory mask = 0740
directory mode = 0740
guest ok = Yes
In addition I have set hosts allow = 192.168.0.0/24
The iptables rules I use look like this:
#
# NAT
#
*nat
# Route all VPN Subnet traffic to the www
-A POSTROUTING -o venet0 -s 192.168.0.0/24 -j MASQUERADE
#-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source 81.169.250.110
#-A POSTROUTING -s 10.8.0.0/24 -o venet0 -j SNAT --to-source $(ifconfig venet0:0 | grep -i 'inet' | cut -d: -f2 | awk '{ print $1}')
COMMIT
#
# FILTER
#
*filter
#
# FILTER - INPUT
#
# Log incoming traffic
#-A INPUT -p tcp -j LOG --log-prefix "iptables: " --log-level 7
#-A INPUT -p udp -j LOG --log-prefix "iptables: " --log-level 7
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that does not use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# HTTP
-A INPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
# HTTPS
-A INPUT -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
# VPN
-A INPUT -p tcp --dport 1095 -m state --state NEW,ESTABLISHED -j ACCEPT
# SAMBA
-A INPUT -i tun0 -p udp --dport 137 -j ACCEPT
-A INPUT -i tun0 -p udp --dport 138 -j ACCEPT
-A INPUT -i tun0 -p tcp --dport 139 -j ACCEPT
-A INPUT -i tun0 -p tcp --dport 445 -j ACCEPT
# Allows SSH connections
# The --dport number *has to be* the same as in /etc/ssh/sshd_config
-A INPUT -p tcp -m state --state NEW --dport 22 -m limit --limit 1/m --limit-burst 5 -j ACCEPT
# Allow ping
# note that blocking other types of icmp packets is considered a bad idea by some
# remove -m icmp --icmp-type 8 from this line to allow all kinds of icmp:
# https://security.stackexchange.com/questions/22711
#-A INPUT -s 10.8.0.0/255.255.255.0 -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Allow all kinds of icmp
-A INPUT -i tun0 -s 192.168.0.0/24 -p icmp -j ACCEPT
# log iptables denied calls (access via "dmesg" command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Drop everything else
-A INPUT -j DROP
#
# FILTER - FORWARD
#
# Forward all established connections
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# VPN - PROXY
-A FORWARD -o venet0 -i tun0 -s 192.168.0.0/24 -j ACCEPT
# Drop everything else
-A FORWARD -j DROP
#
# FILTER - OUTPUT
#
# Accepts all established outbound connections
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow HTTP and HTTPS
-A OUTPUT -p tcp --sport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 443 -j ACCEPT
# VPN
-A OUTPUT -p tcp --dport 1095 -j ACCEPT
-A OUTPUT -p tcp --sport 1095 -j ACCEPT
# SAMBA
#-A OUTPUT -p udp --dport 137 -j ACCEPT
-A OUTPUT -p udp --sport 137 -j ACCEPT
#-A OUTPUT -p udp --dport 138 -j ACCEPT
-A OUTPUT -p udp --sport 138 -j ACCEPT
#-A OUTPUT -p tcp --dport 139 -j ACCEPT
-A OUTPUT -p tcp --sport 139 -j ACCEPT
#-A OUTPUT -p tcp --dport 445 -j ACCEPT
-A OUTPUT -p tcp --sport 445 -j ACCEPT
# Allow SSH
-A OUTPUT -p tcp --sport 22 -j ACCEPT
# Allow ping
-A OUTPUT -p icmp -j ACCEPT
# Drop everything else
-A OUTPUT -j DROP
#
# /FILTER
#
COMMIT
I don't know what else I can do. I have tried several iptables configurations, e.g. allowing all input from tun0: -A INPUT -i tun0 -j ACCEPT.
I have also tried disabling the hosts allow = 192.168.0.0/24 line and disabling the binding to the tun0 interface. On the other hand, I tried tightening the interface binding like this:
hosts allow = 192.168.0.0/24
interfaces = 192.168.0.0/24 tun0
bind interfaces only = yes
Which of course made no noticeable difference.
Trying to access the share manually from Windows by typing \\192.168.0.1\share or \\192.168.0.1 into the address bar of Windows Explorer ends with an error message.
If anyone can help me I would be very grateful, and I welcome any suggestions!
Kind regards, ga
Answer 1
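Before touching iptables again, the first thing worth confirming is whether smbd has a listening socket at all that covers the VPN-side address. The Python script below is an added example, not part of the question or its answers: it parses `ss -ltn` output and reports, for ports 139 and 445, whether some listener is reachable at 192.168.0.1. The two socket tables are constructed (one showing the symptom, one showing a working bind); on the server you would pipe real output into it. The treatment of an unbound IPv6 socket as also accepting IPv4 assumes the Linux default net.ipv6.bindv6only=0.

```python
#!/usr/bin/env python3
"""Check from `ss -ltn` output whether SMB listeners cover the VPN address.

Added example; not Samba's, OpenVPN's or the question author's code. Usage on
the server: `ss -ltn | python3 smb_listen_check.py`. Without stdin it runs on
the constructed sample that reproduces the symptom in the question.
"""
import ipaddress
import sys

SMB_PORTS = (139, 445)

# Constructed sample: sshd and OpenVPN (port 1095) listen, smbd does not.
SAMPLE_BROKEN = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:1095        0.0.0.0:*
LISTEN  0      128    [::]:22             [::]:*
"""

# Constructed sample after smbd binds to loopback and to the tun0 address.
SAMPLE_FIXED = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      128    0.0.0.0:1095        0.0.0.0:*
LISTEN  0      50     127.0.0.1:445       0.0.0.0:*
LISTEN  0      50     192.168.0.1:445     0.0.0.0:*
LISTEN  0      50     127.0.0.1:139       0.0.0.0:*
LISTEN  0      50     192.168.0.1:139     0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN row of `ss -ltn` output.

    Only the 'Local Address:Port' column is used. The address part may be an
    IPv4 literal, the wildcard '0.0.0.0' / '*', or a bracketed IPv6 literal.
    """
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def covers(bound_addr, client_facing_ip):
    """True if a socket bound to bound_addr accepts connections arriving at client_facing_ip."""
    if bound_addr in ("*", "0.0.0.0"):
        return True
    if bound_addr == "::":
        # Assumption: dual-stack wildcard (bindv6only=0) also serves IPv4.
        return True
    try:
        return ipaddress.ip_address(bound_addr) == ipaddress.ip_address(client_facing_ip)
    except ValueError:
        return False


def smb_reachable(ss_output, client_facing_ip, ports=SMB_PORTS):
    """Map each SMB port to whether any listener on it covers client_facing_ip."""
    listeners = parse_listeners(ss_output)
    return {
        port: any(p == port and covers(addr, client_facing_ip) for addr, p in listeners)
        for port in ports
    }


if __name__ == "__main__":
    data = SAMPLE_BROKEN if sys.stdin.isatty() else sys.stdin.read()
    for port, ok in smb_reachable(data, "192.168.0.1").items():
        state = "listening on the VPN address" if ok else "NOT reachable via 192.168.0.1"
        print(f"port {port}: {state}")
```

If both ports come back as not reachable while OpenVPN on 1095 is listed, no iptables rule can help: the packets are accepted by the firewall and then refused because nothing is bound, which is exactly what a Windows client reports as a generic network error.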
I see that in smb.conf you try to combine a tun interface with the "bind interfaces only" configuration directive. Since tun is not a "broadcast-capable" interface, this does not work (see the Samba documentation for "bind interfaces only"). The 192.168.0.0/24 in your later configuration is still the same tun interface, so that change does not help.
As a result, Samba is not listening anywhere and therefore cannot serve any requests.
You can check whether this is the case in log.smbd with log level = 3. You will probably find something like this:
[YYYY/MM/DD HH:MM:SS.ssssss,X] ../source3/lib/interface.c:316(add_interface) not adding non-broadcast interface tun0
[YYYY/MM/DD HH:MM:SS.ssssss,X] ../source3/lib/interface.c:543(load_interfaces) WARNING: no network interfaces found
Answer 2
If you only want to reach samba over the VPN, the global section of smb.conf should contain the following lines:
interfaces = 127.0.0.0/8 192.168.0.0/24
hosts deny = ALL
hosts allow = 127.0.0.1 192.168.0.1/24
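Answer 1 explains why a tun device named directly in `interfaces =` is dropped by smbd, and Answer 2 restricts access with hosts allow / hosts deny. The Python script below is an added example (not Samba's code and not from either answer) that models both checks so a configuration can be tried out before reloading smbd: it flags interface names that carry neither IFF_BROADCAST nor IFF_LOOPBACK, reproducing the log line quoted in Answer 1, and it evaluates a client address against hosts allow / hosts deny using the precedence documented in smb.conf (the allow list wins where both match; with only an allow list, unlisted hosts are denied; loopback is allowed unless explicitly denied). The interface flag words are constructed from the ifconfig output in the question; address/prefix tokens in `interfaces =` are only reported, not resolved the way Samba does, and EXCEPT clauses and hostname patterns are not supported.

```python
#!/usr/bin/env python3
"""Model two smb.conf [global] checks from the thread. Added example, not Samba code."""
import ipaddress

# Flag bits as defined in linux/if.h
IFF_BROADCAST = 0x2
IFF_LOOPBACK = 0x8

# Constructed from the question's ifconfig output: tun0 is POINTOPOINT with no
# BROADCAST flag, venet0 advertises BROADCAST, lo is LOOPBACK.
HOST_IFACE_FLAGS = {
    "lo": 0x49,       # UP|LOOPBACK|RUNNING
    "tun0": 0x10d1,   # UP|POINTOPOINT|RUNNING|NOARP|MULTICAST
    "venet0": 0xd3,   # UP|BROADCAST|POINTOPOINT|RUNNING|NOARP
}


def read_sys_flags(name):
    """Read the kernel flag word of a live interface (not used by the sample run)."""
    with open(f"/sys/class/net/{name}/flags") as fh:
        return int(fh.read().strip(), 16)


def classify_interfaces(value, flags=HOST_IFACE_FLAGS):
    """Sort the tokens of an `interfaces =` value.

    'added'   : interface names smbd would accept (broadcast or loopback)
    'skipped' : the log-level-3 message smbd emits for non-broadcast names
    'address_tokens': IP or IP/prefix entries, left for Samba to resolve
    """
    result = {"added": [], "skipped": [], "address_tokens": []}
    for token in value.split():
        if token in flags:
            if flags[token] & (IFF_BROADCAST | IFF_LOOPBACK):
                result["added"].append(token)
            else:
                result["skipped"].append(f"not adding non-broadcast interface {token}")
        else:
            result["address_tokens"].append(token)
    return result


def _matches(pattern, client):
    """One hosts allow/deny entry: ALL, a single address, or address/prefix|mask."""
    if pattern.upper() == "ALL":
        return True
    try:
        if "/" in pattern:
            # strict=False accepts host addresses such as 192.168.0.1/24
            return client in ipaddress.ip_network(pattern, strict=False)
        return client == ipaddress.ip_address(pattern)
    except ValueError:
        return False


def allow_access(client_ip, hosts_allow="", hosts_deny=""):
    """Decide access as smb.conf documents hosts allow / hosts deny."""
    client = ipaddress.ip_address(client_ip)
    allow = hosts_allow.replace(",", " ").split()
    deny = hosts_deny.replace(",", " ").split()
    in_allow = any(_matches(p, client) for p in allow)
    in_deny = any(_matches(p, client) for p in deny)
    if client == ipaddress.ip_address("127.0.0.1"):
        return in_allow or not in_deny   # loopback: allowed unless explicitly denied
    if not allow and not deny:
        return True                      # no lists: everyone may connect
    if not deny:
        return in_allow                  # allow list only: listed hosts only
    if not allow:
        return not in_deny               # deny list only: everyone else
    if in_allow:
        return True                      # both lists: allow wins on conflict
    return not in_deny


if __name__ == "__main__":
    print(classify_interfaces("tun0"))                 # the question's setting
    print(classify_interfaces("192.168.0.0/24 tun0"))  # the later attempt
    # Answer 2's lists: a VPN client is admitted, a client-LAN address is not
    print(allow_access("192.168.0.6", "127.0.0.1 192.168.0.1/24", "ALL"))
    print(allow_access("172.16.0.5", "127.0.0.1 192.168.0.1/24", "ALL"))
```

Running `classify_interfaces("tun0")` against the constructed flags yields an empty `added` list and the same "not adding non-broadcast interface tun0" text that Answer 1 says to look for in log.smbd at log level 3, which is the quickest way to tell this failure apart from a firewall problem.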