CIFS/SMB access from Internet

[swmspam]

Off Topic:

I've been working to access CIFS/SMB shares from the internet. My network has about 5 remote users, located thousands of miles apart. The remote users have Windows XP, some may have Vista. The share process needs to be easy for the users.

The access needs to be "interactive", such as opening a file directly from the shared drive. FTP (or SFTP or SCP) requires you to download the file locally, do the edits, and then upload the changes to the server. FTP doesn't open the file interactively from the server.

I tried PPTP VPN, but it tunnels everything from the remote user. All that needs to be tunneled is the share.

My first attempt was to tunnel SMB through SSH. This required the Windows XP user to disable all other shares. This doesn't work, because the remote users also have their local shares, too. I also found a way to create a dummy network adapter in windows that allows for both a tunneled share and local shares, but the setup and implementation gets complicated. In addition, it's rather unreliable and takes an expert to keep it working.

I am currently using Hamachi, but it works best if the server operating system is also Windows. I prefer the server to be a headless JEOS box, preferably with a secure operating system such as BSD.

So, is there a secure way to access a Linux/BSD share over the internet with a Windows XP remote user, without (1) tunneling everything else, and (2) giving up the user's local shares?

[sky-knight]

Well the PPTP failed because you forgot the magic checkbox...

Hit the properties of the pptp connection in XP. Then hit the properties of the TCP/IP protocol in said connection. Then click the advanced button. See that "use default gateway on remote network" box? Kill it!

Poof only stuff destined for the remote subnet gets tunneled.

Alternatively you can use UT and setup OpenVPN. Then you can export only the hosts you want, firewall the rest to control access, and access to the remotes is handled in exactly the same way.

Oh, just in case you go the OpenVPN route, watch your samba configuration. The remotes will be coming from a different subnet.

[swmspam]

Thanks for the "magic" advice!

Will stick with PPTP for now, I think it will work great. Is compression possible using PPTP? I dug through some of the windows menus, and didn't see it.

[sky-knight]

Compression/Encryption are technically the same process.. one is just more easily reversed than the other. So I believe by their nature most VPN technologies are compressed.

Also I really wish Microsoft wouldn't turn that checkbox on by default. It is really lame having to clear it on every single pptp client configuration I make.

[swmspam]

I found that Hamachi for Linux does not have a GUI, so I made a quick Debian box for testing using Samba and Hamachi. I put the Debian box behind the m0n0wall and enabled PPTP on the m0n0wall. Hamachi takes care of itself, and tunnels out just fine.

Using one of my remote Windows XP users, they attached to the network using PPTP and performed some file transfers to the Debian box using FC-Test (useful benchmarking program). They then disabled the PPTP and logged onto Hamachi and performed the same benchmark a second time. There was no discernible speed difference between PPTP and Hamachi tunnels for the bi-directional file transfers. So there's no performance advantages either way.

My network already has a FreeNAS box, so PPTP->m0n0wall->FreeNAS seemed like the best solution. That was, until PPTP got all borked on the remote XP machine and required maintenance to keep the connection stable. Evidentially, the Windows XP has a hard time maintaining a PPTP psudo-permanently.

So I'm back to the Debian box running Samba and Hamachi, just for this purpose. That means the network will have yet another box to maintain. The best would be if FreeNAS had a tunneling tool. (It's possible to tunnel SMB directly to FreeNAS through SSH, but it's really tricky, especially for an XP user.) Hamachi is really cool, because it uses an outside "mediation" server, so it will attempt to stay connected all the time, and you don't have to poke holes in your firewall!

Now here's the question of the day: do you know of a good tool the remote user can see how much hard drive space remains on the server? I have installed phpsysinfo for now. The remote XP users don't like it, it's too complicated. I could write my own php script, but that's just more custom work on an already custom solution.

[Silver Bullet]

Now here's the question of the day: do you know of a good tool the remote user can see how much hard drive space remains on the server? I have installed phpsysinfo for now. The remote XP users don't like it, it's too complicated. I could write my own php script, but that's just more custom work on an already custom solution.

If you talking about the Untangle server then have a look here.
http://forums.untangle.com/showthread.php?t=3343

If you are talking about on one of the other servers then, which one?

[igpf]

I need some assistance please. I'm still a noob.
Overview: Trying to view windows network shares over VPN

Status:
*- I'm able to connect VPN, no problems. Setup a bypass rule to allow traffice.
*- Once connected, i'm able to RemoteDesktop others pc's by ip address.
*- Not able to ping machines, or resolve names.

vpn defaults where 172.16.16.x and local are 192.168.0.x

any ideas? please help.

[sky-knight]

Name resolution won't happen unless you have a DNS server to do so, broadcasts don't traverse the router. As for the lack of icmp traffic or anything else directed by IP? You need a packet filter rule to pass ICMP on the VPN interface and either more packet filter rules to pass what specific traffic, or a series of firewall rules to do the same.