DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Access ports via dial-in VPN (Vigor 2862)

19 Mar 2020 10:28 #1 by jezaustin
Hi guys,
I've been trying to provide my colleagues with remote access to the office LAN through the Vigor router. I guess I'm naive when it comes to VPN, cos I expected my dial-in presence to be identical to physically being on the LAN. However, it seems only some ports are available through the tunnel: eg. I can access the default (port 80) web service on our main server, but not any of the other web services (eg. port 10080). Also, I can't access shared folders: I can get a list of the shares in the file explorer or from the command line, but I can't actually get on to any of them.

I need these things to work, can any of you point me in the right direction?

Dunno if it matters, but the router is not set up to provide DHCP or DNS, these are provided independently on the LAN.

thanks, Jez.


19 Mar 2020 16:45 #2 by hornbyp

jezaustin wrote:
I guess I'm naive when it comes to VPN, cos I expected my dial-in presence to be identical to physically being on the LAN.


A reasonable expectation, but one that often isn't realised :cry: mainly because there is a Router involved ... i.e. you aren't really on the LAN - even if you have the same IP address.
Some services, mainly those that use broadcasts to track things down (I'm thinking I.O.T. devices, Sky Q boxes etc) don't work (and would need some sort of Proxy/gateway adding). You can set the "Pass" option for 'Netbios Naming Packet' and 'Multicast via VPN' and see if it helps at all.

and he wrote:
...but not any of the other web services (eg. port 10080).


Can you detail the nature of the failure? What happens if you 'telnet' to the port - does it connect?

then he wrote:
Also, I can't access shared folders: I can get a list of the shares in the file explorer or from the command line, but I can't actually get on to any of them.


Nbtstat is the tool for diagnosing NetBIOS over TCP/IP issues, but I suspect the error is up a level from here - possibly a mismatch of credentials, between client and server.

Are the VPN clients using Active Directory?

If not, the client (assuming Windows) will send the local 'username/password' combination that they logged on with - which almost certainly will be rejected by the server (have a look in 'eventvwr' ).

If this is the case, you could add all the remote users as local ones, with matching passwords (ugh!), or presumably they all have credentials on the server that they can supply?

I thought Windows Explorer would prompt, but you could try using the "Net Use" command line option:-
Code:
net use \\ServerName\IPC$ /user:UserName PassW0rd
(Substituting ServerName, UserName and PassW0rd as appropriate). If you omit the password, it will prompt for it.

[The connection to the hidden share IPC$ normally happens transparently, when the first network resource on the server is accessed]

What error do you get trying to access the shares from a CMD prompt? (i.e. C:\> dir \\server\share). "Error 5 Access is denied" would be quite common, in this scenario...


20 Mar 2020 11:28 #3 by jezaustin
Thank you for replying! This has pointed me in a useful direction I think.

hornbyp wrote:
Some services, mainly those that use broadcasts to track things down (I'm thinking I.O.T. devices, Sky Q boxes etc) don't work (and would need some sort of Proxy/gateway adding). You can set the "Pass" option for 'Netbios Naming Packet' and 'Multicast via VPN' and see if it helps at all.



That's interesting about broadcasts. Are broadcasts involved in cifs file-sharing?
I had the first option set but not the second, I'm trying that now.

hornbyp wrote:
Can you detail the nature of the failure? What happens if you 'telnet' to the port - does it connect?



Telnet does connect, but I don't get successful responses. One of them (gogs in a container) returns a 400 Bad RequestConnection, and another (wekan in another container) just times out. This is actually the same both on the LAN and from a remote dial-up.
The difference is, that `curl` works (ie returns an HTML payload) in the LAN but not for remote users.

hornbyp wrote:
Are the VPN clients using Active Directory?


no, running an AD on the lan is a short-term aspiration (but not immediate-term).

hornbyp wrote:
If not, the client (assuming Windows) will send the local 'username/password' combination that they logged on with - which almost certainly will be rejected by the server (have a look in 'eventvwr' ).



OK. I'm running a samba server on a linux box, I'll see what happens if I add the VPN users with `smbpasswd`.

hornbyp wrote:
I thought Windows Explorer would prompt, but you could try using the "Net Use" command line option:-
Code:
net use \\ServerName\IPC$ /user:UserName PassW0rd
(Substituting ServerName, UserName and PassW0rd as appropriate). If you omit the password, it will prompt for it.

[The connection to the hidden share IPC$ normally happens transparently, when the first network resource on the server is accessed]



This looks like a really useful trick to force windows to take credentials after it's given up asking for them (so frustrating!).

hornbyp wrote:
What error do you get trying to access the shares from a CMD prompt? (i.e. C:\> dir \\server\share). "Error 5 Access is denied" would be quite common, in this scenario...



I don't get that error, I can `net view \\ServerName` and list the shares, but `dir \\server\share` just hangs for over a minute, then finally returns 'File Not Found'.
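
The thread separates "the port accepts a telnet connection" from "the service answers `curl`"; the following is an added example, not part of any poster's message, that sends a well-formed HTTP GET and reports how far it got, so the same probe can be run from a LAN host and from a dial-in VPN client and the results compared. `probe_http` and `demo_listener` are hypothetical names, and the demo listeners are constructed stand-ins on 127.0.0.1, not the services from the thread.

```python
import socket, threading, time

def probe_http(host, port, path="/", timeout=5.0):
    """Report the last stage a plain HTTP GET reached: (stage, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                      # refused, unreachable, timed out
        return ("connect_failed", str(exc))
    with sock:                                  # reaching here is all 'telnet' proves
        req = (f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\n"
               "Accept: */*\r\nConnection: close\r\n\r\n")
        data = b""
        try:
            sock.sendall(req.encode("ascii"))
            while chunk := sock.recv(4096):     # read until the peer closes
                data += chunk
        except socket.timeout:
            if not data:
                return ("no_response", "connected and sent, nothing came back")
            return ("stalled", f"{len(data)} bytes, then silence")
        except OSError as exc:
            return ("reset", str(exc))
    if not data:
        return ("closed_without_reply", "peer closed the connection")
    return ("response", data.split(b"\r\n", 1)[0].decode("latin-1"))

def demo_listener(reply):
    """Constructed stand-in for a LAN service on 127.0.0.1: accepts one
    client, reads its request, sends `reply` (None = stay silent)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        if reply is None:
            time.sleep(3)                       # hold the socket open, say nothing
        else:
            conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    ok = demo_listener(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok")
    print(probe_http("127.0.0.1", ok, timeout=2))
    print(probe_http("127.0.0.1", demo_listener(None), timeout=1))
```

A `response` stage on the LAN against `no_response` or `stalled` over the VPN for the same host and port places the fault on the path after the TCP handshake rather than in the service itself.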
