Hi Bo,

On 11/02/22 13:29, Bo Berglund wrote:
On Fri, 11 Feb 2022 08:03:05 +0100, Gert Doering <g...@greenie.muc.de> wrote:

Hi,

On Fri, Feb 11, 2022 at 01:02:18AM +0100, Bo Berglund wrote:
sudo mount 192.168.119.216:/home/bosse/www/VIDEO /mnt/video
mount.nfs: access denied by server while mounting
192.168.119.216:/home/bosse/www/video
"access denied" means "they have connectivity, but the server config
is disallowing access" -> /etc/exports on the server

My server side /etc/exports file looks like this:

/nfs/pi_share  192.168.119.0/24(rw,sync,no_subtree_check)
#Let the IP mask cover 1024 addresses rather than 256:
/home/bosse/www/VIDEO 192.168.116.0/22(rw,sync,no_subtree_check)

And here is what is shown as shared:

$ showmount -e
Export list for ubuntuserv:
/home/bosse/www/VIDEO 192.168.116.0/22
/nfs/pi_share         192.168.119.0/24

The video share was defined like this before I widened it to 1024 addresses to
cover both the 119 and 117 networks (on a single line, the newsreader wraps):
/home/bosse/www/VIDEO -rw,sync,no_subtree_check  192.168.119.0/24
192.168.117.251

Here I just added a specific client IP for the remote device

But it also did not work...

For devices on the 119 LAN there are no problems to connect to the share on the
OVPN server, it is just a problem for devices on the 117 LAN via the OpenVPN
client connection. Always the "access denied" message.

So the share itself must be OK, hence my questioning the OpenVPN functionality.
Clients on the 117 LAN connect through the VPN tunnel and I assume exit from the
server on to the 119 LAN, but with which IP address???

Are they exiting on to the 119 LAN with a tunnel address so that is why it won't
work?
Do I need to add the VPN tunnel addresses as allowed clients too?

EXPERIMENT
----------
I installed the nfs server on a RaspberryPi on the 119 LAN and used the same
kind of exports entry:

/mnt/nfs 192.168.116.0/22(rw,sync,no_subtree_check)

After the setup was done:
$ showmount -e
Export list for rpi4-dev:
/mnt/nfs 192.168.116.0/22

Then on the *remote* device which is unable to connect to the nfs share on the
OVPN server I did this:

sudo mount 192.168.119.164:/mnt/nfs /mnt/nas
cd /mnt/nas/
touch kalle
ls -l
-rw-rw-r-- 1 bosse bosse 0 Feb 11 13:07 kalle

So this connect succeeds!

Definitely an OpenVPN server problem here, why cannot remote clients mount the
nfs share on the OVPN server itself when they can connect to other nfs servers
on the home LAN using the exact same export directive?


Accessing stuff on the OpenVPN server via the VPN itself is tricky: keep in mind that OpenVPN needs to add a route *bypassing* the VPN from the client to the VPN server. If OpenVPN did not do that, then the OpenVPN traffic itself, intended for the OpenVPN server process, might get sent out via the VPN interface, causing a "biting your own tail" problem.

If you need to be able to access other services on the OpenVPN server then you will need to set up source routing or policy routing (not sure if Windows supports this) to ensure that

  UDP traffic over port 1194 from client to VPN server -> send out over the pre-VPN gateway/LAN
  all other traffic from client to VPN server -> send out over the VPN tunnel interface

HTH,

JJK



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
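
An added example, not part of the original thread: a short Python check of which client source addresses the two `/etc/exports` lines quoted above admit, which is the question behind "with which IP address???". The tunnel address `10.8.0.6` and the LAN client `192.168.119.50` are assumed placeholders (the thread gives neither), and only IP/CIDR client specs are handled.

```python
import ipaddress

# The export lines quoted in the thread, embedded as sample input.
EXPORTS = """\
/nfs/pi_share  192.168.119.0/24(rw,sync,no_subtree_check)
#Let the IP mask cover 1024 addresses rather than 256:
/home/bosse/www/VIDEO 192.168.116.0/22(rw,sync,no_subtree_check)
"""


def parse_exports(text):
    """Return {path: [(network, [options]), ...]} for IP/CIDR client specs."""
    exports = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            spec, _, opts = client.partition("(")
            try:
                net = ipaddress.ip_network(spec, strict=False)
            except ValueError:
                continue  # hostname, wildcard or netgroup: out of scope here
            options = [o for o in opts.rstrip(")").split(",") if o]
            exports.setdefault(path, []).append((net, options))
    return exports


def allowed(exports, path, source_ip):
    """True if source_ip falls inside any network listed for path."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net, _ in exports.get(path, []))


def report(exports, candidates):
    """Map each (path, source address) pair to the access decision."""
    return {(p, ip): allowed(exports, p, ip) for p in exports for ip in candidates}


if __name__ == "__main__":
    # 192.168.117.251 is the remote client named in the thread;
    # 192.168.119.50 and 10.8.0.6 are assumed (LAN client, tunnel address).
    sources = ["192.168.119.50", "192.168.117.251", "10.8.0.6"]
    for (path, ip), ok in report(parse_exports(EXPORTS), sources).items():
        print(f"{path:24} {ip:16} {'allowed' if ok else 'denied'}")
```

The address to test is the one the NFS server actually sees as the packet source, which can be read from a packet capture on the server while the mount is attempted.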
