Just for laughs, I recently created a point-to-point VPN (a.k.a. gateway-to-gateway VPN) between my home and the office. At the office, the VPN endpoint is a LinkSys RV042, which, as far as I can tell, runs Freeswan VPN software. At home, the VPN endpoint is a LinkSys WRT54GL, which I hacked to run the OpenWrt Linux distribution and OpenSwan VPN software. A future post will detail exactly how I did this, but the purpose of this post is to discuss how I got my Windows file shares to work across the VPN.
When I first set up the VPN, I joined my home Windows XP Pro computer to the Active Directory domain at the office. That made it easy to share files back and forth. However, I didn’t like that other domain admins could have full access to my home computer. Therefore, I unjoined my home computer and reverted it to workgroup mode.
After reverting to workgroup mode, I could still access shares on office computers. Upon accessing a share on my office computer, I would be prompted to enter a username and password. In this case, I entered my domain username and password. I can’t remember if I put in the short username (e.g. myusername) or the fully qualified username (e.g. mydomainname\myusername) but the point is that it worked.
On the other hand, I couldn’t access any home shares from the office. Upon attempting access, I would either get an “access denied” error or a “credentials supplied conflict with an existing set of credentials” error.
The problem is that when you access a workgroup share from a domain computer, Windows assumes you want to log in with your domain username and password, and it doesn’t prompt you to enter your workgroup username and password. Since my domain username and password are different from my workgroup username and password, I couldn’t be authenticated and access was denied.
The solution was to set up a username and password on my home computer that was identical to my domain username and password. This solution works fine but the only problem is that the new user appears on the Windows XP Welcome Screen. Thankfully, there is a way to hide users from the Welcome Screen:
- Open the Registry Editor (i.e. run regedit).
- Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- Create a DWORD value where the name is the username of the user you want to hide from the Welcome Screen. For example, “myusername”.
- Set the value of the new registry entry to 0 (it should default to this value automatically).
- Close the Registry Editor.
- You might have to reboot but I didn’t have to.
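The registry steps above as a script, together with an audit that lists which accounts are currently hidden this way. This is an added example, not part of the original post; the function names are hypothetical, and it assumes an elevated Windows PowerShell prompt where `Get-WmiObject` is available.

```powershell
# Added example: scripted form of the UserList steps, plus an audit of hidden accounts.
$UserListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'

function Hide-WelcomeScreenUser {
    # Creates a DWORD named after the account with value 0, as in the steps above.
    param([Parameter(Mandatory = $true)][string]$UserName)
    if (-not (Test-Path -Path $UserListKey)) {
        # The SpecialAccounts\UserList key may not exist yet; create it first.
        New-Item -Path $UserListKey -Force | Out-Null
    }
    New-ItemProperty -Path $UserListKey -Name $UserName `
        -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-WelcomeScreenHiddenUser {
    # Lists every value under UserList that is set to 0 and reports whether a
    # local account with that name exists and whether it is disabled.
    if (-not (Test-Path -Path $UserListKey)) { return }
    $localAccounts = @(Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True")
    $key = Get-Item -Path $UserListKey
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }                 # skip the unnamed default value
        if ($key.GetValue($name) -ne 0) { continue }   # only 0 hides the account
        $match = $localAccounts | Where-Object { $_.Name -eq $name }
        $disabled = $null
        if ($match) { $disabled = $match.Disabled }
        New-Object PSObject -Property @{
            UserName           = $name
            LocalAccountExists = [bool]$match
            Disabled           = $disabled
        }
    }
}

# Usage (uncomment to run; 'myusername' is the example name from the post):
# Hide-WelcomeScreenUser -UserName 'myusername'
# Get-WelcomeScreenHiddenUser | Format-Table UserName, LocalAccountExists, Disabled
```

Running the audit periodically shows every account that is active but absent from the Welcome Screen, which is worth reviewing because such accounts are easy to forget.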
You might be wondering how I accessed computers at the remote end of the VPN using Windows Explorer. Well, there are a few options. One way is to enable NetBIOS over TCP. If you do that, you should be able to automatically see the computer names in “My Network Places”. I didn’t use that method but if you want to try it, see “Can I use Network Neighborhood (Samba, NetBIOS) over IPsec?” in the Openswan FAQ.
Another method is to register computers at both ends of the VPN with a DNS server at the office. If you do that, you should be able to enter “\\somecomputer” into Windows Explorer’s location bar to see a list of shares on a remote computer. I tried that and it worked great. In my case, I found dnsmasq’s “split DNS” feature to be particularly useful. For now, I’ll leave it as an exercise to the reader to find out more about this feature but for a hint, read about the “server” setting for the file “dnsmasq.conf” in the dnsmasq manpage.
Finally, you can also access the remote computers by IP address. In this case, enter “\\someaddress” (e.g. \\192.168.1.10) into Windows Explorer’s location bar.




I recently set up VPN between two offices using identical Linksys RVS4000 routers. I am able to ping computers on either end. One office is X.X.8.1 and the other is X.X.9.1. I am able to run client software at remote office accessing server at main office (Remote Desktop is unexplainably faster but not practical). My problem is that I can’t figure out how to add printers (not network printers) from remote office, and I can’t see remote computers on either group’s network neighborhood. I have both offices set up as same Workgroup. Any advice would be appreciated.
Two suggestions (I’m not sure if they’ll work but give them a try):
1) If the RVS4000 has an “enable netbios broadcast” setting in the VPN settings, try enabling it. The RV042 has such a setting but I’m not sure about the RVS4000.
2) If that doesn’t work, try creating an “lmhosts” file on each computer. You should find a sample, with comments, at C:\windows\system32\drivers\etc\lmhosts.sam
Hope that helps.
After browsing last night I looked into NetBios but not on router. I had it turned on on several computers (in advanced TCP/IP properties) at both offices this morning and haven’t checked it out yet. I will look into LMHOSTS but I have no idea what it is, although that kept popping up during my search.
Thanks for the help, I will let you know what worked.
Aside from Remote Desktop, which can be a little tricky to get working between local networks across the internet, the answer has always been a VPN, or virtual private network. In fact, VPNs are the solution of choice for most large corporations whose employees need access to the corporate network from remote locations. VPNs are secure, allow for various types of authentication, and when they work … well, it’s just like being there.