Just for laughs, I recently created a point-to-point VPN (a.k.a. gateway-to-gateway VPN) between my home and the office. At the office, the VPN endpoint is a LinkSys RV042, which, as far as I can tell, runs the FreeS/WAN VPN software. At home, the VPN endpoint is a LinkSys WRT54GL, which I hacked to run the OpenWrt Linux distribution and the Openswan VPN software. A future post will detail exactly how I did this, but the purpose of this post is to discuss how I got my Windows file shares to work across the VPN.
When I first set up the VPN, I initially joined my home Windows XP Pro computer to the Active Directory domain at the office. That made it easy to share files back and forth. However, I didn’t like that other domain admins could have full access to my home computer. Therefore, I unjoined my home computer and reverted it back to workgroup mode.
After reverting back to workgroup mode, I could still access shares on office computers. Upon accessing a share on my office computer, I would be prompted to enter a username and password. In this case, I entered my domain username and password. I can’t remember if I put in the short username (e.g. myusername) or the fully qualified username (e.g. mydomainname\myusername), but the point is that it worked.
On the other hand, I couldn’t access any home shares from the office. Upon attempting access, I would either get an “access denied” error or a “credentials supplied conflict with an existing set of credentials” error.
The problem is that when you access a workgroup share from a domain computer, Windows assumes you want to log in with your domain username and password, and it doesn’t prompt you to enter your workgroup username and password. Since my domain username and password were different from my workgroup username and password, the workgroup computer couldn’t authenticate me and access was denied.
The solution was to set up a username and password on my home computer that was identical to my domain username and password. This solution works fine but the only problem is that the new user appears on the Windows XP Welcome Screen. Thankfully, there is a way to hide users from the Welcome Screen:
- Open the Registry Editor (i.e. run regedit).
- Navigate to the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
- Create a DWORD value where the name is the username of the user you want to hide from the Welcome Screen. For example, “myusername”.
- Set the value of the new registry entry to 0 (it should default to this value automatically).
- Close the Registry Editor.
- You might have to reboot but I didn’t have to.
You might be wondering how I accessed computers at the remote end of the VPN using Windows Explorer. Well, there are a few options. One way is to enable NetBIOS over TCP/IP. If you do that, you should be able to automatically see the computer names in “My Network Places”. I didn’t use that method, but if you want to try it, see “Can I use Network Neighborhood (Samba, NetBIOS) over IPsec?” in the Openswan FAQ.
Another method is to register computers at both ends of the VPN with a DNS server at the office. If you do that, you should be able to enter “\\somecomputer” into Windows Explorer’s location bar to see a list of shares on a remote computer. I tried that and it worked great. In my case, I found dnsmasq’s “split DNS” feature to be particularly useful. For now, I’ll leave it as an exercise to the reader to find out more about this feature but for a hint, read about the “server” setting for the file “dnsmasq.conf” in the dnsmasq manpage.
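As an added illustration of the split DNS idea (this is an example written for this post, not the author’s actual configuration), here is a dnsmasq.conf for the home router that forwards only the office domain and the office subnet’s reverse zone to the office DNS server over the tunnel; the domain names and addresses are assumed:

```conf
# dnsmasq.conf on the home WRT54GL (constructed example; office.example,
# home.lan and 192.168.2.0/24 are assumed values, not from the original post)

# Forward lookups for the office Active Directory domain to the office
# DNS server, which is reachable only through the IPsec tunnel. A name
# like officepc.office.example resolves to an office address; all other
# names still go to the normal upstream resolvers.
server=/office.example/192.168.2.10

# Reverse lookups for the office subnet also go through the tunnel, so
# "nslookup 192.168.2.x" returns the office computer's name.
server=/2.168.192.in-addr.arpa/192.168.2.10

# Names in the home domain are answered locally from /etc/hosts and DHCP
# leases and are never forwarded upstream.
local=/home.lan/
domain=home.lan
expand-hosts
```

Home computers that use the router as their DNS server then resolve office names through the tunnel without the office DNS server being exposed to anything else.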
Finally, you can also access the remote computers by IP address. In this case, enter “\\someaddress” (e.g. \\192.168.1.10) into Windows Explorer’s location bar.