Had a lot of difficulties binding my Samba server to OpenVPN's TUN0 with the settings "interfaces = 10.0.0.0/24 tun0" and "bind interfaces only = yes".
It refused to work: no one could connect on any interface.
So, I removed "interfaces" and "bind interfaces only" from smb.conf and I used my firewall to block Windows share ports (135, 137, 138, 139, 445) on eth0. However, when I got Fail2Ban going, I discarded some of the old firewall rules. Not a problem.
Until...
In my new dual router home config, I accidentally left my server in a DMZ (DeMilitarized Zone: open access). Lots of attempts on my Samba server, trying to access my Windows shares. So far I haven't found any successful attempts, but must do more auditing.
This is unacceptable, so I found another configuration parameter that helps solve the issue without having to have iptables firewall rules:
In smb.conf, add these lines:
Solved it for me. Whew.
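
A way to confirm the result whichever smb.conf parameter is used, as an added example that is not part of the original post: check which addresses the Windows share ports are actually listening on, and flag any listener outside the VPN subnet. The script parses `ss -H -tuln` output; the sample lines, the function names and the 192.168.1.10 LAN address are constructed for illustration, while the port list and 10.0.0.0/24 come from the post.

```python
import ipaddress
import sys

SMB_PORTS = {135, 137, 138, 139, 445}           # ports named in the post
VPN_NET = ipaddress.ip_network("10.0.0.0/24")   # VPN subnet from the post

# Constructed sample of `ss -H -tuln` output, not taken from a real host.
SAMPLE = """\
udp UNCONN 0 0   0.0.0.0:137       0.0.0.0:*
udp UNCONN 0 0   10.0.0.1:138      0.0.0.0:*
tcp LISTEN 0 50  10.0.0.1%tun0:445 0.0.0.0:*
tcp LISTEN 0 50  192.168.1.10:139  0.0.0.0:*
tcp LISTEN 0 50  [::]:445          [::]:*
tcp LISTEN 0 128 0.0.0.0:22        0.0.0.0:*
tcp LISTEN 0 50  127.0.0.1:139     0.0.0.0:*
"""

def split_local(field):
    """Split ss's 'addr:port' column; handles [v6], '*' and '%iface' suffixes."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]").split("%", 1)[0], port

def exposed_listeners(ss_output, allowed=VPN_NET):
    """Return (proto, addr, port) for share ports bound outside `allowed`."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5:
            continue
        addr, port = split_local(cols[4])
        if not port.isdigit() or int(port) not in SMB_PORTS:
            continue
        if addr != "*":   # '*' is a wildcard bind: always exposed
            ip = ipaddress.ip_address(addr)
            if ip.is_loopback or ip in allowed:
                continue  # loopback or VPN-only listener is the goal
        findings.append((cols[0], addr, int(port)))
    return findings

if __name__ == "__main__":
    # Use piped-in ss output when present, otherwise the constructed sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for proto, addr, port in exposed_listeners(data):
        print(f"EXPOSED {proto} {addr}:{port}")
```

On the server, pipe real output into it with `ss -H -tuln | python3 check_smb_bind.py` (the file name is arbitrary); no output means every share-port listener is on loopback or inside 10.0.0.0/24.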