Netgate Discussion Forum
    Email Server behind openVPN site-site

    OpenVPN
    dman

      Dear All,

      I have set up an OpenVPN site-to-site tunnel for my email server, and I can access the email server (10.0.10.1) from the Site Client side (10.0.9.10).
      How can I access the email server from the Internet through Site Client, where I have already set up a NAT port forward to 10.0.10.1?
      The Site Host's log shows some successful connections from the WAN of Site Client, but the response times out. I think the problem is the routing; how can I solve this?

      Site Host
      ------------------
      Local Network 10.0.10.0/24
      Tunnel Network 10.0.8.0/24
      Remote Network 10.0.9.0/24
      Gateway 10.0.10.254

      Email server 10.0.10.1

      Site Client
      ------------------
      Local Network 10.0.9.0/24
      Tunnel Network 10.0.8.0/24
      Remote Network 10.0.10.0/24
      Gateway 10.0.9.254

      PC 10.0.9.10

      Regards

      dman

        Server              VPN Tunnel              Client
        10.0.8.1 ======================== 10.0.8.2

                     <-- SMTP SYN (Client NAT)
        SMTP SYN,ACK -->
                                                  Can't receive ACK

        Captured at 10.0.8.1

        02:52:58.347799 AF IPv4 (2), length 56: (tos 0x0, ttl 114, id 18806, offset 0, flags [DF], proto TCP (6), length 52)
            79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xa783 (correct), seq 4162653417, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
        02:52:58.348479 AF IPv4 (2), length 56: (tos 0x0, ttl 127, id 23924, offset 0, flags [DF], proto TCP (6), length 52)
            10.10.10.10.25 > 79.148.243.166.24460: Flags [S.], cksum 0x2098 (correct), seq 4036662737, ack 4162653418, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
        02:53:01.357898 AF IPv4 (2), length 56: (tos 0x0, ttl 114, id 20244, offset 0, flags [DF], proto TCP (6), length 52)
            79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xa783 (correct), seq 4162653417, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
        02:53:07.357775 AF IPv4 (2), length 52: (tos 0x0, ttl 114, id 20314, offset 0, flags [DF], proto TCP (6), length 48)
            79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xbb92 (correct), seq 4162653417, win 8192, options [mss 1350,nop,nop,sackOK], length 0
        02:53:07.364826 AF IPv4 (2), length 52: (tos 0x0, ttl 127, id 23926, offset 0, flags [DF], proto TCP (6), length 48)
            10.10.10.10.25 > 79.148.243.166.24460: Flags [S.], cksum 0x54a7 (correct), seq 4036662737, ack 4162653418, win 65535, options [mss 1460,nop,nop,sackOK], length 0
        02:53:19.364856 AF IPv4 (2), length 44: (tos 0x0, ttl 127, id 23927, offset 0, flags [DF], proto TCP (6), length 40)
            10.10.10.10.25 > 79.148.243.166.24460: Flags [R], cksum 0x8177 (correct), seq 4036662738, win 0, length 0

        cmb
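        The capture above shows the classic half-open signature: the server's SYN-ACK leaves the capture point, the client never answers it, re-sends its SYN, and the server finally resets the embryonic connection. The following is an added example, not code from the thread or from pfSense, that parses two-line `tcpdump -vv` records like the ones posted and classifies each connection attempt, so that the pattern can be spotted across a large capture instead of by eye. The embedded input is constructed: it is the posted capture with the `[S]` flag restored where the forum stripped it, plus a second, invented flow that completes its handshake for contrast.

```python
import re
from dataclasses import dataclass

# Constructed input: the tcpdump records from the post above (two lines per packet,
# as "tcpdump -vv" prints them), with the [S] flag the forum stripped restored.
HALF_OPEN_CAPTURE = """\
02:52:58.347799 AF IPv4 (2), length 56: (tos 0x0, ttl 114, id 18806, offset 0, flags [DF], proto TCP (6), length 52)
    79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xa783 (correct), seq 4162653417, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
02:52:58.348479 AF IPv4 (2), length 56: (tos 0x0, ttl 127, id 23924, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.10.25 > 79.148.243.166.24460: Flags [S.], cksum 0x2098 (correct), seq 4036662737, ack 4162653418, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:53:01.357898 AF IPv4 (2), length 56: (tos 0x0, ttl 114, id 20244, offset 0, flags [DF], proto TCP (6), length 52)
    79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xa783 (correct), seq 4162653417, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
02:53:07.357775 AF IPv4 (2), length 52: (tos 0x0, ttl 114, id 20314, offset 0, flags [DF], proto TCP (6), length 48)
    79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xbb92 (correct), seq 4162653417, win 8192, options [mss 1350,nop,nop,sackOK], length 0
02:53:07.364826 AF IPv4 (2), length 52: (tos 0x0, ttl 127, id 23926, offset 0, flags [DF], proto TCP (6), length 48)
    10.10.10.10.25 > 79.148.243.166.24460: Flags [S.], cksum 0x54a7 (correct), seq 4036662737, ack 4162653418, win 65535, options [mss 1460,nop,nop,sackOK], length 0
02:53:19.364856 AF IPv4 (2), length 44: (tos 0x0, ttl 127, id 23927, offset 0, flags [DF], proto TCP (6), length 40)
    10.10.10.10.25 > 79.148.243.166.24460: Flags [R], cksum 0x8177 (correct), seq 4036662738, win 0, length 0
"""

# Constructed contrast case (invented): the same client completing a handshake normally.
GOOD_CAPTURE = """\
03:00:00.000000 AF IPv4 (2), length 56: (tos 0x0, ttl 114, id 1, offset 0, flags [DF], proto TCP (6), length 52)
    79.148.243.166.24461 > 10.10.10.10.25: Flags [S], cksum 0x0000 (correct), seq 1, win 8192, length 0
03:00:00.001000 AF IPv4 (2), length 56: (tos 0x0, ttl 127, id 2, offset 0, flags [DF], proto TCP (6), length 52)
    10.10.10.10.25 > 79.148.243.166.24461: Flags [S.], cksum 0x0000 (correct), seq 100, ack 2, win 8192, length 0
03:00:00.050000 AF IPv4 (2), length 44: (tos 0x0, ttl 114, id 3, offset 0, flags [DF], proto TCP (6), length 40)
    79.148.243.166.24461 > 10.10.10.10.25: Flags [.], cksum 0x0000 (correct), ack 101, win 64, length 0
"""

HEADER_RE = re.compile(r'^\s*(\d{2}:\d{2}:\d{2}\.\d+)\b')            # first line of a record
PACKET_RE = re.compile(r'^\s*(\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]')  # second line


@dataclass
class Handshake:
    syn: int = 0                # SYNs seen from the client
    synack: int = 0             # SYN-ACKs the server sent back through this interface
    client_ack: int = 0         # non-SYN segments from the client: proof the SYN-ACK arrived
    syn_after_synack: int = 0   # client re-sent SYN although we had already answered
    rst: int = 0                # server gave up on the embryonic connection


def parse_capture(text):
    """Return (src, sport, dst, dport, flags) tuples from two-line tcpdump -vv output."""
    packets, pending = [], False
    for line in text.splitlines():
        if HEADER_RE.match(line):
            pending = True          # the next line carries this packet's TCP header
            continue
        m = PACKET_RE.match(line)
        if m and pending:
            src, sport, dst, dport, flags = m.groups()
            packets.append((src, int(sport), dst, int(dport), flags))
            pending = False
    return packets


def tally_handshakes(packets):
    """Group packets by (client, cport, server, sport) and count each handshake's phases."""
    flows = {}
    for src, sport, dst, dport, flags in packets:
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if fwd in flows:
            h, from_client = flows[fwd], True
        elif rev in flows:
            h, from_client = flows[rev], False
        elif flags == 'S':
            h, from_client = flows.setdefault(fwd, Handshake()), True
        else:
            continue                # mid-stream segment with no SYN in the capture
        if from_client:
            if flags == 'S':
                h.syn += 1
                if h.synack:
                    h.syn_after_synack += 1
            elif 'R' not in flags:
                h.client_ack += 1
        elif flags == 'S.':
            h.synack += 1
        elif 'R' in flags:
            h.rst += 1
    return flows


def diagnose(h):
    """Classify one flow; 'half-open' is the signature of a broken return path."""
    if h.synack and not h.client_ack and (h.syn_after_synack or h.rst):
        return 'half-open'       # our SYN-ACK left here, but the client never received it
    if h.synack and h.client_ack:
        return 'established'
    if h.syn and not h.synack:
        return 'unanswered'      # the server side never replied at all
    return 'incomplete'


def report(text):
    """Map each client->server 4-tuple in a capture to its diagnosis."""
    return {key: diagnose(h) for key, h in tally_handshakes(parse_capture(text)).items()}


if __name__ == '__main__':
    for label, cap in (('post capture', HALF_OPEN_CAPTURE), ('contrast', GOOD_CAPTURE)):
        for (cip, cport, sip, sport), verdict in report(cap).items():
            print(f'{label}: {cip}:{cport} -> {sip}:{sport}: {verdict}')
```

        A 'half-open' verdict only tells you the SYN-ACK got as far as the capture interface; where it is dropped or misrouted after that (the reply leaving by the default route instead of the tunnel, as the next reply explains, or a stateful hop that never saw the SYN) has to be located by capturing again one hop further along the return path.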

          The return routing in such cases won't go back via the VPN and hence you break the TCP connection. You'll need to source NAT with manual outbound NAT to work around that.

          jimp (Rebel Alliance Developer, Netgate)

            FYI - on 2.1, if you assign the OpenVPN interface and add a pass rule on its tab, that rule will get reply-to added, so that the return traffic will flow back the right way without needing the extra NAT to mask the source address.


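            The two fixes proposed in the replies above, written out as the pf rules of the kind pfSense generates from its GUI, so the mechanism of each is visible. This is an added illustration, not configuration from the thread and not pfSense's generated ruleset verbatim; the interface names (em0, ovpnc1, ovpns1) are assumptions, and the addresses come from the first post's layout (tunnel 10.0.8.1/10.0.8.2, mail server 10.0.10.1). The two sections belong on two different firewalls; apply either Fix 1 or Fix 2, not both.

```pf
# Macros (interface names are assumptions for this example).
wan     = "em0"       # Site Client WAN
ovpn_c  = "ovpnc1"    # Site Client: assigned OpenVPN client interface, tunnel address 10.0.8.2
ovpn_s  = "ovpns1"    # Site Host: assigned OpenVPN server interface, tunnel address 10.0.8.1
mailsrv = "10.0.10.1"

## --- Site Client (the firewall holding the public port forward) ---

# The port forward itself (pfSense: Firewall > NAT > Port Forward).
rdr on $wan inet proto tcp from any to ($wan) port 25 -> $mailsrv port 25

# Fix 1 (cmb): Manual Outbound NAT on the tunnel interface. The mail server now
# sees 10.0.8.2 as the peer; 10.0.8.0/24 is reachable for it only through the
# tunnel, so its SYN-ACK cannot take Site Host's default route to the WAN.
# Cost: the mail server no longer sees the real client address.
nat on $ovpn_c inet proto tcp from any to $mailsrv port 25 -> 10.0.8.2

# WAN rule admitting the forwarded traffic (pfSense adds this with the port forward).
pass in quick on $wan inet proto tcp from any to $mailsrv port 25 flags S/SA keep state

## --- Site Host (the mail server's default gateway, 10.0.10.254) ---

# Fix 2 (jimp, pfSense 2.1+): a pass rule on the assigned OpenVPN interface's
# own tab. pfSense attaches reply-to, so replies matching this state are sent
# back out $ovpn_s to the far tunnel address instead of following the routing
# table to the WAN. The real client address is preserved end to end.
pass in quick on $ovpn_s reply-to ( $ovpn_s 10.0.8.2 ) inet proto tcp from any to $mailsrv port 25 flags S/SA keep state
```

            With Fix 2 the state has to be created by the rule on the assigned interface's tab: pfSense evaluates the rules on the shared OpenVPN tab first, so an "allow all" rule there would match the SYN before this one and no reply-to would be attached. Either way, the check is the same capture the poster ran on the tunnel interface: after the fix, the client's ACK should follow the SYN-ACK instead of a retransmitted SYN and a RST.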
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.