Email Server behind openVPN site-site



  • Dear All,

    I have set up an OpenVPN site-to-site tunnel for my email server, and I can also access the email server (10.0.10.1) from the Site Client (10.0.9.10).
    How can I access the email server from the internet through the Site Client, where I have already set up a NAT port forward to 10.0.10.1?
    The Site Host's log shows some successful connections from the WAN of the Site Client, but the response times out. I think the problem is the routing; how can I solve this?

    Site Host
    ------------------
    Local Network 10.0.10.0/24
    Tunnel Network 10.0.8.0/24
    Remote Network 10.0.9.0/24
    Gateway 10.0.10.254

    Email server 10.0.10.1

    Site Client

    Local Network 10.0.9.0/24
    Tunnel Network 10.0.8.0/24
    Remote Network 10.0.10.0/24
    Gateway 10.0.9.254

    PC 10.0.9.10

    Regards



  • Server        VPN Tunnel              Client
    10.0.8.1  ============== 10.0.8.2

    <-- SMTP SYN (Client NAT)
    SMTP SYN,ACK -->
                                  Can't receive ACK

    Captured at 10.0.8.1

    02:52:58.347799 AF IPv4 (2), length 56: (tos 0x0, ttl 114, id 18806, offset 0, flags [DF], proto TCP (6), length 52)
        79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xa783 (correct), seq 4162653417, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
    02:52:58.348479 AF IPv4 (2), length 56: (tos 0x0, ttl 127, id 23924, offset 0, flags [DF], proto TCP (6), length 52)
        10.10.10.10.25 > 79.148.243.166.24460: Flags [S.], cksum 0x2098 (correct), seq 4036662737, ack 4162653418, win 8192, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
    02:53:01.357898 AF IPv4 (2), length 56: (tos 0x0, ttl 114, id 20244, offset 0, flags [DF], proto TCP (6), length 52)
        79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xa783 (correct), seq 4162653417, win 8192, options [mss 1350,nop,wscale 8,nop,nop,sackOK], length 0
    02:53:07.357775 AF IPv4 (2), length 52: (tos 0x0, ttl 114, id 20314, offset 0, flags [DF], proto TCP (6), length 48)
        79.148.243.166.24460 > 10.10.10.10.25: Flags [S], cksum 0xbb92 (correct), seq 4162653417, win 8192, options [mss 1350,nop,nop,sackOK], length 0
    02:53:07.364826 AF IPv4 (2), length 52: (tos 0x0, ttl 127, id 23926, offset 0, flags [DF], proto TCP (6), length 48)
        10.10.10.10.25 > 79.148.243.166.24460: Flags [S.], cksum 0x54a7 (correct), seq 4036662737, ack 4162653418, win 65535, options [mss 1460,nop,nop,sackOK], length 0
    02:53:19.364856 AF IPv4 (2), length 44: (tos 0x0, ttl 127, id 23927, offset 0, flags [DF], proto TCP (6), length 40)
        10.10.10.10.25 > 79.148.243.166.24460: Flags [R], cksum 0x8177 (correct), seq 4036662738, win 0, length 0



  • The return routing in such cases won't go back via the VPN and hence you break the TCP connection. You'll need to source NAT with manual outbound NAT to work around that.


  • Rebel Alliance Developer Netgate

    FYI- on 2.1 if you assign the openvpn interface and add a pass rule on its tab, that rule will get reply-to added so that the return traffic will flow back the right way without needing the extra NAT to mask the source address.
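
    Added example, not from the thread: the two fixes described in the last two replies (manual outbound NAT, and reply-to on the tunnel interface), written as plain pf.conf rules equivalent to what the pfSense GUI generates. Interface names em0 (Site Client WAN), ovpnc1 (Site Client tunnel end) and ovpns1 (Site Host tunnel end) are assumptions; addresses come from the first post and the diagram above (10.0.8.1 = Site Host, 10.0.8.2 = Site Client).

```pf
# Added example, not from the thread. Interface names are assumptions:
#   em0    = Site Client WAN
#   ovpnc1 = Site Client end of the OpenVPN site-to-site tunnel (10.0.8.2)
#   ovpns1 = Site Host end of the tunnel (10.0.8.1)
# Addresses follow the first post: mail server 10.0.10.1 behind Site Host.
# Each section is a pf.conf fragment for one firewall; pf requires
# translation (rdr/nat) rules to precede filter (pass) rules, as here.

# ===== Site Client (the firewall holding the public address) =====
# Port forward from the question: Internet -> WAN:25 -> 10.0.10.1:25.
rdr on em0 inet proto tcp from any to (em0) port 25 -> 10.0.10.1 port 25

# Fix A: outbound (source) NAT on the tunnel interface. Without this rule the
# SYN reaches 10.0.10.1 with its original Internet source address; the mail
# server sends SYN,ACK to its default gateway 10.0.10.254, Site Host routes it
# out its own WAN instead of back through the tunnel, the NAT state here never
# sees the reply, and the client retransmits its SYN until the server gives up
# with a RST (the SYN retransmissions and final RST in the capture above).
# With the rule, the source becomes 10.0.8.2 and the reply is routed back over
# the VPN. Cost: the mail server logs 10.0.8.2 instead of the real client IP,
# which matters for SPF checks, greylisting and abuse handling.
nat on ovpnc1 inet proto tcp from any to 10.0.10.1 port 25 -> 10.0.8.2

# Filter rules see post-translation addresses.
pass in on em0 inet proto tcp from any to 10.0.10.1 port 25 flags S/SA keep state
pass out on ovpnc1 inet proto tcp from any to 10.0.10.1 port 25 keep state

# ===== Site Host (the firewall in front of the mail server) =====
# Fix B, instead of Fix A: reply-to pins the reply path of this state to the
# tunnel interface and gateway, overriding the routing table, so no source
# NAT is needed and the mail server keeps seeing the real client address.
# This is what pfSense 2.1 adds automatically to pass rules on an assigned
# OpenVPN interface tab (last reply above).
pass in on ovpns1 reply-to (ovpns1 10.0.8.2) inet proto tcp \
    from any to 10.0.10.1 port 25 flags S/SA keep state
```

    Use one fix or the other, not both: with reply-to in place the source NAT only hides the client address from the mail server's logs.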

