Netgate Discussion Forum

Is it Possible to Bypass VPN Gateway for sending Mail

General pfSense Questions
10 Posts 3 Posters 3.0k Views
kiekar, Jan 12, 2016, 10:25 PM

    Hello,

    I just recently purchased a 3 month service with a VPN provider (PIA) and completed the setup. Currently all my traffic like web browsing is passing through the PIA VPN gateway and all is working fine except for sending out mail through my mail server. Is it possible to bypass the VPN gateway by creating a LAN rule and passing it through the WAN PPPoE gateway? If possible, a rule example would be much appreciated.

    Thanks

    Karl

    Derelict (LAYER 8, Netgate), Jan 12, 2016, 10:30 PM

      Yes. Just figure out how to identify the traffic (all traffic to all hosts on the proper ports would probably be sufficient) and put the rule above the one that routes to the VPN with no gateway set (will use whatever is marked as the default gateway) or, if you have your VPN set to pull a default route from the VPN provider, set the proper gateway on the rule.

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      GoldsteinPIA, Jan 12, 2016, 10:44 PM

        Hey kiekar,

        Because we do not keep logs of your activity when connected to our VPN, we are unable to monitor the VPN servers for email spam. Because of this, we need to block the connection ports used by outgoing mail servers, to ensure that the VPN network remains usable and does not become dominated by Spam.

        Please refer to this article on how to have your mail server whitelisted to allow email to send while using the VPN: https://support.privateinternetaccess.com/KnowledgeBase/Article/View/33

        Cheers,
        PIA

        kiekar, Jan 12, 2016, 11:00 PM

          Please refer to this article on how to have your mail server whitelisted to allow email to send while using the VPN

          I had my domain name whitelisted but I was still unable to send my email. I also received a response today from a Tier II technical support person that I would need to disconnect the VPN in order to send out email. I had supplied my mail server log by email.

          Regards

          Karl

          Derelict (LAYER 8, Netgate), Jan 13, 2016, 12:05 AM (edited 12:08 AM)

            You don't need to disconnect. You run pfSense.

            What I would do is check Don't pull routes in your VPN client config. That will cause NO traffic to be routed over the VPN unless you tell it to.

            Then create a firewall rule passing all traffic to mail ports with no gateway set (so it will use the default gateway) and send everything on the pass any any rule to the OpenVPN gateway. You have to assign an interface to the OpenVPN client instance to get a gateway created. Lots of examples in the various walkthroughs.

            Or here:

            https://www.infotechwerx.com/blog/Creating-OpenVPN-Assigned-Interface

            ETA: Actually, you're already using NAT so you have already created an interface.


            kiekar, Jan 13, 2016, 1:47 AM

              Hello Derelict,

              Thank you for your help. Your suggestions worked. I'm now able to send email outbound, but after running the DNS test, the IP address displayed was from my ISP. I probably need to modify the rules.

              Derelict (LAYER 8, Netgate), Jan 13, 2016, 1:59 AM

                What are you talking about?

                Sounds like you didn't properly route all traffic out the VPN.


                kiekar, Jan 13, 2016, 8:22 PM

                  I'm still getting a DNS leak when using the extended test at dnsleaktest.com. When accessing the site home page the server IP address is the PIA server, but when I run the extended test I get my ISP IP address. For the time being I'm only using a simple rule and with Don't Pull Routes checked off.

                  If I uncheck Don't Pull Routes with the simple rule I only get the PIA IP for both the home page and extended test.

                  Attachments: all_open_PIA_GW.jpg, no_pull_routes.jpg, pia_server.jpg, pia_extended_test.jpg, teksavvy.jpg

                  Derelict (LAYER 8, Netgate), Jan 13, 2016, 8:40 PM

                    You have to make sure you are using external name servers on the clients behind the VPN.

                    Or you might try leaving don't pull routes unchecked and forcing the SMTP traffic out your WAN gateway in a rule above the pass any any default.

                    Do you leave this VPN up all the time or do you only want it active when it's manually brought up?


                    kiekar, Jan 13, 2016, 11:26 PM
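The two points in Derelict's replies above (put the SMTP rule above the catch-all that routes to the VPN, and remember that the firewall's own resolver traffic follows the routing table, not your LAN rules) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: a first-match evaluator for a LAN ruleset in the shape `pfctl -sr` prints it. The ruleset text is constructed for this example; the interface names (em1, ovpnc1, pppoe0), the LAN network and the gateway addresses are assumptions.

```python
"""
Added example (not from the thread or from pfSense): evaluate a pfSense LAN
ruleset, as `pfctl -sr` would print it, to see which gateway SMTP and other
traffic actually leaves through. All interface names, networks and gateway
addresses below are assumptions made for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

WAN_GW = "203.0.113.1"   # assumed PPPoE WAN gateway
VPN_GW = "10.8.0.1"      # assumed gateway of the OpenVPN client interface ovpnc1

# Constructed ruleset approximating `pfctl -sr` output. pf expands a port
# list like {25,465,587} into one rule per port. A rule with no route-to
# hands the packet to the routing table, i.e. the current default route.
RULES_OK = """\
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = 25 flags S/SA keep state label "USER_RULE: SMTP, no gateway"
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = 465 flags S/SA keep state label "USER_RULE: SMTP, no gateway"
pass in quick on em1 inet proto tcp from 192.168.1.0/24 to any port = 587 flags S/SA keep state label "USER_RULE: SMTP, no gateway"
pass in quick on em1 route-to (ovpnc1 10.8.0.1) inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: everything else via PIA"
"""

# Same rules with the catch-all first: it matches SMTP too, so the SMTP rules
# below it are shadowed and never reached.
RULES_SHADOWED = "\n".join(RULES_OK.splitlines()[-1:] + RULES_OK.splitlines()[:-1])

# Variant for leaving "pull routes" on: the SMTP rules name the WAN gateway
# explicitly instead of relying on the default route.
RULES_EXPLICIT_WAN = RULES_OK.replace(
    "on em1 inet proto tcp", f"on em1 route-to (pppoe0 {WAN_GW}) inet proto tcp")

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+in\s+quick\s+on\s+(?P<ifname>\S+)"
    r"(?:\s+route-to\s+\((?P<rt_if>\S+)\s+(?P<rt_gw>\S+)\))?"
    r"\s+inet(?:\s+proto\s+(?P<proto>\w+))?"
    r"\s+from\s+\S+\s+to\s+\S+"
    r"(?:\s+port\s+=\s+(?P<port>\d+))?"
)

@dataclass(frozen=True)
class Rule:
    action: str
    proto: Optional[str]      # None = any protocol
    dport: Optional[int]      # None = any destination port
    route_to: Optional[str]   # gateway from route-to; None = routing table
    label: str

def parse_rules(text: str) -> list:
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule line: {line}")
        lab = re.search(r'label "([^"]*)"', line)
        rules.append(Rule(m["action"], m["proto"],
                          int(m["port"]) if m["port"] else None,
                          m["rt_gw"], lab.group(1) if lab else ""))
    return rules

def default_gateway(pull_routes: bool) -> str:
    """With 'Don't pull routes' unchecked the provider's pushed default route
    (redirect-gateway) takes precedence over WAN; checked, WAN stays default."""
    return VPN_GW if pull_routes else WAN_GW

def egress(rules, proto: str, dport: int, default_gw: str):
    """pfSense LAN rules are 'quick': the first match decides. Returns the
    gateway the packet leaves through (or 'blocked') and the matching label."""
    for r in rules:
        if r.proto is not None and r.proto != proto:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        if r.action == "block":
            return "blocked", r.label
        return (r.route_to or default_gw), r.label
    return "blocked", "implicit default deny"

SMTP_PORTS = (25, 465, 587)

def smtp_ports_not_via_wan(rules, default_gw: str) -> list:
    """Which submission/SMTP ports would NOT leave via WAN under this ruleset."""
    return [p for p in SMTP_PORTS if egress(rules, "tcp", p, default_gw)[0] != WAN_GW]

def resolver_upstream_egress(default_gw: str) -> str:
    """Upstream queries from the firewall's own resolver are firewall-originated,
    so LAN policy-routing rules never see them: they follow the routing table.
    That is why a leak test can show the ISP address while client traffic is
    policy-routed to the VPN."""
    return default_gw

if __name__ == "__main__":
    for name, text in (("ok", RULES_OK), ("shadowed", RULES_SHADOWED),
                       ("explicit wan", RULES_EXPLICIT_WAN)):
        for pull in (False, True):
            gw = default_gateway(pull)
            print(f"{name:12} pull_routes={pull!s:5} smtp not via WAN: "
                  f"{smtp_ports_not_via_wan(parse_rules(text), gw)} "
                  f"resolver via: {resolver_upstream_egress(gw)}")
```

Run it and the three rulesets show the thread's outcomes: with "Don't pull routes" checked the no-gateway SMTP rules leave via WAN and everything else follows the route-to; with pull routes on, the same SMTP rules follow the VPN default and need an explicit WAN gateway; and the catch-all placed above them shadows them regardless. The resolver line shows why the extended DNS leak test reports the ISP address unless the clients use external name servers (or the VPN is the default route).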

                      Or you might try leaving don't pull routes unchecked and forcing the SMTP traffic out your WAN gateway in a rule above the pass any any default.

                      Tried it but unable to send mail out.

                      You have to make sure you are using external name servers on the clients behind the VPN.

                      Added the PIA DNS servers to the client, which worked. I'm able to send emails out and ran the DNS leak test, which showed the PIA host IP and PIA's DNS server IP, but I'm no longer able to log in to pfSense using the host domain name. I must now use the gateway IP.

                      Do you leave this VPN up all the time or do you only want it active when it's manually brought up

                      Yes, I do.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.