Score:0

Can't send or receive mails when connected to OpenVPN server (on which also the mail server is running)


I'm a bit stuck here at the moment and will appreciate every push towards the right direction to solve this issue.

My two goals are to get an OpenVPN server running on a remote VM (Digital Ocean Droplet) and also run my postfix server on that VM. The OpenVPN connection is routing my DNS queries to a Pihole which provides me with proper ad blocking when I am not at home (where there is a pihole on an actual rpi running).

This setup is working almost perfectly, but with one exception. Once connected to the OpenVPN, I cannot receive or send emails anymore. Nothing pops up in my mail log (postfix and dovecot are running and logging) at all. Neither postfix nor dovecot is logging any connection attempt from my computer (which is then connected to the VPN). Once I disconnect from the VPN, sending and receiving mails works again.

I have ufw running and logging, but nothing pops up in its logs either.

I assume it has something to do with postfix running on localhost, and once connected to the VPN interface there is a bridge I somehow have to build. But I've got to be honest with you guys, I have no idea where to start with this, as I can't find anything online where exactly this issue is discussed.

Where would you say I should start looking? Firewall, VPN config, mail server config? I'm a bit lost.

$ ip address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 8a:0c:da:93:21:88 brd ff:ff:ff:ff:ff:ff
    inet XXXXXXXXXXX/20 brd XXXXXXXXXXXX scope global eth0
       valid_lft forever preferred_lft forever
    inet 10.19.0.5/16 brd 10.19.255.255 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 XXXXXXXXXXXXXXXXXXXXXX/64 scope global
       valid_lft forever preferred_lft forever
    inet6 XXXXXXXXXXXXXXXXXXXXXX/64 scope link
       valid_lft forever preferred_lft forever

[...]

21: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
    link/none
    inet 10.8.0.1 peer 10.8.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 XXXXXXXXXXXXXXXXXXXXXX/64 scope link stable-privacy
       valid_lft forever preferred_lft forever


$ cat /etc/openvpn/server.conf
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "route 192.168.10.0 255.255.255.0"
push "route 192.168.20.0 255.255.255.0"
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 10.8.0.1"
keepalive 10 120
tls-auth ta.key 0
cipher AES-256-CBC
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
verb 3
explicit-exit-notify 1

OpenVPN logs the connection of my computer

Sat Dec 25 09:10:51 2021 macbook/XXXXXXXXX:59001 MULTI: primary virtual IP for macbook/XXXXXXXXX:59001: 10.8.0.10
Sat Dec 25 09:10:51 2021 macbook/XXXXXXXXX:59001 SENT CONTROL [macbook]: 'PUSH_REPLY,route 192.168.10.0 255.255.255.0,route 192.168.20.0 255.255.255.0,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 10.8.0.1,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.10 10.8.0.9,peer-id 0,cipher AES-256-GCM' (status=1)
I'd start with making sure that packets are received from and sent back to the correct IPs. `tcpdump -nni any port 25` could help.

The mail server setup itself works fine. Using tcpdump it logs incoming mails. The issue is that once my client is connected to the OpenVPN server (which is on the same server), it can't connect to the mail server. My client is trying to connect but will eventually time out. When I disconnect my client from the OpenVPN server it receives and sends mails again. On the server side nothing pops up in mail.log.

I meant checking tcpdump while you are trying to connect...

Check `ip route` on both server and client, try to understand which path the packets will take, while also considering the external path of the VPN service.

It will probably be a routing issue. But I think I really need to educate myself on network routing first, because right now I don't have a good idea where to start. One thing came up and could be related. When my client tries to connect to my mail server using telnet while being connected to the OpenVPN server, it kind of doesn't resolve the mail server DNS correctly. It runs through 127.0.1.1 and gets stuck doing this. Once disconnected from the OpenVPN server, it resolves the DNS entry correctly and connects to the mail server. Is this something we can work with?

# connected to openvpn server
telnet mail.MAILSERVER.de 25
Trying 127.0.1.1...

# not connected to openvpn server
telnet mail.MAILSERVER.de 25
Trying XX.XXX.XXX.XXX...
Connected to mail.MAILSERVER.de.
Escape character is '^]'.
220 mail.MAILSERVER.de ESMTP Postfix

So when connected to the OpenVPN server, the client tries to resolve the DNS entry of my mail server and, for a reason I don't fully understand, tries to connect to 127.0.1.1. If I try to connect directly to the IP of my mail server, telnet can connect properly.

$ telnet XX.XXX.XXX.XXX 25
Trying XX.XXX.XXX.XXX...
Connected to NAMEOFLOCALHOST.
Escape character is '^]'.
220 mail.MAILSERVER.de ESMTP Postfix

So how do I get OpenVPN to not resolve the DNS entry to my local IP but to the public IP? I'm assuming this will solve this.
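The `Trying 127.0.1.1...` answer in the telnet output above is the pattern produced when the VPN-pushed resolver (here the Pi-hole at 10.8.0.1, which runs dnsmasq) serves entries from the VM's own /etc/hosts, where Debian/Ubuntu installs put the machine's FQDN on the 127.0.1.1 line. The script below is an added example, not code from the original thread: it classifies addresses and audits a hosts file for a hostname that maps to loopback. The hostname `mail.example.test` and the sample hosts file contents are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): find a hosts-file entry that
# maps a public mail hostname to a loopback address, which a forwarding
# resolver reading /etc/hosts would hand to VPN clients as 127.0.1.1.
# Assumption: the resolver serves /etc/hosts entries; sample data is constructed.

# Classify an IPv4/IPv6 literal as loopback, private or public.
classify_addr() {
    case "$1" in
        127.*|::1)                                            echo loopback ;;
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *)                                                    echo public ;;
    esac
}

# Print every address a hosts file maps the given name to, one per line.
# Usage: hosts_addresses <hostsfile> <hostname>
hosts_addresses() {
    # strip comments, then match the name as a whole field (not a substring)
    sed 's/#.*//' "$1" | awk -v n="$2" '
        NF >= 2 { for (i = 2; i <= NF; i++) if ($i == n) print $1 }'
}

# Succeed (exit 0) when the name maps to a loopback address in the hosts file.
hostname_maps_to_loopback() {
    for addr in $(hosts_addresses "$1" "$2"); do
        [ "$(classify_addr "$addr")" = loopback ] && return 0
    done
    return 1
}

# Constructed sample: a Debian/Ubuntu-style hosts file where the machine's
# own FQDN sits on the 127.0.1.1 line next to a short alias.
SAMPLE_HOSTS=$(mktemp)
cat > "$SAMPLE_HOSTS" <<'EOF'
127.0.0.1   localhost
127.0.1.1   mail.example.test mail   # default hostname line
10.8.0.1    vpn-gw
EOF

if hostname_maps_to_loopback "$SAMPLE_HOSTS" mail.example.test; then
    echo "mail.example.test maps to loopback in $SAMPLE_HOSTS: VPN clients would get 127.0.1.1"
fi
rm -f "$SAMPLE_HOSTS"
```

Running the audit against the real /etc/hosts on the VM (and checking `dig @10.8.0.1 mail.MAILSERVER.de` from a connected client) confirms whether the resolver, rather than routing, is the component handing out the loopback address.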
Score:0
MTG

VPN configuration can be very tricky, as it changes your system's normal default route to that of the VPN server. The server, in turn, may do some sort of source routing for incoming traffic from the VPN client, as well as changing your outgoing IP addresses.

In summary:

  1. The mail server may be sensitive to that address change.

  2. The VPN service may direct your traffic to its public or physical interface, effectively blocking you from the VM's internal services, including the postfix suite.

  3. Ad blocking features may also cause issues with e-mail services.

You'd better look for related configuration options of Pihole, or try other VPN services for good, e.g. native Linux VPN services for starters.

VPNs can be configured to become the default route, but that is configuration, and not the default.