{"id":49,"date":"2013-08-22T18:47:41","date_gmt":"2013-08-22T17:47:41","guid":{"rendered":"http:\/\/eggblog.invertedegg.com\/?p=49"},"modified":"2013-08-22T18:47:41","modified_gmt":"2013-08-22T17:47:41","slug":"tunneling-smtp-tcp-port-25-through-a-vpn","status":"publish","type":"post","link":"http:\/\/eggblog.invertedegg.com\/?p=49","title":{"rendered":"Tunneling SMTP (TCP port 25) through a VPN"},"content":{"rendered":"

I’ve recently switched providers (having moved countries), and am now reconstructing my services in a new location, using AT&T UVerse. \u00c2\u00a0I continue to have an account with StrongVPN that I use (I originally acquired it to give me a US IP for use when out of the US … side note, I’m really happy with StrongVPN).<\/p>\n

The problem is that UVerse blocks outbound SMTP (port 25) traffic, and doesn’t provide their own relay (or, more accurately, won’t relay mail that’s neither to nor from an AT&T address). \u00c2\u00a0I don’t have much mail to send (just what the kids generate, and the occasional system alert), so I don’t feel that I’m much of a threat to anyone’s traffic. \u00c2\u00a0It took me a while to figure this out (I’m not the world’s greatest IP routing guru), so I figured it might be of use to you.<\/p>\n

Many thanks to Lekensteyn<\/a> and the other contributors to the post “iptables – Target to Route Packet to Specific Interface<\/a>” on serverfault.com for key pointers.<\/p>\n

Objective: \u00c2\u00a0Running a postfix SMTP server on Ubuntu Linux, route all outbound SMTP through a VPN tunnel. \u00c2\u00a0We’re going to wind up not using a relay server, and just directly connecting to the target hosts.<\/p>\n

We’ll assume that your tunnel interface is TUN0 … replace this below as you see fit.<\/p>\n

1. Remove any relays from your postfix configuration<\/h4>\n

If you’re coming from a previous configuration, you were probably configured with a relay server. \u00c2\u00a0You need to remove it, so that you’re directly connecting to your target hosts (if you had a relay server, you probably don’t need to force the traffic anywhere! \u00c2\u00a0On the other hand, if you’re trying to route port 25 for some other reason, then skip this step.)<\/p>\n

a. Edit \/etc\/postfix\/main.cf<\/h5>\n

Edit this file to remove or comment out the line that established your relay host:<\/p>\n

# relayhost = smtp.mypreviousprovider.nl<\/pre>\n
2. Force SMTP Port 25 through the VPN<\/h4>\n
I have a very complex routing scheme, with a ton of subnets that I use for all sorts of things — for example, forcing a wifi AP out through the VPN (so that you can connect to a specific AP to auto-use the VPN), keeping the kids on a different subnet so that I can force them out a different Internet connection, and blackholing unknown devices so that the kids can’t hook anything up without me verifying the MAC address … drop me a comment if you’re interested in any of these things … so the long and short of it is that I already have a routing script that I use to set up all my routing tables.<\/p>\n
If you already have such a script, just add the additions below to that script. \u00c2\u00a0If not, then create a new script for these commands. \u00c2\u00a0It’s a somewhat separate exercise to hook it up so that it’s properly invoked whenever you bring an interface up or down (which I leave as a Google exercise for you, as it’s not fresh on my mind) … but in the worst case, you can just run it manually whenever your routing tables get rebuilt.<\/p>\n
Note that we’re going to use “7” as the mark for our rules. \u00c2\u00a0This is arbitrary.<\/p>\n
a. \u00c2\u00a0If you haven’t already, create a routing table for the VPN<\/h5>\n
I already had a routing table set up … if you do then just use that routing table, below. \u00c2\u00a0But if you don’t, here’s a quick and dirty routing table to push over your VPN (please note, I’m just typing this, and haven’t actually tested the exact lines below, as I don’t need them in my setup!!):<\/p>\n
# For clarity, clear anything that might have accumulated there. \u00c2\u00a0Ignore any error, here.<\/pre>\n
ip route flush table vpn_table<\/pre>\n
# Push all traffic that goes to this table out the VPN. \u00c2\u00a0Substitute your VPN's gateway for 99.99.99.99 below.<\/pre>\n
iproute add default via 99.99.99.99 table vpn_table<\/pre>\n
# And be sure to flush to pick it up<\/pre>\n
iproute flush cache<\/pre>\n
b. Now mark all SMTP port 25 packets with 7<\/h5>\n
iptables -t mangle -A OUTPUT -p tcp --dport 25 -j MARK --set-mark 7<\/pre>\n
c. Set the source IP to our ID on the VPN (substitute for 88.88.88.88) rather than our local network ID. \u00c2\u00a0Remember to use your correct interface if not TUN0, below.<\/h5>\n
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 88.88.88.88<\/pre>\n
d. Send everything marked with 7 to the VPN table (to force out the VPN)<\/h5>\n
ip rule add fwmark 25 table vpn_table<\/pre>\n
e. Relax the reverse path source validation<\/h5>\n
(See the post for a discussion.)<\/p>\n
sysctl -w net.ipv4.conf.tun0.rp_filter=2<\/pre>\n
f. And flush for good measure<\/h5>\n
ip route flush cache<\/pre>\n
That should do it! \u00c2\u00a0Run your script, and all your port 25 traffic should be running out your VPN. \u00c2\u00a0Obviously, you can adapt the concepts here for other applications.<\/p>\n
\n
\n","protected":false},"excerpt":{"rendered":"
I’ve recently switched providers (having moved countries), and am now reconstructing my services in a new location, using AT&T UVerse. \u00c2\u00a0I continue to have an account with StrongVPN that I use (I originally acquired it to give me a US IP for use when out of the US … side note, I’m really happy with … Continue reading “Tunneling SMTP (TCP port 25) through a VPN”<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[6],"tags":[],"_links":{"self":[{"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=\/wp\/v2\/posts\/49"}],"collection":[{"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=49"}],"version-history":[{"count":1,"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=\/wp\/v2\/posts\/49\/revisions"}],"predecessor-version":[{"id":50,"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=\/wp\/v2\/posts\/49\/revisions\/50"}],"wp:attachment":[{"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=49"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=49"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/eggblog.invertedegg.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=49"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}