OpenVPN Service

[pratik]

Why is inbound 25 blocked? Can we get it unblocked on user basis? If not what is the solution to receive emails? I use outbound relay so that's not a problem. I read about fetchmail but would like bit more explanation. And how to set it up on router instead of individual devices

Thanks

[mediahound]

Why is inbound 25 blocked? Can we get it unblocked on user basis? If not what is the solution to receive emails? I use outbound relay so that's not a problem. I read about fetchmail but would like bit more explanation. And how to set it up on router instead of individual devices

Thanks

I'm not sure inbound email even runs on port 25: https://wiki.sonic.net/wiki/Quick_Reference_Guide

[pratik]

Sorry I should explain I'm running mail server. I'm not looking for client side setup.

[kgc]

Port 25 is blocked in both directions to prevent a dynamic IP address from being able to send "direct to mx" spam and/or be used in a triangular routing scheme to aid in the delivery of spam. This is consistent with all of our other access products and recognized BCP.

[pratik]

Port 25 is blocked in both directions to prevent a dynamic IP address from being able to send "direct to mx" spam and/or be used in a triangular routing scheme to aid in the delivery of spam. This is consistent with all of our other access products and recognized BCP.

Thanks can you please link me to fetchmail implementation and how to. I'll try that but first need to find a way to run these settings on my advanced tomato router.

[wa2ibm]

Port 25 is blocked in both directions to prevent a dynamic IP address from being able to send "direct to mx" spam and/or be used in a triangular routing scheme to aid in the delivery of spam. This is consistent with all of our other access products and recognized BCP.

I understand and agree with this restriction on outbound port 25.

However, inbound doesn't present that type of issue. Even Sonic Fusion FTTN (a.k.a. AT&T U-Verse) allows inbound 25 while blocking outbound 25, I presume for the same reason. This is also a dynamic IP service. I've been using the FTTN service ahead of my mail server since I converted to that service last year. It works just peachy in conjunction with DynDNS.

Bill

[forest]

I understand and agree with this restriction on outbound port 25.

However, inbound doesn't present that type of issue. Even Sonic Fusion FTTN (a.k.a. AT&T U-Verse) allows inbound 25 while blocking outbound 25, I presume for the same reason. This is also a dynamic IP service. I've been using the FTTN service ahead of my mail server since I converted to that service last year. It works just peachy in conjunction with DynDNS.

Bill

I think Kelsey is talking about a technique where a spammer infects a bunch of residential computers like ours (that have outbound port 25 blocked) with a bot, and then configures his own machine to send spam using spoofed source addresses that belong to our computers. The spammer's machine can then send boatloads of spam without tripping bulk sender alarms, because only a few messages appear to be coming from any single address. His TCP connections still work despite the spoofed source addresses because return packets sent to our residential machines are routed back to him (presumably not on port 25) by the bot running on our machines.

This technique can be disrupted by blocking our inbound port 25 from all hosts other than Sonic's mail server (which must remain unblocked in order for us to use that server). Unfortunately, that has the side effect of preventing customers like you and me from using port 25 for legitimate purposes; effectively crippling our internet service. Web-only users would never notice it, but it's a problem for those of us who run mail servers for our own domains, or develop mail software in our free time.

Looks like we need a way to prevent triangular spamming without crippling our service.

How about this:

In addition to allowing port 25 packets from Sonic's SMTP servers (as is done today), also allow them from hosts that have established a port 25 TCP connection with our machines. I think most decent routers can support this policy pretty easily. It would allow outside mail hosts to reach our personal servers, while blocking spammers' triangular routing return packets since they have no TCP connection with our machines. Our outbound port 25 would still be blocked, so that existing protection would still be in place, and a bot would not be able to trick our machines into establishing a connection for the sake of letting spam return packets through.

Off the top of my head, it seems like this would work nicely. Can anyone spot a hole in my idea?

[exile]

Bill, there's always the possibility that you could move to a fetchmail setup. There's pros and cons and depending on your needs it may not work. If we ever provide static IP on this service it would be completely unfiltered but this is otherwise being treated as a truly dynamic product.

Oh, so you have dropped plans to offer static IP through VPN? That is extremely disappointing as this is my entire interest in your VPN service.

[ashes]

@pratik Here's how to setup Tomato...

I'm a Sonic FFTN customer and I want the same level of privacy protection I had under my old Sonic ADSL service. I am VPNing my whole home network to Sonic's VPN server. If the VPN goes down, I want it to fail closed (not to simply route out on ATT's network).

I am running Tomato (Shibby) on an ASUS RT-AC68U v2; you will want router, like this one, with a reasonably fast CPU to handle VPN without impacting bandwidth. It is not DMZ'd since this VPN-only configuration does not double-NAT due to the VPN bypassing the Uverse gateway's NAT. I have another router DMZ'd providing a standard non-VPN NAT to a separate home network.

Step 1)
Log into ovpn.sonic.net I mean "Login" not "Connect". Note the drop-menu next to the "Go" button.


You'll see this screen, otherwise you didn't change the drop-menu to Login in the previous step. Hit the last link, "Yourself (user-locked profile)". It will download a file called client.ovpn open this in any text editor (e.g. Notepad, TextEdit, etc). You will need to copy some keys from this file later on.


Step 2)
On your router running Tomato, go VPN Tunneling->OpenVPN Client. Enter the following settings.
You could replace ovpn.sonic.net with it's IP address: 209.148.113.36
Enter your sonic username/password


The Exclusive DNS setting ensures that only Sonic's DNS servers are used when VPNing.


Here's where you want to copy-paste those keys from the client.ovpn file. Look for the correponding <tag> in the client.ovpn files and copy the whole alphanumeric string, including the BEGIN and END lines, excluding the <tag> </tag> lines




You should at this point be able to hit the "Start Now" button and the VPN will start, you can check it on the status tab or in the logfile. If it doesn't establish, check your settings and the log file.


Step 2) (Optional)

In Administration->Scripts->Firewall adding this will block all home network traffic is the VPN is down.
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP


In Administration->Scheduler you can set the VPN to automatically restart on schedule or disconnect.
If you need to restart your VPN connection, then enable this. I was using this on the VPN beta server since it timed out OpenVPN connections after 24 hours, supposedly this doesn't happen on the production server (or the beta server anymore). I just switched to production today, so I haven't tested to be sure. Anyhow if you need it, it's here.


Also there we can have the VPN auto-reconnect if we lost the connection.
This sets it to try to establish the VPN every minute (at the 40 second mark, due the "wait 40;"). I offset this by 40 seconds for compatibility with the scheduled force-restart setting above. If your VPN is already established, then this does not disturb the existing link. You can test this yourself by disconnecting your WAN port on your router to force a loss of connection, then watch it re-establish on reconnect.

[netllama]

@kgc the production server (ovpn.sonic.net) is not working for me at all. I downloaded the new profile, and attempted to use it. However, I keep getting auth failures when attempting to connect using openvpn-2.3.10 from a Linux system:

Code: Select all

Feb 07 11:42:21 llamapi2 openvpn[998]: VERIFY OK: depth=0, CN=OpenVPN Server
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 07 11:42:25 llamapi2 openvpn[998]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES128-SHA, 2048 bit RSA
Feb 07 11:42:25 llamapi2 openvpn[998]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.148.113.36:1194
Feb 07 11:42:27 llamapi2 openvpn[998]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Feb 07 11:42:27 llamapi2 openvpn[998]: AUTH: Received control message: AUTH_FAILED
Feb 07 11:42:27 llamapi2 openvpn[998]: SIGTERM[soft,auth-failure] received, process exiting

I'm supplying the same username & password as I'm successfully using for the beta server. The beta service has worked fine for me for many months, and continues to work.

How do I troubleshoot this?