OpenVPN Service

Advanced feature discussion, beta programs and unsupported "Labs" features.
65 posts Page 2 of 7
by pratik » Thu Feb 04, 2016 8:58 am
Why is inbound 25 blocked? Can we get it unblocked on a per-user basis? If not, what is the solution to receive emails? I use an outbound relay, so that's not a problem. I read about fetchmail but would like a bit more explanation. And how to set it up on the router instead of on individual devices?

Thanks
by mediahound » Thu Feb 04, 2016 9:04 am
pratik wrote:
Why is inbound 25 blocked? Can we get it unblocked on a per-user basis? If not, what is the solution to receive emails? I use an outbound relay, so that's not a problem. I read about fetchmail but would like a bit more explanation. And how to set it up on the router instead of on individual devices?

Thanks


I'm not sure inbound email even runs on port 25: https://wiki.sonic.net/wiki/Quick_Reference_Guide
by pratik » Thu Feb 04, 2016 9:24 am
Sorry, I should explain: I'm running a mail server. I'm not looking for a client-side setup.
by kgc » Thu Feb 04, 2016 3:35 pm
Port 25 is blocked in both directions to prevent a dynamic IP address from being able to send "direct to mx" spam and/or be used in a triangular routing scheme to aid in the delivery of spam. This is consistent with all of our other access products and recognized BCP.
Kelsey Cummings
System Architect, Sonic.net, Inc.
by pratik » Thu Feb 04, 2016 6:38 pm
kgc wrote:
Port 25 is blocked in both directions to prevent a dynamic IP address from being able to send "direct to mx" spam and/or be used in a triangular routing scheme to aid in the delivery of spam. This is consistent with all of our other access products and recognized BCP.


Thanks, can you please link me to a fetchmail implementation and how-to? I'll try that, but first I need to find a way to run these settings on my Advanced Tomato router.
by wa2ibm » Fri Feb 05, 2016 11:20 am
kgc wrote:
Port 25 is blocked in both directions to prevent a dynamic IP address from being able to send "direct to mx" spam and/or be used in a triangular routing scheme to aid in the delivery of spam. This is consistent with all of our other access products and recognized BCP.


I understand and agree with this restriction on outbound port 25.

However, inbound doesn't present that type of issue. Even Sonic Fusion FTTN (a.k.a. AT&T U-Verse) allows inbound 25 while blocking outbound 25, I presume for the same reason. This is also a dynamic IP service. I've been using the FTTN service ahead of my mail server since I converted to that service last year. It works just peachy in conjunction with DynDNS.

Bill
by forest » Fri Feb 05, 2016 1:20 pm
wa2ibm wrote:
I understand and agree with this restriction on outbound port 25.

However, inbound doesn't present that type of issue. Even Sonic Fusion FTTN (a.k.a. AT&T U-Verse) allows inbound 25 while blocking outbound 25, I presume for the same reason. This is also a dynamic IP service. I've been using the FTTN service ahead of my mail server since I converted to that service last year. It works just peachy in conjunction with DynDNS.

Bill


I think Kelsey is talking about a technique where a spammer infects a bunch of residential computers like ours (that have outbound port 25 blocked) with a bot, and then configures his own machine to send spam using spoofed source addresses that belong to our computers. The spammer's machine can then send boatloads of spam without tripping bulk sender alarms, because only a few messages appear to be coming from any single address. His TCP connections still work despite the spoofed source addresses because return packets sent to our residential machines are routed back to him (presumably not on port 25) by the bot running on our machines.

This technique can be disrupted by blocking our inbound port 25 from all hosts other than Sonic's mail server (which must remain unblocked in order for us to use that server). Unfortunately, that has the side effect of preventing customers like you and me from using port 25 for legitimate purposes; effectively crippling our internet service. Web-only users would never notice it, but it's a problem for those of us who run mail servers for our own domains, or develop mail software in our free time.

Looks like we need a way to prevent triangular spamming without crippling our service.

How about this:

In addition to allowing port 25 packets from Sonic's SMTP servers (as is done today), also allow them from hosts that have established a port 25 TCP connection with our machines. I think most decent routers can support this policy pretty easily. It would allow outside mail hosts to reach our personal servers, while blocking spammers' triangular routing return packets since they have no TCP connection with our machines. Our outbound port 25 would still be blocked, so that existing protection would still be in place, and a bot would not be able to trick our machines into establishing a connection for the sake of letting spam return packets through.

Off the top of my head, it seems like this would work nicely. Can anyone spot a hole in my idea?
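As an added illustration of the policy forest sketches above (this is not code from the thread, from Sonic, or from any router firmware): a small Python model of a customer-side stateful filter for port 25. It keeps a connection table keyed on (our port, peer IP, peer port) and runs the four cases that matter, a legitimate inbound delivery, the return leg of a triangular-spoofing attempt, a bot trying to create state by opening an outbound port-25 connection first, and the ISP's own mail server. The addresses are RFC 5737 documentation ranges chosen for the example; SONIC_MX is a placeholder, not Sonic's real relay.

```python
"""Stateful inbound-25 policy, modelled in Python.

Added example for the forum discussion above, not code from the thread or
from Sonic. Addresses are RFC 5737 documentation ranges chosen for the
example; SONIC_MX is a placeholder, not Sonic's real mail server.
"""
from dataclasses import dataclass

OUR_IP = "198.51.100.10"    # the customer's (dynamic) address, constructed
SONIC_MX = "192.0.2.25"     # placeholder for the ISP's own mail server
OTHER_MX = "203.0.113.25"   # an outside MX the spammer is targeting, constructed


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


class StatefulPort25Filter:
    """Tracks port-25 connections as (our_port, peer_ip, peer_port) tuples.

    Policy (the proposal in the post above):
      * port-25 packets from the ISP's own mail server are always allowed;
      * a new inbound SYN to our port 25 is allowed and creates state;
      * packets belonging to tracked connections are allowed both ways;
      * outbound connections *to* port 25 stay blocked (except to the ISP relay);
      * any other port-25 packet, e.g. a SYN-ACK from a foreign MX with no
        matching state (the return leg of triangular spam), is dropped.
    """

    def __init__(self):
        self.conns = set()

    def filter(self, p: Packet) -> str:
        if 25 not in (p.sport, p.dport):
            return "ACCEPT (not port 25)"
        inbound = p.dst == OUR_IP
        if inbound:
            key, peer = (p.dport, p.src, p.sport), p.src
        else:
            key, peer = (p.sport, p.dst, p.dport), p.dst
        if key in self.conns:
            return "ACCEPT (ESTABLISHED)"
        if inbound:
            if peer == SONIC_MX:
                self.conns.add(key)
                return "ACCEPT (ISP mail server)"
            if p.dport == 25 and p.syn and not p.ack:
                self.conns.add(key)
                return "ACCEPT (NEW inbound SMTP)"
            return "DROP (port-25 packet with no tracked connection)"
        if p.dport == 25:
            if peer == SONIC_MX:
                self.conns.add(key)
                return "ACCEPT (to ISP relay)"
            return "DROP (outbound port 25 blocked)"
        return "DROP (reply from our port 25 without a tracked connection)"


def run_scenarios() -> dict:
    """Constructed packet sequences; returns each verdict keyed by scenario."""
    fw = StatefulPort25Filter()
    r = {}
    # 1. A remote MX delivers mail to our server: SYN in, SYN-ACK out, ACK in.
    r["delivery_syn"] = fw.filter(Packet("203.0.113.7", 40000, OUR_IP, 25, syn=True))
    r["delivery_synack"] = fw.filter(Packet(OUR_IP, 25, "203.0.113.7", 40000, syn=True, ack=True))
    r["delivery_ack"] = fw.filter(Packet("203.0.113.7", 40000, OUR_IP, 25, ack=True))
    # 2. Triangular routing: the spammer sent a SYN to OTHER_MX with OUR_IP
    #    spoofed as source. That packet never crossed our link; only the
    #    MX's SYN-ACK reaches us, and nothing in the table matches it.
    r["triangular_return"] = fw.filter(Packet(OTHER_MX, 25, OUR_IP, 51000, syn=True, ack=True))
    # 3. A bot on our machine tries to create matching state by opening a
    #    real outbound port-25 connection first; outbound 25 is still blocked.
    r["bot_outbound_syn"] = fw.filter(Packet(OUR_IP, 51001, OTHER_MX, 25, syn=True))
    r["bot_outbound_return"] = fw.filter(Packet(OTHER_MX, 25, OUR_IP, 51001, syn=True, ack=True))
    # 4. The ISP's own mail server stays reachable.
    r["isp_mx"] = fw.filter(Packet(SONIC_MX, 33000, OUR_IP, 25, syn=True))
    return r


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} {verdict}")
```

A real connection tracker (Linux conntrack, or the state tables in a consumer router) also checks TCP sequence windows and ages entries out; this model keeps only the 4-tuple, which is enough to show why the spoofed return leg has nothing to match while ordinary inbound delivery does.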
by exile » Fri Feb 05, 2016 6:18 pm
kgc wrote:
Bill, there's always the possibility that you could move to a fetchmail setup. There's pros and cons and depending on your needs it may not work. If we ever provide static IP on this service it would be completely unfiltered but this is otherwise being treated as a truly dynamic product.


Oh, so you have dropped plans to offer static IP through VPN? That is extremely disappointing as this is my entire interest in your VPN service.
by ashes » Sat Feb 06, 2016 6:50 pm
@pratik Here's how to set up Tomato...

I'm a Sonic FTTN customer and I want the same level of privacy protection I had under my old Sonic ADSL service. I am VPNing my whole home network to Sonic's VPN server. If the VPN goes down, I want it to fail closed (not to simply route out on AT&T's network).

I am running Tomato (Shibby) on an ASUS RT-AC68U v2; you will want a router, like this one, with a reasonably fast CPU to handle VPN without impacting bandwidth. It is not DMZ'd, since this VPN-only configuration does not double-NAT, the VPN bypassing the U-verse gateway's NAT. I have another router DMZ'd, providing a standard non-VPN NAT to a separate home network.

Step 1)
Log into ovpn.sonic.net; I mean "Login", not "Connect". Note the drop-down menu next to the "Go" button.

You'll see this screen; otherwise you didn't change the drop-down menu to Login in the previous step. Hit the last link, "Yourself (user-locked profile)". It will download a file called client.ovpn; open this in any text editor (e.g. Notepad, TextEdit, etc.). You will need to copy some keys from this file later on.

Step 2)
On your router running Tomato, go to VPN Tunneling->OpenVPN Client. Enter the following settings.
You could replace ovpn.sonic.net with its IP address: 209.148.113.36
Enter your Sonic username/password.

The Exclusive DNS setting ensures that only Sonic's DNS servers are used when VPNing.

Here's where you want to copy-paste those keys from the client.ovpn file. Look for the corresponding <tag> in the client.ovpn file and copy the whole alphanumeric string, including the BEGIN and END lines, excluding the <tag> </tag> lines.

You should at this point be able to hit the "Start Now" button and the VPN will start; you can check it on the status tab or in the log file. If it doesn't establish, check your settings and the log file.

Step 3) (Optional)

In Administration->Scripts->Firewall, adding this will block all home network traffic if the VPN is down.
iptables -I FORWARD -i br0 -o `nvram get wan_iface` -j DROP

In Administration->Scheduler you can set the VPN to automatically restart on schedule or disconnect.
If you need to restart your VPN connection, then enable this. I was using this on the VPN beta server since it timed out OpenVPN connections after 24 hours; supposedly this doesn't happen on the production server (or the beta server anymore). I just switched to production today, so I haven't tested to be sure. Anyhow, if you need it, it's here.

Also, there we can have the VPN auto-reconnect if we lose the connection.
This sets it to try to establish the VPN every minute (at the 40-second mark, due to the "wait 40;"). I offset this by 40 seconds for compatibility with the scheduled force-restart setting above. If your VPN is already established, then this does not disturb the existing link. You can test this yourself by disconnecting the WAN port on your router to force a loss of connection, then watch it re-establish on reconnect.
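A worked example of the copy-the-keys step in the post above, added here and not code from that post or from Sonic: the script below parses an inline OpenVPN client profile into the fields the Tomato OpenVPN Client page asks for (server address and port, protocol, and the CA, client certificate and client key blocks with their BEGIN/END lines but without the <tag> lines), and rejects a block whose BEGIN/END lines were lost in the paste. SAMPLE_OVPN is a constructed stand-in for client.ovpn; its directives and the PEM bodies are assumptions, not the contents of Sonic's real user-locked profile.

```python
"""Parse an inline OpenVPN client profile into the fields Tomato's
OpenVPN Client page asks for.

Added example, not code from the post above or from Sonic. SAMPLE_OVPN is
a constructed stand-in for client.ovpn: its directives and the PEM bodies
are assumptions, not the contents of Sonic's real user-locked profile.
"""
import re

SAMPLE_OVPN = """\
client
dev tun
proto udp
remote ovpn.sonic.net 1194
auth-user-pass
cipher AES-128-CBC
<ca>
-----BEGIN CERTIFICATE-----
MIIBconstructedCAcertificateBody==
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
MIIBconstructedClientCertificateBody==
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
MIIEconstructedClientPrivateKeyBody==
-----END PRIVATE KEY-----
</key>
"""

# <tag>\n...\n</tag> inline blocks; the captured body keeps its BEGIN/END lines.
BLOCK_RE = re.compile(r"<(?P<tag>[\w-]+)>\n(?P<body>.*?)\n</(?P=tag)>", re.S)


def parse_ovpn(text: str) -> dict:
    """Split a profile into plain directives and inline <tag> blocks."""
    inline = {m.group("tag"): m.group("body").strip() for m in BLOCK_RE.finditer(text)}
    directives = {}
    for line in BLOCK_RE.sub("", text).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":       # blank lines and comments
            continue
        word, *args = line.split()
        directives.setdefault(word, []).append(args)   # a directive may repeat (e.g. remote)
    return {"directives": directives, "inline": inline}


def tomato_settings(profile: dict) -> dict:
    """Map the parsed profile onto the Tomato OpenVPN Client fields.

    Raises ValueError when a required block is missing or was pasted
    without its BEGIN/END lines (the mistake the post warns about).
    """
    d, inline = profile["directives"], profile["inline"]
    if "remote" not in d:
        raise ValueError("profile has no 'remote' directive")
    remote = d["remote"][0]
    host = remote[0]
    port = int(remote[1]) if len(remote) > 1 else 1194   # OpenVPN's default port
    proto = d.get("proto", [["udp"]])[0][0]
    for tag in ("ca", "cert", "key"):
        body = inline.get(tag)
        if body is None:
            raise ValueError(f"profile has no <{tag}> block")
        lines = body.splitlines()
        if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
            raise ValueError(f"<{tag}> block is missing its BEGIN/END lines")
    return {
        "server_address": host,
        "server_port": port,
        "protocol": proto,
        "username_password_auth": "auth-user-pass" in d,
        "certificate_authority": inline["ca"],
        "client_certificate": inline["cert"],
        "client_key": inline["key"],
    }


if __name__ == "__main__":
    for field, value in tomato_settings(parse_ovpn(SAMPLE_OVPN)).items():
        print(f"== {field} ==\n{value}")
```

Pasting the output of each PEM field into the matching Tomato box gives the same result as copying by hand, and the BEGIN/END check catches the common failure where only the base64 body was selected. A profile that uses tls-auth or a key-direction directive has one more block to carry over; the parser keeps any extra <tag> block under profile["inline"] for that case.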
by netllama » Sun Feb 07, 2016 11:50 am
@kgc the production server (ovpn.sonic.net) is not working for me at all. I downloaded the new profile, and attempted to use it. However, I keep getting auth failures when attempting to connect using openvpn-2.3.10 from a Linux system:

Feb 07 11:42:21 llamapi2 openvpn[998]: VERIFY OK: depth=0, CN=OpenVPN Server
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 07 11:42:25 llamapi2 openvpn[998]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES128-SHA, 2048 bit RSA
Feb 07 11:42:25 llamapi2 openvpn[998]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.148.113.36:1194
Feb 07 11:42:27 llamapi2 openvpn[998]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Feb 07 11:42:27 llamapi2 openvpn[998]: AUTH: Received control message: AUTH_FAILED
Feb 07 11:42:27 llamapi2 openvpn[998]: SIGTERM[soft,auth-failure] received, process exiting


I'm supplying the same username & password as I'm successfully using for the beta server. The beta service has worked fine for me for many months, and continues to work.

How do I troubleshoot this?
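One way to read a log like the one above, added here as an example and not code from the post or from Sonic: a small classifier that walks the client log for the milestones OpenVPN prints (server certificate verified, data channel keyed, "Peer Connection Initiated", PUSH_REQUEST, AUTH_FAILED) and reports which stage the connection died at. The first log is the one posted above; the TLS-failure and success logs are constructed from standard OpenVPN message text to show the other outcomes.

```python
"""Stage-classify an OpenVPN client log to see where a connection died.

Added example, not code from the post above or from Sonic. NETLLAMA_LOG is
the log posted in the thread; TLS_FAIL_LOG and SUCCESS_LOG are constructed
from standard OpenVPN client messages.
"""
import re

NETLLAMA_LOG = """\
Feb 07 11:42:21 llamapi2 openvpn[998]: VERIFY OK: depth=0, CN=OpenVPN Server
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Encrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Decrypt: Cipher 'AES-128-CBC' initialized with 128 bit key
Feb 07 11:42:25 llamapi2 openvpn[998]: Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Feb 07 11:42:25 llamapi2 openvpn[998]: Control Channel: TLSv1, cipher TLSv1/SSLv3 ECDHE-RSA-AES128-SHA, 2048 bit RSA
Feb 07 11:42:25 llamapi2 openvpn[998]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.148.113.36:1194
Feb 07 11:42:27 llamapi2 openvpn[998]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Feb 07 11:42:27 llamapi2 openvpn[998]: AUTH: Received control message: AUTH_FAILED
Feb 07 11:42:27 llamapi2 openvpn[998]: SIGTERM[soft,auth-failure] received, process exiting
"""

# Constructed: a client whose profile carries the wrong CA.
TLS_FAIL_LOG = """\
Feb 07 12:00:01 host openvpn[1]: VERIFY ERROR: depth=1, error=self signed certificate in certificate chain
Feb 07 12:00:01 host openvpn[1]: TLS Error: TLS object -> incoming plaintext read error
Feb 07 12:00:01 host openvpn[1]: TLS Error: TLS handshake failed
"""

# Constructed: a client that connected.
SUCCESS_LOG = """\
Feb 07 12:05:01 host openvpn[1]: VERIFY OK: depth=0, CN=OpenVPN Server
Feb 07 12:05:01 host openvpn[1]: [OpenVPN Server] Peer Connection Initiated with [AF_INET]209.148.113.36:1194
Feb 07 12:05:03 host openvpn[1]: SENT CONTROL [OpenVPN Server]: 'PUSH_REQUEST' (status=1)
Feb 07 12:05:03 host openvpn[1]: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1'
Feb 07 12:05:03 host openvpn[1]: Initialization Sequence Completed
"""

# Milestones in the order OpenVPN reaches them.
MARKERS = [
    ("verify_ok", re.compile(r"VERIFY OK: depth=0")),
    ("verify_error", re.compile(r"VERIFY ERROR")),
    ("tls_error", re.compile(r"TLS Error:")),
    ("data_channel_keyed", re.compile(r"Data Channel (Encrypt|Decrypt): Cipher")),
    ("peer_initiated", re.compile(r"Peer Connection Initiated")),
    ("push_request", re.compile(r"SENT CONTROL .*'PUSH_REQUEST'")),
    ("push_reply", re.compile(r"PUSH: Received control message: 'PUSH_REPLY")),
    ("auth_failed", re.compile(r"AUTH: Received control message: AUTH_FAILED")),
    ("init_complete", re.compile(r"Initialization Sequence Completed")),
]


def diagnose(log: str) -> dict:
    """Return the milestones seen (in order) and a verdict on where it failed."""
    seen = []
    for line in log.splitlines():
        for name, rx in MARKERS:
            if rx.search(line) and name not in seen:
                seen.append(name)
    if "auth_failed" in seen and "peer_initiated" in seen:
        verdict = "credentials_rejected"
        advice = ("TLS handshake completed (server certificate verified, data channel keyed), "
                  "so the CA/cert blocks in the profile are fine. The server then rejected the "
                  "login it was given: re-check the username/password passed via auth-user-pass, "
                  "and that this account is enabled for this server.")
    elif "tls_error" in seen or "verify_error" in seen:
        verdict = "tls_failure"
        advice = ("Failed before authentication: the CA, certificate or key in the profile does "
                  "not match the server, or a clock/expiry problem broke verification.")
    elif "init_complete" in seen:
        verdict = "connected"
        advice = "Tunnel came up; look elsewhere (routing, DNS, firewall) for the problem."
    else:
        verdict = "inconclusive"
        advice = "Log ends before any milestone; raise the client's verb level and retry."
    return {"milestones": seen, "verdict": verdict, "advice": advice}


if __name__ == "__main__":
    for label, log in (("posted log", NETLLAMA_LOG), ("tls failure", TLS_FAIL_LOG), ("success", SUCCESS_LOG)):
        d = diagnose(log)
        print(f"{label}: {d['verdict']} after {' -> '.join(d['milestones'])}\n  {d['advice']}")
```

The point the classifier makes about the posted log: AUTH_FAILED arrives after "Peer Connection Initiated", so the TLS layer (and therefore the CA and client certificate from the downloaded profile) is not the problem; the server's own user/password check is what said no.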