MAIB over an OVPN tunnel


#1

I have a pfSense router running on a VPS. I also have a MAIB server running on a different VPS (everything works as expected).

Now, I would like to move the MAIB server to my house and run it in a VM. I was trying to create an OVPN connection from the MAIB VPS to my pfSense server and use that IP address as my MAIB address with port forwarding. (This was for testing.)

This setup did not work for me. I was able to get DNS working with port forward, but the MAIB box complains that a lot of the necessary ports are closed (53, 25, 22, 443, 993 and more). However, I can confirm that the web server that is running on the MAIB is accessible from the internet, and so is the SSH tunnel to the MAIB VPS.
NOTE: I use custom DNS entries as dynamic DNS is a key feature for me.

It looks like the issue is that the MAIB stack is using the wrong gateway for communications. Is there a way I can set up MAIB to use OVPN tunnel as its internet gateway?

This is very helpful for me because, in theory, I can run the server from anywhere as long as I can create an OVPN tunnel to my pfSense VPS. And having the server internal to my network will make things easier for rsync backups. And I would like to pay for 1 VPS instead of the 2 I am paying for now.

The solution of using MAIB as a VPN server is not going to work for me because the pfSense VPS is the server for 4 of my other pfSense site2site connections and I use it as a central hub for traffic routing.


#2

Are you trying to use MIAB over the openvpn tunnel or using openvpn to tunnel outside traffic to it?


#3

I’m trying to use MIAB over OVPN.


#4

You can tell OpenVPN to direct ALL traffic over the VPN. Below are two example configurations. Essentially, the client needs to have “redirect-gateway def1” in its config. Note that on the server, while clients are connected, they won't be able to get internet access without some iptables rules (see bottom).

[client.ovpn]

client
dev tun
proto udp
# THE IP OF THE REMOTE OPENVPN SERVER:
remote ip_address port
resolv-retry infinite
nobind
persist-key
persist-tun
# THE PKCS#12 BUNDLE (CA CERT, CLIENT CERT AND CLIENT KEY):
pkcs12 certificate.p12
remote-cert-tls server  # require a server certificate; ns-cert-type is removed in OpenVPN 2.5+
cipher AES-256-CBC
comp-lzo
redirect-gateway def1 # This is the configuration option you want.
verb 3

[server.ovpn]

port 1194
proto udp
dev tun

dh /etc/openvpn/easy-rsa/keys/dh1024.pem
ca /etc/openvpn/easy-rsa/keys/ca.crt
# ENSURE THE DOMAIN NAME/FILENAME IS CORRECT:
cert /etc/openvpn/easy-rsa/keys/cert.crt
key /etc/openvpn/easy-rsa/keys/cert.key

server 10.5.3.0  255.255.255.0
# PER-CLIENT CONFIG DIRECTORY (e.g. ifconfig-push to give a client a fixed VPN IP):
client-config-dir ccd
route 10.5.3.0 255.255.255.0
ifconfig-pool-persist ipp.txt
cipher AES-256-CBC
comp-lzo
persist-key
persist-tun

status log/openvpn-status.log 5
status-version 2
log-append log/openvpn.log
verb 3  # verbose mode
management localhost port /etc/openvpn/management-password

# ROUTE THE CLIENT'S INTERNET ACCESS THROUGH THIS SERVER:
push "redirect-gateway def1" # This is the option you want
push "route-gateway vpn_server_ip" # And also this: the gateway for pushed routes ("remote-gateway" is not an OpenVPN option)
push "dhcp-option DNS 8.8.8.8"
keepalive 10 60

[IPTABLES rules to forward VPN traffic to Internet]

iptables -I FORWARD -i tun0 -o eth0 -s 10.5.3.0/24 -m conntrack --ctstate NEW -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -o eth0 -s 10.5.3.0/24 -j MASQUERADE

#5

The traffic out is going through the OVPN.

Even with this, the status page shows that a bunch of ports are blocked.

push “remote-gateway vpn_server_ip” is the only option I have not tried. Is this super critical? What does it do exactly?


#6

Take a look at OpenVPN docs: https://openvpn.net/community-resources/how-to/#redirect

Once the internet traffic is doing MIAB -> VPN -> Internet:

You need to set up a NAT rule in IPTABLES on the VPN server so that, say, port 25 (VPN:25) goes to MIAB:25, and so on.


#7

Here is my server config

dev ovpns5
verb 1
dev-type tun
dev-node /dev/tun5
writepid /var/run/openvpn_server5.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp4
cipher AES-256-CBC
auth SHA512
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
client-connect /usr/local/sbin/openvpn.attributes.sh
client-disconnect /usr/local/sbin/openvpn.attributes.sh
learn-address "/usr/local/sbin/openvpn.learn-address.sh x.x.x"
multihome
engine rdrand
tls-server
server 192.168.40.0 255.255.255.0
client-config-dir /var/etc/openvpn-csc/server5
username-as-common-name
plugin /usr/local/lib/openvpn/plugins/openvpn-plugin-auth-script.so /usr/local/sbin/ovpn_auth_verify_async user yyyy= false server5 9797
tls-verify "/usr/local/sbin/ovpn_auth_verify tls 'ZZZZ' 1"
lport 9797
management /var/etc/openvpn/server5.sock unix
max-clients 1
push "redirect-gateway def1"
ca /var/etc/openvpn/server5.ca
cert /var/etc/openvpn/server5.cert
key /var/etc/openvpn/server5.key
dh /etc/dh-parameters.2048
tls-auth /var/etc/openvpn/server5.tls-auth 0
ncp-ciphers AES-128-GCM
topology subnet

Here is my client config

dev tun
persist-tun
persist-key
cipher AES-256-CBC
ncp-ciphers AES-128-GCM
auth SHA512
tls-client
client
resolv-retry infinite
remote vpn.x.x.x 9797 udp
verify-x509-name "OVPN Cloud MailServ" name
auth-user-pass user-pass.txt
remote-cert-tls server

<ca>
-----BEGIN CERTIFICATE-----
## Cert
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
## Cert
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
## cert
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
## key
-----END OpenVPN Static key V1-----
</tls-auth>

#8

Perfect, now you need IPTABLES rules to forward traffic that is INBOUND to the VPN server to the MIAB’s VPN IP ADDRESS.


#9

I have done that too. I can ssh into the mailbox through the VPN server and also get to the admin page. But the status page still shows me that both HTTPS and SSH ports are closed and inaccessible. I am lost.


#10

Ah I see the problem now.

OK. If you can access everything, and everything is still working, I would just ignore those. I suspect the script that is checking those ports is going to the wrong external IP address (which is probably different from the VPN IP).
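One way to do the NAT side on a Linux OpenVPN server, as an added example that is not from this thread or from the Mail-in-a-Box project (the pfSense server in #7 would express the same thing as pf rules in its GUI): it combines the outbound masquerade from #4 with the inbound port forwards asked for in #6 and #8, and adds a hairpin forward for the case #10 suspects, where the box probes its own public address from inside the tunnel. The interface names, the 10.5.3.0/24 pool, the box's fixed address 10.5.3.2 and the public IP 203.0.113.10 are assumptions.

```shell
#!/usr/bin/env bash
# Added example: iptables rules on a Linux OpenVPN server fronting a Mail-in-a-Box
# client. Outbound: masquerade the tunnel subnet. Inbound: forward the mail ports
# from the public address to the box's VPN address. Hairpin: let the box reach its
# own public address through the tunnel (its status checks connect that way).
# All values below are assumptions; override them via the environment.
set -euo pipefail

WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.5.3.0/24}
MIAB_IP=${MIAB_IP:-10.5.3.2}          # fixed VPN address of the box (ifconfig-push in ccd)
PUBLIC_IP=${PUBLIC_IP:-203.0.113.10}  # documentation address standing in for the VPS IP
# Ports the status page flagged in the thread, plus the rest Mail-in-a-Box exposes
MIAB_TCP_PORTS=${MIAB_TCP_PORTS:-"22 25 53 80 443 465 587 993 995 4190"}
MIAB_UDP_PORTS=${MIAB_UDP_PORTS:-"53"}

# Emit the complete rule set, one iptables command per line (needs net.ipv4.ip_forward=1).
miab_rules() {
  # Outbound: VPN subnet -> Internet, source-NATed to the VPS address
  echo "iptables -A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -m conntrack --ctstate NEW -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $VPN_NET -j MASQUERADE"
  local proto ports p
  for proto in tcp udp; do
    [ "$proto" = tcp ] && ports=$MIAB_TCP_PORTS || ports=$MIAB_UDP_PORTS
    for p in $ports; do
      # Inbound from the Internet: PUBLIC_IP:p -> MIAB_IP:p over the tunnel
      echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p $proto --dport $p -j DNAT --to-destination $MIAB_IP:$p"
      # Allow the forwarded connection whether it came from eth0 or from the tunnel itself
      echo "iptables -A FORWARD -o $VPN_IF -d $MIAB_IP -p $proto --dport $p -m conntrack --ctstate NEW -j ACCEPT"
      # Hairpin: a probe from the box to PUBLIC_IP arrives on tun0, not eth0; without
      # this rule it hits the VPS's own (closed) port and the check reports "closed"
      echo "iptables -t nat -A PREROUTING -i $VPN_IF -d $PUBLIC_IP -p $proto --dport $p -j DNAT --to-destination $MIAB_IP:$p"
    done
  done
  # Hairpin replies must return via the VPS, so source-NAT tunnel-to-tunnel traffic too
  echo "iptables -t nat -A POSTROUTING -o $VPN_IF -s $VPN_NET -d $MIAB_IP -j MASQUERADE"
}

# Number of rules that mention a given destination port (sanity check before applying)
rules_for_port() { miab_rules | grep -c -- "--dport $1 "; }

# Dry run by default (prints the rules); pass "apply" as root to install them.
if [ "${1:-}" = apply ]; then
  miab_rules | while read -r cmd; do eval "$cmd"; done
else
  miab_rules
fi
```

Run it without arguments first and compare the printed rules against `iptables-save` before using `apply`; rules are appended, so flush or review an existing ruleset first.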


#11

I tried that too. But the mail delivery fails both in and out of the device (over the public internet). But the IMAP sync works fine.


#12

That’s actually pretty weird. Does local mail work? (internal user <–> internal user)


#13

You are using the OpenVPN server built into pfSense? MIAB is connected as a client? How many subnets on the pfSense router? Are HTTP and SMTP traffic reaching the OpenVPN server firewall rules? Should be easy to check.


#14

I actually just realized, you need a route added to your MIAB server so it knows about the other subnet which your VPN server is on for proper packet management too.


#15

This makes sense.

Can you help me with this? How do I do this?
I do not want to block myself out of the VPS(before I move this home) if the VPN connection fails.


#16

Just add
push "route {LAN SUBNET WHERE VPN SERVER IS AT} 255.255.255.0"

Example: push "route 192.168.1.0 255.255.255.0" (192.168.1.0 stands in as a route to ALL IPs on the subnet, effectively “192.168.1.0/24”)

To your Server’s VPN config.


#17

There is

In my server config. Isn’t this the same as what you asked me to add?

If not, what does Push route do different?


#18

That is the VPN subnet, you need to add your LOCAL LAN subnet using push “route …”


#19

So, here is the current status.

I am still seeing the same errors.

However, all systems are fully functional. IMAP, mail delivery, HTTPS, SSH everything works as expected.

Here is the image for ip route:

