d3athsd00r

Confused about how VPNs work


Here is my setup: I have an Exchange server hosted at my house. AT&T blocks outgoing SMTP (port 25), so I have my Exchange server set up with a VPN that allows port 25. My Exchange server can send email all day with no problem, but it can't receive.


If I try to telnet to my AT&T IP address over port 25 from external while the VPN tunnel is down, I can get through and connect to my Exchange. However, if the tunnel is up, my router won't forward the port 25 traffic to my Exchange server, but if I telnet from internal (192.168.0.x) to my Exchange server, I can connect to SMTP.

Can anyone explain why my router won't forward packets to my Exchange server while the tunnel is up? I've tried to Wireshark it, but my Exchange server doesn't respond with anything; it just drops the SYN, and I can't find any logs on it that say why it dropped the handshake.


Thanks.

Edited by razerfanboi


I'm assuming that you have the port forwarding properly configured in your router configuration settings? What router are you using?


> I'm assuming that you have the port forwarding properly configured in your router configuration settings? What router are you using?

Yeah, I do. It's a D-Link DIR-655. As long as the VPN tunnel isn't up, I can receive email, so I'm pretty confused. I thought it would still listen on the local 192.168.0.x.


There are multiple kinds of VPNs. What kind are you using, and how is it configured? We would need a lot more information to be able to help. Can you post a diagram of your design? Also keep in mind that in Exchange you have to tell it what networks it can send/receive on. For example, if your primary network is 192.168.1.0/24 and your VPN network is 192.168.2.0/24, then both of those have to be configured as allowed send/receive in Exchange.


Sorry, I didn't really know what you would need to help. I'm pretty new to this whole Exchange and VPN thing.

My server is a Windows Server 2012 R2 running Exchange 2013 (IP 192.168.0.242) and sitting behind my D-Link router (192.168.0.1). My network is nothing fancy, so I don't have VLANs or anything like that. It's using a PPTP tunnel from the built-in Windows VPN connector. As I said before, it will accept port 25 connections from internal while the tunnel is up, but if I try to come from external, it won't accept the connection or finish the TCP handshake. I only see the SYN being sent by the host, but the ACK is never sent by the Exchange server. However, it will accept external connections while the tunnel is down. I'm at a loss for what is going on. I can attach a PCAP if you need.

I've looked at all of my receive connectors, and they are as open as I can make them (a terrible security practice), but I'm mainly looking for something that works before I secure it. They are listening on all connections from all IPs.

Here is the output of "Get-ReceiveConnector":

Identity                                Bindings                                Enabled
--------                                --------                                -------
EXCHANGE\Default EXCHANGE               {0.0.0.0:2525, [::]:2525}               True
EXCHANGE\Client Proxy EXCHANGE          {[::]:465, 0.0.0.0:465}                 True
EXCHANGE\Default Frontend EXCHANGE      {[::]:25, 0.0.0.0:25}                   True
EXCHANGE\Outbound Proxy Frontend EXC... {[::]:717, 0.0.0.0:717}                 True
EXCHANGE\Client Frontend EXCHANGE       {[::]:587, 0.0.0.0:587}                 True

Ooooooh, ok... First, the port 25 forwarding will not work on the router when the VPN tunnel is up because that is the purpose of a VPN. A VPN is a private tunnel that traverses other networks between two endpoints. This means that the forwarding would have to take place at the other endpoint of the tunnel. I know you mentioned it is PPTP, but what is it tunneling to? Is it tunneling to another office/home, an online VPN service, etc.? On another note, a PPTP VPN is not an ideal choice for this setup; may I ask why you chose it?


So I was thinking the same thing about the tunnel and port forwarding not working, but what confused me is that it will accept local connections from my desktop, 192.168.0.205, directly to the Exchange server, 192.168.0.242. But it won't accept anything forwarded by the router (externally routable IPs) to the Exchange server.

The VPN tunnel is to Torguard. They have opened up port 25 outbound on one of the VPN servers so I can use it to send email, and I was trying to use my standard AT&T IP address as my receiving IP address.


I chose PPTP because that is what is built into Windows and doesn't require any extra software to connect. Torguard also has L2TP and OpenVPN, but from what I can tell, Windows only supports PPTP without extra software.

> So I was thinking the same thing about the tunnel and port forwarding not working, but what confused me is that it will accept local connections from my desktop, 192.168.0.205, directly to the Exchange server, 192.168.0.242. But it won't accept anything forwarded by the router (externally routable IPs) to the Exchange server.

Because local connections are, well, "local". The forwarding has to be applied to the traffic traversing the VPN tunnel.

> The VPN tunnel is to Torguard. They have opened up port 25 outbound on one of the VPN servers so I can use it to send email, and I was trying to use my standard AT&T IP address as my receiving IP address.

Your public domain MX record would then need to point to Torguard so that it can then be forwarded across the VPN tunnel (see above).

> I chose PPTP because that is what is built into Windows and doesn't require any extra software to connect. Torguard also has L2TP and OpenVPN, but from what I can tell, Windows only supports PPTP without extra software.

For something like this I wouldn't recommend any software-based VPN, honestly.

Without a diagram and configs of everything involved there isn't a lot of advice I can give. With what I gather so far, though, if this scenario is your only option, then it might be best to configure it so that incoming is on your local network and just use the VPN tunnel for outgoing.

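Added editor's note and example; this is not part of the thread and not the poster's or the replier's code. The symptom described above is the asymmetric return path of a Windows VPN client, not something the D-Link or Exchange is doing. The Get-ReceiveConnector output shows the Default Frontend connector bound to 0.0.0.0:25, and the router evidently still forwards the SYN to 192.168.0.242 (it appears in the capture). What changes when the tunnel comes up is the server's routing table: the built-in Windows VPN client defaults to "Use default gateway on remote network", which installs a default route on the PPP interface with a lower metric than the LAN default route. The SYN-ACK addressed to the external tester is therefore sent into the tunnel, exits Torguard's NAT with Torguard's address, and the tester never sees a reply from the AT&T address it connected to, so the handshake stalls; a capture on the LAN adapter sees only the SYN. Connections from 192.168.0.205 keep working because 192.168.0.0/24 is on-link and never consults the default route. The PowerShell below, run elevated on the Exchange host (the NetTCPIP and VpnClient cmdlets used exist on Windows Server 2012 R2), confirms that and switches the connection to split tunneling so only chosen destinations use the tunnel. The connection name 'Torguard', the tester address 198.51.100.10 and the prefix 203.0.113.0/24 are placeholders from the documentation ranges, not values from the thread.

```powershell
# Added diagnostic/remediation example for the asymmetric-return-path problem
# discussed in this thread (editor's example, not the poster's configuration).
# Assumptions: the PPTP connection is named 'Torguard'; 198.51.100.10 stands in
# for the external host running the telnet test; 203.0.113.0/24 stands in for
# the Torguard server range. Run in an elevated PowerShell on the Exchange host.

$VpnName  = 'Torguard'
$TesterIp = '198.51.100.10'

# 1. With the tunnel up there are two default routes. The one with the lower
#    metric (normally the PPP interface) is used for replies to the Internet.
Get-NetRoute -DestinationPrefix '0.0.0.0/0' |
    Sort-Object RouteMetric |
    Format-Table InterfaceAlias, NextHop, RouteMetric, InterfaceMetric -AutoSize

# 2. Ask the stack which interface it would use to answer the external tester.
#    If this is the PPP interface rather than the LAN adapter, the SYN-ACK for
#    an inbound port-25 connection leaves via the tunnel and the client never
#    sees a reply from the AT&T address it connected to.
Find-NetRoute -RemoteIPAddress $TesterIp |
    Format-List InterfaceAlias, IPAddress, DestinationPrefix, NextHop

# 3. Confirm the connection is using the remote gateway (SplitTunneling = False
#    is the Windows default). Add -AllUserConnection to the VpnConnection
#    cmdlets if the connection was created for all users rather than the
#    current account.
Get-VpnConnection -Name $VpnName |
    Format-List Name, TunnelType, SplitTunneling, ServerAddress

# 4. Remedy: split tunneling. The tunnel then stops being the default route, so
#    replies to Internet hosts go back out the AT&T link and inbound 25 works
#    again with the existing port forward.
Set-VpnConnection -Name $VpnName -SplitTunneling $true

# 5. Send traffic into the tunnel by destination prefix. Windows has no
#    per-port policy routing, so this pins destinations, not "all port 25".
Add-VpnConnectionRoute -ConnectionName $VpnName -DestinationPrefix '203.0.113.0/24'

# 6. Re-dial so the new settings take effect, then verify the reply path.
rasdial $VpnName /DISCONNECT
rasdial $VpnName
Find-NetRoute -RemoteIPAddress $TesterIp | Format-List InterfaceAlias, NextHop

# 7. The real test is from outside, on another Windows machine:
#    Test-NetConnection -ComputerName <AT&T public address> -Port 25
```

The trade-off is the one the last reply hints at: with split tunneling, inbound mail arrives on the AT&T address again, but outbound SMTP to arbitrary MX hosts also leaves via AT&T and is blocked, because only the prefixes added with Add-VpnConnectionRoute go through the tunnel. The "receive locally, send via the tunnel" shape therefore only works if outbound mail is pinned to a fixed relay address that is routed into the tunnel; whether Torguard offers such a relay is not stated in the thread. Separately from the routing question, PPTP authenticates with MS-CHAPv2 and derives its MPPE keys from it, and both are recoverable from a captured handshake, so the tunnel should be treated as providing no confidentiality for the mail it carries.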
