Forward smtp packets via VPN

I am not sure whether this has been asked previously, but my aim is to forward smtp packets (port 25) via openvpn tunnel as the outgoing connection to smtp servers. I know that redirect_local_def1 might solve the problem, but my aim is to redirect only smtp traffic.

You need to do Policy Based Routing and you have 3 options:

  1. mwan3 package
  2. pbr package
  3. a set of rules/routes for each internet connection.

@trendy can you make a config rule with sport 25 in uci instead of an ip source?

It is tricky, but yes you can.
Mark on firewall packets from port 25, then make uci ip rule with that marking.


I have not been very successful with fwmark and source port, so I just use the ip rule with sport, but I use it via a custom pbr rule.
But I have been looking into whether this was possible with uci, and it does not accept something like list option 'sport xxx'.

But I am going off topic, sorry.

We have requested to include s/dport in uci rules, so that might help you.


Let me describe it more precisely. The problem is the outgoing connection headed towards any server's port 25. This is being filtered after wan. But I do have a site-to-site vpn connection where I would like to route the outgoing connection. So far the rules in Luci and the prerouting rule in nftables have not been successful. The connection has a destination port of 25 and a single IP address as the source. When I use forwarding, the destination IP needs to be provided. I do have experience with mwan, but that would mean reconfiguring the complete router with an uncertain result. Is it possible to have a rule with nftables that incorporates the destination port and source IP address and then forwards the packets to the OpenVPN server?

You could try @trendy's solution no. 3.

something like (for dev use your vpn tunnel interface I just use tun1 as example):
ip route add default dev tun1 table 200
ip rule add sport 25 table 200

You can make the latter more restrictive by adding an IP address from the server or only in-interface e.g.
ip rule add iif br-lan sport 25 table 200
ip rule add from 192.168.1.12/32 sport 25 table 200


So the right commands were slightly modified and these are working:

ip route add default dev tun1 table 200
ip rule add dport 25 table 200

I had to modify the outgoing rule from sport to dport, since the port 25 was the destination port.

Are these rules persistent after reboot?


Great to hear it works, unfortunately those are not persistent.

Not sure what the best place is to add the rules.
Maybe just adding those to the startup command via LuCi would work?

I would personally add the rules to the up) command of the openvpn hotplug script but that is probably a bit overdone.

For the sake of completeness I am putting the two scripts for the hotplug event:

root@OpenWrt:~# cat /etc/hotplug.d/iface/99-ifuptun1 
[ "$ACTION" = "ifup" -a "$INTERFACE" = "tun1" ] && {
ip route add default dev tun1 table 200
ip rule add dport 25 table 200
}

root@OpenWrt:~# cat /etc/hotplug.d/iface/99-ifdowntun1 
[ "$ACTION" = "ifdown" -a "$INTERFACE" = "tun1" ] && {
ip route del default dev tun1 table 200
ip rule del dport 25 table 200
}

Gonna test it later.


I am not 100% sure if it works, as the OpenVPN interface is made on the fly by the openvpn software.
Let's wait and see.

Alternatively you can add a script to up and down in the openvpn config

You were right, the correct script is:

root@OpenWrt:~# cat /etc/openvpn/ovpn-connected.sh
#!/bin/sh
ip route add default dev tun1 table 200
ip rule add dport 25 table 200

And the additional line in the openvpn config is:

option up '/etc/openvpn/ovpn-connected.sh'

Great :+1:
The up scripts have the benefit that they can use the openvpn environment variables (which you do not need in this case) e.g. gateway of WAN and OpenVPN, pushed DNS servers etc.

For the record, OpenWRT uses a very sophisticated cascade of scripts to incorporate their own hotplug actions into the OpenVPN --up, --down, --route-up, --route-pre-down and --ipchange (only client) events.
In the end /etc/hotplug.d/openvpn/01-user is executed:

# Wrap user defined scripts on up/down events
case "$ACTION" in
	up) command=$user_up ;;
	down) command=$user_down ;;
	*) command= ;;
esac

The command=$user_up is what executes the script you have set with the up event in the OpenVPN config file; you could also have altered the 01-user script with, e.g.:

# Wrap user defined scripts on up/down events
case "$ACTION" in
	up) 
		ip route add default dev tun1 table 200
		ip rule add dport 25 table 200
		command=$user_up ;;
	down) 
		ip rule del dport 25 table 200
		ip route flush table 200
		command=$user_down ;;
	*) command= ;;
esac

Note that --route-up, --route-pre-down and --ipchange are missing in this 01-user script; I recently have made a pull request to add this.
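As an added example (not code from this thread, nor from the OpenWrt or OpenVPN projects), here is a single script that can be set as both the OpenVPN up and down script and that covers the two weak points discussed above: the plain "ip rule add" / "ip route add" pair is not idempotent (a reconnect piles up duplicate rules and the add fails), and when the tunnel goes down its route disappears while the rule stays, so port-25 traffic silently falls through to the main table and leaves via WAN. It assumes the thread's tun1 / table 200 / dport 25 values, a kernel and iproute2 new enough to support the dport selector in ip rule, and it uses the script_type and dev environment variables that OpenVPN exports to --up/--down scripts. IP_CMD, TABLE, DPORT and RULE_PREF are names chosen for this example.

```shell
#!/bin/sh
# Added example: OpenVPN --up/--down handler that steers outbound SMTP (dport 25)
# into the tunnel with policy routing. Assumed values: tun1, table 200, port 25.
# OpenVPN exports script_type (up/down) and dev (tunnel device) to this script.

TABLE="${TABLE:-200}"
DPORT="${DPORT:-25}"
RULE_PREF="${RULE_PREF:-1000}"
IP_CMD="${IP_CMD:-ip}"   # set IP_CMD=echo for a dry run that only prints the commands

# Install the fallback, the tunnel route and the rule. Safe to run repeatedly:
# "route replace" is idempotent and a stale rule from a previous connection is
# deleted before the new one is added, so reconnects do not accumulate rules.
pbr_up() {
    dev="$1" table="$2" dport="$3" pref="$4"
    # Fail-closed fallback (higher metric): if tun1 vanishes, the kernel drops the
    # device route and this entry remains, so port-25 traffic is rejected rather
    # than leaking out via the main table and WAN.
    $IP_CMD route replace unreachable default table "$table" metric 1000 || return 1
    $IP_CMD route replace default dev "$dev" table "$table" || return 1
    $IP_CMD rule del dport "$dport" table "$table" pref "$pref" 2>/dev/null || true
    $IP_CMD rule add dport "$dport" table "$table" pref "$pref"
}

# Remove the rule and empty the table so normal routing applies again.
pbr_down() {
    table="$1" dport="$2" pref="$3"
    $IP_CMD rule del dport "$dport" table "$table" pref "$pref" 2>/dev/null || true
    $IP_CMD route flush table "$table"
}

case "${script_type:-}" in
    up)   pbr_up "${dev:-tun1}" "$TABLE" "$DPORT" "$RULE_PREF" ;;
    down) pbr_down "$TABLE" "$DPORT" "$RULE_PREF" ;;
    *)    ;;   # run by hand or sourced: do nothing
esac
```

Point both `option up` and `option down` at this file in the OpenVPN config and keep `script-security 2` (needed for any external script). The explicit `pref` makes the rule's position in the rule list deterministic, which matters once other policy-routing rules (mwan3, pbr) are present; check the result with `ip rule show` and `ip route show table 200`.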
