E-mail routing over VPN

I'm sitting at a T-Mobile hotspot, and for the second time in a week
it's causing me no end of trouble with e-mail.  Apparently, as an "anti-
spam" measure, T-Mobile intercepts all SMTP traffic, no matter what
server you're trying to use, and shoves it through its own SMTP relay
server.  Problem is, T-Mobile's SMTP relay server has been on a major
spam block list for weeks!  So, anything sent through it vanishes into
the ether, never to be seen again.

I have a working VPN connection between my laptop (running SoftNet
Remote) and my home office (using a Linksys BEFVP41).  Works great - I
can see all the local systems at home, access the printer there,
retrieve files from my servers, everything you'd want.  

My mail servers are hosted externally, not on my home office network.

What I'd like to do is route my inbound (POP) & outbound (SMTP) mail
over the VPN (POP also because the SMTP servers "authenticate" by seeing
a connection to the incoming box first).  But I'm having trouble with
the configuration ... ROUTE PRINT isn't showing me any sort of gateway
or interface associated with the VPN (so, no idea how the VPN is
successfully routing traffic but it is!), and any ROUTE ADD attempts I
make tell me that "the interface index is wrong or the gateway doesn't
lie on the same network as the interface".  

How can I specify that I want all traffic to 38.118.142.x to go through
my VPN instead of directly over the T-Mobile internet connection?

Thanks!

-- Chris
              ________*________ Chris Barnabo, chris@spagnet.com
____________  \\_______________/ http://www.spagnet.com
\\__________/      / /
     __\\ \\_______/ /__         "The heck with the Prime Directive,
     \\_______________/(-        let's destroy something!"

Re: E-mail routing over VPN
Chris Barnabo wrote:


What kind of VPN software do you use that allows split tunneling in the
first place?

Good VPN software routes *all* traffic through the VPN tunnel without
you having to configure anything!


--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Re: E-mail routing over VPN

Hello Martin,

I'm using SafeNet's SoftRemote VPN product.  It allows you to specify
which range of IP addresses should be directed down the VPN path,
everything else goes down the direct pipe to the internet provider.  

When I was working at IBM the SINE and AT&T MTS remote access products
did a similar split, directing only the IBM internal traffic down the
VPN path and leaving everything else on the internet path - otherwise
the internet traffic simply congested the internal network (in through
the VPN, then back out through the SOCKS servers ...)

As it happens, I've resolved the immediate problem by pumping the POP
and SMTP traffic through OpenSSH to a server at home, and I may even
tear down the VPN entirely in favor of SSH at some point - but I'm still
curious how to set up the split tunnel properly.

-- Chris
              ________*________ Chris Barnabo, chris@spagnet.com
____________  \\_______________/ http://www.spagnet.com
\\__________/      / /
     __\\ \\_______/ /__         "The heck with the Prime Directive,
     \\_______________/(-        let's destroy something!"

Re: E-mail routing over VPN
Chris Barnabo wrote:

How in this case do you prevent malicious software downloaded from the
internet from infecting the corporate network through the VPN?



--
Martin Bodenstedt

(www.die-bodenstedts.de / www.maboko.de)

Re: E-mail routing over VPN

Bear in mind that I'm a VPN user, not a network engineer ... :-)

I can't speak for SafeNet's capabilities in this regard, but the other
products I've used that provide for split tunneling are supposed to
block any routing of traffic from the internet pipe to the VPN pipe (and
vice-versa).  Of course, that only works presuming that the person at
the keyboard isn't trying to actively subvert it, but then if they were
planning to do that you're already exposed by virtue of them having
access to the network at all.

The VPN network would also be exposed to the possibility of malware
infection through the connected machine - someone could pick up bad code
down the internet path that turns around and tries to connect down the
VPN path.  But that risk could also exist if the user were solely
connected to the VPN - e.g. the user could surf to a site which installs
malicious code by going through the VPN and out through that network's
proxy servers, etc.  A clear case where defense in depth is needed -
reliable code on the user workstation to prevent infections, AND
reliable mechanisms within the VPN network to defend against problems.  
Too many folks think that the firewall is going to protect their
internal network, only to have it compromised when they plug an infected
machine into it from the inside.
 
-- Chris
              ________*________ Chris Barnabo, chris@spagnet.com
____________  \\_______________/ http://www.spagnet.com
\\__________/      / /
     __\\ \\_______/ /__         "The heck with the Prime Directive,
     \\_______________/(-        let's destroy something!"

Re: E-mail routing over VPN
Martin Bodenstedt wrote:
I think you mean "Inflexible" rather than "Good" here. There are times
when sending everything over the vpn is the right thing to do, but in
many cases you are trying to access a remote system, not use some remote
site as your one and only connection.

OpenVPN allows specification of the routing it provides, as an example.
It allows multiple offices to connect seamlessly while not pushing
outside traffic over the vpn and then out a single WAN pipe to the net
in general. At least with Linux I have the ability to put firewall rules
in place on each vpn, to provide the level of access needed.

--
   CTO TMR Associates, Inc
   Doing interesting things with small computers since 1979

Re: E-mail routing over VPN
If you are doing split-tunnel, normally you can specify how to route
things out. If you don't have a route for it, then it defaults to your
gateway.

What's the platform you are using?
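
Added example, not part of any post in this thread: a small Python model of the split-tunnel route choice discussed above, showing why traffic to 38.118.142.x leaves by the hotspot until that range is added to the tunnelled networks. The home LAN range, the sample host addresses and the path names "vpn" and "hotspot" are constructed for illustration.

```python
import ipaddress

# Constructed sample values: only 38.118.142.x appears in the thread.
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home office LAN
MAIL_NET = ipaddress.ip_network("38.118.142.0/24")  # mail servers from the question
DEFAULT = ipaddress.ip_network("0.0.0.0/0")         # default route via the hotspot


def build_table(tunnelled_networks):
    """Split-tunnel table: listed networks use the VPN, the rest the hotspot."""
    table = [(DEFAULT, "hotspot")]
    table += [(net, "vpn") for net in tunnelled_networks]
    return table


def select_path(table, destination):
    """Longest-prefix match, the rule an IP stack uses to pick a route."""
    addr = ipaddress.ip_address(destination)
    matches = [(net, path) for net, path in table if addr in net]
    _, path = max(matches, key=lambda m: m[0].prefixlen)
    return path


def leaks(table, must_tunnel):
    """Networks that are meant to be tunnelled but would bypass the VPN.

    Spot-checks the first and last address of each network.
    """
    exposed = []
    for net in must_tunnel:
        ends = (net.network_address, net.broadcast_address)
        if any(select_path(table, str(a)) != "vpn" for a in ends):
            exposed.append(net)
    return exposed


if __name__ == "__main__":
    before = build_table([HOME_LAN])            # policy as described in the thread
    after = build_table([HOME_LAN, MAIL_NET])   # mail range added to the policy
    for name, table in (("before", before), ("after", after)):
        # 38.118.142.10 and 192.168.1.20 are constructed host addresses
        print(name, "mail ->", select_path(table, "38.118.142.10"),
              "| printer ->", select_path(table, "192.168.1.20"),
              "| not tunnelled:", [str(n) for n in leaks(table, [MAIL_NET])])
```

Sending an external range into the tunnel only helps if the far end of the VPN forwards that traffic back out to the internet.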



