Can't send emails when in VPN (PIA)

[Smokin_Joe]

Hi
I used yorgi's instructions to setup PIA client on my RT-AC88U and it runs great.
Thank You yorgi..
Problem is when trying to send emails it can take a number of tries, from any of the devices accessing the internet, to successfully send an email.
I use Thunderbird and my hotmail is set for IMAP Mail Server.
I have no issues emailing, when I turn the VPN off.
For example if I am connected to a Seattle PIA server I can send an email after many attempts.
If I am connected to a Toronto server or a Vancouver server I often cannot send an email ...period...no matter how many attempts.
Currently the Seattle PIA server is having speed issues so...
Is there something I should be doing to my router settings for to correct this issue?
Is there something I should have done differently?
Joe

 

[Martineau]

Problem is when trying to send emails it can take a number of tries, from any of the devices accessing the internet, to successfully send an email.

I have no issues emailing, when I turn the VPN off.

Many ISPs do not allow access to their email servers from a different network.

If you know all of the IP addresses for your ISP's email server(s), you can add them to the VPN Client config as destination 'WAN' entries.

Alternatively, if your email client uses a specific port then it may be simpler (more reliable?) to implement Selective Port routing using the script technique Force secure email port via WAN when using VPN

 

[Smokin_Joe]

Hi Martineau
First thing I should point out is I am in over my head on this...lol
Sorry but true.
I did do a search looking for "email" etc in the SNB forums and did find many hits.
I focused on the VPN section since that is what I am working with.
Thank You for replying.
From your link I found the following instruction(s) that I am assuming would be added to the "custom configuration".
Replacing the 465 number with the port numbers for the two email programs, I use.
Since I don't understand the details of the lines themselves and am not prolific enough to comprehend all that it is doing...
Is there anything else in these lines I need to tailor or modify?
Joe
PS...my vpn setup is tunneling with UDP..
Again...I know ...nothing


iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --dport 465 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 465 -j MARK --set-mark 0x7000/0x7000

 

[Martineau]

From your link I found the following instruction(s) that I am assuming would be added to the "custom configuration"

No

Sadly it is not possible to simply use the GUI, a custom 'User Script' see Wiki/documentation for Asuswrt-merlin is required to implement the rules to bypass the VPN for the email client

Replacing the 465 number with the port numbers for the two email programs, I use.
Is there anything else in these lines I need to tailor or modify?

If port 465 is not used by your two email programs, then yes the port will need to be changed.
e.g. the complete script can be created as/jffs/scripts/firewall-start simply by copy'n'paste into the native nano editor on the router, or if using a windows laptop/PC then WinSCP and mini tutorial can be used.

#!/bin/sh

ip rule del fwmark 0x7000/0x7000 2> /dev/null
ip rule add fwmark 0x7000/0x7000 table 254 prio 9990
ip route flush cache

iptables -t mangle -D PREROUTING -i br0 -p tcp -m multiport --dport 465 -j MARK --set-mark 0x7000/0x7000
iptables -t mangle -A PREROUTING -i br0 -p tcp -m multiport --dport 465 -j MARK --set-mark 0x7000/0x7000

EDIT : Changed port to 465 (Hotmail SMTP)for easier copy'n'paste for OP

 

[Smokin_Joe]

Oh Boy...
Thanks Martineau
I will have a look at the rabbit hole later ...

 

[Smokin_Joe]

Many ISPs do not allow access to their email servers from a different network.

If you know all of the IP addresses for your ISP's email server(s), you can add them to the VPN Client config as destination 'WAN' entries.

I looked all over my RT-AC88U, especially in the VPN client I was using, and couldn't find any place to add destination "WAN" entries..

Alternatively, if your email client uses a specific port then it may be simpler (more reliable?) to implement Selective Port routing using the script technique Force secure email port via WAN when using VPN

I did read and try...really try to understand it...got caught in a loop going back to post #9...lol
Where do the "Code" entries go, Martineau?

 

[Smokin_Joe]

Ok Martineau
I found the Administration/system/jffs...switches and I ....
I think this is where "code" goes...lol
Do I format JFFS partition at next boot?
after reboot do I enable JFFS custom scripts and configs or enable it before reboot?
How about the SSH Daemon...leave disabled?
Joe
PS..getting tired.
Read your other posts..
and links...wiki...etc
Installed WinSCP.
I think I am grasping concept on hostname to be used for router...and credentials
Think I now know answers to all 3 questions above.
Stressed ....later
Ignore everything above Martineau..
Just tired...
I successfully logged in to router..
Done for now
I will copy and paste your hard work later
Thank You

 

[RMerlin]

No need to get fancy with scripting. Just create WAN rules under Policy Rules for the IP address of your ISP's SMTP (and Google's if you use GMail, for instance, same for any other provider).

 

[Martineau]

No need to get fancy with scripting. Just create WAN rules under Policy Rules for the IP address of your ISP's SMTP (and Google's if you use GMail, for instance, same for any other provider).

That's what I initially proposed in post #2 (with Selective Port scripting as more reliable alternative) but there has been no feedback for 3 weeks, until today where the OP has posted #6 disclosing his GUI difficulty and subsequent venture into the use of scripts.

 

[Martineau]

I looked all over my RT-AC88U, especially in the VPN client I was using,

and couldn't find any place to add destination "WAN" entries..

On the VPN Client GUI page:

then hit APPLY button at the bottom of the page.

 

[Smokin_Joe]

Getting ready for work...
Sorry to have created a stir
Thank you for the pictures Martineau
Sorry I took so long to get back to it, had to build courage...I guess...lol
As with life lots of other problems/distractions etc.
I promise I will look at it tonight when I get home
Joe

 

[Smokin_Joe]

I have looked at your post Martineau and a couple of things i will need pointers on for when i get home.
1. ip server addresses and
2. under policy rules (I believe that it is currently set to 'all')
If I specify something (correctly), under the rules, it will only affect that group and all other traffic will go through vpn...basically traffic will still default to all...
www.emailquestions.com/threads/what-are-hotmails-outgoing-mail-server-ip-addresses.5062/
Quick Google search revealed this list.
How should I look for hotmail server ip's?
I use thunderbird with a imap setting.
Outgoing server....
smtp-mail.hotmail.com
Joe

 

[Martineau]

Sorry I took so long to get back to it, had to build courage...I guess...lol
As with life lots of other problems/distractions etc.

No problem, real-life priorities should indeed take precedence.

Sadly, contemporary forum netiquette apparently no longer seems to include any obligation to provide (timely) feedback; consequently contributors must be gracious and presume that either their advice/suggestions worked or, to the chagrin or utter exasperation of the OP, simply failed abysmally.

​

www.emailquestions.com/threads/what-are-hotmails-outgoing-mail-server-ip-addresses.5062/

Quick Google search revealed this list.

How should I look for hotmail server ip's?​

Hmm, quite an old (circa 2008) list?

Consult the latest Microsoft documentation or you may obtain (some) of the current IP Addresses in real-time
e.g. issue

nslookup   smtp-mail.outlook.com

Server:    127.0.0.1
Address 1: 127.0.0.1 localhost.localdomain
Name:      smtp-mail.outlook.com

Address 1: 2603:1026:c06:1e::2
Address 2: 52.97.131.114
Address 3: 52.97.131.162
Address 4: 40.100.173.50
Address 5: 52.97.130.2

and the example above retrieved four IPv4 addresses which should be added to the GUI.

Hotmail   0.0.0.0  52.97.131.114  WAN
Hotmail   0.0.0.0  52.97.131.162  WAN
Hotmail   0.0.0.0  40.100.173.50  WAN
Hotmail   0.0.0.0  52.97.130.2    WAN

(NOTE: You can issue the nslookup command several times and note any new IPv4 additions)

2. under policy rules (I believe that it is currently set to 'all')

If I specify something (correctly), under the rules, it will only affect that group and all other traffic will go through vpn...basically traffic will still default to all...​

As you originally specified "Redirect Internet traffic=ALL", having changed to 'Redirect Internet traffic=Strict" to enable selective routing, you will need to explicitly add the following two entries to the GUI

Router 192.168.1.1      0.0.0.0   VPN
LAN    192.168.1.0/24   0.0.0.0   VPN

Hopefully you will understand the downside of using the GUI method, i.e. the responsibility will be on you to manually ensure that your list of target SMTP servers for 'smtp-mail.outlook.com' remains valid, whereas using the Selective Port Routing method (a single static iptables tag-marking rule), you don't have to worry about Microsoft removing/adding IPv4 addresses, as they will be correctly resolved by DNS and the single iptables rule simply redirects all mail traffic using the appropriate port for your SMTP server (25 or 465) to the WAN.

So before changing your current VPN set-up I suggest you simply copy and paste the three 'ip' commands from post #4 into the command window, then do the same for the two 'iptables' commands substituting 587 with 465 to see if the two '-I' commands solves your issue.

 

[Smokin_Joe]

Thank you Martineau
I will attempt to apply your instructions tonight.

 

[Smokin_Joe]

Hopefully you will understand the downside of using the GUI method,

I do..

whereas using the Selective Port Routing method (a single static iptables tag-marking rule), you don't have to worry about Microsoft removing/adding IPv4 addresses, as they will be correctly resolved by DNS and the single iptables rule simply redirects all mail traffic using the appropriate port for your SMTP server (25 or 465) to the WAN.

So before changing your current VPN set-up I suggest you simply copy and paste the three 'ip' commands from post #4 into the command window, then do the same for the two 'iptables' commands substituting 587 with 465 to see if the two '-I' commands solves your issue.

I am currently trying to understand where this particular command window is located...
I am familiar with the old school dos command window but I don't know where the one you are referring to is located.
I will be rereading your links trying to find it
I think I have found it...
Command in WinSCP...Terminal window...
But I am unsure as to the exact directory to use
/jiffs/scripts/...these folders exist...but/firewall-start...doesn't
Martineau I don't know where the nano editor on the router is located either..
Sorry for being such a putze...lol
Getting called away for supper but I am still workin on this for a bit yet..
Thank you for your patience Martineau..
I opened the terminal window and it says I am in jiffs/scripts so I was correct in my assumption.
I will wait for your further input.
Thanks again
Joe
PS...bed time
Well I am in trouble now...no joke...the vpn won't work anymore and I don't think I did anything to it...
Screwed
...I must have created CA file in Winscp...
From the log file
Jun 11 22:31:41 rc_service: httpd 560:notify_rc start_vpnclient3
Jun 11 22:31:43 openvpn[4053]: Options error: You must define CA file (--ca) or CA path (--capath)
Jun 11 22:31:43 openvpn[4053]: Use --help for more information.
I have done enough damage for one day
Bedtime...Definitely in the rabbit hole now...lol
Well all the certificates have disappeared....I will fix it tomorrow night.
Not the end of the world...don't know what I did to delete them though
Later
https://www.snbforums.com/threads/h...outbound-connections.38086/page-3#post-314828

 

[Smokin_Joe]

I am guessing that "format jffs partition at boot" option, erased the certificates. I thought it was required to create an area for the use of scripts.
I will get the vpn working again, hopefully and open the Winscp and see what I find...i am at work and won't be able to respond in timely manner.
Sorry for all the melodrama...lol

 

[Martineau]

I am currently trying to understand where this particular command window is located...
I am familiar with the old school dos command window but I don't know where the one you are referring to is located

To open a command prompt on the router use an SSH-capable client such as PuTTY, Xshell5 or MobaXterm etc. using the same method to establish a WinSCP connection.
(You can indeed open a command prompt using the WinSCP Terminal (CTRL+T) or if you have PuTTY installed (CTL+P), but you cannot run any full screen/interactive scripts/commands such as amtm/nano etc.)

I am unsure as to the exact directory to use
/jiffs/scripts/...these folders exist...but/firewall-start...doesn't

As per the wiki post #4, most custom scripts and config files reside in /jffs/scripts and /jffs/configs respectively.
NOTE: firewall-start is a script not a directory, and by default both /jffs/scripts and /jffs/configs will be empty
To use the router's native nano editor to create/edit say script /jffs/scripts/firewall-start
e.g.

cd /jffs/scripts
nano firewall-start

The 'nano' editor (and its horrible little cousin 'vi') are lacking in contemporary user friendly GUI features hence WinSCP's internal editor and/or 'notepad++' are preferred/recommended.

Well I am in trouble now...no joke...the vpn won't work anymore and I don't think I did anything to it

Well clearly I didn't ...all I suggested was that you open a command prompt and, as a test, simply copy'n'paste in the five commands before committing to using nano/WinSCP in order to ensure the scripted commands will be executed each time the router reboots (or the WAN restarts)

Screwed...I must have created CA file in Winscp...
From the log file
Jun 11 22:31:41 rc_service: httpd 560:notify_rc start_vpnclient3
Jun 11 22:31:43 openvpn[4053]: Options error: You must define CA file (--ca) or CA path (--capath)
Jun 11 22:31:43 openvpn[4053]: Use --help for more information.
I have done enough damage for one day

PEBKAC ?!

 

[Martineau]

I have done enough damage for one day​

Sorry for all the melodrama...lol

I am guessing that "format jffs partition at boot" option, erased the certificates.

Indeed, that would explain a lot! as I was extremely puzzled by your assumption that WinSCP was somehow surreptitiously creating certificates!

Yes, /jffs/ now holds important (if not critical) system information, although it rarely requires the 'nuclear option', but as you have found out the hard way, it is very useful to perform a full /jffs/ backup using the GUI option

on a regular basis, especially before a firmware update to preserve your scripts/configs (although you should use WinSCP to simply drag'n'drop files from the router to your laptop frequently during an editing session - just in case!)

So I guess the GUI method was dropped; simply in favour of you gaining scripting experience?

P.S. It really shouldn't be this difficult

 

[Smokin_Joe]

PEBKAC yep similar to a 10Tid error...

 

[Smokin_Joe]

Oh My Open Vpn router is working as it should.
I replaced the certificate authority(s) and it is working as before.
I also think I accidentally installed the certificate on my windows 10 machine as well ...
Anyone know how to undo that? When I click on the link it says "This Certificate is already installed as a certificate authority." with an OK key...doh!
I think I am taking the night off...might hide for a couple of days...I will try not to
Thanks Martineau...I will give it another try...just not tonight.
Probably just login with the winscp and copy and paste your commands...
I'll be back...