Jan 10, 2011
 
OpenVPN Setup

My provider YahooBB!, who otherwise does a good job, blocks outgoing SMTP (25/tcp) traffic. That is generally a good thing since it limits spam sent by infected home PCs, but you cannot opt out even if you know what you are doing, have no infected PCs, and need to send out email.

Sending out emails via an email client is no issue of course. But sendmail/postfix/etc. need a relay, and the YahooBB! relay only accepts emails with its own email address. I don’t even use that one.

Well, there is always a technical solution for a technical problem. In this case: my virtual server in Germany. That one can send out emails just fine, so all I need to do is let it relay my emails from home. I just need a VPN connection from home to that machine.

I had wanted to do this many times before anyway, so time to do it now.

One problem I did not expect: the virtual server I use runs on OpenVZ (or something similar), which does not provide a tap interface for bridging. So I need to use tun (which luckily exists), i.e. a tunnel with point-to-point or, more generally, routed access. Searching Google for a reasonably simple example of a network-to-client connection, it turned out not to be that easy, and my router, which runs OpenWRT, needs the OpenVPN package first. So I built a new flash image…and lost Internet access completely. The router simply did not respond anymore. It can be de-bricked via TFTP, but given the limited time I have, there was no time for that, so I replaced it with a spare router which already had the OpenVPN package installed. Configuring the router part was simple. Wireless performance sucked though, and in the system log I found a lot of messages like:

ath: DMA failed to stop in 10 ms


causing packet loss of about 15% overall. So I ordered those. With the laggard Internet connection I had for the time being, I figured out that OpenWRT does not make it easy to create a network-to-client VPN. Never having done this before (I used OpenSWAN a long time ago, but apparently too long ago to remember much of it) did not help either.

So in the end I used a point-to-point tunnel from my virtual server in Germany to my file server at home.

It turned out to be surprisingly simple with the really nice instructions I found here. The example is for CentOS and I use Debian, but that’s easy to fix. Small fixes on the script side were needed. For my and everyone’s benefit, here are my instructions, which lean heavily on the ones from John Malkowski from vpsnoc.com.

# Quick and dirty OpenVPN install script
# Tested on Centos 5.x 32bit, openvz minimal CentOS OS templates
# Please submit feedback and questions at [email protected]
# John Malkowski vpsnoc.com 01/04/2010
# Adjusted and used as an example for Debian by Harald Kubota 2011-01-09

# Public IP address of the VPN server (the address the clients connect to)
ip="the.ip.address.on.the.server"

aptitude install openvpn

cd /etc/openvpn/

# Debian ships easy-rsa with the OpenVPN docs; copy it next to the config
cp -R /usr/share/doc/openvpn/examples/easy-rsa/ /etc/openvpn/
cd /etc/openvpn/easy-rsa/2.0/
chmod +rwx *

# Edit vars here (KEY_COUNTRY, KEY_ORG, ...). I like emacs.

emacs vars

. ./vars
./clean-all
echo -e "\n\n\n\n\n\n\n" | ./build-ca   # accept the defaults taken from vars
./build-key-server server
./build-dh
cp keys/{ca.crt,ca.key,server.crt,server.key,dh1024.pem} /etc/openvpn/

# Repeat for every client, you can choose more meaningful names too

for i in client1 client2 client3 ; do

./build-key $i
cd keys/

client="
# client $i
log /tmp/openvpn.log
verb 3
client
remote $ip 1194
dev tun
comp-lzo
ca ca.crt
cert $i.crt
key $i.key
route-delay 2
# route-method is documented for Windows only; not needed on Linux clients
#route-method exe
#redirect-gateway def1
#dhcp-option DNS 10.8.0.1"

# Debian's init script starts every *.conf found in /etc/openvpn,
# so the file name only needs to end in .conf
echo "$client" > $HOSTNAME.conf

# Only the CA certificate and the client's own cert/key go to the client.
# ca.key stays on the server: whoever holds it can sign certificates
# the server will accept.
tar czf $i-keys.tgz ca.crt $i.crt $i.key $HOSTNAME.conf
mv $i-keys.tgz /root

# back to easy-rsa/2.0 so ./build-key works for the next client
cd ..

done

opvpn='
log /tmp/openvpn.log
verb 3
dev tun
# the server takes 10.8.0.1, clients get addresses from the rest of the pool
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
push "route 10.8.0.0 255.255.255.0"
#push "redirect-gateway"
comp-lzo
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
group nogroup
daemon'

echo "$opvpn" > /etc/openvpn/openvpn.conf

# Enable IP forwarding (only needed once clients should reach anything beyond the server itself)
echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o venet0 -j MASQUERADE
#iptables-save > /etc/sysconfig/iptables
#sed -i 's/eth0/venet0/g' /etc/sysconfig/iptables # dirty vz fix for iptables-save
#echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf

/etc/init.d/openvpn start


That was the server part. For the client, copy the (e.g.) client1-keys.tgz package and extract it into /etc/openvpn/ on the client.
A simple /etc/init.d/openvpn start will then initiate the VPN connection.
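Before a bundle like client1-keys.tgz leaves the server, it is worth checking what is inside it. The following shell snippet is an added example, not part of the original post or of the vpsnoc.com script: it lists the members of a bundle built the way the loop above builds them and refuses the bundle if the CA private key (ca.key) or the server key is inside, or if the client's own certificate or key is missing. The tarballs it inspects are constructed in a scratch directory from placeholder files, so it runs without any real key material.

```shell
#!/bin/sh
# Added example (not from the original post or the vpsnoc.com script):
# audit a client key bundle before it is copied to a client.
# Assumes only a POSIX shell, tar, grep and mktemp.

# Print the member names of a .tgz bundle, one per line.
bundle_members() {
    tar tzf "$1"
}

# check_client_bundle BUNDLE CLIENTNAME
# Returns 0 if the bundle is safe to hand out, 1 otherwise.
# A client needs ca.crt plus its own CLIENTNAME.crt and CLIENTNAME.key.
# It must never receive ca.key (the CA private key signs every certificate
# the server trusts) or server.key.
check_client_bundle() {
    bundle="$1"
    name="$2"
    bad=0
    for member in $(bundle_members "$bundle"); do
        case "$member" in
            ca.key|server.key|*/ca.key|*/server.key)
                echo "REFUSE: $bundle contains private key $member" >&2
                bad=1 ;;
        esac
    done
    for required in ca.crt "$name.crt" "$name.key"; do
        if ! bundle_members "$bundle" | grep -qx "$required"; then
            echo "REFUSE: $bundle is missing $required" >&2
            bad=1
        fi
    done
    return $bad
}

# Constructed demo data: placeholder files standing in for real key
# material, packed into two bundles in a scratch directory.
demo_dir=$(mktemp -d)
cd "$demo_dir" || exit 1
for f in ca.crt ca.key client1.crt client1.csr client1.key client1.conf; do
    echo "placeholder for $f (constructed, not a real key)" > "$f"
done
# a bundle with ca.key in it, as the loop originally posted would produce
tar czf leaky.tgz ca.crt ca.key client1.crt client1.csr client1.key client1.conf
# a bundle with only what the client actually needs
tar czf clean.tgz ca.crt client1.crt client1.key client1.conf

for b in leaky.tgz clean.tgz; do
    if check_client_bundle "$b" client1; then
        echo "$b: OK to copy to the client"
    else
        echo "$b: do NOT copy to the client"
    fi
done
```

On the real server the same check is `check_client_bundle /root/client1-keys.tgz client1`; run it once per client before the tarball is copied anywhere.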

Note that the default gateway is not changed. This is a strict P2P connection; default traffic will not be redirected. If you want to redirect all traffic through the VPN server, un-comment the redirect-gateway related lines. You will most likely have to set up NAT on the VPN server too. Since this is not needed in my case, I leave this as an exercise for the reader.
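To confirm that the tunnel really is the strict point-to-point link described here, look at the client's routing table once the connection is up: the VPN subnet should be reachable through the tun device, and the default route should still point at the home router. The following shell snippet is an added example, not from the original post: it runs exactly that check over the output of `ip route`, on two constructed routing tables, one as it should look for this setup and one as it looks after redirect-gateway def1 has inserted the 0.0.0.0/1 and 128.0.0.0/1 routes over the tunnel. The interface names and addresses in the samples are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original post): verify from `ip route`
# output that the VPN is a strict point-to-point link. Assumes only a
# POSIX shell and grep; the routing tables below are constructed samples.

vpn_net="10.8.0.0/24"   # the subnet handed out by "server 10.8.0.0 255.255.255.0"

# Reads a routing table (the output of `ip route`) on stdin.
# Returns 0 if $vpn_net is routed via a tun device and no route that covers
# the whole address space (default, 0.0.0.0/1, 128.0.0.0/1) is.
routes_are_p2p() {
    table=$(cat)
    # the VPN subnet must be reachable through tunN
    echo "$table" | grep -q "^$vpn_net .*dev tun[0-9]" || return 1
    # redirect-gateway def1 adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel;
    # a plain redirect-gateway replaces the default route instead
    if echo "$table" | grep -E '^(default|0\.0\.0\.0/1|128\.0\.0\.0/1) ' \
                     | grep -q 'dev tun[0-9]'; then
        return 1
    fi
    return 0
}

# Convenience wrapper for a table held in a variable: check_p2p "$table"
check_p2p() {
    printf '%s\n' "$1" | routes_are_p2p
}

# Constructed: routing table of the home client for the config above
# (net30 addressing: the client is 10.8.0.6, its tunnel peer 10.8.0.5).
p2p_table='default via 192.168.1.1 dev eth0
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
10.8.0.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.10'

# Constructed: the same client after un-commenting "redirect-gateway def1"
redirected_table='0.0.0.0/1 via 10.8.0.5 dev tun0
128.0.0.0/1 via 10.8.0.5 dev tun0
default via 192.168.1.1 dev eth0
10.8.0.5 dev tun0  proto kernel  scope link  src 10.8.0.6
10.8.0.0/24 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.10'

if check_p2p "$p2p_table"; then
    echo "p2p_table: strict point-to-point, default gateway untouched"
fi
if ! check_p2p "$redirected_table"; then
    echo "redirected_table: all traffic is being sent through the tunnel"
fi
```

On the real client, `ip route | routes_are_p2p && echo ok` runs the same check against the live table.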