OpenVpn weird error with SMPT25 port

Hi, Im newbie by the way. I have this weird error where I configured the openvpn of our IPFIRE, well it works really well even without any rules. Our small company have on Premise Exchange Server. I first, created a rule .
Source: Red Desti.NAT: Automatic Destination: 192.168.201.3(ip of the exchange server) protocol:tcp Desti_port:443. Well it is fine as well. I can connect openvpn and can also use the outlook mail through web browser anywhere. But as soon As I created the rule for SMTP25, as below rule settings:
Source: RED NAT:Desti.NAT:Auto Destination:192.168.201.3 Protocol:Preset Sevices:SMPT

Once everything created and applied, We still able to access the outlook from web browser and now we can also send and receive email using outlook app or thunderbird. But, I cant seem to connect the openVPN.
error:
2022-08-23 10:19:22 MANAGEMENT: >STATE:1661242762,WAIT,
2022-08-23 10:20:23 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
2022-08-23 10:20:23 TLS Error: TLS handshake failed
2022-08-23 10:20:23 SIGUSR1[soft,tls-error] received, process restarting
2022-08-23 10:20:23 MANAGEMENT: >STATE:1661242823,RECONNECTING,tls-error,

If I dissable the Rule where 25port is created, I can connect to vpn but cannot send or receive email using mailApps. It is so weird or maybe I need to create separate rules? I cant seems to understand why. What I am doing right now or my solution at the moment is to disable the rule smtp25 and connect to openvpn and activate rule smt25 and the openVPN will never be disconnected. But this is really bad.

By the way, The router already open the port 25,443 and 1149 so I think no issue with the router. Please somebody help a newbie like me.
sorry for my english.

92.168.201.3 is in which zone? Orange?

EDIT: The OpenVPN logs are from the client side? Is it possible that for some bizarre reason the SMTP rule redirect the OpenVPN traffic to the exchange server?

Hello, Oh, Sorry. Forgot to give some more details.

Our Firewall only have two zones.
Green: 192.168.201.x
Red:192.168.10.x

192.168.201.3 The ip of our Exchange server also in Green.

The OpenVPN logs are from the client side? Is it possible that for some bizarre reason the SMTP rule redirect the OpenVPN traffic to the exchange server?

Yes. its the log from the client side.
I am not pretty sure though. Never encounter like this before. And maybe my networking knowledge cant comprehend whats happening right now. :sob: :sob:

Very strange
Try changing Protocol: 25

Grasping at straws here.

I would ssh to ipfire and issue the following command:

tail -f /var/log/messages

this will show you the logs from the server side in real time (control c to exit). Then, with the smpt25 rule activated you connect with openvpn from one of your clients (from the red side) and see if it is openvpnserver to answer the call on the server side.

If you cannot do it in real time, you can always search the logs with this command:

grep openvpnserver /var/log/messages 

My hypothesis is that when you activate the rule smtp25, the OpenVPN traffic ends up on your exchange server, for some reason I cannot even guess.

I already did. Still the same issue. super strange

OH. Thank you so much, ill try it and give update after.

Aug 23 12:48:03 ipfire kernel: FORWARDFW IN=red0 OUT=green0 MAC=38:f7:cd:c2:16:14:c8:0e:14:14:54:7a:08:00 SRC=x.x.x.x DST=192.168.201.219 LEN=82 TOS=0x00 PREC=0x00 TTL=121 ID=42119 PROTO=UDP SPT=62295 DPT=1194 LEN=62
Aug 23 12:48:05 ipfire kernel: DROP_INPUT IN=red0 OUT= MAC=01:00:5e:00:00:01:c8:0e:14:14:54:7a:08:00 SRC=192.168.10.1 DST=224.0.0.1 LEN=36 TOS=0x00 PREC=0xC0 TTL=1 ID=60200 DF PROTO=2
Aug 23 12:48:05 ipfire kernel: DNAT IN=red0 OUT= MAC=38:f7:cd:c2:16:14:c8:0e:14:14:54:7a:08:00 SRC=120.31.229.100 DST=192.168.10.216 LEN=52 TOS=0x02 PREC=0x00 TTL=113 ID=5139 DF PROTO=TCP SPT=35545 DPT=25 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0
Aug 23 12:48:05 ipfire kernel: FORWARDFW IN=red0 OUT=green0 MAC=38:f7:cd:c2:16:14:c8:0e:14:14:54:7a:08:00 SRC=120.31.229.100 DST=192.168.201.219 LEN=52 TOS=0x02 PREC=0x00 TTL=112 ID=5139 DF PROTO=TCP SPT=35545 DPT=25 WINDOW=8192 RES=0x00 CWR ECE SYN URGP=0

Is this enough info? My mistake, The exchange ip is 192.168.201.219 not 192.168.201.3(not assign atm). Im sorry.

The packets destined to port 1194 are dropped, while there is traffic coming from x.x.229.100 (you should obscure that address by editing your message) in NAT toward your exchange server. Are they from the same source? Do you have any rule activated in the firewall that could justify those packets dropped?

Oh thanks, For some reason that x.x.229.100 I donno where it came from though. Its not even our public address of client or the server. Anyway, These are the rules I created until now. The 3rd one, I created it so I can use anydesk incase Icant connect to vpn.

What is the second rule?

I did not notice that the destination of the port 1194 (openvpn) goes to your exchange IP address, as I suspected. That’s why is dropped. Possibly, rule number 2 is the reason.

Oh. I just created that just now. Just for an experiment. Even if I delete that 2nd rule, still the 25 and 1194 cant just co exist in our firewall. :sob: :sob: :sob: :sob: :sob:

You should check again the kernel logs without that rule.

What happened if you change rule 2 and 4
To source any.
Perhaps a firewall rule to allow vpn traffic to any port 25

Edit:

Oh thanks, For some reason that x.x.229.100 I donno where it came from though. Its not even our public address of client or the server.

IP address is recognized as e-mail attacker

@bent0t

  1. How is the Internet <–> RED connection implemented ?
  2. Is RED’s IP address from your ISP’s subnet ?
  3. What is the subnet of the OpenVPN connection?
  4. Please draw what your network and Internet connection looks like.
    edit
  5. Are you sure you want to use port 25 for SMTP?