Posted: Fri Mar 03, 2023 4:13 Post subject: [SOLVED] WireGuard & NordVPN Email
After many hours of stuffing around and reading everything I could find on the internet, special mention to user DSVF (https://gist.github.com/bluewalk/7b3db071c488c82c604baf76a42eaad3?permalink_comment_id=4189557#gistcomment-4189557), I was successful in extracting my information from NordVPN so I could set up WireGuard via the GUI on my DD-WRT router, an R7000 (latest version, r51855).
Everything seems to be working fast compared to my OpenVPN connection using the same server. Now the problem... I have 5 email accounts; 4 out of 5 work fine, but my primary email address is not downloading or sending any emails. The error I get is "cannot connect to the server".
With OpenVPN all email accounts were working fine. I contacted my internet provider and everything at their end seems to be fine, i.e. no ports are blocked. I contacted NordVPN and the same: everything seemed to be fine at their end too (I had to be careful, as they don't support WireGuard on routers).
If I use my Android phone with the NordVPN app with NordLynx, my email accounts work. Whilst on the VPN I tried to ping my mail server, which is mail.internode.on.net, and I get a timed-out reply. Is there any kind of routing I can do within the GUI that can bypass the VPN for my mail server? Any information that can help would be great. I don't want to go back to OpenVPN after seeing the speed improvements WireGuard has provided.
Yes, there are a few ways you can do what you are asking.
I have not tried this one, but if it works it could be the easiest: in the tunnel settings page, use "Destination Routing" and "route selected by vpn", and in there specify the IP address of the mail server with the "NOT" notation, i.e. !x.x.x.x, meaning all addresses other than that one go via the VPN.
Another way is by using iptables commands with "-d x.x.x.x" and then routing that via your regular WAN, as opposed to the VPN tunnel. Then you also need "Destination Routing" set to "default routes" in the tunnel settings.
That said, maybe the original problem can be fixed rather than bypassed. Does your mail server use unusual ports for SMTP or IMAP? And maybe you are routing those ports, or the mail server IP address, explicitly? I would check that first.
In Destination routing you can add the IP address of the mail server and then select "route via WAN".
For your original problem it might be MTU related, so try lowering the MTU (the setting is on the WireGuard interface!).
Start with 1280, and if it does not work try even lower.
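The iptables route suggested above, written out as a POSIX shell script you could paste into the router's firewall script. This is an added example, not code from anyone in this thread or from DD-WRT itself. It assumes a WAN interface name and gateway that you pass in (the values in the comments are placeholders), and it picks fwmark 0x20 and routing table 20 arbitrarily; check with `ip rule` and `iptables -t mangle -L -n` that neither collides with what the firmware and the tunnel already use. The script prints the commands instead of applying them so they can be reviewed first; the GUI "Destination Routing" option does the same job without any of this.

```sh
#!/bin/sh
# Added example (not from the thread): send traffic for one destination
# around a WireGuard tunnel on DD-WRT by marking it in iptables and routing
# marked packets through a separate table whose default route is the WAN.
#
# Placeholders/assumptions:
#   - WAN interface and gateway are passed as arguments (e.g. eth0, 198.51.100.1).
#   - fwmark 0x20 and table 20 are chosen here and must be free on your router.

# Normalise a destination to CIDR. A bare IPv4 address gets /32, which is
# the "one address only" form shb describes. Hostnames are rejected: this
# script does not resolve names, so resolve mail.example.net yourself first.
to_cidr() {
    case "$1" in
        */*) cidr="$1" ;;
        *)   cidr="$1/32" ;;
    esac
    # Shape check only: a.b.c.d/0-32. Octet range is not validated.
    echo "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$' || return 1
    printf '%s\n' "$cidr"
}

# Print the commands that route $1 (IP or CIDR) via the WAN.
# $2 = WAN interface, $3 = WAN gateway.
# Review the output, then pipe it into sh on the router.
bypass_cmds() {
    dest=$(to_cidr "$1") || { echo "bad destination: $1" >&2; return 1; }
    wan_if="$2"
    wan_gw="$3"
    mark=0x20
    table=20
    cat <<EOF
# table $table: default route out the WAN, bypassing the tunnel's default route
ip route replace default via $wan_gw dev $wan_if table $table
# packets carrying fwmark $mark consult table $table before the main table
ip rule add fwmark $mark table $table priority 100
# mark LAN traffic destined for the mail server (adjust -i br0 if your LAN bridge differs)
iptables -t mangle -A PREROUTING -i br0 -d $dest -j MARK --set-mark $mark
# make sure bypassed traffic is still NATed behind the WAN address
iptables -t nat -A POSTROUTING -o $wan_if -d $dest -j MASQUERADE
ip route flush cache
EOF
}

# Usage: bypass_cmds 192.0.2.10 eth0 198.51.100.1
# (192.0.2.10 / 198.51.100.1 are documentation addresses standing in for the
# real mail server and WAN gateway.)
```

Verify the result with `ip route get 192.0.2.10 mark 0x20` on the router; it should name the WAN interface, not the wg interface. Remember that "Destination Routing" in the tunnel settings must be left at "default routes" for this to apply, as noted in the post above.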
I've read the sticky several times. I did try the PBR and entered the IP of the mail server, but it made no difference. I tried the IP address and also the domain mail.internode.on.net. In saying that, I don't even get a ping reply with the VPN disconnected, so maybe my provider is doing something else.
I even tried giving ports 993 and 465 WAN access, which made no difference; that was a long shot because my other accounts use these ports and they work. I will try lowering the MTU as suggested.
It's driving me nuts. Thanks for your responses, I appreciate them.
PBR is to define which local addresses use the tunnel, so that is NOT what to use.
"Destination Routing" can be it, but there are multiple ways to configure it. This is for "traffic going to where (destination) should USE the tunnel or use the WAN". There are options; the one that egc pointed out is the one to use: "selected addresses by WAN".
It is HOW you define it. I always use ADDRESS and SUBNET MASK. Forget about "mail.internode.on.net"; that is not an IP address. Use the IP address and then put a "/32" after it, like "x.x.x.x/32". That is CIDR notation specifying ONE address ONLY.
But I agree with egc. I think the original problem can also be fixed. The first step is to find out what is going on with that.
I use multiple WireGuard Nord servers on my router without any email issues. IMAP ports 465, 933 for a few hosted domains, as well as Gmail & Hotmail etc.
FYI, I was unable to get a response back from pinging mail.internode.on.net on my WAN.
_________________
Netgear R7800 PPPoE Main Router
Network IPv4 - Isolated VLANs with IoT Devices. Unifi AC-Pro x 3 APs, Router Wi-Fi Disabled. OVPN Server With Paid Commercial WireGuard Clients. Gateway Mode, DNSMasq, Static Leases & DHCP, Pi-hole DNS & Running Unbound.
No one can build you the bridge on which you, and only you, must cross the river of life!
Joined: 18 Mar 2014 Posts: 12917 Location: Netherlands
Posted: Fri Mar 03, 2023 11:16 Post subject:
shb wrote:
PBR is to define which local addresses use the tunnel, so that is NOT what to use.
"Destination Routing" can be it, but there are multiple ways to configure it. This is for "traffic going to where (destination) should USE the tunnel or use the WAN". There are options; the one that egc pointed out is the one to use: "selected addresses by WAN".
It is HOW you define it. I always use ADDRESS and SUBNET MASK. Forget about "mail.internode.on.net"; that is not an IP address. Use the IP address and then put a "/32" after it, like "x.x.x.x/32". That is CIDR notation specifying ONE address ONLY.
But I agree with egc. I think the original problem can also be fixed. The first step is to find out what is going on with that.
Small addition: recent builds like the one the OP is using can use domain names in the Destination based routing (the domain names are resolved when the tunnel starts).
A subnet mask is not necessary when using an IP address, although users are encouraged to use one. If no subnet mask is specified, /32 is used, and to avoid confusion it is better to use a subnet mask.
So in this case, /32.
Could the MTU cause my Sonos system not to connect? I just realised that it's not connected when on the VPN. I tried using MTU 1412, which made no difference. This could be a little more problematic as these are several single devices all connected together.
EDIT: Looks like it's come online again.
Last edited by crows on Fri Mar 03, 2023 12:13; edited 1 time in total