Fixed IP with VPS and Wireguard or OpenVPN

NethServer Version: 7.9.2009

I have a DSL line with a dynamic IP but want to host an SMTP and other services which need a fixed IP. So I want to use a cheap VPS and install Wireguard or OpenVPN on it and route certain ports (or all traffic) to another red interface of Nethserver.

Anyone tried to realize this and could help?
The wireguard support uses a separate zone? Should I have a separate zone or another red interface?

Why use a VPN connection when you can configure your VPS server as a mailserver?

They might not trust the VPS for hosting their data but instead as a transport mechanism. For example, my RP4 at home cannot accept inbound mail due to my ISP blocking specific ports but I can establish a VPN connection & then route all mail through the VPN.

  1. Because I don’t trust the VPS provider in total. As royceb said: With traffic forwarding I just have to trust them for transport like any other untrusted internet hop. The TLS private key is on my private server and never leaves it. If the key would be on the VPS, it could be stolen by anyone having admin or physical access to the VPS.

  2. Most important: I already have a mail server, i.e. Nethserver. I just have the problem that I have only a dynamic address. Until now I used a POP3 connector but this is not ideal, especially because multidrop POP3 is not supported out of the box by Nethserver and it has several other problems.


Hello Carsten

For another German friend from this Forum I have set up what you want:

A hosted NethServer with static IP.

An OpenVPN connection as RoadWarrior (For Management) with Port 1194 (Standard OpenVPN)

An OpenVPN Site2Site VPN. The Site2Site is ALWAYS initialized from the client side (Due to dynamic IP makes more sense), but also for security reasons. No one at the hoster can initialize any form of VPN to a dynamic IP, especially as the destination changes daily… :slight_smile:

You need to set up a typical NethServer (Over Centos 7 minimal), and do not forget to add a bogus NIC, as “LAN” or endpoint of the VPN. See this, but adapt the IPs and such:[]=dummy

The HowTo works very well, but I adapted a lot as to my requirements…

In your case, your NethServer at your site would init the OpenVPN Site2Site as a Client, the Server is the hosted NethServer.

OpenVPN site2site are never equals, unlike IPsec, where both are equals and both can init a VPN connection… In OpenVPN site2site VPNs, one side is always the server (waiting for a client to connect) and the other side is a Client (initializes the connection).

As additional motivation: The external NethServer has 10 of 10 points when doing a mailcheck! :slight_smile:

On the NethServer, I use users like smtp-client1 for the smarthost function. (Outgoing mails from your local site)
For incoming (From Internet to your local NethServer) there are a few options, most elegant and simplest would be NethServer forwarding mails per Domainname to the specified IP…

TIP: Just forward the ports you need. If you forward all, you’ll just get a lot of unwanted and unneeded traffic, making your internet slower for no real reason. Ports are added easily later, if needed!

Hope this helps

My 2 cents
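
The tip above (forward only the ports you need, with the tunnel always initiated from the dynamic-IP side) sketched for WireGuard on a plain Linux VPS and home server. This is an added example, not part of the thread and not NethServer/Shorewall configuration. The 10.99.0.0/30 tunnel network, the interface name eth0, routing table 100, the port list and all `<...>` placeholders are assumptions.

```ini
# ---- VPS with the fixed IP: /etc/wireguard/wg0.conf (constructed example) ----
[Interface]
Address = 10.99.0.1/30
ListenPort = 51820
PrivateKey = <VPS_PRIVATE_KEY>
PostUp = sysctl -w net.ipv4.ip_forward=1
# DNAT only the mail ports arriving on the public NIC to the home peer.
# No SNAT is applied, so the home mail server still sees the real client IP.
PostUp = iptables -t nat -A PREROUTING -i eth0 -p tcp -m multiport --dports 25,587,993 -j DNAT --to-destination 10.99.0.2
PostUp = iptables -I FORWARD -i eth0 -o wg0 -d 10.99.0.2 -p tcp -m multiport --dports 25,587,993 -j ACCEPT
PostUp = iptables -I FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -t nat -D PREROUTING -i eth0 -p tcp -m multiport --dports 25,587,993 -j DNAT --to-destination 10.99.0.2
PostDown = iptables -D FORWARD -i eth0 -o wg0 -d 10.99.0.2 -p tcp -m multiport --dports 25,587,993 -j ACCEPT
PostDown = iptables -D FORWARD -i wg0 -o eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

[Peer]
PublicKey = <HOME_PUBLIC_KEY>
# Only the home server's tunnel address may appear as a source from this peer.
AllowedIPs = 10.99.0.2/32
# No Endpoint line: the home side has a dynamic IP and always initiates.

# ---- Home server behind DSL: /etc/wireguard/wg0.conf (constructed example) ----
[Interface]
Address = 10.99.0.2/30
PrivateKey = <HOME_PRIVATE_KEY>
# Put the tunnel's routes in table 100 so the DSL default route stays untouched.
Table = 100
# Replies sourced from the tunnel address go back through the tunnel;
# everything else keeps using the DSL line.
PostUp = ip rule add from 10.99.0.2 lookup 100
PostDown = ip rule del from 10.99.0.2 lookup 100

[Peer]
PublicKey = <VPS_PUBLIC_KEY>
Endpoint = <VPS_PUBLIC_IP>:51820
# Forwarded packets keep their Internet source address, so any source
# must be accepted from the VPS peer.
AllowedIPs = 0.0.0.0/0
# Keeps the NAT mapping on the DSL router open so the VPS can always reach us.
PersistentKeepalive = 25
```

Adding a port later means extending the `--dports` list in the VPS rules. The private keys for both tunnel ends stay on their own hosts, and the mail server's TLS key never has to be copied to the VPS.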


Basing the transport of email on the VPN connection, IMVHO, creates a nasty mechanism.

With a small dimension of disk, VPS could be used as POP3S email server by your “domestic” mailserver, which will be the archive of all messages, and when you’ll have issues with your server or connection, will act as relay and postbox for all the mailboxes. When your domestic installation/ISP will be running again, the mailboxes will be drained by getmail.

Also… OpenVPN uses TLS, as do SMTPS, IMAPS and POP3S. Using the proper protocol you’ll have quite the same privacy provided by OpenVPN/Wireguard, without the performance loss. Gaining static IP address (always welcome from Antispam systems), stable connection, UPS and backup… The same things are a bit harder to provide 24/7 on a home setup.

The VPS will act like… hold mail, waiting for your domestic server as customer.

Downside: you have to deal with double userbase… A nice text document can help you to avoid errors :wink:


Just for the record: A static IP in Germany isn’t cheap. And varies a lot depending on region. Sure, in cities like Munich or Frankfurt easily possible, but other towns?..

Also, as a private user, “bridging” the modem is a very difficult issue, because German telecom will only allow the “Bridge” using a specific vLAN. Not all firewalls can handle that.
That’s also a reason OpenVPN is used a lot in Germany, hardly any IPsec…
(You can use a port forward for OpenVPN, but not for IPsec…)
I think they invented “red tape”… :slight_smile:

My 2 cents

Except two, all IPSec tunnels I’ve made are NAT-T and they work as port forward (except clients). You meant that OpenVPN port can be changed or translated?

NAT-T is not a problem, as long as you have a full connection at least on one side.

Usually also entails using “Aggressive Mode”, which is VERY insecure!

See the Wiki article here:

Furthermore, IPsec VPNs using “Aggressive Mode” settings send a hash of the PSK in the clear. This can be and apparently is targeted by the NSA using offline dictionary attacks.

For the sake of quietness I will answer again, but I think we should get back to the topic :wink:
Currently I have only 1 tunnel whose negotiation is aggressive and not main mode :slight_smile:

No, on the contrary:

  1. My solution is much simpler because it is only IP routing instead of a whole email server
  2. None of the SSL-keys nor any email data will be on an external server which I don’t have total control of. So it is also much better in terms of security.
  3. I already have a local email server, there is no reason to have another one.

I’m really sorry, Carsten, but I think that your whole analysis does not stand.

I don’t think that the solution is simpler, because the routing table of your current server (and of the “relay”) is quite to be verified. It involves less software and less “things” to be configured, but the interdependency of every component makes the solution less robust.
Also, if any issue will occur to your local email server, local ISP, tunnel, all the messages directed to you will be lost (or held) by the relays of the senders. There’s an RFC for the amount of time but I don’t think that all mail services will honor 4 days of “on hold”. Also, the latency and the overhead of all the traffic will be present, with all the issues of timeouts.

TLS certificates for email services will be transported anyway through public networks (internet) so this is not that much something you can control. And the tunneling of TLS protocols into a TLS tunnel won’t ease the performance loss. Don’t forget that email messages could be also transported via unencrypted connections.

Bottom line, your local email server is perfectly fine and will be (in my proposal) the “most loyal customer” of your VPS MailServer.
Which will be made up of only userbase, postfix, dovecot, rspamd (always useful), sieve. Only if you want, something like roundcube as “remote client” for double checking and if you use NethServer, Cockpit.

My analysis is not made to disrespect yours, I hope that my evaluations will make you think again about the solution you choose. Maybe it won’t change a bit of what you’ll do for your setup, but I hope that it will help to think from a different perspective for your setup.

I’ll keep myself tuned on the evolutions of your project.

Sorry, I strongly disagree with your analysis. As already explained, I don’t want to host emails on a half-trusted server. Even if you don’t share my analysis (I don’t share yours either :slight_smile: ), I would suggest that we don’t divert in this discussion but try to solve the problem.

There are several other applications, e.g. having a VPN provider to route all internet traffic via this provider for privacy reasons.

I could also use PPTP which is already included in Nethserver to create an internet connection, so I would have to set up a PPTP server on the VPS.

My questions are:

  1. How to declare a OpenVPN or Wireguard interface as red interface in Nethserver?
  2. How to create an OpenVPN or Wireguard service which connects immediately to the VPN to route all internet traffic via this interface?
  3. How to tell Nethserver that certain SMTP traffic has to go via this new VPN-interface with a fixed IP?


Hi Carsten

  1. OpenVPN can be a blue interface IMHO…
  2. I would NOT route ALL traffic through here, only those destined to the Mailserver
    You CAN add a route to another network in NethServer, using the Internal IP of the hosted NethServer
  3. Use the Internal IP of the Hosted NethServer as “Smarthost” on both your internal NethServers. Each NethServer has their own user / password. This makes troubleshooting also easier, if you have problems…

My 2 cents

Yes, that is my intent. My questions are around the front end Nethserver. For SMTP I agree, just the traffic for SMTP, IMAP and POP3 has to go via this interface.

For the other application “privacy” however, the ability to route all traffic via VPN would also be an interesting thing.

The question is now: How to do this?

How to declare an OpenVPN interface as red, orange, blue or black?
How to setup the service?


You CAN use the “hosted” NethServer as a “Global upstream Proxy”.

Your Local Servers would use that server as upstream Proxy.

Might need a bit of tuning, but should work!

This is how using an “Internal” IP helps routing on a Single NIC hosted Neth.
The NIC has a Public IP, not really suitable for a VPN target…
But the Internal IP lets routing be possible, using eg the Internal Network IP or the VPN Network IPs…

Upstream proxy is just for http/https and there is no hosted Nethserver just a simple LXC container.

Squid can run in a LXC…

Those are all totally different problems which I don’t seek solutions for. I don’t want to install ANYTHING on the VPS but only a VPN server. I have a server up, resp. bought a VPN solution with fixed IP from some provider. My ONLY questions are how to connect to it from Nethserver.

I can’t really help here, as I use OPNsense firewalls, and they do have the needed options…
It even has GUI Options for Wireguard…

A LXC would mean you’d need to replicate a lot of routing, this depends on what you’re using there for mail, etc…

Sorry, I misunderstood the question.