Selective VPNing

Posted on 2006-04-13
Last Modified: 2008-02-01
Is it possible for a VPN server to be configured to reroute traffic destined for some port to go out the client's external internet connection instead of the VPN? Here's my predicament - in Outlook and Outlook Express, you can configure it to use the VPN connection, but it can only be configured to use the VPN for everything. I only want Outlook to use the VPN for POP3 and IMAP, but all SMTP still to go out the regular unVPNed internet connection. Another option would be to leave Outlook's configuration to use the regular connection, but have the VPN client intercept port 110 and route that through the VPN. Basically, I'm trying to get all POP3 and IMAP traffic to go through our corporate proxy, but all SMTP traffic still needs to go to the ISP's server without first going through our VPN. Does anyone know how anything like this would be possible? I'm currently attempting this with OpenVPN.

Question by:dancablam
    LVL 3

    Expert Comment

    The easiest way is via DNS/IP range.

    If you set the clients' POP3/IMAP as an internal IP range/DNS name that is only accessible via the VPN, and the outbound SMTP server as the user's ISP's SMTP server, traffic should route as you intend.

    Just to clarify:
    POP3/IMAP --> directly off internal mail server over VPN
    SMTP --> out thru ISP to be routed as normal mail

    LVL 9

    Assisted Solution

    or use a hardware vpn ..00..
    LVL 20

    Assisted Solution

    Assuming your OpenVPN server is allowing "split-tunneling", then j_h_o's suggestion about using the POP3/IMAP servers' internal IPs in your Outlook settings & SMTP via the ISP should work.
    Split-tunneling is the ability for a VPN client to simultaneously access network resources over the VPN tunnel, as well as send unencrypted traffic over their local Internet connection - less secure than locking them into only using the VPN tunnel, but more convenient for some people.

    LVL 2

    Accepted Solution

    In OpenVPN this is a default configuration:

    Extract of the OpenVPN howto manual:

    "Routing all client traffic (including web-traffic) through the VPN
    By default, when an OpenVPN client is active, only network traffic to and from the OpenVPN server site will pass over the VPN. General web browsing, for example, will be accomplished with direct connections that bypass the VPN.

    In certain cases this behavior might not be desirable -- you might want a VPN client to tunnel all network traffic through the VPN, including general internet web browsing. While this type of VPN configuration will exact a performance penalty on the client, it gives the VPN administrator more control over security policies when a client is simultaneously connected to both the public internet and the VPN at the same time."

    Here is the link:

    This is called split DNS; it is less secure, and it is quite obvious why.
    I am a little confused by your description though. You say you want only SMTP to not go via the VPN, and POP3 and IMAP to go via the VPN. Is this correct?

    Can't the proxy act as a relay? How is the corporate access configured? Does it allow SMTP outbound?
    If yes then there is no need to split the traffic and it can all go via the VPN, you just need to configure it this the link on howto achieve this.
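
The answers above rest on one point: the client picks a path by destination address, not by port, so POP3/IMAP follow the tunnel only because the mail server's IP falls inside a route the VPN server pushed. The following is an added example, not code from the thread or from the OpenVPN project; the subnet 192.168.10.0/24, the mail server address and the ISP relay address are constructed, and the model ignores the host route to the VPN server itself.

```python
import ipaddress
import re

# Constructed server-side config lines (assumed internal LAN: 192.168.10.0/24).
SPLIT_TUNNEL = 'push "route 192.168.10.0 255.255.255.0"\n'
FULL_TUNNEL = SPLIT_TUNNEL + 'push "redirect-gateway def1"\n'


def tunnelled_networks(server_conf):
    """Return the networks an OpenVPN client would route into the tunnel."""
    nets = []
    for line in server_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r'push\s+"route\s+(\S+)\s+(\S+)"', line)
        if m:
            nets.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}"))
        elif re.match(r'push\s+"redirect-gateway\b', line):
            # Full tunnel: the default route points into the VPN
            # (def1 achieves this with two /1 routes; modelled here as /0).
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
    return nets


def path_for(dest_ip, nets):
    """Routing looks only at the destination address; the port plays no part."""
    addr = ipaddress.ip_address(dest_ip)
    return "vpn" if any(addr in n for n in nets) else "local"


# Constructed flows: (description, destination IP, destination port)
FLOWS = [
    ("POP3 to internal mail server", "192.168.10.25", 110),
    ("IMAP to internal mail server", "192.168.10.25", 143),
    ("SMTP to ISP relay", "203.0.113.10", 25),
]


def report(server_conf):
    """Map each sample flow to the path it takes under the given config."""
    nets = tunnelled_networks(server_conf)
    return {(ip, port): path_for(ip, nets) for _, ip, port in FLOWS}


if __name__ == "__main__":
    for name, conf in (("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)):
        print(name, report(conf))
```

With the split-tunnel lines only the mail server flows use the VPN; adding `redirect-gateway` sends the ISP SMTP flow through the tunnel as well, which is the case the question wants to avoid.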

