[MlMt] VPN conflicts

Scott mailmate at howyagoin.net
Mon Sep 23 19:08:50 EDT 2019


Hi Peter,


On 24 September 2019, at 0427, Peter Borsella wrote:

> Hello, Shoshanna,
>
> I’ve gone ahead and submitted the whitelisting requests to PIA, but 
> while waiting for that I also ran a quick experiment of simply 
> changing the VPN server, and voila, my email went out!
>
> Thanks again.  More reinforcement is needed, but that’s in progress.


Whilst we're slightly veering off course from MailMate, I will chime in 
here as I went through a similar headache and it might be useful for 
those trawling the archives in the future to have something else to 
check.

From what you've reported, Peter, my sense is that you MAY have 
encountered the same issue I did with PIA, and is part of why I ceased 
using them and will not use them again in the future.

PIA does not route all of your packets via the same path.

The destination port plays a part in the routing decisions that PIA 
makes for which exit-node to send your VPN'd packets through.

What this means in very simple terms is that even if you're connected to 
a PIA endpoint in, say, Ontario, Canada, not all of your network traffic 
will *actually* go through PIA's Ontario locations.

Depending on the destination *port* of the activity you are generating, 
you may find that PIA will route your traffic via Europe or some other 
unexpected destination.

Many of the most popular ports, such as 80 and 443 for web traffic will 
definitely go via the advertised endpoint, but, other ports, including 
those which may be associated with SMTP and IMAP (such as for email), or 
anything running on "non standard" ports, may not be.

I had a very long, and very frustrating, back and forth discussion with 
PIA about this, but, this is a feature of their platform.

From what I gathered, it's also somewhat dependent upon the VPN 
endpoint you may select...in other words, not all endpoints may do this 
destination-port based re-routing of your packets.

Therefore, your disconnecting and reconnecting to another VPN server 
could well fit in with the above.

It was actually using MailMate which helped me figure this out about 
PIA...whilst trying to connect to some private mail servers, and running 
into connectivity and authentication woes, I noticed that the IP address 
of the inbound connection was NOT the IP address of my VPN connection.

If you have your own Internet accessible server, this is pretty trivial 
to test yourself - I just ran a tcpdump on my destination server, and 
from my PIA VPN'd machine, ran a series of nmap sessions, for all ports, 
1-65535, TCP and UDP.

The results were shocking (horrifying for me), with loads of traffic 
being routed via AS43350 (NForce, Netherlands) even though my chosen VPN 
endpoint was on the other side of the world - but, again, it wasn't all 
ports, but certainly a huge number of them.

Anyway, reading your symptoms made me recall this experience with PIA.

Glad you have a working solution and your email is flowing!

Regards,

Scott
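
The check described in the message above (capture on your own server, then see which source IP each destination port arrived from) can be scripted. This is an added example, not part of the original post; it assumes the capture was taken with `tcpdump -nn`, and the function names, addresses and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the IPv4 line format printed by `tcpdump -nn`:
#   HH:MM:SS.us IP src.sport > dst.dport: ...
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
)

def sources_by_port(lines, server_ip):
    """Map destination port -> set of source IPs seen arriving at server_ip."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group("dst") != server_ip:
            continue  # skip the server's replies, IPv6, ARP, unparseable lines
        seen[int(m.group("dport"))].add(m.group("src"))
    return dict(seen)

def rerouted_ports(lines, server_ip, expected_exit_ip):
    """Return {port: sorted unexpected source IPs} for every port whose
    traffic did not arrive from the exit IP the VPN client reported."""
    out = {}
    for port, srcs in sources_by_port(lines, server_ip).items():
        unexpected = srcs - {expected_exit_ip}
        if unexpected:
            out[port] = sorted(unexpected)
    return out

# Constructed sample capture (documentation address ranges, not real data).
# 198.51.100.5 = your server, 203.0.113.10 = the exit IP you expect.
SAMPLE = """\
19:08:50.100001 IP 203.0.113.10.40001 > 198.51.100.5.80: Flags [S], seq 1, win 1024, length 0
19:08:50.100002 IP 198.51.100.5.80 > 203.0.113.10.40001: Flags [S.], seq 9, ack 2, win 65535, length 0
19:08:50.200001 IP 203.0.113.10.40002 > 198.51.100.5.443: Flags [S], seq 1, win 1024, length 0
19:08:50.300001 IP 192.0.2.77.40003 > 198.51.100.5.587: Flags [S], seq 1, win 1024, length 0
19:08:50.400001 IP 192.0.2.77.40004 > 198.51.100.5.993: Flags [S], seq 1, win 1024, length 0
19:08:50.500001 IP 203.0.113.10.40005 > 198.51.100.5.5353: UDP, length 12
""".splitlines()

if __name__ == "__main__":
    hits = rerouted_ports(SAMPLE, "198.51.100.5", "203.0.113.10")
    for port, srcs in sorted(hits.items()):
        print(f"port {port}: arrived from {', '.join(srcs)}")
```

Any port listed in the result reached the server from an address other than the VPN exit you selected; look up that address's AS to see where the traffic actually left the provider's network.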


