Will NAT only be required for the PC connection? For site/subnet routing, why would you need NAT? Just need a return route.

On Jul 8, 2012 9:06 PM, "Pascal Hambourg" <[email protected]> wrote:
> Hello,
>
> Onur Aslan wrote:
> >
> > I want to use my VPN for outgoing port 80 connections in my Debian router.
> >
> > tap0 is my virtual VPN device created by openvpn.
> >
> > Now, I want to use an alternate route for only port 80 outgoing traffic. I create a table and set the default gateway for this table with:
> >
> > # echo 10 alter >> /etc/iproute2/rt_tables
> > # ip route add default via 192.168.4.1 table alter
> >
> > And I create a fwmark and mark OUTPUT requests with:
> >
> > # ip rule add fwmark 0x10 table alter
> > # iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK \
> >     --set-mark 0x10
>
> Looks fine so far.
>
> > In my theory this should work, but it's not working. When I use that I am not able to connect to any website. What am I missing here? What should I add to my alternate routing table to make it work?
>
> In the routing tables, nothing.
>
> 1) You need a SNAT/MASQUERADE iptables rule for traffic going through the VPN so that it goes out with the address assigned to the VPN interface as the source address; otherwise the packets will have the default source address, i.e. the one assigned to the default internet interface.
>
> 2) You may need to disable/soften source validation on the VPN interface (i.e. max(net.ipv4.conf.all.rp_filter,net.ipv4.conf.all.rp_filter)=0 or 2, but not 1) in order to accept return traffic through the VPN.
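The setup the thread describes, with both of Pascal's fixes applied, as an added example (it is not code from either poster). It keeps the thread's values (tap0, 192.168.4.1, mark 0x10) as overridable defaults, uses the numeric table id 10 instead of the named table `alter` so that no rt_tables edit is needed, and the `RUN` variable for dry runs is an assumption of this example:

```shell
#!/bin/sh
# Added example: policy-route locally generated TCP/80 traffic over an
# OpenVPN tap interface, with the two fixes from the thread (MASQUERADE on
# the VPN interface, loose rp_filter). Not the posters' own script.
#
# Assumptions (all overridable through the environment):
#   VPN_IF  the OpenVPN interface (tap0 in the thread)
#   VPN_GW  the next hop inside the VPN (192.168.4.1 in the thread)
#   TABLE   routing table id; a numeric id needs no rt_tables entry
#           (the thread names table 10 "alter"; the name is optional)
#   MARK    the fwmark used to select the table (0x10 in the thread)
#   RUN     set to "echo" to print the commands instead of running them
VPN_IF="${VPN_IF:-tap0}"
VPN_GW="${VPN_GW:-192.168.4.1}"
TABLE="${TABLE:-10}"
MARK="${MARK:-0x10}"
RUN="${RUN:-}"

setup_policy_routing() {
    # Alternate table: default route through the VPN. "replace" makes this
    # idempotent; binding "dev" avoids a lookup in the main table.
    $RUN ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"

    # Select the table by fwmark. Delete any stale copy first so rerunning
    # the script does not stack identical rules.
    $RUN ip rule del fwmark "$MARK" table "$TABLE" 2>/dev/null || true
    $RUN ip rule add fwmark "$MARK" table "$TABLE"

    # Mark locally generated TCP/80 packets (OUTPUT chain, as in the thread).
    # Traffic forwarded from a LAN would need the same rule in PREROUTING.
    $RUN iptables -t mangle -A OUTPUT -p tcp --dport 80 -j MARK --set-mark "$MARK"

    # Fix 1: rewrite the source address to the VPN interface's address;
    # otherwise packets leave tap0 carrying the default interface's address.
    $RUN iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE

    # Fix 2: loose reverse-path filtering on the VPN interface. The kernel
    # uses max(conf.all.rp_filter, conf.<if>.rp_filter), and the values are
    # 0/1/2, so 2 on the interface yields loose mode even if "all" is 1.
    $RUN sysctl -w "net.ipv4.conf.${VPN_IF}.rp_filter=2"
}

# Read-only view of what is in place (always run for real).
show_state() {
    ip rule show
    ip route show table "$TABLE"
    iptables -t mangle -L OUTPUT -n -v
    iptables -t nat -L POSTROUTING -n -v
    sysctl "net.ipv4.conf.${VPN_IF}.rp_filter"
}

case "${1:-}" in
    apply) setup_policy_routing ;;
    show)  show_state ;;
esac
```

Run `sh policy80.sh apply` as root on the router, then `sh policy80.sh show` to confirm the rule, the route in table 10, the MARK and MASQUERADE packet counters and the rp_filter value; `RUN=echo sh policy80.sh apply` prints the commands without touching the system. The OUTPUT rule only marks traffic the router itself originates, which is the distinction the reply above is asking about for forwarded subnets.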

