On 29/05/18 18:41, Yuri Kanivetsky wrote:
> On Tue, May 29, 2018 at 11:09 AM, Antonio Quartulli <a...@unstable.cc> wrote:
>> Hi,
>>
>> On 29/05/18 13:44, Yuri Kanivetsky wrote:
>>
>> [cut]
>>
>>>
>>> These two commands make it work:
>>>
>>> $ ip rule add from srv.eth0.ip table 1
>>> $ ip route add table 1 default via srv.eth0.gw
>>>
>>> More details can be found here:
>>> https://lists.debian.org/debian-user/2018/05/msg00780.html
>>>
>>> Can you explain what's going on here? Thanks in advance.
>>>
>>
>> Once you connect to the VPN and set a default route to the VPN server
>> IP, packets flowing back over the SSH connection do not go over eth0
>> anymore, but they follow the new default route.
>
> From my experience, SSH packets from my local computer reach server's
> eth0, but disappear when kernel makes a routing decision:
> https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg

Yes, they disappear on the way back to the SSH client, when the server decides how to route them back.

[cut]

>
> And why does this not work then?
>
> $ iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 1
> $ iptables -t mangle -A OUTPUT -m connmark --mark 1 -j MARK --set-mark 2
> $ ip rule add fwmark 2 table 3
> $ ip route add table 3 default via srv.eth0.gw

well, this is entirely another topic, but I guess this is not working as you expected and only *some* packets end up being marked with 2.

>
> Are there any other ways I can investigate the issue?
>

what issue are you talking about?
If you want to see the "lost" packets, you can easily use tcpdump on the VPN tunnel while SSH is active and you will see the SSH packets going out that way.

Cheers,

--
Antonio Quartulli
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
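The routing decision discussed in this thread, as an added example that is not part of the original messages: a small Python model of policy-rule lookup showing why SSH replies sourced from the eth0 address follow the VPN default route until the `ip rule add from ... table 1` rule exists. All addresses, the `tun0` next hop and the function names are constructed stand-ins for `srv.eth0.ip`, `srv.eth0.gw` and the poster's setup.

```python
import ipaddress

N = ipaddress.ip_network
SRV_ETH0_IP = "192.0.2.10"   # constructed stand-in for srv.eth0.ip
SRV_ETH0_GW = "192.0.2.1"    # constructed stand-in for srv.eth0.gw
SSH_CLIENT = "198.51.100.7"  # constructed SSH client address
MAIN = "main"

# Routing tables after the VPN is up (assumed: main default now points at tun0).
TABLES = {
    MAIN: [(N("192.0.2.0/24"), "eth0 (direct)"),
           (N("0.0.0.0/0"), "tun0 via 10.8.0.1")],
    1: [(N("0.0.0.0/0"), "eth0 via " + SRV_ETH0_GW)],  # ip route add table 1 default ...
}

# Rules are (priority, source selector or None for "from all", table id).
RULES_BEFORE = [(32766, None, MAIN)]
# ip rule add from srv.eth0.ip table 1 (lands just ahead of the main rule)
RULES_AFTER = [(32765, N(SRV_ETH0_IP + "/32"), 1)] + RULES_BEFORE


def lookup(table, dst):
    """Longest-prefix match of dst in one table; None when nothing matches."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def route(rules, src, dst, tables=TABLES):
    """Walk the rules in priority order; the first table with a route wins."""
    src = ipaddress.ip_address(src)
    for _prio, selector, table_id in sorted(rules, key=lambda r: r[0]):
        if selector is not None and src not in selector:
            continue  # rule does not apply to this source address
        hop = lookup(tables.get(table_id, []), dst)
        if hop is not None:
            return hop
    return None


def ssh_reply_path(rules):
    """Next hop for an SSH reply sent from the eth0 address to the client."""
    return route(rules, SRV_ETH0_IP, SSH_CLIENT)


if __name__ == "__main__":
    print("without rule:", ssh_reply_path(RULES_BEFORE))
    print("with rule:   ", ssh_reply_path(RULES_AFTER))
    print("VPN-sourced: ", route(RULES_AFTER, "10.8.0.2", SSH_CLIENT))
```

On a real host, `ip route get <client> from <srv.eth0.ip>` reports the same decision for the live rule set.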