Re: [Openvpn-users] ipset based police routing not works with openvpn.

2015-10-15 Thread Hongyi Zhao
On Wed, 14 Oct 2015 12:52:19 -0400, Selva Nair wrote:
> To test, keep it simple -- try with just one IP directly specified in
> the rule
>
> # iptables -t mangle -I OUTPUT -d 8.8.8.8/32 -j MARK --set-mark 200
>
> (to work locally this has to be in the OUTPUT chain -- see below)
>
> # ip rule

Re: [Openvpn-users] ipset based police routing not works with openvpn.

2015-10-15 Thread Hongyi Zhao
On Wed, 14 Oct 2015 12:52:19 -0400, Selva Nair wrote:
> The manpage is probably referring to routing of received and forwarded
> packets, not outgoing packets.
>
> As far as I know, PREROUTING chain is traversed by packets coming in
> from the network, not by locally generated packets. So if

Re: [Openvpn-users] ipset based police routing not works with openvpn.

2015-10-15 Thread Selva Nair
On Thu, Oct 15, 2015 at 8:20 AM, Hongyi Zhao wrote:
> 2- With the route in table openvpn:
>
> $ ip route show table openvpn
> default via 10.211.1.34 dev tun-gfwlist
>
> This time the following command will give nothing:
>
>
> $ traceroute 8.8.8.8
> traceroute to 8.8.8.8

Re: [Openvpn-users] ipset based police routing not works with openvpn.

2015-10-14 Thread Selva Nair
On Wed, Oct 14, 2015 at 4:42 AM, Hongyi Zhao wrote:
> On Wed, 14 Oct 2015 02:05:38 -0400, Selva Nair wrote:
>
> > This should work for forwarded packets, but for locally generated
> > traffic you will need to mangle them in the OUTPUT chain.
>
> I've tried with the OUTPUT

Re: [Openvpn-users] ipset based police routing not works with openvpn.

2015-10-14 Thread Selva Nair
On Tue, Oct 13, 2015 at 10:23 PM, Hongyi Zhao wrote:
>
> 2- Using iptables to set the mark value 200 for all of the traffic
> which are destinated to google.com:
>
> $ sudo iptables -t mangle -A PREROUTING -m set --match-set
> openvpn-test dst -j MARK --set-mark 200
>

Re: [Openvpn-users] ipset based police routing not works with openvpn.

2015-10-14 Thread Hongyi Zhao
On Wed, 14 Oct 2015 02:05:38 -0400, Selva Nair wrote:
> This should work for forwarded packets, but for locally generated
> traffic you will need to mangle them in the OUTPUT chain.

I've tried with the OUTPUT chain, but still it failed for me to access google.com via openvpn. The traceroute to

Re: [Openvpn-users] ipset based police routing not works with openvpn.

2015-10-14 Thread Gert Doering
Hi,

On Wed, Oct 14, 2015 at 08:42:08AM +, Hongyi Zhao wrote:
> I've tried with the OUTPUT chain, but still it failed for me to access
> google.com via openvpn.

I think your approach is a bit too complicated - why bother with marking anyway? "ip rule" can apply directly to destination