Jerry Vonau wrote:
> Tom Eastep wrote:
>> Jerry Vonau wrote:
>>
>>> The openvpn tunnel, based on the masq entries, appears to be to
>>> 201.221.xx.xx or 200.40.xx.xx *on the firewall*, that is supported by
>>> the tunnels file entry.
>>>
>>> Based on the masq entries "eth1 10.8.0.0/24 201.221.xx.xx" it appears
>>> that Nico wants to have the traffic from the vpn client to 74.53.205.xxx
>>> appear to come from the fw/vpn-server's 201.221.xx.xx.
>>> address, that would explain the push route in openvpn.
>>>
>>> I think this is what Nico wants:
>>>
>>> from the vpn-client to 74.53.205.xxx:
>>> vpn-client (with host route) -> tunnel -> fw/vpn-server ->
>>> masq to 201.221.xx.xx -> eth1gw -> 74.53.205.xxx
>>>
>>> from 74.53.205.xxx to the vpn-client:
>>> 74.53.205.xxx -> eth1gw -> fw/vpn-server -> de-masq ->
>>> tunnel -> vpn-client
>>>
>>> Nico:
>>>
>>> Could you clarify this for us please.
>>>
>> If that is indeed the case then your tip about the route_rules example in
>> the Multi-ISP doc should solve the problem. The cause of the failure is that
>> return traffic from 74.53.205.xxx is mis-routed.
>>
>
> I agree, but there would be no route in the providers table for tun0. If
> I recall correctly, no route in the ip table, no traffic, otherwise we
> would not have to list the masq lan in the copy column.

Placing tun0 in the COPY column would require that OpenVPN be started before Shorewall; the distributions start Shorewall before OpenVPN. By routing all traffic to the VPN network using the main routing table (using an entry in route_rules), we avoid that dependency.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
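
The routing behaviour discussed in this thread, as an added example that is not part of the original messages or of Shorewall: a small Python model of Linux policy-rule lookup showing a reply to a VPN client leaving via the provider table, and the same packet reaching tun0 once a rule sends the VPN network to the main table. The table contents, fwmark, priorities, the `isp1` name and the sample addresses are constructed assumptions; only 10.8.0.0/24, tun0, eth1 and the use of the main table come from the thread.

```python
import ipaddress

# Constructed model: rules are tried in priority order, and a table with no
# matching route falls through to the next rule. All values are sample data.
VPN_NET = "10.8.0.0/24"

TABLES = {
    # main gets the tun0 route when OpenVPN starts
    "main": [(VPN_NET, "tun0"), ("192.168.1.0/24", "eth0")],
    # provider table populated when Shorewall started, before tun0 existed
    "isp1": [("192.168.1.0/24", "eth0"), ("0.0.0.0/0", "eth1")],
}

# (priority, destination selector or None, fwmark selector or None, table)
BASE_RULES = [
    (10000, None, 1, "isp1"),     # connections marked for the provider
    (32766, None, None, "main"),  # default lookup in main
]
# Assumed effect of a route_rules entry with SOURCE "-", DEST 10.8.0.0/24,
# PROVIDER main and a PRIORITY lower than the fwmark rule (1000 here).
VPN_RULE = (1000, VPN_NET, None, "main")


def lookup(table, dst):
    """Longest-prefix match in one table; None when no route matches."""
    addr = ipaddress.ip_address(dst)
    nets = [(ipaddress.ip_network(n), dev) for n, dev in TABLES[table]]
    hits = [(n, dev) for n, dev in nets if addr in n]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def route(dst, mark, rules):
    """Return (table, device) selected for a packet to dst carrying fwmark."""
    for _prio, dest, fwmark, table in sorted(rules, key=lambda r: r[0]):
        if dest and ipaddress.ip_address(dst) not in ipaddress.ip_network(dest):
            continue
        if fwmark is not None and fwmark != mark:
            continue
        dev = lookup(table, dst)
        if dev:
            return table, dev
    return None, None


if __name__ == "__main__":
    # De-masqueraded reply to a VPN client, provider mark 1 assumed restored
    print("without rule:", route("10.8.0.6", 1, BASE_RULES))
    print("with rule:   ", route("10.8.0.6", 1, BASE_RULES + [VPN_RULE]))
```

Because the added rule matches on destination only, marked traffic to other destinations still uses the provider table.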
