Jerry Vonau wrote:

> It's not the "to the VPN network" that will be the issue, it's the "from
> the vpn network to the net" that will be the issue.
>
> If you don't use the copy column at all, traffic flows, but you end up
> with the "martian issue" and other strangeness.

If you don't route filter traffic from tun*, there shouldn't be any problems.

> If you don't list your "to be masq'd interfaces" in the copy column no
> traffic flows from the "to be masq'd" to the net.
>
> Sounds like a catch-22 to me, unless you have the openvpn init script add
> that route to the provider's table.

I currently include 'tun*' in my COPY column but I didn't always. I have a requirement similar to Nico's in that some sites at my ISP can only be accessed when the SOURCE IP is owned by the ISP. The first time that I tried routing one of those sites through OpenVPN it didn't work; a few minutes with tcpdump showed me that traffic was leaving my system OK but return packets were being routed back out to the net interface rather than through the OpenVPN tunnel. Adding the route rule solved the problem without adding tun0 to the COPY column.

Note: Although I only have one Internet connection, I use a Multi-ISP configuration so that I exercise that part of Shorewall on my own setup.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,        \ http://shorewall.net
Washington USA    \ [EMAIL PROTECTED]
PGP Public Key    \ https://lists.shorewall.net/teastep.pgp.key
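The behaviour Tom describes (packets for a destination that the main table knows is behind tun0 still leaving via the net interface, and either of the two fixes curing it) comes down to how Linux policy routing picks a table. The following is an added example, not code from the original post or from Shorewall: a small model of "ip rule" plus per-table "ip route" lookup. It assumes a constructed topology (eth0 as the ISP link with address 203.0.113.5, tun0 as the OpenVPN tunnel, an ISP-only site at 198.51.100.10), a provider table named "net" built the way Shorewall's COPY column is understood here (main-table routes are copied only for the provider interface and any interfaces listed in COPY), and a source-address rule of the kind Shorewall installs for a tracked provider. The exact rule Tom added is not on the page; the example uses a destination-based route rule that consults the main table ahead of the provider table, which is one way to get the same result.

```python
# Added example (not from the original post or from Shorewall): a model of
# Linux policy routing ("ip rule" + per-table "ip route") showing why a packet
# can leave via the net interface even though the main table routes the
# destination through tun0, and the two fixes discussed in the thread.
# All addresses, interface names and table names below are constructed.
import ipaddress


class PolicyRouter:
    """Minimal model of the kernel's rule-then-table lookup."""

    def __init__(self):
        self.tables = {}   # table name -> list of (network, device)
        self.rules = []    # list of (priority, src_net|None, dst_net|None, table)

    def add_route(self, table, prefix, dev):
        self.tables.setdefault(table, []).append((ipaddress.ip_network(prefix), dev))

    def add_rule(self, prio, table, src=None, dst=None):
        src = ipaddress.ip_network(src) if src else None
        dst = ipaddress.ip_network(dst) if dst else None
        self.rules.append((prio, src, dst, table))
        self.rules.sort(key=lambda r: r[0])   # lowest priority value is consulted first

    def copy_table(self, src_table, new_table, copy_devs):
        """Model of a Shorewall provider table: routes are copied from the main
        table only for the provider's own interface plus the COPY column."""
        self.tables[new_table] = [
            (net, dev) for net, dev in self.tables[src_table] if dev in copy_devs
        ]

    def lookup(self, table, dst):
        """Longest-prefix match within one table; None when the table has no route."""
        best = None
        for net, dev in self.tables.get(table, []):
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, dev)
        return best[1] if best else None

    def route(self, src, dst):
        """Walk the rules in priority order; a miss in the selected table falls
        through to the next rule, as the kernel does for a plain lookup rule."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for _, rule_src, rule_dst, table in self.rules:
            if rule_src is not None and src not in rule_src:
                continue
            if rule_dst is not None and dst not in rule_dst:
                continue
            dev = self.lookup(table, dst)
            if dev is not None:
                return dev
        return None


# Constructed topology: eth0 is the ISP link, tun0 the OpenVPN tunnel.
FW_PUBLIC = "203.0.113.5"        # firewall's address on eth0 (assumed)
ISP_ONLY_SITE = "198.51.100.10"  # host reachable only from an ISP-owned source (assumed)


def build(copy_tun, add_route_rule):
    r = PolicyRouter()
    # main table as the kernel and OpenVPN would leave it
    r.add_route("main", "203.0.113.0/24", "eth0")
    r.add_route("main", "10.8.0.0/24", "tun0")          # tunnel network
    r.add_route("main", "198.51.100.0/24", "tun0")      # site pushed through the VPN
    r.add_route("main", "0.0.0.0/0", "eth0")            # default route
    # provider table "net" for eth0; tun0 routes are present only if tun* is in COPY
    r.copy_table("main", "net", {"eth0", "tun0"} if copy_tun else {"eth0"})
    # source-address rule of the kind a tracked provider gets: our eth0 address -> "net"
    r.add_rule(1000, "net", src=f"{FW_PUBLIC}/32")
    r.add_rule(32766, "main")
    if add_route_rule:
        # assumed route rule: traffic for the site consults main before the provider table
        r.add_rule(999, "main", dst="198.51.100.0/24")
    return r


def egress_without_fix():
    return build(copy_tun=False, add_route_rule=False).route(FW_PUBLIC, ISP_ONLY_SITE)


def egress_with_copy():
    return build(copy_tun=True, add_route_rule=False).route(FW_PUBLIC, ISP_ONLY_SITE)


def egress_with_route_rule():
    return build(copy_tun=False, add_route_rule=True).route(FW_PUBLIC, ISP_ONLY_SITE)


if __name__ == "__main__":
    print("no fix:       ", egress_without_fix())      # eth0, the wrong interface
    print("tun* in COPY: ", egress_with_copy())        # tun0
    print("route rule:   ", egress_with_route_rule())  # tun0
```

The first case is the symptom from the post: the source-address rule sends the packet to the provider table, that table has no tun0 routes because tun* was not in COPY, and the default route there wins. Listing tun* in COPY fixes it by putting the tunnel routes into the provider table; a higher-priority route rule fixes it by never reaching the provider table for that destination. On a real box the same check is "ip route get <site> from <address>" before and after the change.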
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
