On 04/15/2017 12:35 PM, Mike Dillinger wrote:
> (I'm re-posting without using HTML - apologies for doing that)
>
> Hello,
>
> I have a very basic 3 interface setup - no packet marking, load
> balancing, etc (this might need to change though). My three
> interface setup is like so:
> net/eth0 ISP
> loc/eth1 LAN
> vpn0/tun0 OpenVPN client tunnel on eth0
>
> I'm trying to achieve two things and I'm unable to figure out how
> to do this.
>
>
> 1. I lose all incoming traffic on eth0 when tun0 is up. So for
> instance, I'd like external SSH access, I have a Plex Media Server
> that I'd like external access to, and a few other things. I do not
> believe it's a routing issue. Observe:
>
> # without vpn
> $ ip route ls
> default via 72.x.x.x dev eth0
> 72.x.x.x/22 dev eth0 proto kernel scope link src 72.x.x.x
> 192.168.122.0/23 dev eth1 proto kernel scope link src 192.168.123.1
>
> # with vpn
> $ ip route ls
> 0.0.0.0/1 via 10.y.y.y dev tun0
> default via 72.x.x.x dev eth0
> 10.y.y.y/24 dev tun0 proto kernel scope link src 10.y.y.y
> 72.x.x.x/22 dev eth0 proto kernel scope link src 72.x.x.x
> 128.0.0.0/1 via 10.y.y.y dev tun0
> 142.z.z.z via 72.x.x.x dev eth0 # 142.z.z.z = vpn gateway
> 192.168.122.0/23 dev eth1 proto kernel scope link src 192.168.123.1
>

It is a routing issue caused by your OpenVPN config. You configured
OpenVPN to be the default gateway; the 0.0.0.0/1 and 128.0.0.0/1 routes
are created by OpenVPN and, between the two, cover the entire IPv4
address space. So check your OpenVPN config and delete the
redirect-gateway setting.

-Tom
-- 
Tom Eastep        \ Q: What do you get when you cross a mobster with
Shoreline,         \ an international standard?
Washington, USA     \ A: Someone who makes you an offer you can't
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
https://lists.sourceforge.net/lists/listinfo/shorewall-users
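
Added example (not part of the original thread): a Python sketch of the longest-prefix-match reasoning in the reply above. It shows which interface a reply to an outside client leaves through and flags a device whose routes jointly cover all of IPv4. The routing table is constructed from the "with vpn" output, with documentation-range addresses substituted for the masked x/y/z values; the function names are hypothetical.

```python
import ipaddress

# Constructed routing table modelled on the "with vpn" output in the thread;
# the masked x/y/z values are replaced with documentation-range addresses.
SAMPLE_ROUTES = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 203.0.113.1 dev eth0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.20
128.0.0.0/1 via 10.8.0.1 dev tun0
198.51.100.7 via 203.0.113.1 dev eth0
192.168.122.0/23 dev eth1 proto kernel scope link src 192.168.123.1
"""


def parse_routes(text):
    """Return [(network, device)] from `ip route ls` style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or "dev" not in fields:
            continue
        dest = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        dev = fields[fields.index("dev") + 1]
        routes.append((ipaddress.ip_network(dest, strict=False), dev))
    return routes


def egress_dev(routes, addr):
    """Longest-prefix match: the most specific route containing addr wins."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, dev) for net, dev in routes if ip in net]
    return max(matches)[1] if matches else None


def default_overrides(routes):
    """Devices that shadow the default route with more specific routes."""
    default_devs = {dev for net, dev in routes if net.prefixlen == 0}
    by_dev = {}
    for net, dev in routes:
        if net.prefixlen > 0:
            by_dev.setdefault(dev, []).append(net)
    everything = ipaddress.ip_network("0.0.0.0/0")
    # A device overrides the default when its routes collapse to 0.0.0.0/0.
    return sorted(dev for dev, nets in by_dev.items()
                  if dev not in default_devs
                  and list(ipaddress.collapse_addresses(nets)) == [everything])
```

With the two /1 routes present, a reply to any outside client other than the VPN gateway leaves through tun0 rather than eth0; dropping them returns that traffic to the eth0 default route.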
