Hi Justin,

Many thanks for getting back to me. I actually think I've managed to sort it out myself. What I did to get it working was (after changing USE_DEFAULT_RT to yes) to add another provider for my VPN connection, so that my providers file now looks like this:

#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY         OPTIONS        COPY
VPS    1       1     -          tun4       -               track          -
TT     2       2     -          enp5s5f1   my.external.ip  track,balance  -

Then I needed to stop specifying the gateway in my OS network config, remove redirect-gateway def1 (as you suggest below) from my openvpn client config and add some extra entries in my mangle file so that (using the example I gave before), it would now look like this:

MARK(1):O   $FW            0.0.0.0/0
MARK(2):O   $FW            ip.of.the.other.end.of.my.vpn
MARK(1):P   0.0.0.0/0      0.0.0.0/0
MARK(2):P   192.168.4.11   0.0.0.0/0

I'm not 100% sure that this is necessarily the correct way to do this, but it certainly seems to work now.

Thanks again,

Ben

On 09/09/18 22:00, Justin Pryzby wrote:
> On Sun, Sep 09, 2018 at 08:30:36PM +0100, Ben Webber wrote:
>> I have a connection to the internet (talktalk) and an openvpn connection to
>> a provider that uses redirect-gateway def1 to add entries to the main
>> routing table
> [...]
>
>> Currently I have USE_DEFAULT_RT=No set in shorewall.conf. I then have an
>> entry in providers as follows (where the external IP of my internet
>> connection has been replaced with my.external.ip):
>>
>> TT 2 2 main enp5s5f1 my.external.ip
>> track wlp5s6,wlp5s6_0,enp5s5f0,virbr1,tun1,tun3
>>
>> My openvpn connection uses tun4 as an interface. In mangle, I have several
>> entries to tell certain traffic to go via the ISP, here is an example of one
>> of the entries:
>>
>> MARK(2):P 192.168.4.11 0.0.0.0/0
>>
>> This configuration works fairly well, but I would like to be able to set
>> USE_DEFAULT_RT=Yes in shorewall.conf, however so far, no matter what I do I
>> can't seem to get the configuration right for this to work in the way I want.
>
> What doesn't work about it ?
>
> I think you'll want to disable openvpn's "def1" stuff:
> http://shorewall.org/MultiISP.html#USE_DEFAULT_RT
> | 5. You should disable all default route management outside of Shorewall.
> | If a default route is inadvertently added to the main table while
> | Shorewall is started, then all policy routing will stop working except
> | for those routing rules in the priority range 1-998.
>
> Note also:
> | 2. The balance option is assumed for all interfaces that do not have the
> | loose option. When you want both balance and loose, both must be
> | specified.
>
> Further:
>
> shorewall.net/manpages/shorewall-interfaces.html
> | There are certain cases where routefilter cannot be used on an interface:
> | · If USE_DEFAULT_RT=Yes in shorewall.conf[12](5) and the interface is
> | listed in shorewall-providers[18](5).
>
> Justin

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
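Two things in this thread are easy to get wrong silently: a MARK(n) in mangle that no provider defines, and a default route that something outside Shorewall (openvpn's def1, the OS network config) drops into the main table, which per the quoted MultiISP doc stops policy routing and would send VPN-bound traffic out of the ISP instead. The following POSIX sh script is an added example, not code from the thread or from the Shorewall project; it runs the two checks over constructed copies of a providers file, a mangle file and the output of `ip route show table main` (the column layout follows the files above, and the `default via ...` line format is what `ip route` prints). MARK(3) in the sample mangle file and the `default` line in the second routing-table sample are constructed to trigger the checks.

```shell
#!/bin/sh
# Added example: consistency checks for a Shorewall multi-ISP setup with
# USE_DEFAULT_RT=Yes. All inputs below are constructed samples, not live data.

# Constructed copy of /etc/shorewall/providers (NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY).
PROVIDERS='#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY         OPTIONS        COPY
VPS    1       1     -          tun4       -               track          -
TT     2       2     -          enp5s5f1   my.external.ip  track,balance  -'

# Constructed copy of /etc/shorewall/mangle; MARK(3) deliberately has no provider.
MANGLE='#ACTION     SOURCE        DEST
MARK(1):O   $FW           0.0.0.0/0
MARK(2):O   $FW           ip.of.the.other.end.of.my.vpn
MARK(1):P   0.0.0.0/0     0.0.0.0/0
MARK(2):P   192.168.4.11  0.0.0.0/0
MARK(3):P   192.168.4.12  0.0.0.0/0'

# Constructed `ip route show table main` output: clean, and with a leaked default route.
MAIN_TABLE_OK='192.168.4.0/24 dev enp5s5f0 proto kernel scope link src 192.168.4.1
10.8.0.0/24 dev tun4 proto kernel scope link src 10.8.0.2'
MAIN_TABLE_BAD='default via 192.168.4.254 dev enp5s5f1
192.168.4.0/24 dev enp5s5f0 proto kernel scope link src 192.168.4.1'

# Print the MARK column (field 3) of every non-comment provider line.
provider_marks() {
    printf '%s\n' "$1" | awk '!/^[[:space:]]*#/ && NF >= 3 { print $3 }'
}

# Print every mark n referenced as MARK(n) in mangle ($2) that providers ($1) do not define.
unknown_mangle_marks() {
    known=$(provider_marks "$1" | sort -u | tr '\n' ' ')
    printf '%s\n' "$2" | awk -v known=" $known" '
        match($1, /^MARK\([0-9]+\)/) {
            m = substr($1, 6, RLENGTH - 6)          # digits between the parentheses
            if (index(known, " " m " ") == 0) print m
        }'
}

# Return 0 when the main table holds no default route; otherwise list the
# offending routes on stderr and return 1 (policy routing would be bypassed).
main_table_clean() {
    bad=$(printf '%s\n' "$1" | awk '$1 == "default" { print }')
    if [ -n "$bad" ]; then
        printf 'default route(s) present in main table:\n%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Demo run over the constructed inputs.
echo "provider marks: $(provider_marks "$PROVIDERS" | tr '\n' ' ')"
echo "mangle marks with no provider: $(unknown_mangle_marks "$PROVIDERS" "$MANGLE" | tr '\n' ' ')"
main_table_clean "$MAIN_TABLE_OK" && echo "main table (good sample): clean"
main_table_clean "$MAIN_TABLE_BAD" || echo "main table (bad sample): policy routing would be bypassed"
```

On a real host the three variables would be replaced by `cat /etc/shorewall/providers`, `cat /etc/shorewall/mangle` and `ip route show table main`; running `main_table_clean` after the VPN comes up is the quickest way to confirm that removing redirect-gateway def1 actually kept the default route out of the main table.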