Sounds like you want to use Shorewall's multi-ISP facility
(https://shorewall.org/MultiISP.html). Make tun0 the 'primary' provider
and eth0 the 'fallback' provider.
-Tom
_______________________________________________
I think I was looking at that document earlier. I am not currently
running shorewall on the RPi. I will go back over the documentation and
see if I can apply it to my situation.
I may have to post a picture somewhere, to make the infrastructure
clearer.
Is the VPN endpoint on the RPi? I understood it to be on the Shorewall
Box.
-Tom
Yes. The RPi is providing a wireless access point whose internet
connection is through VPN, hence providing VPN access to wifi devices
(so the RPi has a wifi interface and an eth0 interface -- physically,
and a tun0 interface through OpenVPN which ultimately goes through the
eth0 interface, which is connected to the shorewall box via the LAN
network). So no VPN on the shorewall server.
I wanted to provide wireless devices the capability of having VPN access
if the device does not natively support it (think IoT devices). That
all works fine. The problem is inbound internet traffic from the shorewall
box being forwarded to the RPi on the LAN (RPi eth0; tcpdump shows that
working); but then the return traffic, instead of going back through eth0
to the shorewall box and out to the internet, goes out the tun0
interface on the RPi, which is not the correct path for that particular
traffic. Besides being the wifi access point, I want the RPi to also
act as a web server accessible via the outside internet.
I want all traffic that originates on RPi wifi to go out tun0 (which it
does today), but Internet traffic coming from the shorewall box and entering
RPi eth0 to go back that same path (like it does if I do not have a rule
on the RPi server to send traffic through VPN tun0).
I know how to get the RPi to act as a web server to the internet, or how
to have the RPi be a wireless access point that creates a VPN tunnel for
connected wifi devices, but I have not figured out how to have the RPi do
both things at the same time.
Sorry for being so confusing, and this certainly not being a critical
issue. I found one article on the interwebs of someone trying to do the
exact same thing, but it was a thread that did not have a solved
conclusion.
Thank You.
_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
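Tom's suggestion above, applied to the RPi layout described in the reply (tun0 as the primary provider, eth0 as the fallback, with connection tracking so replies to inbound LAN connections leave the way they came in), as an added example that is not from the thread or from the Shorewall project's documentation. The LAN gateway address 192.168.1.1, the provider names and the use of `detect` for the tun0 gateway are assumptions; the tun0 gateway depends on the OpenVPN topology in use.

```text
# /etc/shorewall/shorewall.conf (only the setting that matters here)
# With USE_DEFAULT_RT=Yes the 'primary' provider supplies the default
# route, so wifi-originated traffic is forwarded out tun0.
USE_DEFAULT_RT=Yes

# /etc/shorewall/providers
# 'track' marks each connection with the provider it arrived on and
# restores that mark on replies, including replies generated by the RPi's
# own web server, so an inbound connection from eth0 is answered via eth0
# instead of leaking out tun0.
#NAME  NUMBER  MARK  DUPLICATE  INTERFACE  GATEWAY      OPTIONS         COPY
vpn    1       1     -          tun0       detect       track,primary   -
lan    2       2     -          eth0       192.168.1.1  track,fallback  -

# /etc/shorewall/interfaces (assumed zone names; wlan0 is the AP interface)
#ZONE  INTERFACE  OPTIONS
vpn    tun0       tcpflags,nosmurfs
lan    eth0       tcpflags,nosmurfs,routefilter=0
wifi   wlan0      tcpflags,nosmurfs
```

Since Shorewall now owns the default route, the OpenVPN client should not install its own (for example with `route-nopull`), otherwise the two routing setups fight each other; after `shorewall restart`, `ip rule` and `ip route show table default` should show tun0 as the default and a per-provider table for eth0.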