Re: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem


  • Subject: Re: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem
  • From: "Remus" <rmocius@xxxxxxxxxxxxxx>
  • Date: Wed, 6 Apr 2005 12:54:53 +0100

Hi Wang,

We specially got two Internet connections: one is only for the OpenVPN (it is heavily used) and the second for everything else.
I will give the PREROUTING stuff a try right away.


What do you mean by: "But I don't think you need to use MARK to do policy routing. It's a little overkill."?

Do you have another suggestion other than iptables/MARK?

Regards

Remus


----- Original Message -----
From: "Wang Jian" <lark@xxxxxxxxxxxx>
To: <lartc@xxxxxxxxxxxxxxx>
Cc: "Remus" <rmocius@xxxxxxxxxxxxxx>; <openvpn-users@xxxxxxxxxxxxxxxxxxxxx>
Sent: Wednesday, April 06, 2005 12:23 PM
Subject: [Openvpn-users] Re: [LARTC] UDP port 1194 marking/routing problem



Hi Remus,

It seems that

iptables -t mangle -A POSTROUTING -o eth0 -p udp --dport 1194 -j MARK \
   --set-mark 0x990

will not take effect. (didn't you typo -A as -D?)

POSTROUTING is looked up after routing decision is made. Because the
default route is dev eth1, the output device is eth1, -o eth0 will not
match.

You should use

iptables -t mangle -A PREROUTING -p udp --destination <your openvpn \
   peer> --dport 1194 -j MARK ....

But I don't think you need to use MARK to do policy routing. It's a
little overkill.

Why not simply route all traffic to your openvpn peer via device eth0?


On Wed, 6 Apr 2005 11:51:16 +0100, "Remus" <rmocius@xxxxxxxxxxxxxx> wrote:


Hi folks,

I have OpenVPN (respect for its developers) running on my FW.
It has two external NICs and one internal; everything is fine, except
I want OpenVPN (UDP port 1194) not going via the default route/network interface.


I use such commands:

iptables -t mangle -D POSTROUTING -o eth0 -p udp --dport 1194 -j MARK --set-mark 0x990
ip rule add fwmark 0x990 table openvpn1
ip route add default via $P2 dev eth0 table openvpn1


eth0 is the FW's non-default external NIC.

I have very similar iptables rules in use for my email server (TCP ports), etc.
Everything works fine.
What am I doing wrong with marking/routing the UDP port?


Regards

Remus




-- lark



_______________________________________________
Openvpn-users mailing list
Openvpn-users@xxxxxxxxxxxxxxxxxxxxx
https://lists.sourceforge.net/lists/listinfo/openvpn-users
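As an added example (not part of the thread or of OpenVPN itself), a small POSIX shell script that emits the rule set this thread is about and lints a candidate MARK rule for the problems Wang points out; the interface, gateway, peer address, mark and table name are assumed placeholders. It also marks in the mangle OUTPUT chain, because OpenVPN runs on the firewall itself and locally generated packets traverse OUTPUT, never PREROUTING.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed values: secondary NIC eth0 with
# gateway 203.0.113.1 (the thread's $P2), OpenVPN peer 198.51.100.7, mark 0x990,
# routing table "openvpn1"; 1194 is the port the thread discusses.

# Flag what keeps the posted rule from ever setting the mark: -D (delete) instead
# of -A, and marking in POSTROUTING or matching on -o, both of which only happen
# after the routing decision that the mark is meant to change.
lint_mark_rule() {
  rule=$1
  case "$rule" in
    *" -t mangle "*) ;;
    *) echo "MARK belongs in the mangle table"; return 1 ;;
  esac
  case "$rule" in
    *" -D "*) echo "-D deletes a rule; use -A (or -I) to add it"; return 1 ;;
  esac
  case "$rule" in
    *POSTROUTING*) echo "POSTROUTING runs after routing; mark in OUTPUT (local) or PREROUTING (forwarded)"; return 1 ;;
  esac
  case "$rule" in
    *" -o "*) echo "-o matches the device the first lookup chose (the default route), so it never hits"; return 1 ;;
  esac
  return 0
}

# Emit the rules that steer UDP/1194 to the peer out of the secondary NIC.
# OUTPUT covers the daemon on the firewall; PREROUTING covers forwarded hosts.
gen_openvpn_policy_rules() {
  iface=$1 gw=$2 mark=$3 table=$4 peer=$5
  cat <<EOF
iptables -t mangle -A OUTPUT -p udp -d $peer --dport 1194 -j MARK --set-mark $mark
iptables -t mangle -A PREROUTING -p udp -d $peer --dport 1194 -j MARK --set-mark $mark
ip rule add fwmark $mark table $table
ip route add default via $gw dev $iface table $table
EOF
}

# Lint every iptables line the generator emits; returns 0 only if all pass.
gen_rules_pass_lint() {
  gen_openvpn_policy_rules "$@" | grep '^iptables' | while IFS= read -r line; do
    lint_mark_rule "$line" >/dev/null || exit 1
  done
}
```

Locally generated UDP picks its source address at the first route lookup, before the mark reroutes it, so bind the daemon to the secondary NIC's address (OpenVPN's --local option) or the marked packets can leave eth0 carrying eth1's address.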




