
[Openvpn-users] openvpn on linux, netfilter traversal

  • Subject: [Openvpn-users] openvpn on linux, netfilter traversal
  • From: Sebastian Pein <pein@xxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 29 Dec 2004 13:00:09 +0100

hi list.

some days ago i posted this already, but the issue still rides my brain.

there is a linux box running as a firewall. it is connected to two ISPs and to
one LAN. ppp0 is the default gateway, eth0 is connected to the LAN and eth1 is
connected to the second ISP's router. on the box openswan is running
fine; i want to add openvpn.

i'm trying to work out a working setup with policy-based routing. since ppp0 is
the default gateway and connected to an asymmetric line, i want the vpn traffic
to travel over the second ISP on eth1. openswan implements its own routing
scheme and i can tell it to use a specific device (eth1) and a specific gateway
(the ip of the 2nd ISP's router). this works pretty well.

so far i have not found anything similar in openvpn, so the kernel (2.6.9)
should be my friend with iproute2 and iptables.

this is my plan: packets for openvpn will come in on eth1. openvpn listens
on this device only, so incoming packets should not be a problem. outgoing
packets generated by openvpn should go out on eth1 and NOT via the default gateway
ppp0. this can be done with iproute2. i want to mark packets generated locally
on a given port (5000 udp, the old one) with an iptables mark. a kernel rule
would then send packets with this mark to the right device with the right
gateway. testing this setup with netcat works perfectly, but it does not with
openvpn. searching with iptraf and tcpdump, it seems like the openvpn packets
vanish. but where do they go? is there any form of documentation on how openvpn
packets travel across netfilter and devices? for sure the setup with openvpn is
not working correctly because i did not set it up correctly.

i'm not sure if this question is more of a kernel/iptables/other mailing list
specific issue, but maybe someone can help.
  sebastian pein
  infinity networks gmbh

  web: www.infinity-networks.de
  fon: +49-6104-68363-0
  fax: +49-6104-68363-199
  mob: +49-163-68363-01

Openvpn-users mailing list
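The mark-based policy routing the post describes, written out as an added example (this is not code from the post, from the OpenVPN project, or from the list): a mangle/OUTPUT rule marks locally generated UDP packets with source port 5000, an `ip rule` sends marked packets to a dedicated table whose only default route points at the second ISP's router on eth1, and a second `from <eth1 address>` rule catches the same traffic by source address, which is what OpenVPN produces once it is bound to the eth1 address with `--local`. The interface name eth1 is from the post; the addresses 192.0.2.10 (this box on eth1) and 192.0.2.1 (the 2nd ISP's router), the mark value, and table number 100 are assumptions. The script prints the commands by default (`DRY_RUN=1`) so it can be reviewed before running it as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Policy-based routing for a locally originated UDP service (OpenVPN on udp/5000)
# so that its packets leave via the second ISP on eth1 rather than the default
# gateway on ppp0. Added example; all addresses below are assumptions.

WAN2_DEV="${WAN2_DEV:-eth1}"
WAN2_IP="${WAN2_IP:-192.0.2.10}"   # assumed: this box's address on eth1
WAN2_GW="${WAN2_GW:-192.0.2.1}"    # assumed: the 2nd ISP's router
VPN_PORT="${VPN_PORT:-5000}"       # OpenVPN's UDP port from the post
MARK="${MARK:-0x1}"                # assumed fwmark value
TABLE="${TABLE:-100}"              # assumed routing table number
DRY_RUN="${DRY_RUN:-1}"            # 1 = print commands, 0 = execute them

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# A routing table that knows only one way out: via the 2nd ISP on eth1.
pbr_table() {
    run ip route replace default via "$WAN2_GW" dev "$WAN2_DEV" table "$TABLE"
}

# Two selectors for that table: packets carrying the mark, and packets whose
# source address is eth1's address (what OpenVPN sends once bound with --local).
pbr_rules() {
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 100
    run ip rule add from "$WAN2_IP" lookup "$TABLE" priority 101
    run ip route flush cache
}

# Mark locally generated UDP packets leaving from the OpenVPN port. The mark is
# set in mangle/OUTPUT, after which the kernel re-runs the route lookup, so the
# fwmark rule above applies to them.
pbr_mark() {
    run iptables -t mangle -A OUTPUT -p udp --sport "$VPN_PORT" \
        -j MARK --set-mark "$MARK"
}

# Strict reverse-path filtering on eth1 drops incoming packets whose source the
# main table would route back via ppp0; turning it off on eth1 removes that
# silent drop while the setup is being debugged.
pbr_rpfilter() {
    run sysctl -w "net.ipv4.conf.$WAN2_DEV.rp_filter=0"
}

# Commands to confirm the rules are in place and that packets are actually
# being marked: a zero packet counter on the MARK rule means OpenVPN's
# packets are not leaving from udp/5000 at all.
pbr_verify() {
    run ip rule show
    run ip route show table "$TABLE"
    run iptables -t mangle -L OUTPUT -v -n
}

pbr_apply() {
    pbr_table
    pbr_rules
    pbr_mark
    pbr_rpfilter
}

pbr_apply
pbr_verify
```

While watching with tcpdump, run it on both uplinks at once (`tcpdump -ni eth1 udp port 5000` and `tcpdump -ni ppp0 udp port 5000`): packets showing up on ppp0 mean the mark or the `from` rule is not matching, while packets on neither interface with a climbing MARK counter point at the route in table 100 rather than at netfilter.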