Re: [Openvpn-users] openvpn on linux, netfilter traversal

  • From: Leonard Isham <leonard.isham@xxxxxxxxx>
  • Date: Wed, 29 Dec 2004 07:05:13 -0500

On Wed, 29 Dec 2004 13:00:09 +0100, Sebastian Pein
<pein@xxxxxxxxxxxxxxxxxxxx> wrote:
> hi list.
> some days ago i posted this already, but the issue still rides my brain.
> there is a linux box running as firewall. it is connected to two isps and to
> one lan. ppp0 is the default gateway, eth0 is connected to the lan and eth1 is
> connected to the second isp's router. on the box there is openswan running
> fine, i want to add openvpn.
> i'm about to fiddle out a working setup with policy based routing. since ppp0 is
> the default gateway and connected to an asymmetric line, i want the vpn traffic
> to travel over the second isp on eth1. openswan implements its own routing
> scheme and i can tell it to use a specific device (eth1) and a specific gateway
> (ip of the 2nd isp's router). this works pretty well.
> so far i did not find something similar in openvpn, so the kernel (2.6.9)
> should be my friend with iproute2 and iptables.
> this is my plan: packets for openvpn will come in on eth1. openvpn does listen
> on this device only. so incoming packets should not be a problem. outgoing
> packets generated by openvpn should go out on eth1 and NOT the default gateway
> ppp0. this can be done with iproute2. i want to mark packets generated locally
> on a given port (5000 udp, the old one) with an iptables mark. a kernel rule
> would then send packets with this mark to the right device with the right
> gateway. testing this setup with netcat works perfectly. but it does not with
> openvpn. searching with iptraf and tcpdump it seems like the openvpn packets
> vanish. but where do they go? is there any form of documentation on how openvpn
> packets travel across netfilter and devices? for sure the setup with openvpn is
> not working correctly because i did not set it up correctly.
> i'm not sure if this question is more a kernel/iptables/other mailing lists
> specific issue, but maybe someone can help.
> regards
> sebastian

I suspect that the problem is that the packets are from the TUN/TAP
interface and that is not allowed with your iptables rules.

Leonard Isham, CISSP
Ostendo non ostento.
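The fwmark/policy-routing plan Sebastian describes, together with the tun-interface firewall rule Leonard's reply points at, as an added example script that is not from the thread; the gateway address 192.0.2.1, the device name tun0, mark 0x1, table 100 and the rp_filter note are assumptions, not details from the original messages.

```shell
#!/bin/sh
# Policy-based routing so that OpenVPN's replies leave via the second ISP (eth1)
# instead of the default gateway (ppp0), plus filter rules for the tun device.
# Assumed values (placeholders, not from the thread): tun0, 192.0.2.1, 0x1, 100.
OVPN_PORT=${OVPN_PORT:-5000}     # udp port OpenVPN listens on (from the thread)
OVPN_DEV=${OVPN_DEV:-tun0}       # assumed OpenVPN tun device
ISP2_IF=${ISP2_IF:-eth1}         # interface towards the 2nd ISP (from the thread)
ISP2_GW=${ISP2_GW:-192.0.2.1}    # placeholder: the 2nd ISP's router address
MARK=${MARK:-0x1}                # assumed firewall mark
TABLE=${TABLE:-100}              # assumed routing table id

# Print the commands instead of running them, so the rule set can be reviewed
# (and exercised) without root; "apply" pipes them into a root shell.
gen_rules() {
    # 1. Mark locally generated UDP packets whose source port is the OpenVPN port.
    #    The kernel re-routes a packet after mangle OUTPUT changes its mark.
    echo "iptables -t mangle -A OUTPUT -p udp --sport $OVPN_PORT -j MARK --set-mark $MARK"
    # 2. Marked packets consult a table whose default route is the 2nd ISP.
    echo "ip rule add fwmark $MARK lookup $TABLE"
    echo "ip route add default via $ISP2_GW dev $ISP2_IF table $TABLE"
    echo "ip route flush cache"
    # 3. Decapsulated VPN traffic enters the firewall on the tun device, not on
    #    eth1, so INPUT/FORWARD need rules for it (the point in Leonard's reply).
    echo "iptables -A INPUT -i $OVPN_DEV -j ACCEPT"
    echo "iptables -A FORWARD -i $OVPN_DEV -j ACCEPT"
    echo "iptables -A FORWARD -o $OVPN_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 4. Assumed caveat: with the default route on ppp0, strict reverse-path
    #    filtering on eth1 silently drops packets arriving there from the internet.
    echo "sysctl -w net.ipv4.conf.$ISP2_IF.rp_filter=0"
}

# Consistency check: the mark set in mangle OUTPUT must be the mark the ip rule
# looks up, and the tun device must be accepted on INPUT.
check_rules() {
    rules=$(gen_rules)
    echo "$rules" | grep -q -- "--set-mark $MARK" &&
    echo "$rules" | grep -q "fwmark $MARK lookup $TABLE" &&
    echo "$rules" | grep -q "INPUT -i $OVPN_DEV -j ACCEPT"
}

case "${1:-}" in
    apply) gen_rules | sh -e ;;   # run as root to install the rules
    *)     gen_rules ;;           # default: just show them
esac
```

Check the result with `iptables -t mangle -L OUTPUT -v` and `ip rule show`: the mangle counters tell you whether OpenVPN's packets are actually being marked before they reach the routing decision.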