Rich Freeman on 27 Sep 2014 03:36:18 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] OpenVPN Question

On Fri, Sep 26, 2014 at 11:56 PM, John Kreno <> wrote:
> If you are trying to host services on the WAN, you can try doing source
> routing, but that will keep that host effectively going over the WAN for all
> connections. Maybe there's a way to catch only certain ports and or related
> traffic. I'm almost certain that IPtables isn't going to do this
> automatically. Even it has to rely on the ip routing table.

Yeah, I did find a few hints so far:

The first uses source routing and suggests giving hosts multiple IPs,
forward traffic from each interface to a particular IP, and then use
source routing to get the traffic back to the correct interface.  That
would actually work just fine for me, especially since I really only
have one host I forward to anyway.

The other uses some rules to theoretically track the connections and
send them to the right place, but it has been a while since I've used
iptables (pre-netfilter days I think) so I can't vouch for whether
this will work.

The other issue I'll have to deal with is how to properly configure
openwrt.  That would have been the advantage of building my own box -
at least I'd understand how the init system worked.  With OpenWRT I'm
going to end up with a mix of gui and hand-created config files and
the need to make sure things get loaded in the right order (the VPN
interface obviously won't exist pre-VPN), and I'd like the config to
survive upgrades and such.  That could take some trial and error.  The
same would be true if I used any distro other than Gentoo - nothing
wrong with them per-se but every distro has its way of doing config so
that the distro doesn't blow it all away on package updates.  Gentoo's
method is config protection - files in /etc (and other places) are
never overwritten in place and tools exist to merge changes.  There is
a bit of a trend to combining that with the Fedora approach of distro
in /usr, overrides in /etc.

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --