Hello,

I've written a script to easily set up a VPN tunnel using openvpn. [1] It uses iptables -m owner and fwmark to force traffic by selected users through the VPN. I've encountered two problems with this:

- First, there seems to be a bug handling iptables --gid-owner: this only matches the given group id if the process has that group as its primary group; secondary groups are ignored. That makes it useless, of course, as the whole utility of groups comes from secondary group assignments. I'm working around this by resolving groups to user ids before calling iptables and using --uid-owner instead. I'm running Linux 3.5.2 (kernel.org) plus iptables 1.4.8-3 (Debian stable).

- Second, ICMP messages triggered by traffic of that user (or the user running "ping") don't go through the tunnel. For example, using tcpdump -n -i $publicinterface I'm seeing some ICMP traffic when closing an SSH connection in the clear, being sent to the target IP of the host that ssh was connected to. So this means both that I'm revealing the hosts I've been connected to in the clear, and that ICMP probably doesn't make it to the recipient correctly (since the recipient sees them coming in from a different IP than the normal traffic).

How can I fix this?

Thanks,
Christian.

[1] https://github.com/pflanze/openvpn-tunnel-setup

--
To unsubscribe from this list: send the line "unsubscribe lartc" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
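The workaround described in the post, resolving a group to its member uids and marking each uid's packets with -m owner --uid-owner so a fwmark routing rule sends them through the tunnel, as an added example that is not the script from the post or from the linked repository. The group and passwd data are constructed inline so the script runs offline (on a real host you would feed it `getent group` and `getent passwd` output); the mark value, table number and interface name (`MARK`, `TABLE`, `VPN_IF`) are assumed defaults, and the commands are printed rather than executed.

```shell
#!/bin/sh
# Added example (not the poster's script): emit the iptables and ip-rule
# commands that push one group's users through a VPN by fwmark.
# The group is expanded to uids first because, as the post reports,
# -m owner --gid-owner only tests the process's primary group.

# Constructed sample databases so the script runs offline; on a real host
# substitute the output of `getent group <name>` and `getent passwd`.
SAMPLE_GROUP='vpnusers:x:1005:alice,bob'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
bob:x:1002:1002::/home/bob:/bin/sh
carol:x:1003:1003::/home/carol:/bin/sh'

# Print the member names of a group line (name:x:gid:member1,member2,...).
group_members() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }'
}

# Print the uid of user $1, looked up in passwd-formatted text $2.
uid_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $3; exit }'
}

# Print the commands for routing a group's socket traffic through the VPN.
# Nothing is executed here; pipe the output into `sh -e` as root to apply.
# MARK, TABLE and VPN_IF are assumed names with assumed defaults.
vpn_rules_for_group() {
    group_line=$1
    passwd_text=$2
    mark=${MARK:-0x1}
    table=${TABLE:-100}
    vpn_if=${VPN_IF:-tun0}

    # One policy-routing rule and one default route per mark, not per user.
    echo "ip rule add fwmark $mark table $table"
    echo "ip route add default dev $vpn_if table $table"

    for user in $(group_members "$group_line"); do
        uid=$(uid_of "$user" "$passwd_text")
        if [ -z "$uid" ]; then
            echo "skipping $user: no passwd entry" >&2
            continue
        fi
        # -m owner only matches locally generated packets that belong to a
        # socket, so this covers the user's own traffic; ICMP errors the
        # kernel emits on its own have no owning socket and are not matched.
        echo "iptables -t mangle -A OUTPUT -m owner --uid-owner $uid -j MARK --set-mark $mark"
    done
}

vpn_rules_for_group "$SAMPLE_GROUP" "$SAMPLE_PASSWD"
```

Run as-is to see the generated commands for the sample data; with real `getent` output and root privileges, `vpn_rules_for_group "$(getent group vpnusers)" "$(getent passwd)" | sh -e` applies them. Users named in the group but absent from passwd are reported on stderr and skipped rather than producing a rule with an empty uid.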