On 08/29/12 08:57, I wrote:
> - second, ICMP messages triggered by traffic of that user (or the user
> running "ping") don't go through the tunnel. For example, using tcpdump
> -n -i $publicinterface I'm seeing some ICMP traffic when closing an SSH
> connection in the clear, being sent to the target IP of the host that
> ssh was connected to.

That latter case wasn't ICMP, but just ACKs. Still, my question about how to fix this stands. My guess is that those packets are made after the process issues close, and there's no user anymore at that point. I've tried using CONNMARK instead of MARK, but that didn't work at all.

> [1] https://github.com/pflanze/openvpn-tunnel-setup

Since I couldn't figure out a solution, I've now changed the script to forward all traffic *except* DHCP and openvpn's own encrypted traffic through the VPN, which works cleanly (this has a couple of other drawbacks, like needing hooks to automatically stop routing traffic over the VPN if the host network device (where the encrypted traffic passes through) goes down, to avoid loops; maybe I'll figure out another workaround for this). But anyway, it can be neat to selectively encrypt traffic by user only, and I'm still interested in how I could make it work.

This variant of the script now lives on in a separate branch, at:
https://github.com/pflanze/openvpn-tunnel-setup/tree/selective

Thanks for any feedback,
Christian.

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
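Editor's added example of the per-user marking setup the message above describes. This is not code from the pflanze/openvpn-tunnel-setup repository, and it is not a claim that it resolves the post-close ACK leak the poster reports (the poster says CONNMARK did not work for them); it shows the layout such a setup normally depends on: the CONNMARK restore placed before the owner match in mangle OUTPUT, so that a packet with no owning process can still pick up the mark saved for its connection, plus the MASQUERADE on the tunnel device that re-routed locally generated packets need. All values (uid 1001, tun0, gateway 10.8.0.1, mark 0x1, table 100) are hypothetical placeholders and can be overridden through the environment.

```shell
#!/bin/sh
# Editor's example, not code from pflanze/openvpn-tunnel-setup.
# Route one user's traffic through a VPN: owner match -> fwmark -> policy
# routing table, with CONNMARK so that packets that no longer belong to a
# process (e.g. the FIN/ACK sent after close()) inherit their connection's mark.
#
# All values below are hypothetical placeholders; override via the environment.
VPN_UID=${VPN_UID:-1001}        # uid whose traffic goes through the tunnel
VPN_IF=${VPN_IF:-tun0}          # VPN device created by openvpn
VPN_GW=${VPN_GW:-10.8.0.1}      # gateway inside the tunnel
FWMARK=${FWMARK:-0x1}           # mark that selects the VPN routing table
TABLE=${TABLE:-100}             # policy routing table number
MODE=${MODE:-dry-run}           # "dry-run" prints commands, "apply" executes them

# Print or execute a command depending on MODE.
run() {
    if [ "$MODE" = apply ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Mangle OUTPUT rules; $1 is -A (add, default) or -D (delete). Order matters:
#  1. restore the connection mark first, so a packet without an owner still
#     gets the mark that was saved earlier for its connection;
#  2. only then mark still-unmarked packets by uid;
#  3. save the mark into the conntrack entry for the rest of the connection.
mangle_rules() {
    op=${1:--A}
    run iptables -t mangle "$op" OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle "$op" OUTPUT -m mark --mark 0 \
        -m owner --uid-owner "$VPN_UID" -j MARK --set-mark "$FWMARK"
    run iptables -t mangle "$op" OUTPUT -m mark --mark "$FWMARK" -j CONNMARK --save-mark
}

# Locally generated packets were routed (and given a source address) before
# mangle OUTPUT ran, so rewrite the source address on the tunnel device.
nat_rules() {
    op=${1:--A}
    run iptables -t nat "$op" POSTROUTING -o "$VPN_IF" -j MASQUERADE
}

# Policy routing: the fwmark selects a table whose only route is the tunnel.
routing_rules() {
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"
    run ip rule add fwmark "$FWMARK" table "$TABLE"
}

# Undo everything the three functions above added.
teardown() {
    run ip rule del fwmark "$FWMARK" table "$TABLE"
    run ip route flush table "$TABLE"
    nat_rules -D
    mangle_rules -D
}

# Check without root that the CONNMARK restore precedes the owner match
# in the generated mangle chain; returns 0 if the order is right.
restore_precedes_owner() {
    (MODE=dry-run; mangle_rules) | awk '
        /restore-mark/ && !r { r = NR }
        /uid-owner/    && !o { o = NR }
        END { exit !(r && o && r < o) }'
}

case "${1:-}" in
    up)    mangle_rules; nat_rules; routing_rules ;;
    down)  teardown ;;
    check) restore_precedes_owner && echo "rule order ok" ;;
esac
```

Run it as `sh selective-vpn.sh up` first (MODE defaults to dry-run, so it only prints the commands), then `MODE=apply sh selective-vpn.sh up` as root; `down` reverses it. One caveat a practitioner will hit: replies to a masqueraded connection arrive on the tunnel device while the main table routes their source via the public interface, so strict reverse-path filtering (`net.ipv4.conf.<tun>.rp_filter=1`) can drop them; either set it to 2 (loose) on the tunnel device or add a matching `CONNMARK --restore-mark` in mangle PREROUTING so the reply path is marked as well.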