On Tuesday 2012-11-13 18:02, Chris Wilson wrote: > > The VPN software may decide, based on configuration received from the remote > server, what traffic is routed. Almost all tunneled VPNs work this way; the > only exception I can think of is IPsec. OpenVPN and anything PPP-based (PPTP > and L2TP) all create an interface with a subnet and mask assigned by the > server, and the kernel automatically routes all traffic for that subnet through > the VPN. StrongSWAN (as a setup daemon for the kernel's IPsec) also supports dynamic address assignment. It's been some years since I did that; looking at ipsec.conf now would hint towards "leftsourceip=%config" being the magic option. Furthermore, also in the IPsec case does the kernel automatically route traffic for the rightsubnet properly - because Strongswan will add the required routes (in local table no. 220, if you care). > We could say "you must know which subnet will be assigned in order to write > your policy" which is technically correct, but not user friendly. I'm digressing here, but I'll throw it in nevertheless. Allowing the tunnel traffic is pretty much the same: openvpn: iptables -A OUTPUT -d 1.2.3.4 ... ipsec: iptables -A OUTPUT -m policy --tunnel-dst 1.2.3.4 ... -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html