Alex Bligh wrote:
>
> I don't think you need iptables. The way I've always done it is:
> * Default route to the VPN device
> * /32 route for the VPN endpoint out the physical interface to
> the previous default route

This does not meet the following OP's requirement:

>> The hard part is to also tunnel non-VPN connections to the VPN node
>> itself. In other words how do I make sure that every connection to the
>> external ip of the VPN node is tunneled through its internal ip --
>> except for the packets that form the tunnel itself?

However I am not sure this is a sensible requirement.

>> My idea was install a default route to the internal ip of the VPN node,
>> use iptables to mark the VPN connections and then set up a special
>> routing table for those.

Sounds good. Make sure that packets related to the VPN connection (e.g. ICMP error messages) are routed outside the tunnel too. I guess that can be done with connmark (connection mark).

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
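The mark-based setup discussed in this thread (default route into the tunnel, a fwmark routing table for the tunnel packets themselves, and CONNMARK so that RELATED packets such as ICMP errors follow the same path), written out as an added example script that is not part of the thread. The addresses, interface names and the UDP port 1194 are constructed assumptions; set DRY_RUN=1 to print the commands instead of running them.

```shell
#!/bin/sh
# Policy routing: only the tunnel packets (and packets conntrack
# ties to them, e.g. ICMP errors) leave via the physical uplink;
# everything else, including other traffic to the VPN node's public
# address, goes through the tunnel. All values are constructed.
VPN_EXT=${VPN_EXT:-203.0.113.10}   # VPN node, public address (assumption)
VPN_PORT=${VPN_PORT:-1194}         # UDP port of the tunnel itself (assumption)
PHYS_IF=${PHYS_IF:-eth0}           # physical uplink
OLD_GW=${OLD_GW:-192.0.2.1}        # previous default gateway on PHYS_IF
TUN_IF=${TUN_IF:-tun0}             # VPN device
MARK=0x1                           # fwmark carried by tunnel packets
TABLE=100                          # routing table consulted for that mark

# run: echo the command when DRY_RUN=1, otherwise execute it.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_vpn_routing() {
    # 1. The main default route points into the tunnel.
    run ip route replace default dev "$TUN_IF"
    # 2. A separate table keeps the old physical default route, and is
    #    selected only for packets carrying the mark.
    run ip route replace default via "$OLD_GW" dev "$PHYS_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    # 3. First restore any mark saved on the connection. This is what
    #    covers RELATED packets: conntrack attaches an ICMP error to the
    #    UDP flow it refers to, so the error inherits the tunnel's mark.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 4. Mark the tunnel packets themselves (still unmarked at this point)
    #    and save the mark on the connection for the steps above.
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -p udp \
        -d "$VPN_EXT" --dport "$VPN_PORT" -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -m mark --mark "$MARK" -j CONNMARK --save-mark
}
```

After the mark is set in mangle OUTPUT the kernel re-evaluates the route for that packet, which is what sends it out via table 100 instead of the tunnel.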