Re: Wrong routing when combining ip rule with SNAT

On 18 Sep 2013, at 01:55, Nikolaus Rath wrote:

> Why not? For example, the VPN node also acts as my mailserver. So
> whenever I encounter firewalls that e.g. block everything but port 443
> and 80, I have to establish a tunnel to be able to connect to port 25,
> and then change the mail server name in my MUA to the internal name on
> the VPN. Then, if I'm at a different location where I do not need the
> VPN, I have to change it back to the public hostname.
> 
> That is rather annoying, and I could avoid it if I somehow get
> the smtp connections to use the VPN gateway as well.

One possibility would be to add another interface, so you are using
separate destination IP addresses for the end of the VPN tunnel
and 'everything else'. Remember the 'everything else' IP address
does not need to be public, as you'll only be reaching it by
the VPN tunnel.

Another is to use policy routing and only direct the VPN traffic
down the /32 route. This is pretty much what you were suggesting
re the marking etc. However, I would caution that this will mean
(e.g.) ICMP goes the 'wrong' way for at least one session. This
will make debugging hard, may affect pMTU discovery etc. etc.,
all of which will be bad news for reliable connections.

-- 
Alex Bligh
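To make the caveat in Alex's second suggestion concrete, here is an added example (not code from the thread) that models the policy-routing lookup in Python: a host whose default route goes down the tunnel, a /32 for the VPN endpoint's public address via eth0, and a mangle-style mark that forces SMTP to that same public address back into the tunnel. The addresses, interface names and the mark value are constructed for the illustration; the point it shows is that unmarked traffic such as ICMP to the public address still takes the /32 path, so ping and traceroute do not follow the TCP session.

```python
import ipaddress

# Constructed addresses for the scenario (not from the thread).
VPN_PUBLIC = "203.0.113.10"   # public address of the VPN node / mailserver
SMTP_MARK = 1                 # fwmark set on SMTP packets to VPN_PUBLIC

# Routing tables: (prefix, outgoing device). "main" is a full-tunnel setup
# with a /32 escape route so the tunnel's own packets reach the endpoint.
TABLES = {
    "main": [("0.0.0.0/0", "tun0"), (VPN_PUBLIC + "/32", "eth0")],
    "smtp_via_vpn": [("0.0.0.0/0", "tun0")],
}

# ip rule entries in priority order: (fwmark or None for any, table).
RULES = [(SMTP_MARK, "smtp_via_vpn"), (None, "main")]


def lookup_table(table, dst):
    """Longest-prefix match within one table, as the kernel FIB does."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def mark_packet(proto, dst, dport):
    """Models: iptables -t mangle -A OUTPUT -p tcp --dport 25 -d VPN_PUBLIC
    -j MARK --set-mark 1. Every other packet leaves with mark 0."""
    if proto == "tcp" and dport == 25 and dst == VPN_PUBLIC:
        return SMTP_MARK
    return 0


def egress_device(proto, dst, dport=None):
    """Return the interface a locally generated packet leaves on."""
    mark = mark_packet(proto, dst, dport)
    for fwmark, table in RULES:
        if fwmark is not None and fwmark != mark:
            continue
        dev = lookup_table(TABLES[table], dst)
        if dev:
            return dev
    return None


if __name__ == "__main__":
    print("smtp  ->", egress_device("tcp", VPN_PUBLIC, 25))    # tun0
    print("icmp  ->", egress_device("icmp", VPN_PUBLIC))       # eth0
    print("https ->", egress_device("tcp", VPN_PUBLIC, 443))   # eth0
```

Running it shows the SMTP session inside the tunnel while ICMP and any other unmarked traffic to the same address go out eth0; that split is what makes ping-based debugging and path MTU discovery unreliable for the marked session.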
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html