Re: Wrong routing when combining ip rule with SNAT


Alex Bligh <alex@xxxxxxxxxxx> writes:
> On 18 Sep 2013, at 01:55, Nikolaus Rath wrote:
>
>> Why not? For example, the VPN node also acts as my mailserver. So
>> whenever I encounter firewalls that e.g. block everything but port 443
>> and 80, I have to establish a tunnel to be able to connect to port 25,
>> and then change the mail server name in my MUA to the internal name on
>> the VPN. Then, if I'm at a different location where I do not need the
>> VPN, I have to change it back to the public hostname.
>> 
>> That is rather annoying, and I could avoid it if I somehow get
>> the smtp connections to use the VPN gateway as well.
>
> One possibility would be to add another interface, so you are using
> separate destination IP addresses for the end of the VPN tunnel
> and 'everything else'. Remember the 'everything else' IP address
> does not need to be public, as you'll only be reaching it by
> the VPN tunnel.

Hmm. I don't get it. Could you explain in more detail?

> Another is to use policy routing and only direct the VPN traffic
> down the /32 route. This is pretty much what you were suggesting
> re the marking etc. However, I would caution that this will mean
> (e.g.) ICMP goes the 'wrong' way for at least one session. This
> will make debugging hard, may affect pMTU discovery etc. etc.,
> all of which will be bad news for reliable connections.

I think I could live with the debugging problems, but at the moment it
is not working at all because of the source ip issues (see my very first
mail that started this thread).


Best,
Nikolaus



-- 
Encrypted emails preferred.
PGP fingerprint: 5B93 61F8 4EA2 E279 ABF6  02CF A9AD B7F8 AE4E 425C

             »Time flies like an arrow, fruit flies like a Banana.«

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
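An added worked example, not a configuration posted by anyone in this thread: the "mark it, ip rule it into its own table" approach Alex sketches above, together with the SNAT on the tunnel interface that addresses the source-address problem Nikolaus refers to. It assumes a tunnel interface tun0, tunnel addresses 10.8.0.2 (this end) and 10.8.0.1 (the VPN node that is also the mail server), routing table 100 and fwmark 0x19; every one of those is an assumption chosen for illustration, not something from the original mails. The point of step 3 is that for a locally generated connection the kernel picks the source address in the first route lookup, before the mangle OUTPUT mark re-routes the packet onto the tunnel, so without a SNAT the SYN leaves tun0 carrying the normal uplink's address and the far end answers via its own routing table instead of back down the tunnel.

```shell
#!/bin/sh
# Added example, not a configuration posted in this thread. Sends only
# locally generated SMTP (tcp/25) through the VPN tunnel using a fwmark,
# a dedicated routing table and an SNAT to the tunnel address.
#
# Every name and address below is an assumption chosen for illustration:
#   VPN_IF    tun0        tunnel interface on this host
#   VPN_LOCAL 10.8.0.2    address of this end of the tunnel
#   VPN_GW    10.8.0.1    VPN node (the mail server) at the far end
#   TABLE     100         otherwise unused routing table
#   MARK      0x19        fwmark that selects that table
#
# With DRY_RUN set the commands are printed instead of executed; applying
# them for real needs root and a tunnel that is already up.

VPN_IF=${VPN_IF:-tun0}
VPN_LOCAL=${VPN_LOCAL:-10.8.0.2}
VPN_GW=${VPN_GW:-10.8.0.1}
TABLE=${TABLE:-100}
MARK=${MARK:-0x19}

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

setup_smtp_via_vpn() {
    # 1. Mark new locally generated SMTP connections. The mark is stored in
    #    conntrack so every later packet of that connection (and nothing
    #    else) gets the same mark back without re-matching the port.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -m mark --mark 0 -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
    run iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

    # 2. Marked packets consult a table whose only route is the tunnel.
    #    Unmarked traffic, including the tunnel's own encrypted packets to
    #    the VPN node's public address, keeps using the main table.
    run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
    run ip route replace default via "$VPN_GW" dev "$VPN_IF" table "$TABLE"

    # 3. Source-address fix. The source address was chosen in the first
    #    route lookup, before the mark re-routed the packet onto tun0, so
    #    the SYN would leave the tunnel with the uplink's address. Rewrite
    #    it to the tunnel address; conntrack reverses this for the replies.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -p tcp --dport 25 \
        -j SNAT --to-source "$VPN_LOCAL"

    # 4. Drop cached routes so the new rule applies at once (a no-op on
    #    kernels that no longer have a routing cache).
    run ip route flush cache
}

# Removes exactly what setup_smtp_via_vpn added, in reverse order.
teardown_smtp_via_vpn() {
    run iptables -t nat -D POSTROUTING -o "$VPN_IF" -p tcp --dport 25 \
        -j SNAT --to-source "$VPN_LOCAL"
    run ip route flush table "$TABLE"
    run ip rule del fwmark "$MARK" lookup "$TABLE" priority 1000
    run iptables -t mangle -D OUTPUT -j CONNMARK --save-mark
    run iptables -t mangle -D OUTPUT -m mark --mark 0 -p tcp --dport 25 \
        -m conntrack --ctstate NEW -j MARK --set-mark "$MARK"
    run iptables -t mangle -D OUTPUT -j CONNMARK --restore-mark
}

# Usage: "sh smtp-via-vpn.sh apply" (as root) or "sh smtp-via-vpn.sh remove";
# with no argument, print what "apply" would execute.
case "${1:-}" in
    apply)  setup_smtp_via_vpn ;;
    remove) teardown_smtp_via_vpn ;;
    *)      DRY_RUN=1 setup_smtp_via_vpn ;;
esac
```

Two things to check after applying it: "ip rule show" should list the fwmark rule ahead of the main table, and "conntrack -L" (or /proc/net/nf_conntrack) should show the port 25 connection with mark 0x19 and a src address of 10.8.0.2 in the reply direction; if the reply tuple still shows the uplink address, the SNAT did not match and the replies will not come back down the tunnel.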