Marcin Kabiesz <marcin.kabiesz@xxxxxxxxxxxx> wrote:
> is it possible that with the OpenVPN interface tun0 every now and then some
> packets with a private source address are visible and forwarded to the
> router?

Yes, NAT is only applied to packets that conntrack considers sane/valid.
You can e.g. add a drop rule for INVALID packets.
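
The drop rule suggested in the reply, as an added example that is not part of the original message: an nftables ruleset that discards conntrack-INVALID packets in the forward path before anything else can accept them. It assumes tun0 is the OpenVPN interface (from the question) and eth0 is the uplink towards the router; the table name, chain names and eth0 are assumptions.

```nft
# Added example. Assumed names: table "vpn_gw", uplink interface "eth0".
table ip vpn_gw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Packets that conntrack cannot match to a sane flow (for example TCP
        # segments outside the tracked window, or late packets for a flow
        # whose entry has already expired) are marked INVALID. NAT is skipped
        # for them, so they would leave with their original private source
        # address. Drop them first; the counter shows how often this happens.
        ct state invalid counter drop

        # Replies and related traffic for flows that conntrack is tracking.
        ct state established,related accept

        # New connections from VPN clients towards the uplink.
        iifname "tun0" oifname "eth0" ct state new accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Source NAT for everything leaving via the uplink. This only ever
        # applies to packets that conntrack considers valid.
        oifname "eth0" masquerade
    }
}
```

The order matters: the INVALID drop has to come before any rule that accepts traffic from tun0. Listing the forward chain afterwards shows the counter on that rule, which tells you how many such packets were previously being forwarded untranslated.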