> > Are you using tcpdump to determine that the packets are going out over
> > the wrong interface?
>
> For the last test I only checked with lsof and conntrack:
>
> # lsof -i -n | grep openvpn
> openvpn 21972 nobody 4u IPv4 129321 0t0 TCP 115.146.92.84:51520->172.26.10.100:openvpn (ESTABLISHED)
>
> # conntrack -d 172.26.8.100 -L
> tcp 6 431995 ESTABLISHED src=115.146.92.84 dst=172.26.10.100 sport=51520 dport=1194 src=172.26.8.100 dst=115.146.92.84 sport=1194 dport=51520 [ASSURED] mark=0 use=2
> conntrack v1.0.0 (conntrack-tools): 1 flow entries have been shown.
>
> But now using tcpdump, I see that packets ARE leaving via eth1. But
> there are only outgoing packets, no incoming packets at all. Whereas on
> the default gateway device, packets are only incoming, no outgoing
> packets. The openvpn tunnel seems fine with that. So I need to change
> the source address of the packets for it to come back on the correct
> interface?
Yes, that's exactly what you need to do, or the other end will just reply
with the original (wrong) destination address. Something like:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

You can use -j SNAT if you want to explicitly specify the source address
(eg because you have several), but MASQUERADE should suffice.

James
_______________________________________________
luv-main mailing list
[email protected]
http://lists.luv.asn.au/listinfo/luv-main
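An added example, not code posted by James or the original asker: a small POSIX shell script that reads a conntrack entry like the one quoted above, checks whether the reply direction points back at the address of the egress interface, and prints the POSTROUTING rule James suggests when it does not. The eth1 address (192.0.2.10, from the documentation range) is a placeholder chosen here, and the sample conntrack line is constructed from the output quoted in the thread.

```shell
#!/bin/sh
# Added example for the thread above; not code posted by James or the asker.
# Symptom being checked: a flow leaves eth1 carrying the source address of a
# different interface, so the far end's replies arrive on that other interface.
# Placeholders: EGRESS_IF / EGRESS_IP below; the conntrack line is constructed.

# Print the n-th value for KEY from a `conntrack -L` line.
# In conntrack output the first src=/dst=/sport=/dport= set is the ORIGINAL
# direction and the second set is the REPLY direction.
ct_field() {
    # $1 = conntrack line, $2 = key (src|dst|sport|dport), $3 = occurrence (1|2)
    printf '%s\n' "$1" | awk -v key="$2" -v want="$3" '{
        n = 0
        for (i = 1; i <= NF; i++) {
            if (index($i, key "=") == 1) {
                n++
                if (n == want) { sub(/^[a-z]+=/, "", $i); print $i; exit }
            }
        }
    }'
}

# Succeed (0) when replies to this flow will come back on the egress
# interface, i.e. the reply-direction dst is the address held by that
# interface. Fail (1) when the flow is asymmetric.
reply_matches_egress() {
    # $1 = conntrack line, $2 = address configured on the egress interface
    [ "$(ct_field "$1" dst 2)" = "$2" ]
}

# Print the POSTROUTING rule for an interface: MASQUERADE when no address is
# given (the kernel uses the interface's primary address), SNAT when one is,
# which is the predictable choice when the interface has several addresses.
nat_rule() {
    # $1 = egress interface, $2 = optional source address to rewrite to
    if [ -z "${2:-}" ]; then
        echo "iptables -t nat -A POSTROUTING -o $1 -j MASQUERADE"
    else
        echo "iptables -t nat -A POSTROUTING -o $1 -j SNAT --to-source $2"
    fi
}

# Diagnose one flow and print the fix. NAT mappings are chosen when a
# connection is first seen, so an already-established tunnel keeps its old
# (un-NATed) entry; the openvpn client has to reconnect for the rule to apply.
diagnose() {
    # $1 = conntrack line, $2 = egress interface, $3 = its address
    if reply_matches_egress "$1" "$3"; then
        echo "ok: replies to $(ct_field "$1" src 1) will return via $2"
        return 0
    fi
    echo "asymmetric: packets leave $2 with src=$(ct_field "$1" src 1)," \
         "replies go to $(ct_field "$1" dst 2), which is not $3"
    echo "fix:"
    nat_rule "$2" "$3"
    echo "then restart the openvpn client so the new connection is NATed"
    return 0
}

# Constructed sample: the entry quoted in the thread, paired with a placeholder
# eth1 address that does not match the flow's source address.
SAMPLE_CT='tcp      6 431995 ESTABLISHED src=115.146.92.84 dst=172.26.10.100 sport=51520 dport=1194 src=172.26.8.100 dst=115.146.92.84 sport=1194 dport=50520 [ASSURED] mark=0 use=2'
SAMPLE_CT='tcp      6 431995 ESTABLISHED src=115.146.92.84 dst=172.26.10.100 sport=51520 dport=1194 src=172.26.8.100 dst=115.146.92.84 sport=1194 dport=51520 [ASSURED] mark=0 use=2'
EGRESS_IF=eth1
EGRESS_IP=192.0.2.10

diagnose "$SAMPLE_CT" "$EGRESS_IF" "$EGRESS_IP"
```

Run as root with the real values to apply the printed rule; the script itself only prints. Two caveats a practitioner should keep in mind: the nat table is consulted only for the first packet of a connection, so the tunnel that is already up stays asymmetric until it reconnects, and with several addresses on eth1 the SNAT form is the one that makes the chosen source address explicit.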
