On 11/4/2010 10:09 AM, Bart Schaefer wrote:
>
>>> Maybe the simplest thing is to change the question: How can I cause
>>> packets forwarded from my LAN to avoid the VPN and go out via the
>>> regular default route?
>>>
>> You can add a line like:
>>
>> push "route 192.168.144.0 255.255.255.0"
>>
>> to the server's configuration file.
>
> Thanks for the suggestion, but (1) I don't have control of the server
> configuration and (2) I'm not sure that would work anyway, as what I
> want is for packets that come *from* network 192.168.144.0 to (not) be
> routed over the VPN, except for those that originate from
> 192.168.144.1.

Normally routes work on the destination addresses, and if you don't want something to go there based on the source address, you block it with iptables. It is possible to route based on source addresses, but if you need to do that, you are probably doing something wrong.

Can you explain what you are trying to accomplish as an end result? That is, is the 192.168.144.1 host a different machine than the one acting as the vpn gateway? And what do you want to happen if some other machine tries to connect to the address(es) routed through the vpn? Normally the addresses routed through a vpn would be private, so it doesn't make much sense to send them to your default internet gateway. If you are routing a public address through a vpn, then out some remote internet gateway, things get weird and will depend on appropriate NATing to work at all.

> Do I misunderstand what that push command will
> accomplish?

push route is an openvpn config statement on your end that tells the remote side to add the specified route (typically your LAN range) back through the tunnel when it comes up.

> Regarding (1) I do have a local openvpn-startup script that runs when
> the VPN comes up, to which I could add my own route or iptables
> commands. In fact it currently contains:
> iptables -A FORWARD -i tun+ -j ACCEPT
> which I should have mentioned before.

Does this mean you have control of one side of the connection? Or that you have root access but someone else manages the openvpn config?

--
Les Mikesell
lesmikesell at gmail.com