Hi,

I don't know if this is a developer question, but it is too strange for the user list and maybe a possible bug. My setup is a little bit complicated, but I will try to explain as simply as possible.

I've got 3 servers:

All servers:
System: Debian 6
Interfaces on server1: eth0 tun0 tun1

    $ ssh -v
    OpenSSH_5.5p1 Debian-6+squeeze1, OpenSSL 0.9.8o 01 Jun 2010

Server 1 is for connecting and tunneling via ssh, let's say public ip 123.1.1.1. If I connect to Server 1, I can surf the web with the server 1 ip - fine!

Server 2 is in the same network, let's say public ip 123.1.1.2. It is connected on tun0 with server 1 - IP 10.1.0.1 (on server 2) and IP 10.1.0.6 (on server 1).

I mark the traffic of the tunnel with the owner (me => uid 2000):

    iptables -t mangle -I OUTPUT -m owner --uid-owner 2000 -j MARK --set-mark 0x1

and add a rule on server 1 with iproute2:

    ip rule from 123.1.1.1 fwmark 0x1 lookup vpn_to_server2

This table sets the default gateway on tun0, so the traffic is redirected. I can connect to server 1 and surf the web with the ip of server 2 - fine!

Server 3 is in a remote network, let's say public ip 132.1.1.3. It is connected on tun1 with server 1 - IP 10.2.0.1 (on server 3) and IP 10.2.0.6 (on server 1).

I change the ip rule to

    ip rule from 123.1.1.1 fwmark 0x1 lookup vpn_to_server3

Exactly the same settings as above with default gateway on tun1.

I connect with

    plink.exe -D 8888 me@server1.com

on Windows XP. I can connect and surf with the ip of server 3. Fine! Setup works!

But ... I connect from Arch (ssh -v => OpenSSH_6.0p1, OpenSSL 1.0.1a 19 Apr 2012) to server 1 with

    ssh -vvv -D 8888 me@server1.com

and when I try to surf a page, I get these errors:

    debug1: Connection to port 8888 forwarding to socks port 0 requested.
    debug2: fd 9 setting TCP_NODELAY
    debug2: fd 9 setting O_NONBLOCK
    debug3: fd 9 is O_NONBLOCK
    debug1: channel 3: new [dynamic-tcpip]
    debug2: channel 3: pre_dynamic: have 0
    debug2: channel 3: pre_dynamic: have 3
    debug2: channel 3: decode socks5
    debug2: channel 3: socks5 auth done
    debug2: channel 3: pre_dynamic: need more
    debug2: channel 3: pre_dynamic: have 0
    debug2: channel 3: pre_dynamic: have 20
    debug2: channel 3: decode socks5
    debug2: channel 3: socks5 post auth
    debug2: channel 3: dynamic request: socks5 host www.google.de port 443 command 1
    debug1: Connection to port 8888 forwarding to socks port 0 requested.
    debug2: fd 10 setting TCP_NODELAY
    debug2: fd 10 setting O_NONBLOCK
    debug3: fd 10 is O_NONBLOCK
    debug1: channel 4: new [dynamic-tcpip]
    debug2: channel 4: pre_dynamic: have 0
    debug2: channel 4: pre_dynamic: have 3
    debug2: channel 4: decode socks5
    debug2: channel 4: socks5 auth done
    debug2: channel 4: pre_dynamic: need more
    debug2: channel 4: pre_dynamic: have 0
    debug2: channel 4: pre_dynamic: have 20
    debug2: channel 4: decode socks5
    debug2: channel 4: socks5 post auth
    debug2: channel 4: dynamic request: socks5 host www.google.de port 443 command 1
    channel 3: open failed: administratively prohibited: open failed
    debug2: channel 3: zombie
    debug2: channel 3: garbage collecting
    debug1: channel 3: free: direct-tcpip: listening port 8888 for www.google.de port 443, connect from 127.0.0.1 port 34502, nchannels 5
    debug3: channel 3: status: The following connections are open:
      #2 client-session (t4 r0 i0/0 o0/0 fd 6/7 cc -1)
      #4 direct-tcpip: listening port 8888 for www.google.de port 443, connect from 127.0.0.1 port 34503 (t3 r-1 i0/0 o0/10 fd 10/10 cc -1)

Can anybody tell me what I am doing wrong?

regards
Oliver
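An added triage example, not part of the original post: it pairs each SOCKS request in client-side `ssh -vvv -D` output with the server's channel-open refusal, if any, so refused destinations stand out in a long trace. The function name `correlate` and the record fields are assumptions of this example; the sample lines are taken from the debug output above.

```python
import re

# Lines copied from the client debug output quoted in the post above.
SAMPLE = """\
debug1: channel 3: new [dynamic-tcpip]
debug2: channel 3: dynamic request: socks5 host www.google.de port 443 command 1
debug1: channel 4: new [dynamic-tcpip]
debug2: channel 4: dynamic request: socks5 host www.google.de port 443 command 1
channel 3: open failed: administratively prohibited: open failed
debug2: channel 3: zombie
"""

# "dynamic request" is logged once the client has decoded the SOCKS request.
REQ = re.compile(
    r"channel (\d+): dynamic request: (socks\w+) host (\S+) port (\d+) command \d+")
# "open failed" is the server's reply; the first field is the failure reason.
FAIL = re.compile(r"^channel (\d+): open failed: ([^:]+): (.*)$")


def correlate(log_text):
    """Return one record per SOCKS request, marked refused where the server said so."""
    open_requests = {}  # channel id -> record; ids are reused after a channel is freed
    records = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = REQ.search(line)
        if m:
            rec = {"channel": int(m.group(1)), "proto": m.group(2),
                   "host": m.group(3), "port": int(m.group(4)),
                   "status": "pending", "reason": None}
            open_requests[rec["channel"]] = rec
            records.append(rec)
            continue
        m = FAIL.match(line)
        if m:
            chan = int(m.group(1))
            rec = open_requests.pop(chan, None)
            if rec is None:  # refusal without a visible request (truncated log)
                rec = {"channel": chan, "proto": None, "host": None,
                       "port": None, "status": "pending", "reason": None}
                records.append(rec)
            rec["status"], rec["reason"] = "refused", m.group(2).strip()
    return records


if __name__ == "__main__":
    for r in correlate(SAMPLE):
        print(r["channel"], r["host"], r["port"], r["status"], r["reason"])
```

Requests still marked `pending` at the end of a trace had received no reply from the server when the log was captured.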