Shorewall users - Feb 2007 - routing all traffic over openvpn

I have an OpenVPN roadwarrior setup as described here:
http://shorewall.net/OPENVPN.html#id2451785

I want to make one modification, but thus far have been unsuccessful.
I''d like to be able to route all traffic from the roadwarrior machine
over the openvpn link.

I believe I accomplished half of this by enabling redirect-gateway on
the openvpn server (the shorewall box).

The problem is internet traffic does not route properly as such.  I
can connect from roadwarrior->shorewall LAN and roadwarrior->shorewall
box and shorewall LAN->internet, but roadwarrior->shorewall
box->internet fails.  I already use the masq file to translate
LAN->internet in the standard way.  I tried adding a masq entry for
the tun+ interface, and it passes restart, but doesn''t seem to work.
The policy is set to allow tun+ zone to all.

So, perhaps easier than troubleshooting my failure, I can just ask
directly: How could the roadwarrior setup be modified to pass internet
traffic in addition to LAN traffic (assuming the LAN uses a standard
masq setup)?

Thanks

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV

Cyber Dog wrote:
> 
> So, perhaps easier than troubleshooting my failure, I can just ask
> directly: How could the roadwarrior setup be modified to pass internet
> traffic in addition to LAN traffic (assuming the LAN uses a standard
> masq setup)?
a) Add a masq entry but don''t specify ''tun+'' in the
SUBNET column; specify
the subnet used for the roadwarrior vpn instead.

b) Set the vpn->net policy to ACCEPT.

c) If you have a multi-ISP setup, add an entry to route_rules to use the
''main'' table for all traffic destined for the vpn subnet.

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key



-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net''s Techsay panel and you''ll get the chance
to share your
opinions on IT & business topics through brief surveys-and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV