This is similar to FAQ 2, but (I think) subtly different.

Shorewall version 4.4.8.1 on a dedicated firewall that also serves as an OpenVPN endpoint. Road warriors can establish an OpenVPN connection without problem.

The Ethernet interfaces on the firewall include:

eth0: standard 'net' zone
eth1: standard 'loc' zone
eth2: standard 'dmz' zone
eth7: 'guest' zone

The guest zone exists only to allow that company's visitors to get Internet access; there is no access to the loc or dmz zones. However, occasionally a company employee will connect via the guest lan and attempt to establish an OpenVPN connection in order to get access to the internal resources (loc, dmz). The OpenVPN connection file specifies the OpenVPN server by its public IP. The guest lan uses an RFC1918 subnet.

Problem: packet goes from user on guest lan to external IP of firewall successfully, but the return packet source address is the firewall's guest lan interface address. OpenVPN complains "Incoming packet rejected from 192.168.209.251:1194[2], expected peer address: $PUBLIC_IP:1194"

I would prefer not to use split zone DNS as that entails a replication of the company's external DNS save for one change, the VPN destination (and, at the moment, the OpenVPN conf files specify the OpenVPN server by address anyway).

I've tried combinations of the sort mentioned in FAQ 2, but have not solved the problem. Yes, it can be fixed by using OpenVPN 'float', but is there a way of having Shorewall set the source address as the public IP?

I hope the above is clear, but apologies if it isn't...questions welcome.