Hi,

We have Shorewall set up in a small corp LAN. OpenVPN is running on the firewall. We are moving to a new provider, so we added a new interface and set up Shorewall according to the docs. Currently we just want to route all traffic to the old provider. Later we will move services over to the new one.

After adding providers and updating the config, we restarted Shorewall and everything works except OpenVPN. VPN clients can connect to the router and establish a VPN tunnel but traffic is not flowing from the VPN. I have removed routefilter from the interfaces file but still no luck.

This is a live system so I can't do a dump until tonight but here are the config files:

#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth0            detect          tcpflags,logmartians,nosmurfs
net     eth4            detect          tcpflags,logmartians,nosmurfs
corp    eth1            detect          tcpflags,nosmurfs
dmz     eth2            detect          tcpflags,nosmurfs
kvm     eth3            detect          tcpflags,nosmurfs
road    tun+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall version 4 - Masq file
#
# For information about entries in this file, type "man shorewall-masq"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-masq.html
#
###############################################################################
#INTERFACE      SOURCE                  ADDRESS                 PROTO   PORT(S) IPSEC   MARK
eth0            145.155.111.129         22.147.114.147
eth4            22.147.114.147          145.155.111.129
eth0            eth1                    22.147.114.147
eth0            eth2                    22.147.114.147
eth0            172.16.189.0/24         22.147.114.147
eth0            172.16.191.0/24         22.147.114.147
eth4            eth1                    145.155.111.129
eth4            eth2                    145.155.111.129
eth4            172.16.189.0/24         145.155.111.129
eth4            172.16.191.0/24         145.155.111.129
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE

#
# Shorewall version 4 - Policy File
#
# For information about entries in this file, type "man shorewall-policy"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-policy.html
#
###############################################################################
#SOURCE         DEST            POLICY          LOG             LIMIT:BURST
#                                               LEVEL
# Policies for traffic originating from the corp LAN (corp)
#
# on your firewall, change the corp to net policy to REJECT info.
net             net             DROP
# If you want to force clients to access the Internet via a proxy server
# on your firewall, change the corp to net policy to REJECT info.
corp            net             ACCEPT
corp            dmz             ACCEPT
corp            road            ACCEPT
corp            kvm             ACCEPT
corp            $FW             REJECT          info
corp            all             REJECT          info
# Policies for traffic originating from the DMZ LAN (dmz)
dmz             net             ACCEPT
dmz             $FW             REJECT          info
dmz             corp            REJECT          info
dmz             kvm             REJECT          info
dmz             all             REJECT          info
# Policies for traffic originating from the kvm
kvm             net             REJECT
kvm             $FW             REJECT          info
kvm             corp            REJECT          info
kvm             all             REJECT          info
#
# Policies for traffic originating from the firewall ($FW)
#
# If you want open access to the Internet from your firewall, change the
# $FW to net policy to ACCEPT and remove the 'info' LOG LEVEL.
# This may be useful if you run a proxy server on the firewall.
$FW             net             ACCEPT
$FW             corp            REJECT          info
$FW             dmz             REJECT          info
$FW             kvm             REJECT          info
$FW             all             REJECT          info
# Policies for traffic originating from VPN
#
road            net             ACCEPT
road            corp            ACCEPT
road            dmz             ACCEPT
road            kvm             ACCEPT
road            $FW             ACCEPT
road            all             DROP            info
#
# Policies for traffic originating from the Internet zone (net)
#
net             $FW             DROP            info
net             corp            DROP            info
net             dmz             DROP            info
net             kvm             DROP            info
net             all             DROP            info
# THE FOLLOWING POLICY MUST BE LAST
all             all             REJECT          info
#LAST LINE -- DO NOT REMOVE

#
# Shorewall version 4 - Providers File
#
# For information about entries in this file, type "man shorewall-providers"
#
# For additional information, see http://shorewall.net/MultiISP.html
#
############################################################################################
#NAME   NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY                 OPTIONS         COPY
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
ISP1    1       1       main            eth0            145.155.111.254         track,balance   eth1,eth2,eth3,tun+
ISP2    2       2       main            eth4            22.147.114.254          track,balance   eth1,eth2,eth3,tun+

#
# Shorewall version 4 - route_rules File
#
# For information about entries in this file, type "man shorewall-route_rules"
#
# For additional information, see http://www.shorewall.net/MultiISP.html
##############################################################################
#SOURCE                 DEST                    PROVIDER        PRIORITY
eth1                    -                       ISP1            1000
eth1                    -                       ISP1            1000
-                       172.16.189.0/24         ISP1            1000
-                       172.16.191.0/24         ISP1            1000
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall version 4 - Routestopped File
#
# For information about entries in this file, type "man shorewall-routestopped"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-routestopped.html
#
# See http://shorewall.net/starting_and_stopping_shorewall.htm for additional
# information.
#
###############################################################################
#INTERFACE      HOST(S)                 OPTIONS
eth1            172.16.10.0/24
eth2            172.16.20.0/24
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
############################################################################################################################
#ACTION         SOURCE          DEST                    PROTO   DEST    SOURCE          ORIGINAL        RATE            USER/   MARK
#                                                               PORT    PORT(S)         DEST            LIMIT           GROUP
# Accept DNS connections from the firewall to the network
DNS/ACCEPT      $FW             net
# Accept SSH connections
SSH/ACCEPT      corp            $FW
# Accept dhcp connections
ACCEPT          corp            $FW                     udp     67
ACCEPT          dmz             $FW                     udp     67
ACCEPT          kvm             $FW                     udp     67
# Allow Ping from the corp network
Ping/ACCEPT     corp            $FW
# Reject Ping from "bad" net zone.. and prevent your log from being flooded..
#Ping/REJECT    net             $FW
ACCEPT          $FW             corp                    icmp
ACCEPT          $FW             net                     icmp
#
DNAT            net             dmz:172.16.20.34:8080   tcp     8080    -               145.155.111.129
DNAT            net             dmz:172.16.20.34:80     tcp     80      -               145.155.111.129
DNAT            net             dmz:172.16.20.34:5222   tcp     5222    -               145.155.111.129
DNAT            net             dmz:172.16.20.34:5223   tcp     5223    -               145.155.111.129
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

###############################################################################
# /etc/shorewall/shorewall.conf V4.0 - Change the following variables to
# match your setup
#
# This program is under GPL
# [http://www.gnu.org/licenses/old-licenses/gpl-2.0.txt]
#
# This file should be placed in /etc/shorewall
#
# (c) 1999,2000,2001,2002,2003,2004,2005,
#     2006,2007 - Tom Eastep (teastep@shorewall.net)
#
# For information about the settings in this file, type "man shorewall.conf"
#
# Additional information is available at
# http://www.shorewall.net/Documentation.htm#Conf
###############################################################################
#
# S T A R T U P   E N A B L E D
###############################################################################
STARTUP_ENABLED=Yes
###############################################################################
# V E R B O S I T Y
###############################################################################
VERBOSITY=1
###############################################################################
# C O M P I L E R
# (setting this to 'perl' requires installation of Shorewall-perl)
###############################################################################
SHOREWALL_COMPILER=
###############################################################################
# L O G G I N G
###############################################################################
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGRATE=
LOGBURST=
LOGALLNEW=
BLACKLIST_LOGLEVEL=
MACLIST_LOG_LEVEL=info
TCP_FLAGS_LOG_LEVEL=info
RFC1918_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
LOG_MARTIANS=No
###############################################################################
# L O C A T I O N   O F   F I L E S   A N D   D I R E C T O R I E S
###############################################################################
IPTABLES=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=/var/lock/subsys/shorewall
MODULESDIR=
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
RESTOREFILE=
IPSECFILE=zones
LOCKFILE=
###############################################################################
# D E F A U L T   A C T I O N S / M A C R O S
###############################################################################
DROP_DEFAULT="Drop"
REJECT_DEFAULT="Reject"
ACCEPT_DEFAULT="none"
QUEUE_DEFAULT="none"
NFQUEUE_DEFAULT="none"
###############################################################################
# R S H / R C P   C O M M A N D S
###############################################################################
RSH_COMMAND='ssh ${root}@${system} ${command}'
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
###############################################################################
# F I R E W A L L   O P T I O N S
###############################################################################
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=No
RETAIN_ALIASES=No
TC_ENABLED=Internal
TC_EXPERT=No
CLEAR_TC=Yes
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=No
ROUTE_FILTER=No
DETECT_DNAT_IPADDRS=No
MUTEX_TIMEOUT=60
ADMINISABSENTMINDED=Yes
BLACKLISTNEWONLY=Yes
DELAYBLACKLISTLOAD=No
MODULE_SUFFIX=
DISABLE_IPV6=Yes
BRIDGING=No
DYNAMIC_ZONES=No
PKTTYPE=Yes
RFC1918_STRICT=No
MACLIST_TABLE=filter
MACLIST_TTL=
SAVE_IPSETS=No
MAPOLDACTIONS=No
FASTACCEPT=No
IMPLICIT_CONTINUE=Yes
HIGH_ROUTE_MARKS=No
USE_ACTIONS=Yes
OPTIMIZE=0
EXPORTPARAMS=Yes
EXPAND_POLICIES=Yes
KEEP_RT_TABLES=No
DELETE_THEN_ADD=Yes
MULTICAST=No
DONT_LOAD=
###############################################################################
# P A C K E T   D I S P O S I T I O N
###############################################################################
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
#LAST LINE -- DO NOT REMOVE

#
# Shorewall version 4 - Tunnels File
#
# For information about entries in this file, type "man shorewall-tunnels"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-tunnels.html
#
###############################################################################
#TYPE                   ZONE    GATEWAY         GATEWAY
#                                               ZONE
openvpnserver:tcp:1194  net     0.0.0.0/0
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

#
# Shorewall version 4 - Zones File
#
# For information about this file, type "man shorewall-zones"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-zones.html
#
###############################################################################
#ZONE   TYPE            OPTIONS         IN                      OUT
#                                       OPTIONS                 OPTIONS
fw      firewall
net     ipv4
corp    ipv4
dmz     ipv4
kvm     ipv4
road    ipv4
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE

TIA
Pete

Sent via the KillerWebMail system at petefleming.com

------------------------------------------------------------------------------
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you. Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
Pete wrote:
> Hi,
>
> We have Shorewall set up in a small corp LAN. OpenVPN is running on the
> firewall. We are moving to a new provider, so we added a new interface and
> set up Shorewall according to the docs. Currently we just want to route all
> traffic to the old provider. Later we will move services over to the new one.
>
> After adding providers and updating the config, we restarted Shorewall and
> everything works except OpenVPN. VPN clients can connect to the router and
> establish a VPN tunnel but traffic is not flowing from the VPN. I have
> removed routefilter from the interfaces file but still no luck.

CAREFULLY read the documentation about route_rules at
http://www.shorewall.net/MultiISP.html looking for the word 'OpenVPN'.
Hi all,

I wish to route all fw traffic to ISP1, but the rule gets ignored ....

In my tcrules file I have only one rule.

0x100   $FW     -

with high route marks.

Then after executing a ping from fw->net I found out that successive pings get routed interchanged to both ISP providers.

my providers file is

NAME    NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
ISP1    1       0x100   main            eth0            10.10.10.1      track,balance   eth2,br0
ISP2    2       0x200   main            eth1            10.0.12.1       track,balance   eth2,br0

shorewall show mangle shows traffic getting marked ok.

Shorewall 3.4.8 Mangle Table at fw - Wed Dec 10 13:46:04 UTC 2008

Counters reset Wed Dec 10 13:44:30 UTC 2008

Chain PREROUTING (policy ACCEPT 1408 packets, 169K bytes)
 pkts bytes target     prot opt in     out     source               destination
  111 92876 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           connmark match !0x0/0xff00 CONNMARK restore mask 0xff00
   43  6182 routemark  all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00
    0     0 routemark  all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00
  107 95942 tcpre      all  --  eth0   *       0.0.0.0/0            0.0.0.0/0
    0     0 tcpre      all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
 1228 68313 tcpre      all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00

Chain INPUT (policy ACCEPT 1178 packets, 64120 bytes)
 pkts bytes target     prot opt in     out     source               destination
 1152 62768 MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xff

Chain FORWARD (policy ACCEPT 230 packets, 105K bytes)
 pkts bytes target     prot opt in     out     source               destination
  230  105K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xff
  230  105K tcfor      all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 17103 packets, 3148K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           connmark match !0x0/0xff00 CONNMARK restore mask 0xff00
 1201  205K tcout      all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match 0x0/0xff00

Chain POSTROUTING (policy ACCEPT 1434 packets, 312K bytes)
 pkts bytes target     prot opt in     out     source               destination
 1408  308K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK and 0xff
 1408  308K tcpost     all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain routemark (2 references)
 pkts bytes target     prot opt in     out     source               destination
   43  6182 MARK       all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x100/0xffffffff
    0     0 MARK       all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x200/0xffffffff
   43  6182 CONNMARK   all  --  *      *       0.0.0.0/0            0.0.0.0/0           mark match !0x0/0xff00 CONNMARK save mask 0xff00

Chain tcfor (1 references)
 pkts bytes target     prot opt in     out     source               destination

Chain tcout (1 references)
 pkts bytes target     prot opt in     out     source               destination
 1201  205K MARK       all  --  *      *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x100/0xffffffff

Chain tcpost (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           mark match 0x1/0xff CLASSIFY set 1:11
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           mark match 0x2/0xff CLASSIFY set 1:12
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           mark match 0x3/0xff CLASSIFY set 1:13
    0     0 CLASSIFY   all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           mark match 0x4/0xff CLASSIFY set 1:14
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x1/0xff CLASSIFY set 2:11
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x2/0xff CLASSIFY set 2:12
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x3/0xff CLASSIFY set 2:13
    0     0 CLASSIFY   all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           mark match 0x4/0xff CLASSIFY set 2:14

Chain tcpre (3 references)
 pkts bytes target     prot opt in     out     source               destination
 1228 68313 MARK       all  --  br0    *       0.0.0.0/0            0.0.0.0/0           MARK xset 0x100/0xffffffff

However, when I add a rule from Loc->net and mark packets to go through a particular provider, it also looked like both ISPs were used.

Then I replaced the balance option with loose and the fw->net traffic got routed through ISP1, but I am not sure that this package will do balance for packets that have no specific mark on them :-\

shorewall version 3.4.8
kernel 2.6.25

Thanks for your suggestions
Harry.
Harry Lachanas wrote:
> However, when I add a rule from Loc->net and mark packets to go through a
> particular provider, it also looked like both ISPs were used.
>
> Then I replaced the balance option with loose and the fw->net traffic
> got routed through ISP1, but I am not sure that this package will do
> balance for packets that have no specific mark on them :-\
>
> shorewall version 3.4.8
> kernel 2.6.25
>
> Thanks for your suggestions

I personally am not going to spend any time on this without seeing 'shorewall dump' output.
OK, I've just included a shorewall dump in the mail.

The update on this is that ...

Indeed the ping gets routed to ISP1.
I also can see the reply coming in (tcpdump),
however ping or fping lies there dead ....

Meanwhile

# ip route get IP_ADDRESS

shows the particular address I was pinging as it was supposed to be routed through ISP2.

My interfaces file is
-----------------------------------------------------------
net     eth0    detect
net     eth1    detect
dmz     eth2    detect
loc     br0     detect  routeback
-----------------------------------------------------------

I wish to route all fw traffic to ISP1,
but the rule gets ignored ....

In my tcrules file I have only one rule.

0x100   $FW     -
0x100   br0     0.0.0.0

with high route marks.

Then after executing a ping from fw->net I found out that successive pings get routed interchanged to both ISP providers.

my providers file is

NAME    NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
ISP1    1       0x100   main            eth0            10.10.10.1      track,balance   eth2,br0
ISP2    2       0x200   main            eth1            10.0.12.1       track,balance   eth2,br0

shorewall show mangle shows traffic getting marked ok.

However, when I add a rule from Loc->net and mark packets to go through a particular provider, it also looked like both ISPs were used.

Then I replaced the balance option with loose and the fw->net traffic got routed through ISP1, but I am not sure that this package will do balance for packets that have no specific mark on them :-\

shorewall version 3.4.8
kernel 2.6.25
------------
Harry Lachanas wrote:
> Indeed the ping gets routed to ISP1.
> I also can see the reply coming in (tcpdump),
> however ping or fping lies there dead ....

Probably being dropped as martians -- but you'll never know it since you haven't enabled martian logging.

> I wish to route all fw traffic to ISP1,
> but the rule gets ignored ....

Which is described as a possible problem in the Shorewall Multi-ISP documentation in the section entitled "Applications Running on the Firewall".

> In my tcrules file I have only one rule.
>
> 0x100   $FW     -
> 0x100   br0     0.0.0.0
>
> with high route marks.
>
> Then after executing a ping from fw->net I found out that successive
> pings get routed interchanged to both ISP providers.
>
> my providers file is
> NAME    NUMBER  MARK    DUPLICATE       INTERFACE       GATEWAY         OPTIONS         COPY
> ISP1    1       0x100   main            eth0            10.10.10.1      track,balance   eth2,br0
> ISP2    2       0x200   main            eth1            10.0.12.1       track,balance   eth2,br0
>
> shorewall show mangle shows traffic getting marked ok.
>
> However, when I add a rule from Loc->net and mark packets to go through a
> particular provider, it also looked like both ISPs were used.
>
> Then I replaced the balance option with loose and the fw->net traffic
> got routed through ISP1, but I am not sure that this package will do
> balance for packets that have no specific mark on them :-\

The only thing that 'loose' does is that it causes one routing rule per external interface to be omitted (the rule that allows applications to bind to a particular interface's address to force the application to use that interface). Specifying 'loose' is an alternative to the technique of configuring your applications themselves to use a specific interface. It should work fine provided that you don't need to use that technique.
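Tom's martian remark is worth making concrete, because the symptom (tcpdump sees the reply, ping never does) is what a reverse-path-filter drop looks like from user space, and the kernel only reports such drops when martian logging is on (the 'logmartians' interface option or LOG_MARTIANS in shorewall.conf). The script below is an added example, not from the thread and not part of Shorewall: it pulls the kernel's "martian source <dst> from <src>, on dev <if>" messages out of syslog text and compares the interface each one arrived on with the interface a small model of the main routing table would use to reach the packet's source. A mismatch is exactly the situation Harry describes, where 'ip route get' says the pinged host lives behind ISP2 while the marked ping went out, and its reply came back, on ISP1's interface. The log lines, the firewall's interface addresses (10.10.10.2 on eth0, 10.0.12.5 on eth1, chosen to sit next to the gateways in his providers file) and the MAIN_TABLE model are all constructed; the regex follows the kernel's message format. The model is deliberately limited to the main table, whereas the real reverse-path check also walks the policy routing rules, so treat a reported conflict as a pointer to 'ip rule' and 'ip route get ... from ... iif ...' rather than as the final word.

```python
"""Explain ping-dead-but-reply-visible symptoms from kernel martian logs.

Added example; not from the thread or from Shorewall. It parses the kernel's
"martian source" messages (only emitted when martian logging is enabled,
e.g. the 'logmartians' interface option or LOG_MARTIANS in shorewall.conf)
and compares the interface each martian arrived on with the interface a
small model of the main routing table would use to reach the packet's
source address. A mismatch is a reverse-path-filter drop: the reply came
back on one provider while the main table points its source at the other.
"""
import ipaddress
import re
from collections import Counter

# net/ipv4/route.c prints the packet's DESTINATION first, then its SOURCE:
#   "martian source <dst> from <src>, on dev <if>"
# Newer kernels prefix the line with "IPv4: "; the regex tolerates both forms.
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>\d+(?:\.\d+){3}) from (?P<src>\d+(?:\.\d+){3}), on dev (?P<dev>\S+)"
)

# Constructed sample syslog: the firewall's eth0 address is 10.10.10.2 (ISP1,
# gateway 10.10.10.1 in the thread), eth1 is 10.0.12.5 (ISP2, gateway 10.0.12.1).
# 198.51.100.7 is a made-up pinged host whose echo replies arrive on eth0.
SAMPLE_LOG = """\
Dec 10 13:46:10 fw kernel: martian source 10.10.10.2 from 198.51.100.7, on dev eth0
Dec 10 13:46:10 fw kernel: ll header: 00:11:22:33:44:55:66:77:88:99:aa:bb:08:00
Dec 10 13:46:11 fw kernel: martian source 10.10.10.2 from 198.51.100.7, on dev eth0
Dec 10 13:46:12 fw kernel: IPv4: martian source 10.10.10.2 from 198.51.100.7, on dev eth0
Dec 10 13:46:30 fw kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.9 DST=10.0.12.5
"""

# Constructed model of the main table: default via ISP2 (eth1), as 'ip route get'
# reported for the pinged host, plus the two directly connected provider networks.
MAIN_TABLE = {
    "0.0.0.0/0": "eth1",
    "10.10.10.0/24": "eth0",
    "10.0.12.0/24": "eth1",
}


def parse_martians(log_text):
    """Return (dev, dst, src) for each martian-source line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            events.append((m.group("dev"), m.group("dst"), m.group("src")))
    return events


def route_lookup(addr, table):
    """Longest-prefix match over the static table model; returns the egress interface."""
    ip = ipaddress.ip_address(addr)
    best_net, best_dev = None, None
    for prefix, dev in table.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_dev = net, dev
    return best_dev


def rp_filter_conflicts(log_text, table):
    """Count martians whose arrival interface differs from the route to their source.

    Keys are (source address, arrived on, main table says); each count is one
    reply the kernel discarded before ping could see it.
    """
    conflicts = Counter()
    for dev, _dst, src in parse_martians(log_text):
        expected = route_lookup(src, table)
        if expected is not None and expected != dev:
            conflicts[(src, dev, expected)] += 1
    return conflicts


if __name__ == "__main__":
    for (src, dev, expected), n in rp_filter_conflicts(SAMPLE_LOG, MAIN_TABLE).items():
        print(f"{n} replies from {src} arrived on {dev}, "
              f"but the main table routes {src} via {expected}")
```

On a real system, replace SAMPLE_LOG with the contents of /var/log/messages (the LOGFILE in the shorewall.conf earlier in this thread) and fill MAIN_TABLE from 'ip route show'. If martian logging is off you will see nothing at all, which is Tom's point: turn it on first, then read the log.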
>
> The only thing that 'loose' does is that it causes one routing rule per
> external interface to be omitted (the rule that allows applications to
> bind to a particular interface's address to force the application to use
> that interface). Specifying 'loose' is an alternative to the technique
> of configuring your applications themselves to use a specific interface.
> It should work fine provided that you don't need to use that technique.
>

Sorry Shorewall Geek, this really got me confused ...

If say openvpn is running on the firewall, should it be started with
a) --local 0
or
b) --local xx.xx.xx.xx
???

Thanks.
Regards
Harry.
Harry Lachanas wrote:
>> The only thing that 'loose' does is that it causes one routing rule per
>> external interface to be omitted (the rule that allows applications to
>> bind to a particular interface's address to force the application to use
>> that interface). Specifying 'loose' is an alternative to the technique
>> of configuring your applications themselves to use a specific interface.
>> It should work fine provided that you don't need to use that technique.
>>
>
> Sorry Shorewall Geek,
> this really got me confused ...
>
> If say openvpn is running on the firewall, should it be started with
> a) --local 0
> or
> b) --local xx.xx.xx.xx
> ???

You are running an OpenVPN server. So as long as you have 'track' specified on your providers, it doesn't make any difference.

Note though, if you use --local xx.xx.xx.xx then your clients can only connect using one of your providers unless you run two instances of OpenVPN (one on each address).
On Fri, Dec 12, 2008 at 1:47 AM, Harry Lachanas <grharry@freemail.gr> wrote:
>
> If say openvpn is running on the firewall, should it be started with
> a) --local 0
> or
> b) --local xx.xx.xx.xx
> ???
>

And if you're running with multiple interfaces, you had better be running OpenVPN 2.1RC with --multihome. Otherwise things get messy.

Prasanna.

--
Want to manage multiple office networks? Want to securely connect all your locations? Want to do it in a budget?
www.elinanetworks.com