Shorewall users - Nov 2013 - openvpn restart fails with dual entry in conntrack and wrong sourceport

the establishment of an openvpn link sometimes fails.

I tracked it down to network traffic with wrong Sourceport in the answer 
packet (should be 1300 not 1024):
2	1.119309000	aaa.185.165	bbb.162.192	UDP	58	Source port: 1300  
Destination port: 1300 
3	1.119446000	bbb.162.192	aaa.185.165	UDP	66	Source port: 1024  
Destination port: 1300

and a collateral entry in the connection tracking table (out of shorewall 
dump):

Conntrack Table (1512 out of 65536)
[...]
udp      17 22 src=212.117.77.218 dst=62.155.185.165 sport=1300 dport=1300 
[UNREPLIED] src=62.155.185.165 dst=80.152.162.192 sport=1300 dport=1024 mark=0 
use=2
udp      17 172 src=62.155.185.165 dst=80.152.162.192 sport=1300 dport=1300 
src=80.152.162.192 dst=62.155.185.165 sport=1300 dport=1300 [ASSURED] mark=256 
use=2
[...]


How can I get rid of the additional entry when the openvpn tunnel is renewed? 


Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

On 11/21/2013 1:53 PM, Axel Zöllich wrote:
> the establishment of an openvpn link sometimes fails.
> 
> I tracked it down to network traffic with wrong Sourceport in the answer 
> packet (should be 1300 not 1024):
> 2	1.119309000	aaa.185.165	bbb.162.192	UDP	58	Source port: 1300  
> Destination port: 1300 
> 3	1.119446000	bbb.162.192	aaa.185.165	UDP	66	Source port: 1024  
> Destination port: 1300
> 
> and a collateral entry in the connection tracking table (out of shorewall 
> dump):
> 
> Conntrack Table (1512 out of 65536)
> [...]
> udp      17 22 src=212.117.77.218 dst=62.155.185.165 sport=1300 dport=1300 
> [UNREPLIED] src=62.155.185.165 dst=80.152.162.192 sport=1300 dport=1024
mark=0
> use=2
> udp      17 172 src=62.155.185.165 dst=80.152.162.192 sport=1300 dport=1300
> src=80.152.162.192 dst=62.155.185.165 sport=1300 dport=1300 [ASSURED]
mark=256
> use=2
> [...]
> 
> 
> How can I get rid of the additional entry when the openvpn tunnel is
renewed?
Use the ''conntrack'' utility.

-Tom
-
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

> > Conntrack Table (1512 out of 65536)
> > [...]
> > udp      17 22 src=212.117.77.218 dst=62.155.185.165 sport=1300
dport=1300
> > [UNREPLIED] src=62.155.185.165 dst=80.152.162.192 sport=1300
dport=1024
> > mark=0 use=2
> > udp      17 172 src=62.155.185.165 dst=80.152.162.192 sport=1300
> > dport=1300
> > src=80.152.162.192 dst=62.155.185.165 sport=1300 dport=1300 [ASSURED]
> > mark=256 use=2
> > [...]
> > 
> > 
> > How can I get rid of the additional entry when the openvpn tunnel is
> > renewed?
> Use the ''conntrack'' utility.
I did, but this is not what I want.
Or is actively removing of the entries the only way to reestablish a tunnel 
when connection tracking is enabled?


-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

On 11/22/2013 12:50 PM, Axel Zöllich wrote:
>>> Conntrack Table (1512 out of 65536)
>>> [...]
>>> udp      17 22 src=212.117.77.218 dst=62.155.185.165 sport=1300
dport=1300
>>> [UNREPLIED] src=62.155.185.165 dst=80.152.162.192 sport=1300
dport=1024
>>> mark=0 use=2
>>> udp      17 172 src=62.155.185.165 dst=80.152.162.192 sport=1300
>>> dport=1300
>>> src=80.152.162.192 dst=62.155.185.165 sport=1300 dport=1300
[ASSURED]
>>> mark=256 use=2
>>> [...]
>>>
>>>
>>> How can I get rid of the additional entry when the openvpn tunnel
is
>>> renewed?
>> Use the ''conntrack'' utility.
>
> I did, but this is not what I want.
> Or is actively removing of the entries the only way to reestablish a tunnel
> when connection tracking is enabled?
>
I have no idea why you are seeing that problem. Anyone else seen it?

-Tom
PS -- I''ve run OpenVPN for years...
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

Am Freitag, 22. November 2013, 12:58:11 schrieb Tom
Eastep:
> On 11/22/2013 12:50 PM, Axel Zöllich wrote:
> >>> Conntrack Table (1512 out of 65536)
> >>> [...]
> >>> udp      17 22 src=212.117.77.218 dst=62.155.185.165
sport=1300
> >>> dport=1300
> >>> [UNREPLIED] src=62.155.185.165 dst=80.152.162.192 sport=1300
dport=1024
> >>> mark=0 use=2
> >>> udp      17 172 src=62.155.185.165 dst=80.152.162.192
sport=1300
> >>> dport=1300
> >>> src=80.152.162.192 dst=62.155.185.165 sport=1300 dport=1300
[ASSURED]
> >>> mark=256 use=2
> >>> [...]
> >>> 
> >>> 
> >>> How can I get rid of the additional entry when the openvpn
tunnel is
> >>> renewed?
> >> 
> >> Use the ''conntrack'' utility.
> > 
> > I did, but this is not what I want.
> > Or is actively removing of the entries the only way to reestablish a
> > tunnel
> > when connection tracking is enabled?
> 
> I have no idea why you are seeing that problem. Anyone else seen it?
Maybe there is a correlation with my two ISPs setup?

I didn''t ivestigate further yet, but i''ve got
martians
>martian source 212.117.77.218 from 217.92.133.162, on dev ppp0
where 212... is the IP of eth4.

and sometimes bind (running on the shorewall box) errors:
named[3063]: error (network unreachable) resolving ''professional.avira-
cdn.com/A/IN'': 

Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

On 11/22/2013 1:21 PM, Axel Zöllich wrote:
> Am Freitag, 22. November 2013, 12:58:11 schrieb Tom Eastep:
>> On 11/22/2013 12:50 PM, Axel Zöllich wrote:
>>>>> Conntrack Table (1512 out of 65536)
>>>>> [...]
>>>>> udp      17 22 src=212.117.77.218 dst=62.155.185.165
sport=1300
>>>>> dport=1300
>>>>> [UNREPLIED] src=62.155.185.165 dst=80.152.162.192
sport=1300 dport=1024
>>>>> mark=0 use=2
>>>>> udp      17 172 src=62.155.185.165 dst=80.152.162.192
sport=1300
>>>>> dport=1300
>>>>> src=80.152.162.192 dst=62.155.185.165 sport=1300 dport=1300
[ASSURED]
>>>>> mark=256 use=2
>>>>> [...]
>>>>>
>>>>>
>>>>> How can I get rid of the additional entry when the openvpn
tunnel is
>>>>> renewed?
>>>>
>>>> Use the ''conntrack'' utility.
>>>
>>> I did, but this is not what I want.
>>> Or is actively removing of the entries the only way to reestablish
a
>>> tunnel
>>> when connection tracking is enabled?
>>
>> I have no idea why you are seeing that problem. Anyone else seen it?
> 
> Maybe there is a correlation with my two ISPs setup?
> 
> I didn''t investigate further yet, but i''ve got martians
>> martian source 212.117.77.218 from 217.92.133.162, on dev ppp0
> where 212... is the IP of eth4.
Are ppp0 and eth4 your provider links.

Also, is your OpenVPN setup Point-to-Point or client/server?

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

Am Freitag, 22. November 2013, 16:27:00 schrieb Tom
Eastep:
> On 11/22/2013 1:21 PM, Axel Zöllich wrote:
> > Am Freitag, 22. November 2013, 12:58:11 schrieb Tom Eastep:
> >> On 11/22/2013 12:50 PM, Axel Zöllich wrote:
> >>>>> Conntrack Table (1512 out of 65536)
> >>>>> [...]
> >>>>> udp      17 22 src=212.117.77.218 dst=62.155.185.165
sport=1300
> >>>>> dport=1300
> >>>>> [UNREPLIED] src=62.155.185.165 dst=80.152.162.192
sport=1300
> >>>>> dport=1024
> >>>>> mark=0 use=2
> >>>>> udp      17 172 src=62.155.185.165 dst=80.152.162.192
sport=1300
> >>>>> dport=1300
> >>>>> src=80.152.162.192 dst=62.155.185.165 sport=1300
dport=1300 [ASSURED]
> >>>>> mark=256 use=2
> >>>>> [...]
> >>>>> 
> >>>>> 
> >>>>> How can I get rid of the additional entry when the
openvpn tunnel is
> >>>>> renewed?
> >>>> 
> >>>> Use the ''conntrack'' utility.
> >>> 
> >>> I did, but this is not what I want.
> >>> Or is actively removing of the entries the only way to
reestablish a
> >>> tunnel
> >>> when connection tracking is enabled?
> >> 
> >> I have no idea why you are seeing that problem. Anyone else seen
it?
> > 
> > Maybe there is a correlation with my two ISPs setup?
> > 
> > I didn''t investigate further yet, but i''ve got
martians
> > 
> >> martian source 212.117.77.218 from 217.92.133.162, on dev ppp0
> > 
> > where 212... is the IP of eth4.
> 
> Are ppp0 and eth4 your provider links.
Yes. Both with fixed IPs.

providers:
tcom    1       0x100   -               ppp0            -               
balance=2       -
netco   2       0x200   -               eth4            212.117.77.217  
balance=1       -

tcrules:
#alles über tcom:
0x100:P 0.0.0.0/0
0x100   $FW
#Mebidia via netco
0x200:P -               212.117.77.202
0x200   $FW             212.117.77.202
0x200:P -               212.117.77.203
0x200   $FW             212.117.77.203
> Also, is your OpenVPN setup Point-to-Point or client/server?
Client/Server and the shorewall Box acts as server.


Axel


-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

On 11/23/2013 8:50 AM, Axel Zöllich wrote:
> Am Freitag, 22. November 2013, 16:27:00 schrieb Tom Eastep:
>> On 11/22/2013 1:21 PM, Axel Zöllich wrote:
>>> Am Freitag, 22. November 2013, 12:58:11 schrieb Tom Eastep:
>>>> On 11/22/2013 12:50 PM, Axel Zöllich wrote:
>>>>>>> Conntrack Table (1512 out of 65536)
>>>>>>> [...]
>>>>>>> udp      17 22 src=212.117.77.218
dst=62.155.185.165 sport=1300
>>>>>>> dport=1300
>>>>>>> [UNREPLIED] src=62.155.185.165 dst=80.152.162.192
sport=1300
>>>>>>> dport=1024
>>>>>>> mark=0 use=2
>>>>>>> udp      17 172 src=62.155.185.165
dst=80.152.162.192 sport=1300
>>>>>>> dport=1300
>>>>>>> src=80.152.162.192 dst=62.155.185.165 sport=1300
dport=1300 [ASSURED]
>>>>>>> mark=256 use=2
>>>>>>> [...]
>>>>>>>
>>>>>>>
>>>>>>> How can I get rid of the additional entry when the
openvpn tunnel is
>>>>>>> renewed?
>>>>>>
>>>>>> Use the ''conntrack'' utility.
>>>>>
>>>>> I did, but this is not what I want.
>>>>> Or is actively removing of the entries the only way to
reestablish a
>>>>> tunnel
>>>>> when connection tracking is enabled?
>>>>
>>>> I have no idea why you are seeing that problem. Anyone else
seen it?
>>>
>>> Maybe there is a correlation with my two ISPs setup?
>>>
>>> I didn''t investigate further yet, but i''ve got
martians
>>>
>>>> martian source 212.117.77.218 from 217.92.133.162, on dev ppp0
>>>
>>> where 212... is the IP of eth4.
>>
>> Are ppp0 and eth4 your provider links.
> Yes. Both with fixed IPs.
> 
> providers:
> tcom    1       0x100   -               ppp0            -               
> balance=2       -
> netco   2       0x200   -               eth4            212.117.77.217  
> balance=1       -
> 
> tcrules:
> #alles über tcom:
> 0x100:P 0.0.0.0/0
> 0x100   $FW
> #Mebidia via netco
> 0x200:P -               212.117.77.202
> 0x200   $FW             212.117.77.202
> 0x200:P -               212.117.77.203
> 0x200   $FW             212.117.77.203
What do you have in masq?
> 
>> Also, is your OpenVPN setup Point-to-Point or client/server?
> Client/Server and the shorewall Box acts as server.
Please send me the output of ''shorewall dump''.

Thanks,
-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

> > providers:
> > tcom    1       0x100   -               ppp0            -
> > balance=2       -
> > netco   2       0x200   -               eth4            212.117.77.217
> > balance=1       -
> > 
> > tcrules:
> > #alles über tcom:
> > 0x100:P 0.0.0.0/0
> > 0x100   $FW
> > #Mebidia via netco
> > 0x200:P -               212.117.77.202
> > 0x200   $FW             212.117.77.202
> > 0x200:P -               212.117.77.203
> > 0x200   $FW             212.117.77.203
> 
> What do you have in masq?
masq:
eth1    -                       192.168.122.189         tcp     22
ppp0    0.0.0.0/0               80.152.162.192
eth4    0.0.0.0/0               212.117.77.218
> >> Also, is your OpenVPN setup Point-to-Point or client/server?
> > 
> > Client/Server and the shorewall Box acts as server.
> 
> Please send me the output of ''shorewall dump''.
done
> Thanks,
I''m the one who should thank you.

Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

On 11/24/2013 8:22 AM, Axel Zöllich wrote:
>>> providers:
>>> tcom    1       0x100   -               ppp0            -
>>> balance=2       -
>>> netco   2       0x200   -               eth4           
212.117.77.217
>>> balance=1       -
>>>
>>> tcrules:
>>> #alles über tcom:
>>> 0x100:P 0.0.0.0/0
>>> 0x100   $FW
>>> #Mebidia via netco
>>> 0x200:P -               212.117.77.202
>>> 0x200   $FW             212.117.77.202
>>> 0x200:P -               212.117.77.203
>>> 0x200   $FW             212.117.77.203
>>
>> What do you have in masq?
> 
> masq:
> eth1    -                       192.168.122.189         tcp     22
> ppp0    0.0.0.0/0               80.152.162.192
> eth4    0.0.0.0/0               212.117.77.218
> 
>>>> Also, is your OpenVPN setup Point-to-Point or client/server?
>>>
>>> Client/Server and the shorewall Box acts as server.
>>
>> Please send me the output of ''shorewall dump''.
> done
> 
>> Thanks,
> I''m the one who should thank you.
> 
Axel,

Your configuration has USE_DEFAULT_RT=Yes; from
http://www.shorewall.org/manpages/shorewall-interfaces.html

Note

There are certain cases where routefilter cannot be used on an interface:

If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is listed
in shorewall-providers(5). <=================
If there is an entry for the interface in shorewall-providers(5) that
doesn''t specify the balance option.

If IPSEC is used to allow a road-warrior to have a local address, then
any interface through which the road-warrior might connect cannot
specify routefilter.

This is the cause of your martians.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

> Your configuration has USE_DEFAULT_RT=Yes; from
> http://www.shorewall.org/manpages/shorewall-interfaces.html
> 
> Note
> 
> There are certain cases where routefilter cannot be used on an interface:
> 
> If USE_DEFAULT_RT=Yes in shorewall.conf(5) and the interface is listed
> in shorewall-providers(5). <=================> 
> If there is an entry for the interface in shorewall-providers(5) that
> doesn''t specify the balance option.
> 
> If IPSEC is used to allow a road-warrior to have a local address, then
> any interface through which the road-warrior might connect cannot
> specify routefilter.
> 
> This is the cause of your martians.
USE_DEFAULT_RT=No

No more martians. Thanks a lot! (I''m awaiting packets from jupiter by
now.
(With black monoliths inside, of course.) :) )

And until now the openvpn tunnels reestablish as intended.


As far as I understand I can use rpfilter on my extrernal interfaces,
can''t I?


Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

> And until now the openvpn tunnels reestablish as intended.
...
not any more :(

conntrack says:
udp      17 28 src=212.117.77.218 dst=62.155.185.57 sport=1300 dport=1300 
[UNREPLIED] src=62.155.185.57 dst=80.152.162.192 sport=1300 dport=1024 mark=0 
use=1
udp      17 25 src=62.155.185.57 dst=80.152.162.192 sport=1300 dport=1300 
[UNREPLIED] src=80.152.162.192 dst=62.155.185.57 sport=1300 dport=1300 
mark=256 use=1


This one is from the wrong interface (eth4): 212.117.77.218 and dport=1024 is 
wrong too. Why does this happen?


Axel

-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
Shape the Mobile Experience: Free Subscription
Software experts and developers: Be at the forefront of tech innovation.
Intel(R) Software Adrenaline delivers strategic insight and game-changing 
conversations that shape the rapidly evolving mobile landscape. Sign up now. 
http://pubads.g.doubleclick.net/gampad/clk?id=63431311&iu=/4140/ostg.clktrk

On 11/25/2013 6:39 PM, Axel Zöllich wrote:
>> And until now the openvpn tunnels reestablish as intended.
> ...
> not any more :(
> 
> conntrack says:
> udp      17 28 src=212.117.77.218 dst=62.155.185.57 sport=1300 dport=1300 
> [UNREPLIED] src=62.155.185.57 dst=80.152.162.192 sport=1300 dport=1024
mark=0
> use=1
> udp      17 25 src=62.155.185.57 dst=80.152.162.192 sport=1300 dport=1300 
> [UNREPLIED] src=80.152.162.192 dst=62.155.185.57 sport=1300 dport=1300 
> mark=256 use=1
> 
> 
> This one is from the wrong interface (eth4): 212.117.77.218 and dport=1024
is
> wrong too. Why does this happen?
Are you using the ''local'' setting in your OpenVPN server
configuration?
You should be.

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don''t have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk

> Are you using the ''local'' setting in your OpenVPN server
configuration?
No, I didn''t even know about the possibility.
thank you



-- 
Wir verwenden ausschließlich blaue Elektronen aus biologischem Anbau.

------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don''t have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk

On 11/26/2013 8:56 AM, Axel Zöllich wrote:
>  
>> Are you using the ''local'' setting in your OpenVPN
server configuration?
> No, I didn''t even know about the possibility.
It is mentioned as a requirement at
http://www.shorewall.org/MultiISP.html#Local

-Tom
-- 
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________



------------------------------------------------------------------------------
Rapidly troubleshoot problems before they affect your business. Most IT 
organizations don''t have a clear picture of how application performance
affects their revenue. With AppDynamics, you get 100% visibility into your 
Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics
Pro!
http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk