On Fri, 2007-08-10 at 10:56 -0600, Kenneth Burgener wrote:

> I have in my rules:
> DNAT net lan:10.10.10.3 udp 1194 - 65.X.X.X

This looks like a shorewallism. What does the 65.X.X.X stand for? Is that your public IP obfuscated? If so, I assume the whole thing is spelled out in your config?

> Here is how I am adding a static route:
> route add -net 10.10.20.0 netmask 255.255.255.0 gw 10.10.10.3 dev eth1

This shouldn't need the "dev eth1". What do you get without it? Still, I doubt it makes any difference.

> My policy has:
> $FW net ACCEPT
> $FW lan ACCEPT
> lan $FW ACCEPT
> lan net ACCEPT
> I watch the message log, and it does not appear that shorewall is
> dropping any connections

Are you dropping packets anywhere? If so, are they *ALL* being logged? When I say *ALL* I mean *ALL*. Otherwise, it's like a blackhole and troubleshooting is a nightmare.

> so it appears that I am just doing the routing wrong.

Keep it simple. Try pinging the VPN gw (10.10.20.1) from the 10.10.10.X subnet without using any OpenVPN stuff. First establish the route and then try for a VPN connection. Run tcpdump with the right filters on both the router and the VPN gw (don't tell me OpenVPN is running on Windows and doesn't have tcpdump!).

Let us know what you find out.

Gabe

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/

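The "keep it simple" sequence Gabe describes (confirm the static route, then plain ICMP to the VPN gateway, then capture on both ends) as a small POSIX shell script. This is an added example, not code from the thread or from either poster; it assumes a Linux router with iproute2's `ip` and `ping` available, and uses the addresses quoted in the message. The `route_via` check is plain text parsing so it can be exercised against a constructed route table as well as live `ip route show` output.

```shell
#!/bin/sh
# Added example: staged reachability check for a LAN -> VPN-gateway path.
# Assumes Linux with iproute2; addresses are the ones from the thread.

VPN_NET="10.10.20.0/24"   # network behind the VPN gateway
NEXT_HOP="10.10.10.3"     # LAN address of the VPN gateway (route next hop)
VPN_GW="10.10.20.1"       # VPN gateway's address on the VPN-side network

# route_via TABLE NET GW
# Return 0 when TABLE (text of `ip route show`) contains a route for NET
# whose next hop is GW. Dots in the addresses are unescaped regex
# metacharacters, which is acceptable for this check.
route_via() {
    printf '%s\n' "$1" | grep -qE "^$2 via $3( |\$)"
}

# Constructed sample of `ip route show` output, as it would look after
# `ip route add 10.10.20.0/24 via 10.10.10.3` (no "dev" needed: the kernel
# picks eth1 because 10.10.10.3 is on the eth1 subnet).
SAMPLE_TABLE="default via 65.0.0.1 dev eth0
10.10.10.0/24 dev eth1 proto kernel scope link src 10.10.10.1
10.10.20.0/24 via 10.10.10.3 dev eth1"

# check_live: run the stages in order and stop at the first failure,
# so the answer to "is it routing or is it OpenVPN?" is unambiguous.
check_live() {
    # Stage 1: is the static route present at all?
    if ! route_via "$(ip route show)" "$VPN_NET" "$NEXT_HOP"; then
        echo "missing route; add it with: ip route add $VPN_NET via $NEXT_HOP"
        return 1
    fi
    # Stage 2: plain ICMP to the VPN gateway, no OpenVPN involved.
    if ! ping -c 3 -W 2 "$VPN_GW" >/dev/null 2>&1; then
        echo "no ICMP reply from $VPN_GW; capture on both ends, e.g."
        echo "  router: tcpdump -ni eth1 host $VPN_GW or udp port 1194"
        echo "  vpn gw: tcpdump -ni <lan-if> host $VPN_GW or udp port 1194"
        return 2
    fi
    echo "route and ICMP ok; only now test the OpenVPN connection"
    return 0
}

# Sanity check of the parser against the constructed table; exit status 0.
route_via "$SAMPLE_TABLE" "$VPN_NET" "$NEXT_HOP" && echo "sample route found"
```

Run `check_live` as root on the router once the route is in place; a return of 1 means routing is not even configured, 2 means the route exists but the gateway does not answer, which is exactly the case where captures on both hosts will show whether packets leave the router, arrive at the gateway, or are silently dropped in between.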