I have achieved vpnness! I could use a little guidance on the ipchains stuff though. My configuration and representation of my understanding of how this is all working follows. Some of this is probably wasted bandwidth, but I really needed to try and say it and hope that someone will correct any misunderstandings as well as help explain the non-understanding in my question near the end of this missive. I decided to post it in the hopes that maybe someone else will glean a little info out of it as well.

Configuration:

Internal network with private IP space. Laptop that is connected to the internal network during the day, dialing in at night. RedHat 6.1 firewall with all security updates, running ssh as the only shell possible. Firewall has two NICs, one on the internal net and another on a static IP from the DSL provider. The VPN is set up using Gordon's scripts and seems to work pretty well. The ppp connection is made via ssh to the firewall machine from my laptop at home. The addresses used on the VPN (both ends) are in the address space of the internal network.

My simplified understanding of the workings is as follows:

The laptop has a dial-in (ppp0) connection to the internet; ssh is used to create another interface (ppp1) to the firewall box (ppp0) via its public interface (eth1). Packets from the laptop bound for the internal network (eth0) are encapsulated in packets directed to the public interface of the firewall box and sent to the ppp0 interface on the firewall box (magic to me, but I guess this is what ppp is for). Packets arriving at the interface ppp0 on the firewall box now have the destination of the internal network and are routed to the internal NIC and on to the destination machine. The reverse happens for packets headed back.

The spoofing and stuffed masq rules don't apply, I guess, because by the time the packets arrive at the NICs they are either encapsulated into packets with real internet addresses (public interface) or unencapsulated and have addresses for the internal network (internal interface).

Now for the question: why did I have to place two forwarding rules for the VPN to work? One forwards packets with both source and destination addresses in the internal network through the ppp connection, and one does the same for the internal NIC. Input and output rules allow internal address space addresses through the ppp interface. I thought I had my head around the forwarding stuff, but this has me a little (lot?) baffled. I can try some ASCII art if necessary to explain, if it will help someone set me straight.

Thanks in advance for any help given.

Bret

-- 
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe" as the Subject.
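An added example, not part of the post above and not taken from Gordon's scripts: a small model of how ipchains evaluates the input, forward and output chains for a packet that crosses the firewall. The detail it illustrates is that in ipchains the -i of the input chain names the interface a packet arrived on, while the -i of the forward chain (like the output chain) names the interface the packet will be sent out on. Laptop-to-LAN traffic arrives on ppp0 and leaves on eth0, the replies arrive on eth0 and leave on ppp0, so the forward chain is consulted once with eth0 and once with ppp0. All addresses, the routing table, the DENY default policy and the ruleset itself are constructed assumptions written to mirror the rules the post describes.

```python
"""Toy model of ipchains chain evaluation for a packet that crosses the firewall.

What it demonstrates: the input chain's -i is the interface the packet ARRIVED
on, but the forward chain's -i (like the output chain's) is the interface the
packet will be SENT OUT on. Laptop traffic goes ppp0 -> eth0 and its replies go
eth0 -> ppp0, so the forward chain needs a rule for each outgoing interface.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addresses (assumptions, not taken from the post).
INTERNAL_NET = "192.168.1.0/24"   # the internal private range
LAPTOP_VPN = "192.168.1.253"      # VPN address given to the laptop's end
INTERNAL_HOST = "192.168.1.10"    # a host on the internal LAN

# Constructed routing table on the firewall: longest prefix wins, so the
# laptop's VPN /32 goes out ppp0 and the rest of the range goes out eth0.
ROUTES = [
    (ipaddress.ip_network(f"{LAPTOP_VPN}/32"), "ppp0"),
    (ipaddress.ip_network(INTERNAL_NET), "eth0"),
]

POLICY = "DENY"  # assumed default policy for every chain


@dataclass(frozen=True)
class Rule:
    chain: str                    # "input", "forward" or "output"
    iface: str                    # the -i value
    src: ipaddress.IPv4Network    # the -s value
    dst: ipaddress.IPv4Network    # the -d value
    target: str                   # the -j value


def rule(chain: str, iface: str, src: str, dst: str, target: str = "ACCEPT") -> Rule:
    return Rule(chain, iface, ipaddress.ip_network(src), ipaddress.ip_network(dst), target)


# Assumed ruleset, written to mirror the post: internal->internal forward
# rules on both ppp0 and eth0, and input/output rules for internal space.
RULES = [
    rule("input",   "ppp0", INTERNAL_NET, INTERNAL_NET),
    rule("input",   "eth0", INTERNAL_NET, INTERNAL_NET),
    rule("forward", "ppp0", INTERNAL_NET, INTERNAL_NET),
    rule("forward", "eth0", INTERNAL_NET, INTERNAL_NET),
    rule("output",  "ppp0", INTERNAL_NET, INTERNAL_NET),
    rule("output",  "eth0", INTERNAL_NET, INTERNAL_NET),
]


def route(dst: str) -> Optional[str]:
    """Pick the outgoing interface for dst by longest prefix match."""
    addr = ipaddress.ip_address(dst)
    hits = [(net, iface) for net, iface in ROUTES if addr in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def first_match(rules, chain: str, iface: str, src: str, dst: str) -> Optional[Rule]:
    """ipchains semantics: the first matching rule in a chain decides."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.chain == chain and r.iface == iface and s in r.src and d in r.dst:
            return r
    return None


def trace(src: str, dst: str, in_if: str, rules=RULES) -> dict:
    """Walk a forwarded packet through input, forward and output.

    Returns the interface each chain was matched against, the verdict per
    chain, and whether the packet made it through all three.
    """
    out_if = route(dst)
    chains = {}
    for chain, iface in (("input", in_if), ("forward", out_if), ("output", out_if)):
        m = first_match(rules, chain, iface, src, dst)
        chains[chain] = (iface, m.target if m else POLICY)
    forwarded = all(verdict == "ACCEPT" for _, verdict in chains.values())
    return {"out_if": out_if, "chains": chains, "forwarded": forwarded}


if __name__ == "__main__":
    # Laptop -> internal host arrives on ppp0, so forward is checked with -i eth0;
    # the reply arrives on eth0 and forward is checked with -i ppp0.
    print(trace(LAPTOP_VPN, INTERNAL_HOST, "ppp0"))
    print(trace(INTERNAL_HOST, LAPTOP_VPN, "eth0"))
    # Drop the eth0 forward rule: traffic from the laptop into the LAN is denied.
    only_ppp0 = [r for r in RULES if not (r.chain == "forward" and r.iface == "eth0")]
    print(trace(LAPTOP_VPN, INTERNAL_HOST, "ppp0", only_ppp0)["chains"]["forward"])
```

Running it shows the laptop's packet accepted by forward with eth0 and the reply accepted by forward with ppp0; removing either forward rule blocks exactly one direction, which is why the ruleset needs both. The model ignores masquerading and the encapsulated ssh traffic on the public interface, which never carry internal addresses and so are not what these rules match.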