Hi Tom, I'm having a tough time getting this all straight.

My systemd OpenVPN.service has

    Wants=network-online.target shorewall-lite.service
    After=syslog.target network-online.target shorewall-lite.service

According to systemd docs

    "Wants=: This directive is similar to Requires=, but less strict.
    Systemd will attempt to start any units listed here when this unit
    is activated. If these units are not found or fail to start, the
    current unit will continue to function. This is the recommended way
    to configure most dependency relationships. Again, this implies a
    parallel activation unless modified by other directives."

So REMOVE the dependency in both Wants/After on 'shorewall-lite'?

My firewall's 'interfaces' has

    vpn VPNIF optional,physical=tun1,routefilter=0,logmartians=0,routeback=1

This is clear

    "- Don't make the TUN interface 'optional'."

So that changes

    - vpn VPNIF optional,physical=tun1,routefilter=0,logmartians=0,routeback=1
    + vpn VPNIF physical=tun1,routefilter=0,logmartians=0,routeback=1

Not sure what to do with this one,

    "- Don't use any option for the TUN interface in
    /etc/shorewall/interfaces that causes a change in
    /proc/sys/net/config/."

When I look in there

    cd /proc/sys/net/
    ls
        bridge/ core/ ipv4/ ipv6/ netfilter/ nf_conntrack_max unix/

What changes do I look for?

And for this one

    "- Don't name the TUN interface in the SOURCE column of the masq file."

In my masq file I've got this

    #IFC:DEST          SRC            ADDRESS      PROTO    PORT(S)
    ...
    VPNIF:10.1.1.53    10.254.254.1   10.1.10.53   tcp,udp  53

so that 2 DNS servers, one local and one on the remote, can talk to each other over the VPN link. It does what it's supposed to.

That 10.254.254.1 is the remote's end of the VPN tunnel, the IP of its tun1 interface

    tun1: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
            inet 10.254.254.1  netmask 255.255.255.0  destination 10.254.254.1

I'm not sure what you mean by "Don't name the TUN interface". Don't USE that 10.254.254.1 IP address? Or don't use a literal name? What SHOULD I be using in this one?
Dave
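Review bot: the `+` line of the interfaces change removes only `optional`; `routefilter=0`, `logmartians=0` and `routeback=1` are carried over unchanged, while the same message quotes a second recommendation against any TUN interface option that causes a change under /proc/sys/net/config/ and leaves it unresolved. Check each of the three remaining options against that recommendation before treating this line as final, and fold any resulting removals into the same change so the interface entry is only edited once.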