[Firewall] NAT, OpenVPN client, and Arno fw

Mike Klein mike at kleinnet.com
Tue Apr 11 03:42:35 CEST 2017


I tried a few variations of your suggestions but didn't get anywhere.  
Defining tun0 as an external interface seemed promising.

I did finally find a useful reference after many search keyword 
refinements. It indicates the general approach is to mark packets and 
connections that should be routed over the VPN, then route those 
separately.  There are additional complexities such as managing DNS if 
the VPN reconfigures that.  Link: 
https://www.htpcguides.com/force-torrent-traffic-vpn-split-tunnel-debian-8-ubuntu-16-04/ 
(although I'm not interested in a torrent, this is by far the best guide 
I've found).

What I'm trying to accomplish at a higher level is to redirect all 
locally-originated traffic through a VPN to the VPN provider's network, 
from where that traffic flows out onto the internet.  This needs to 
cover non-encrypted traffic and DNS.  Thus any device that connects to 
our LAN is protected by this arrangement.  At the same time the services 
that my network provides externally, such as SMTP, IMAP, and others, 
need to continue as they are now.  And internal services, such as 
printers, file servers and others, should remain accessible without 
needing to go outside the LAN.  So the VPN can't take over the entire 
routing table.

         -Mike
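The mark-and-route approach described in the message, worked through as an added example (this is not code from the post, from the linked guide, or from Arno's firewall): connection marks from iptables select a second routing table whose only route is a default via the tunnel, while a higher-priority rule keeps LAN destinations in the main table and inbound WAN connections are tagged so their replies never take the VPN. The interface names eth0/eth1/tun0, the LAN prefix 192.168.1.0/24, table number 100 and the mark values are assumptions chosen for the example. It prints the commands by default (DRY_RUN=1); with DRY_RUN=0 it executes them and needs root.

```shell
#!/bin/sh
# Policy-routing split tunnel: LAN-originated traffic and the router's own DNS
# go out over the VPN; inbound services and LAN-local traffic keep their
# present paths.  Interface names, the LAN prefix, the table number and the
# marks below are assumptions for this example, not values from the post.
LAN_IF=${LAN_IF:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
WAN_IF=${WAN_IF:-eth0}
VPN_IF=${VPN_IF:-tun0}
VPN_TABLE=${VPN_TABLE:-100}
MARK_VPN=0x1   # flows that must leave via the VPN
MARK_WAN=0x2   # flows that arrived from the Internet on the WAN side
DRY_RUN=${DRY_RUN:-1}   # 1: print the commands, 0: execute them (needs root)

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

vpn_split_tunnel_rules() {
    # Routing: a separate table whose only route is a default via tun0.  The
    # main table keeps its default via the WAN, so OpenVPN must be started so
    # that it does not install its own default route (route-nopull, or a
    # pull-filter that ignores redirect-gateway).
    run ip route replace default dev "$VPN_IF" table "$VPN_TABLE"
    # LAN destinations are resolved from the main table before the mark rule,
    # so the VPN table's default route never swallows printer/file-server traffic.
    run ip rule add to "$LAN_NET" lookup main pref 100
    run ip rule add fwmark "$MARK_VPN" lookup "$VPN_TABLE" pref 200
    # Replies to marked flows arrive on tun0 although the main table would
    # route their source via the WAN; loose reverse-path filtering is needed.
    run sysctl -w "net.ipv4.conf.$VPN_IF.rp_filter=2"

    # Marking is done in mangle so it precedes the routing decision.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    # Connections arriving from the Internet (SMTP, IMAP, ...) are tagged so
    # their replies, including those from a DNAT'd LAN host, keep the WAN path.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$MARK_WAN"
    # Anything entering from the LAN for a non-LAN destination that is not
    # already part of a tagged flow is marked for the VPN table.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -d "$LAN_NET" \
        -m mark --mark 0 -j MARK --set-mark "$MARK_VPN"
    run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
    # The router's own resolver queries would otherwise leave via the WAN and
    # leak DNS; mark them too, after restoring so replies of inbound flows are
    # left alone.
    run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
    run iptables -t mangle -A OUTPUT -p udp --dport 53 -m mark --mark 0 \
        -j MARK --set-mark "$MARK_VPN"
    run iptables -t mangle -A OUTPUT -p tcp --dport 53 -m mark --mark 0 \
        -j MARK --set-mark "$MARK_VPN"
    run iptables -t mangle -A OUTPUT -j CONNMARK --save-mark

    # Packets leaving through tun0 still carry LAN (or WAN) source addresses;
    # masquerade them to the tunnel address.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # Kill switch: LAN traffic must never fall back to the WAN in the clear if
    # tun0 goes away.  Replies of WAN-initiated flows (connmark 0x2) are the
    # only LAN-to-WAN traffic allowed through.
    run iptables -I FORWARD 1 -i "$LAN_IF" -o "$WAN_IF" \
        -m connmark ! --mark "$MARK_WAN" -j DROP
}

vpn_split_tunnel_rules
```

Two caveats a practitioner would want: Arno's firewall rebuilds its chains when it (re)starts, so these rules have to be re-applied afterwards (hooking that into Arno's own rule loading is not covered here), and the DNS part only catches queries the router itself sends; LAN hosts that talk to an external resolver directly are covered by the generic LAN mark, but the resolver the VPN provider pushes still has to be configured in the local resolver by hand.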

