It should all work fine though with that redirect-gateway def1 on there it may be doing something funny like sending traffic back via that other tunnel instead of directly.
I have now double checked this and here are my findings.
What I need to be able to do before it's working for my needs, are all of the below:
a. tunnel working for outbound traffic
b. tunnel being able to handle directing outbound traffic via fw rules (policy routing)
c. tunnel being able to accept incoming traffic, just like the WAN,
being able to run a SMTP service behind the tunnel for instance. This means you can
(must) add port forwards and fw rules.
I have ordered and set up a test tunnel.
(I'm skipping most of the setup stuff)
I disable/enable client config, triggering the tunnel to be set up.
These routing entries are added:
0.0.0.0/1 10.8.6.245 UGS 0 13 1500 ovpnc3 =>
10.8.6.241/32 10.8.6.245 UGS 0 11 1500 ovpnc3
10.8.6.245 link#15 UH 0 0 1500 ovpnc3
10.8.6.246 link#15 UHS 0 0 16384 lo0
18.104.22.168/1 10.8.6.245 UGS 0 33 1500 ovpnc3
My local IP is 10.8.6.246
Tunnel remote endpoint is 10.8.6.245
Tunnel GW is 10.8.6.241
I am unsure whether the advice given on the forum to choose the type of GW to "none" is the most correct one. I think I got it working using that setting though.
I rather quickly got outbound traffic working but inbound seems more uncertain than in 1.2.3, at least that's my assertion right now.
I have set up (as i did on 1.2.3) a GW with static IP, 10.8.6.246 in this case.
So basically what you do is look at the pushed info from the server side and add the local IP as the static IP address.openvpn: PUSH: Received control message: 'PUSH_REPLY,route-delay 2,route-metric 1,dhcp-option DNS n1.nn.nn.nn,dhcp-option DNS n2.nn.nn.nn,route 10.8.6.241,topology net30,ping 10,ping-restart 60,ifconfig 10.8.6.246 10.8.6.245'
NOW: pinging in from the outside works. And connecting to a mail server works.
NOTE: I have now NOT removed the routing entries being added.
However now all PCs are being pushed through the tunnel.
I now add an explicit rule forcing this one PC I'm testing on, to use the default GW instead, I even reset states to be sure. It still is pushed through the tunnel. The fw rule is not having any effect.
The only way I can get the fw rules to do their job is to remove the first and last entries above.
NOW: I remove the route entries. I don't reset states.EFFECTS ARE:
1. policy routing now immediately starts working. I can force the PC by fw rules to use EITHER default or strongvpn gw
2. Inbound traffic stops working
. All of a sudden I can't ping in or reach the mail server.
I don't really see the logic in "2" happening here.
Just to test it I reset states. No different. I don't restart (can selldom restart this machine on the fly due to other users)
The "2" from above is AFAICT different from 1.2.3. I useed this exact procedure to get all a/b/c above working, but seem not to be able to do so in 2.0.1.
So, it looks like it's either:1.
all outbound traffic through tunnel and inbound traffic working
policy routing enabled for outbound traffic and no inbound traffic
INBOUND traffic above is referring to traffic INITIATED from the outside.
I'm hoping I'm missing something here and it's possible to get it working in 2.0.1. I do know that all these features were working in my 1.2.3 setup.