Thanks for the explanation on voluntary/compulsory and split/non-split,
that made a lot of sense.

In my case for a local VPN setup, I want everything as secure as
possible, so I want *all* traffic over the wireless network to be
encrypted once the VPN connection has been initiated. It sounds like I
need to get the redirect-gateway + local working in Linux. I'm
*assuming* it is working in Windows OK because I don't get that error
message, but I won't feel cozy about that until I have a friend come
over to sniff my network. I will check out the OpenVPN list to see if I
can locate background on the redirect-gateway error in the Linux client.

Just to keep everything together for the archive, here is the error I see:

Dec 12 15:56:08 mybox openvpn: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway 'local',route 10.1.1.1,ifconfig 10.1.1.18
Dec 12 15:56:08 mybox openvpn: Options error: unknown --redirect-gateway flag: 'local'
Dec 12 15:56:08 mybox openvpn: OPTIONS IMPORT: --ifconfig/up
Dec 12 15:56:08 mybox openvpn: OPTIONS IMPORT: route options modified
Dec 12 15:56:08 mybox openvpn: TUN/TAP device tun0 opened
OpenVPN 2.0_rc1 i386-redhat-linux-gnu [SSL] [LZO] [EPOLL] built on Dec

> What kind of stuff can you see in plain the wireless interface?

I'm going to go back and do a bit more formal testing, document the
config and exactly what I am doing, routes, etc, and throw the results
into another e-mail.

> include the ones you actually want. I will mess about with this some more -
> maybe just auto-set the rules if a single interface is selected?

Ideally it would be a checkbox that you could click on to add the rule
automatically (like when adding NAT items, you select generate firewall
rules). At a minimum, a little message on the bottom of the page telling
the user they need to create X rule on the interface before they will be
able to VPN in.

> I have not yet discussed this with Manuel. I would like to see this feature -
> particularly as I am currently working on per-client configs that over-ride

It would be great to see cert utils directly in the GUI, have a single
point to manage everything rather than having to go figure out the
various different techniques that exist to generate everything required;
it can be quite confusing. A good section in the m0n0wall docs as to
how to generate everything would suffice if it turns out not to be
reasonable to build this functionality into the image.
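
The log quoted above shows the client reporting an Options error for the pushed redirect-gateway option and then carrying on to open tun0. As an added example (not part of the original message), this Python check reads OpenVPN client syslog lines and reports pushed options that drew an "Options error"; the sample log is constructed from the format above, and the function names are illustrative.

```python
import re

# Constructed sample modelled on the syslog format quoted in the message;
# the addresses are illustrative, not taken from the original log.
SAMPLE_LOG = """\
Dec 12 15:56:08 mybox openvpn: PUSH: Received control message: 'PUSH_REPLY,redirect-gateway 'local',route 10.9.0.1,ifconfig 10.9.0.6 10.9.0.5'
Dec 12 15:56:08 mybox openvpn: Options error: unknown --redirect-gateway flag: 'local'
Dec 12 15:56:08 mybox openvpn: OPTIONS IMPORT: route options modified
Dec 12 15:56:08 mybox openvpn: TUN/TAP device tun0 opened
"""

# The server's pushed option list, as logged by the client.
PUSH_RE = re.compile(r"PUSH: Received control message: '(PUSH_REPLY,.*)'\s*$")
# The option name an "Options error" line complains about, e.g. --redirect-gateway.
ERR_RE = re.compile(r"Options error: .*?--([a-z0-9-]+)")


def audit_push(log_text):
    """Return (pushed, rejected) option names for the last session in the log.

    pushed   -- options the server sent in PUSH_REPLY
    rejected -- pushed options the client then logged an Options error for
    """
    pushed, rejected = [], []
    for line in log_text.splitlines():
        m = PUSH_RE.search(line)
        if m:
            # A new PUSH_REPLY starts a new session: reset both lists.
            fields = m.group(1).split(",")[1:]
            pushed = [f.split()[0] for f in fields if f.strip()]
            rejected = []
            continue
        m = ERR_RE.search(line)
        # Errors about options that were not pushed come from the local config.
        if m and m.group(1) in pushed:
            rejected.append(m.group(1))
    return pushed, rejected


def full_tunnel_active(log_text):
    """True only if redirect-gateway was pushed and not rejected by the client."""
    pushed, rejected = audit_push(log_text)
    return "redirect-gateway" in pushed and "redirect-gateway" not in rejected


if __name__ == "__main__":
    print(audit_push(SAMPLE_LOG), full_tunnel_active(SAMPLE_LOG))
```

A False result only says the log does not confirm a full tunnel; the routing table or a capture on the wireless interface is still the authoritative check.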