Hello all,

I'm relatively new to Shorewall, and I'm trying to figure out how best to route an IP address - (although I can change this) to an external connection to the Internet, with IP address (example) of The idea is for the VPN clients to have a public IP on the Internet, and to be able to recieve incoming connections as well as outgoing ones.

The example in the OpenVPN FAQ was to 'mangle' the packets, changing the source/destination upon reciept. I tried to implement this but got quickly irritated and confused with IPTables' way of doing things.

Having thoroughly read the setup guide, I'm moving forward a little. What I'd like to know is should I use NAT, or proxyarp to connect the user to the internet? I'd also like to block certain ports (SMTP in and out) - how should I really be doing this?

For proxyarp, would adding the following lines to /etc/proxyarp work?
#ADDRESS      INTERFACE      EXTERNAL     HAVEROUTE     PERSISTENT       tap0                 eth0               no                     no

On a general routing note, I'm torn between giving my users a RFC 1918 (ie, 192.168.....) address and letting them talk to one another inside their own IP range, and just giving them a public IP address to play with. If they were all just assigned external IP addresses, would they be able to communicate with one another without any traffic leaving the eth0 interface (bandwidth is per-gigabyte billed)?

The way I want to set up my system is for each user to be assigned a public IP address upon signup. They connect via OpenVPN tunnel to port 443 of their IP, and a connection is established, a static IP address being given to the user. they can then make/recieve connections to the Internet as if they had a full ADSL connection... but I also want to have it behave like a LAN - ie, they can play games against one another easily. This presumably means they all have to be in the same subnet?

So what's my best option for getting this working correctly - to put them all on a 192.168.3.x subnet, and then map each IP using NAT to their public IPs, or to just give them a Public IP address, and do something like put rules in that redirect 'local' traffic to other VPN users directly through their respective interfaces, rather then eth0 (public 'net)?

Sorry if this seemed a little roundabout or extensive.

I'd be very grateful for any and all assistance or tips anyone can provide. :)


Jan Mulders