I don't know the inner workings of OpenVPN, but I suppose using the "client-to-client" option makes the OpenVPN daemon do the routing, without even letting the packets go through the OS routes.
I have several similar setups and never needed to use the routeback option. Just "client-to-client" solved this problem.
 
-Gilson

 
On 3/26/08, Chris Morley <g18c@hotmail.com> wrote:
Thanks for the fast reply and resolution! I added routeback to the vpn interface as per the file below and it all started working:
 
router-hq:~# cat /etc/shorewall/interfaces
###############################################################################
#ZONE   INTERFACE       BROADCAST       OPTIONS
lana    eth0            detect          tcpflags,nosmurfs
lanb    eth1            detect          tcpflags,nosmurfs
dmz     eth2            detect
net     eth3            detect          tcpflags,dhcp,routefilter,nosmurfs,logmartians
vpn     tun0            -               routeback
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE

FYI, I also pushed the route "172.16.1.0 255.255.255.0" to clients so they could also connect directly to VPN endpoints should any road warriors dial in.
 
Thanks very much for the help,
 
Chris



> Date: Wed, 26 Mar 2008 06:40:08 +0000
> From: asuffield@suffields.me.uk
> To: shorewall-users@lists.sourceforge.net
> Subject: Re: [Shorewall-users] Hub/Spoke OpenVPN can't communicate from Client A to Client B - FORWARD:REJECT:IN=tun0 OUT=tun0
>
> On Wed, Mar 26, 2008 at 06:30:51AM +0000, Chris Morley wrote:
> > So in summary, how can I route packets which come in over tun0/vpn
> > back out via the same interface?
>
> Without looking at the problem, my bet's on 'routeback'.
>
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users







--
Gilson Soares
Network and Security Management
Kobold Gestora de Fundos Ltda
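
Added example, not part of the original thread and not Shorewall or OpenVPN code: the two fixes discussed above differ in whether the firewall ever sees client-to-client packets. With "client-to-client" OpenVPN forwards them inside the daemon, so Shorewall cannot filter them; with "routeback" they pass through the kernel and the Shorewall rules. This sketch classifies a setup from its two config files; the sample inputs, the function names and the assumption that the OpenVPN config names its device explicitly ("dev tun0") are constructed for illustration.

```python
import re

# Constructed sample inputs: the interfaces lines are modelled on the thread
# (old BROADCAST-column format); the OpenVPN server config is an assumption.
INTERFACES = """\
#ZONE   INTERFACE       BROADCAST       OPTIONS
net     eth3            detect          tcpflags,routefilter,nosmurfs
vpn     tun0            -               routeback
"""
OPENVPN_CONF = """\
dev tun0
server 10.8.0.0 255.255.255.0
;client-to-client
"""

def shorewall_options(text):
    """Map interface name -> set of options from a Shorewall interfaces file."""
    opts = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            opts[fields[1]] = set(fields[3].split(",")) if len(fields) > 3 else set()
    return opts

def openvpn_directives(text):
    """Map directive -> argument list; '#' and ';' start comments."""
    found = {}
    for line in text.splitlines():
        fields = re.split(r"[#;]", line, maxsplit=1)[0].split()
        if fields:
            found[fields[0]] = fields[1:]
    return found

def client_to_client_path(interfaces, openvpn_conf):
    """Return who forwards VPN client-to-client packets:
    'daemon'   - OpenVPN forwards internally; the kernel firewall never sees them
    'firewall' - packets re-enter the kernel and traverse the Shorewall rules
    'blocked'  - no routeback, so tun-in/tun-out traffic falls to the default
                 policy (FORWARD:REJECT in the thread)
    """
    directives = openvpn_directives(openvpn_conf)
    if "client-to-client" in directives:
        return "daemon"
    dev = (directives.get("dev") or ["?"])[0]
    if "routeback" in shorewall_options(interfaces).get(dev, set()):
        return "firewall"
    return "blocked"

if __name__ == "__main__":
    print(client_to_client_path(INTERFACES, OPENVPN_CONF))
```

A result of 'daemon' means any restriction between VPN clients has to be enforced somewhere other than Shorewall.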