This allows hosts to route to the outside world via a remote VPN
endpoint, in order to work around local network problems or geographical
restrictions.
## Define the available network classes.
m4_divert(42)m4_dnl
## Define the available network classes.
m4_divert(42)m4_dnl
-defnetclass scary scary trusted mcast
-defnetclass untrusted scary untrusted trusted mcast
-defnetclass trusted scary untrusted trusted safe noloop mcast
-defnetclass safe trusted safe noloop mcast
-defnetclass noloop trusted safe mcast
+defnetclass scary scary trusted vpnnat mcast
+defnetclass untrusted scary untrusted trusted mcast
+defnetclass trusted scary untrusted trusted safe noloop vpnnat mcast
+defnetclass safe trusted safe noloop vpnnat mcast
+defnetclass noloop trusted safe mcast
+defnetclass vpnnat scary trusted safe mcast
defnetclass link
defnetclass mcast
defnetclass link
defnetclass mcast
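Review bot: The new `vpnnat` class arrives at `defnetclass vpnnat scary trusted safe mcast` with no comment saying what it stands for, or why `scary`, `trusted` and `safe` gained it in their lists while `untrusted` and `noloop` did not. These lines appear to be the forwarding policy between classes, so a short comment above the new line would let a later reader tell whether those omissions are deliberate, for example `## vpnnat: traffic sent out through the remote VPN endpoint; untrusted and noloop are intentionally not allowed to reach it`. The `default` added in `iface vpn-precision colo default` in the mango entry further down deserves the same kind of note, since it presumably widens what is treated as reachable through the VPN interface.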
via housebdry colobdry
defnet sgo noloop
addr !172.29.198.0/23
via housebdry colobdry
defnet sgo noloop
addr !172.29.198.0/23
addr 10.0.0.0/8
addr 172.16.0.0/12
addr 192.168.0.0/16
addr 10.0.0.0/8
addr 172.16.0.0/12
addr 192.168.0.0/16
iface vpn-precision colohub
## Satellite networks.
iface vpn-precision colohub
## Satellite networks.
addr 10.165.27.0/24
via colohub
defhost mango
hosttype router
iface eth0 binswood default
addr 10.165.27.0/24
via colohub
defhost mango
hosttype router
iface eth0 binswood default
- iface vpn-precision colo
+ iface vpn-precision colo default
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
m4_divert(80)m4_dnl
###--------------------------------------------------------------------------
dnsresolver inbound
dnsserver inbound
dnsresolver inbound
dnsserver inbound
+## Nefarious VPN NAT hack.
+for i in PREROUTING OUTPUT POSTROUTING; do
+ run iptables -t nat -P $i ACCEPT 2>/dev/null || :
+ run iptables -t nat -F $i 2>/dev/null || :
+done
+run iptables -t nat -F
+run iptables -t nat -X
+makeset vpn-nat hash:net family inet
+run iptables -t nat -A POSTROUTING -o eth0 \
+ -m set --match-set vpn-nat dst \
+ -j SNAT --to-source 212.13.198.70
+
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
m4_divert(-1)
###----- That's all, folks --------------------------------------------------
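Review bot: Nothing in the visible lines populates the `vpn-nat` set created by `makeset vpn-nat hash:net family inet`, so the SNAT rule matches nothing until something else adds entries, and whatever can write to that set decides which destinations are rewritten to 212.13.198.70. A comment above `makeset` naming what fills the set would make that dependency reviewable, e.g. `## vpn-nat is filled by <PLACEHOLDER: script or service>; entries select traffic for SNAT`. Separately, the `2>/dev/null || :` inside the loop hides real failures, while the unguarded `run iptables -t nat -F` and `run iptables -t nat -X` that follow already clear the whole table, so the per-chain flush looks redundant and the policy reset could keep its error output. The set is `family inet` only, so IPv6 traffic to the same destinations is presumably not covered by this rule; worth confirming that is intended.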