Make the VPN rule only to originated, not forwarded, traffic.
Currently the VPN rule for the primary user will match every
forwarded packet on the system, because it specifies a UID range
that includes 0, and forwarded packets have UID 0.
Use "iif lo" to limit the rule match to locally-originated
traffic. This requires a kernel that sets the loopback ifindex.
when originating packets. Anything based on 3.10 is fine, but
devices using 3.4 will need a one-line change for IPv6.
1 file changed