
2) Verify the PREROUTING table has the mark:

    # iptables -t mangle -L PREROUTING -v
    Chain PREROUTING (policy ACCEPT 126K packets, 87M bytes)
     pkts bytes target  prot opt in   out  source    destination
        0     0 MARK    tcp  --  any  any  anywhere  anywhere     tcp dpt:openvpn MARK set 0x4aa
That "0 0" means no bytes have been satisfied by that rule. Can you check after you have tested a packet that should satisfy the rule to confirm that the counters are increasing?
The counters are not increasing.
If the counters are not increasing then your rule isn't being hit, so nothing else is going to work. Are the packets being generated on the same box as is running the iptables rule? I just did a test:

    # iptables -t mangle -I PREROUTING -p tcp --dport 1194
    # telnet 1.2.3.4 1194
    # iptables -t mangle -vnL PREROUTING

And the counters are 0, indicating that the rule is not being hit. If I try the telnet from a machine behind that one, the counters do increase. So it would seem that PREROUTING doesn't get hit for locally generated packets. If you put the iptables rule on the OUTPUT table the rule will get hit (I just tested this), but that might be too late for routing to be affected. Give it a go though as it should be easy to test. I think I'm doing that on my router.

James
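The "did the counter move" check that this thread keeps coming back to, written as a small script. This is an added example, not code from anyone in the thread; it assumes the chain was listed with `iptables -t mangle -vnxL <chain>` (`-x` prints exact counters instead of 126K-style suffixes) and that the rule of interest is a MARK rule matching `dpt:<port>`. The two snapshots embedded below are constructed sample output.

```shell
#!/bin/sh
# Extract the pkts counter of the MARK rule for a given destination port from
# saved `iptables -t mangle -vnxL <chain>` output (assumption: -n and -x used,
# so ports and counters are numeric and unabbreviated).
# $1 = saved chain listing, $2 = numeric port
mark_rule_pkts() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "MARK" {
            for (i = 1; i <= NF; i++)
                if ($i == "dpt:" port) { print $1; exit }
        }'
}

# Compare the counter in two snapshots taken before and after a test
# connection. Prints "hit (<before> -> <after>)" and returns 0 when the rule
# was matched, "not hit (still <n>)" / 1 otherwise, 2 if no such rule exists.
# $1 = listing before the test, $2 = listing after, $3 = numeric port
counter_moved() {
    before=$(mark_rule_pkts "$1" "$3")
    after=$(mark_rule_pkts "$2" "$3")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "no MARK rule for dpt:$3 in chain"
        return 2
    fi
    if [ "$after" -gt "$before" ]; then
        echo "hit ($before -> $after)"
        return 0
    fi
    echo "not hit (still $before)"
    return 1
}

# Constructed sample snapshots (what -vnxL prints; 1194 is the OpenVPN port
# from the thread). In live use replace these with
#   before=$(iptables -t mangle -vnxL PREROUTING)  ... run the test ...
#   after=$(iptables -t mangle -vnxL PREROUTING)
SNAP_BEFORE='Chain PREROUTING (policy ACCEPT 126543 packets, 87012345 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 MARK set 0x4aa'
SNAP_LOCAL='Chain PREROUTING (policy ACCEPT 126601 packets, 87020102 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 MARK set 0x4aa'
SNAP_REMOTE='Chain PREROUTING (policy ACCEPT 126610 packets, 87020800 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       3        180 MARK       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1194 MARK set 0x4aa'

counter_moved "$SNAP_BEFORE" "$SNAP_LOCAL" 1194   # telnet from the box itself
counter_moved "$SNAP_BEFORE" "$SNAP_REMOTE" 1194  # telnet from a host behind it
```

A "not hit" result with traffic generated on the firewall itself is exactly the PREROUTING-versus-OUTPUT behaviour James describes; rerun the same check against the OUTPUT chain before concluding the mark is wrong.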