
Are you using tcpdump to determine that the packets are going out over the wrong interface?
For the last test I only checked with lsof and conntrack:
# lsof -i -n | grep openvpn
openvpn 21972 nobody 4u IPv4 129321 0t0 TCP 115.146.92.84:51520->172.26.10.100:openvpn (ESTABLISHED)

# conntrack -d 172.26.8.100 -L
tcp 6 431995 ESTABLISHED src=115.146.92.84 dst=172.26.10.100 sport=51520 dport=1194 src=172.26.8.100 dst=115.146.92.84 sport=1194 dport=51520 [ASSURED] mark=0 use=2
conntrack v1.0.0 (conntrack-tools): 1 flow entries have been shown.
But now using tcpdump, I see that packets ARE leaving via eth1. But there are only outgoing packets, no incoming packets at all. Whereas on the default gateway device, packets are only incoming, no outgoing packets. The openvpn tunnel seems fine with that. So I need to change the source address of the packets for them to come back on the correct interface?
Yes that's exactly what you need to do, or the other end will just reply with the original (wrong) destination address. Something like:

iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

You can use -j SNAT if you want to explicitly specify the source address (e.g. because you have several), but MASQUERADE should suffice.

James
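As an added example (not part of the thread, and not code from either poster), here is a small POSIX shell helper that reads `conntrack -L` flow lines like the one quoted above and reports, per flow, whether the source was rewritten (SNAT/MASQUERADE) and whether the destination was rewritten (DNAT), by comparing the original tuple with the reply tuple. A flow whose reply destination still equals the original source has not been source-NATed, which is exactly the condition under which the far end answers to the original address and the replies come back on the wrong interface. The function names, the `10.0.0.2` address standing in for the eth1 address, and the second sample line showing the same flow after a MASQUERADE rule are all assumptions constructed for this example; the first sample line is the flow from the thread.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): classify conntrack flows by
# comparing the original-direction tuple with the reply-direction tuple.
#   snat=yes  -> reply dst differs from original src (MASQUERADE/SNAT applied)
#   dnat=yes  -> reply src differs from original dst (DNAT applied)

# Constructed sample input. Line 1 is the flow quoted in the thread (no SNAT:
# the reply goes back to 115.146.92.84 directly). Line 2 is an assumed view of
# the same flow after "iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE",
# with 10.0.0.2 standing in for the address of eth1.
SAMPLE_FLOWS='tcp 6 431995 ESTABLISHED src=115.146.92.84 dst=172.26.10.100 sport=51520 dport=1194 src=172.26.8.100 dst=115.146.92.84 sport=1194 dport=51520 [ASSURED] mark=0 use=2
tcp 6 431995 ESTABLISHED src=115.146.92.84 dst=172.26.10.100 sport=51520 dport=1194 src=172.26.8.100 dst=10.0.0.2 sport=1194 dport=51520 [ASSURED] mark=0 use=2'

# Read conntrack -L lines on stdin; print one summary line per tcp/udp flow:
#   "<orig src>-><orig dst> snat=<yes|no> dnat=<yes|no>"
classify_flows() {
    awk '
    /^(tcp|udp)/ {
        n = 0
        for (i = 1; i <= NF; i++) {
            # conntrack prints the original tuple first, then the reply tuple,
            # so the first src=/dst= pair is index 1 and the reply pair index 2
            if ($i ~ /^src=/) { n++; src[n] = substr($i, 5) }
            if ($i ~ /^dst=/) { dst[n] = substr($i, 5) }
        }
        snat = (dst[2] != src[1]) ? "yes" : "no"
        dnat = (src[2] != dst[1]) ? "yes" : "no"
        printf "%s->%s snat=%s dnat=%s\n", src[1], dst[1], snat, dnat
    }'
}

# Same check against the live table (needs root and conntrack-tools); limited
# to the OpenVPN port used in the thread.
live_check() {
    conntrack -L -p tcp --dport 1194 2>/dev/null | classify_flows
}

# Idempotent version of the rule suggested in the thread: only append the
# MASQUERADE rule if it is not already present (-C checks for an exact match).
ensure_masquerade() {
    ifname="$1"
    iptables -t nat -C POSTROUTING -o "$ifname" -j MASQUERADE 2>/dev/null ||
        iptables -t nat -A POSTROUTING -o "$ifname" -j MASQUERADE
}

# Stand-alone demo over the constructed sample.
printf '%s\n' "$SAMPLE_FLOWS" | classify_flows
```

Run the script as-is to see the two sample flows classified, or `live_check` on the router itself once the rule is in place; if every flow leaving eth1 still shows `snat=no`, the POSTROUTING rule is not matching. Note that `-o eth1 -j MASQUERADE` rewrites every flow leaving eth1, not just the VPN one; adding a `-s` or `-d` match narrows it to the traffic that actually needs it.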