Just spent a lot of time trying to bypass my VPN for an incoming service. Very important for iptables packet marking.
sysctl -w net.ipv4.tcp_fwmark_accept=1
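
The sysctl in context, as an added example that is not part of the original note: with `tcp_fwmark_accept=1` an accepted TCP socket inherits the fwmark of the incoming SYN, so replies can be policy-routed out the uplink instead of the VPN. The interface, gateway, port, mark, table number and the helper names `run`, `setup_bypass` and `verify_bypass` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: send replies for one inbound service out the uplink, not the VPN.
# Every value below is a constructed placeholder; adjust to the host.
WAN_IF="${WAN_IF:-eth0}"        # assumed physical uplink interface
WAN_GW="${WAN_GW:-192.0.2.1}"   # assumed uplink gateway (documentation range)
SVC_PORT="${SVC_PORT:-8443}"    # assumed TCP port of the inbound service
MARK="${MARK:-0x1}"             # assumed fwmark value
TABLE="${TABLE:-100}"           # assumed routing table number
DRY_RUN="${DRY_RUN:-1}"         # 1 = print the commands, 0 = execute (needs root)

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

setup_bypass() {
    # 1. Mark inbound packets for the service that arrive on the uplink.
    run iptables -t mangle -A PREROUTING -i "$WAN_IF" -p tcp \
        --dport "$SVC_PORT" -j MARK --set-mark "$MARK"
    # 2. Accepted sockets inherit the SYN's fwmark, so the SYN-ACK and every
    #    later reply on that connection is sent with the same mark.
    run sysctl -w net.ipv4.tcp_fwmark_accept=1
    # 3. Marked traffic is looked up in a table whose default route is the uplink.
    run ip route add default via "$WAN_GW" dev "$WAN_IF" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
}

# Read-only checks that each piece is in place.
verify_bypass() {
    run sysctl net.ipv4.tcp_fwmark_accept
    run ip rule show
    run ip route show table "$TABLE"
    run iptables -t mangle -S PREROUTING
}

setup_bypass
```

If strict `rp_filter` is enabled on the uplink, `net.ipv4.conf.<iface>.src_valid_mark=1` makes the reverse-path check take the mark into account so the marked inbound packets are not dropped.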

