{   
    my $ovpndb = esmith::ConfigDB->open_ro('openvpn-s2s');

    # Find the current SnatVPN_$$ chain, and create a new one.
    $OUT .=<<'EOF';
    OLD_SnatVPN=$(get_safe_id SnatVPN nat find)
    NEW_SnatVPN=$(get_safe_id SnatVPN nat new)
    /sbin/iptables --table nat --new-chain $NEW_SnatVPN
EOF

    foreach my $vpn ($ovpndb->get_all_by_prop(type=>('client')),
                     $ovpndb->get_all_by_prop(type=>('server'))){
        $OUT .= "    /sbin/iptables --table nat --append \$NEW_SnatVPN --out-interface tun" . $vpn->key .
                " -s " . $vpn->prop('LocalIP') . " -j SNAT --to-source $InternalInterface{'IPAddress'}\n"
                if (($vpn->prop('SnatOutbound') || 'yes') =~ m/(yes|enabled)/i);
    }

    # Having created a new SnatVPN chain, activate it and destroy the old.
    $OUT .=<<'EOF';
    /sbin/iptables --table nat --replace SnatVPN 1 \
            --jump $NEW_SnatVPN
    /sbin/iptables --table nat --flush $OLD_SnatVPN
    /sbin/iptables --table nat --delete-chain $OLD_SnatVPN
EOF

}

