
I have OpenVPN set up on a CentOS box. Clients can connect to the VPN just fine and access its resources, and ping the server's LAN address. However, I wanted OpenVPN clients to be able to access a computer on the LAN connected to the OpenVPN server. I enabled IP forwarding on the server and pushed the route as I've read you need to do, but when testing, an OpenVPN client is not even able to ping a computer on the server's LAN.

After disabling firewalld, the problem goes away and clients can ping computers on the LAN behind the OpenVPN server just fine. I've tried setting the target on firewalld for the OpenVPN zone to ACCEPT (just as a test) and created rules to accept all traffic from the OpenVPN subnet, but no change. The only way it appears to work is if I completely stop firewalld. Has anyone else had this trouble and could guide me in the right direction?

Note this is a copy of the output from firewalld's list command for the zone in which openvpn resides:

Upon checking firewalld, there are no rich rules or manual port forwards on this system apart from ticking the services http/https, openvpn and ssh to allow those ports through. This is a copy of the list command for the openvpn zone:

```
target: default
icmp-block-inversion: no
interfaces: enp8s0 enp9s0 tun0
sources: 
services: http https openvpn ssh
ports:
protocols: 
forward: no
masquerade: yes
forward-ports: 
source-ports: 
icmp-blocks: 
rich rules:
```

I ended up having to add the following rules:

```
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i tun0 -o virbr2 -j ACCEPT
firewall-cmd --direct --add-rule ipv4 filter FORWARD 0 -i virbr2 -o tun0 -j ACCEPT
```

The only problem is that although this works, if I try to add them with the permanent option they don't take effect, even though they are listed in direct.xml.

Thanks, James.
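The zone listing above shows the two settings that decide whether packets arriving on tun0 are forwarded to another interface: which interfaces are attached to the zone, and the zone's `forward` flag (intra-zone forwarding, available in firewalld 0.9 and later). The script below is an added example, not part of the question or of firewalld's own tooling: it parses a `firewall-cmd --zone=<zone> --list-all` listing (the copy from the question is embedded as constructed sample input) and reports why traffic between a VPN interface and a LAN interface would not be forwarded by that zone alone. The interface names `tun0` and `virbr2` come from the question; the function names are the example's own.

```shell
#!/bin/sh
# Added example: audit a firewalld zone listing for the settings that control
# whether OpenVPN clients on tun0 can reach a LAN segment behind the server.
# Input format is the output of `firewall-cmd --zone=<zone> --list-all`.

# Constructed sample input: the openvpn zone listing copied from the question.
ZONE_LISTING=$(cat <<'EOF'
target: default
icmp-block-inversion: no
interfaces: enp8s0 enp9s0 tun0
sources: 
services: http https openvpn ssh
ports:
protocols: 
forward: no
masquerade: yes
forward-ports: 
source-ports: 
icmp-blocks: 
rich rules:
EOF
)

# zone_field LISTING KEY: print the value following "KEY:" (empty if unset).
zone_field() {
    printf '%s\n' "$1" | awk -v key="$2" -F': *' '$1 == key { print $2 }'
}

# iface_in_zone LISTING IFACE: succeed if IFACE is attached to the zone.
iface_in_zone() {
    for i in $(zone_field "$1" interfaces); do
        [ "$i" = "$2" ] && return 0
    done
    return 1
}

# forwarding_path_ok LISTING VPN_IF LAN_IF: succeed if this zone by itself
# would forward packets between the two interfaces; otherwise explain why not.
forwarding_path_ok() {
    listing=$1; vpn_if=$2; lan_if=$3
    if ! iface_in_zone "$listing" "$vpn_if"; then
        echo "$vpn_if is not attached to this zone"
        return 1
    fi
    if ! iface_in_zone "$listing" "$lan_if"; then
        echo "$lan_if is not in this zone: $vpn_if -> $lan_if crosses zones," \
             "which firewalld only forwards via a policy or a direct FORWARD rule"
        return 1
    fi
    if [ "$(zone_field "$listing" forward)" != "yes" ]; then
        echo "intra-zone forwarding is off (forward: no); enable it with" \
             "firewall-cmd --zone=<zone> --add-forward"
        return 1
    fi
    return 0
}

# Run the audit on the sample listing for the question's two interfaces.
if forwarding_path_ok "$ZONE_LISTING" tun0 virbr2; then
    echo "zone forwards tun0 <-> virbr2"
fi
```

On the listing from the question the audit reports that virbr2 is not attached to the zone, which is why a per-zone ACCEPT target made no difference: the traffic leaves the zone, so it needs either a firewalld policy between the two zones or the direct FORWARD rules shown in the question. Whichever is chosen, rules added with `--permanent` are written to the permanent configuration only and become active after `firewall-cmd --reload`; alternatively, test the rules at runtime first and then save them with `firewall-cmd --runtime-to-permanent`.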

  • So... you have a rule in your firewall blocking traffic to/from the VPN (we can't tell which at this point). If you want help with this you're going to need to [show us your firewall rules](https://unix.stackexchange.com/posts/731726/edit). Along with the LAN IP address range that's failing, the VPN subnet range, IP addresses of the OpenVPN server. I would expect that all of these would be in private [RFC1918](https://www.rfc-editor.org/rfc/rfc1918) ranges so there should be no need to obfuscate. – roaima Jan 14 '23 at 13:02
  • Hello, many thanks for helping. My broadband router is 192.168.0.1, the CentOS VPN server is on 192.168.0.2, and the VPN tunnel uses the subnet 10.8.0.0. The VPN client I have been connecting with gets the IP 10.8.0.2. The LAN machine I'd like the client to be able to communicate with is 192.168.4.2. This 192.168.4.0 network is created with QEMU/KVM and is a virtual network on the CentOS server. I'm sure you're right and I can confirm that this appears to be a firewall issue, as when disabling it all is well. I will post the contents of the firewall rules shortly. – James Jan 14 '23 at 13:46
  • Please don't reply in the comments. Instead, use [Edit] link to put information into your question. You can lay it out and format it there to make it readable - which in turn makes it easier for people to help you – roaima Jan 14 '23 at 17:41
  • Have you now changed your question to "[how to make firewall changes permanent via firewall-cmd?](https://unix.stackexchange.com/q/175255/100397)" – roaima Jan 14 '23 at 17:41
  • My temporary solution is just temporary; I have no idea if this is the best way, it's all I have come up with at the moment. Still looking for a better way, as I am having to use a script to run the commands in my update, which is not ideal. The given link hasn't helped me to improve on it so far, as it seems to be for a different kind of rule. – James Jan 14 '23 at 22:51
  • OK, in that case please address the request for information in my very first comment. – roaima Jan 15 '23 at 08:03

0 Answers