--On Friday, December 29, 2017 5:41 PM +0100 Alain Péan alain.pean@c2n.upsaclay.fr wrote:
https://unix.stackexchange.com/questions/149144/configuring-openvpn-to-use-firewalld-instead-of-iptables-on-centos-7
Alas, this doesn't seem to allow forwarding from the tun0 device. That's the setup I had that failed. I needed the direct rule to allow forwarding from tun0 to get packets delivered to PCs on my LAN. Without that, the remote PC can only access the VPN server itself and not the internal PCs behind it.
It's also necessary for the LAN PCs to know that the addresses in the VPN must be routed through this gateway, but that's a given since this is also the Internet gateway for the LAN. Their default route takes care of that. If you run a separate VPN concentrator, you may need to advertise a route on the LAN (via DHCP) or add a route on your Internet gateway to the separate concentrator for your VPN netblock so the return packets find their way back to the tun device.
My OpenVPN server config includes a line to push a route to the remote clients for the office's LAN net block:
push "route 192.168.20.0 255.255.255.0"
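As an added example (not part of this thread, and not either poster's actual configuration), the following script emits the firewalld direct rules that permit forwarding between the tun device and the LAN, which is the piece the reply above says the linked answer lacks. It assumes the tunnel is `tun0`, the LAN-facing interface is `eth0`, and the OpenVPN client pool is `10.8.0.0/24`; `192.168.20.0/24` is the LAN block from the pushed route above. It only prints the commands unless `APPLY=1` is set and `firewall-cmd` is present.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: firewalld direct rules that
# let traffic forward between the OpenVPN tunnel and the office LAN, plus the
# checks to run when a remote client reaches the server but not the LAN hosts.
# Interface names and the VPN client pool are assumptions; the LAN block is
# the one pushed to clients in the thread.

VPN_IF="${VPN_IF:-tun0}"                # assumed OpenVPN device name
LAN_IF="${LAN_IF:-eth0}"                # assumed LAN-facing interface
LAN_NET="${LAN_NET:-192.168.20.0/24}"   # LAN block from the thread
VPN_NET="${VPN_NET:-10.8.0.0/24}"       # assumed OpenVPN client pool

# Emit the two FORWARD rules as firewall-cmd argument lists, one per line.
# Rule 1: VPN clients may open connections toward the LAN.
# Rule 2: the LAN may only send replies back into the tunnel, so LAN hosts
#         cannot initiate connections to VPN clients through this rule.
# The -s/-d matches are tighter than a bare "-i tun0 -j ACCEPT": they keep the
# rule from forwarding traffic for any other prefix that shows up on tun0.
forward_rules() {
    vpn_if="$1"; lan_if="$2"; vpn_net="$3"; lan_net="$4"
    printf '%s\n' \
      "--direct --add-rule ipv4 filter FORWARD 0 -i $vpn_if -o $lan_if -s $vpn_net -d $lan_net -j ACCEPT" \
      "--direct --add-rule ipv4 filter FORWARD 0 -i $lan_if -o $vpn_if -s $lan_net -d $vpn_net -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# True only when the caller asked to apply and firewall-cmd is installed.
can_apply() {
    [ "${APPLY:-0}" = 1 ] && command -v firewall-cmd >/dev/null 2>&1
}

# Print each command; run it as a permanent rule when applying, then reload so
# the permanent set becomes the running set.
apply_rules() {
    forward_rules "$VPN_IF" "$LAN_IF" "$VPN_NET" "$LAN_NET" | while IFS= read -r args; do
        echo "firewall-cmd --permanent $args"
        if can_apply; then
            # shellcheck disable=SC2086  # word-splitting of $args is intended
            firewall-cmd --permanent $args
        fi
    done
    echo "firewall-cmd --reload"
    if can_apply; then
        firewall-cmd --reload
    fi
}

# Checks for the "server reachable, LAN not" symptom: kernel forwarding must be
# on, the direct rules must be loaded, and the LAN side must route the VPN
# block back to this box (the thread's point about the return path).
show_checks() {
    cat <<EOF
sysctl net.ipv4.ip_forward                 # expect 1; set net.ipv4.ip_forward=1 in /etc/sysctl.d otherwise
firewall-cmd --direct --get-all-rules      # both FORWARD rules should be listed
ip route get 192.168.20.10 from 10.8.0.2   # constructed addresses; the reply path must use $VPN_IF
EOF
}

apply_rules
show_checks
```

The second rule is what makes the return path work without opening the LAN toward VPN clients; if the VPN concentrator is not the LAN's default gateway, the `ip route get` check is where the missing route back to the VPN block shows up. Note that newer firewalld releases (1.0 and later) deprecate the direct interface in favour of policy objects, so on those systems the same intent is expressed as a policy between the zones holding tun0 and eth0 rather than as raw FORWARD rules.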