On 12/29/2017 3:59 AM, Wojciech Łysiak wrote:
> First, check which zone your interface is in:
>
> bash> firewall-cmd --get-active-zones
>
> then all you have to do is add a service to the firewall
>
> firewall-cmd --zone=<INSERT YOUR ZONE> --add-service=openvpn --permanent
>
> assuming that your OpenVPN is running on standard port 1194/tcp|udp.
> If not, then modify the firewall-cmd rule and add your port/proto
>
> e.g.
> firewall-cmd --zone=<INSERT YOUR ZONE> --add-port=11193/tcp

That opens the physical Ethernet interface to allow the raw SSL connection from the client into the server. It doesn't open a connection for the tunnel (tun0 interface) that's been created by the OpenVPN service to forward packets to the internal LAN zone.

I tried adding the tun0 interface to the internal zone and firewall-cmd told me tun0 was managed by NetworkManager. After that it didn't show tun0 as a member of any zone.

# firewall-cmd --zone=internal --add-interface=tun0
The interface is under control of NetworkManager, setting zone to 'internal'.
success
# firewall-cmd --list-all-zones
(long list of zones, none of which have tun0 in their interfaces field)
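
Added example, not part of the original message: a small check that reads `firewall-cmd --get-active-zones` output and reports which zone an interface is bound to, so the "success" message can be verified against what firewalld actually lists. The function name, the eth0/eth1 interface names and both sample outputs are constructed for illustration.

```shell
#!/bin/sh
# zone_of_iface IFACE
# Reads `firewall-cmd --get-active-zones` output on stdin.
# Prints the zone that lists IFACE, or "none" (and returns 1) if no zone does.
zone_of_iface() {
    awk -v want="$1" '
        # An unindented line starts a new zone block; its first word is the zone name.
        /^[^ \t]/ { zone = $1; next }
        # Indented "interfaces:" lines list the members of the current zone.
        $1 == "interfaces:" {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print zone; found = 1; exit }
        }
        END { if (!found) { print "none"; exit 1 } }
    '
}

# Constructed sample: tun0 appears in no zone, the situation described in the message.
SAMPLE_MISSING='public
  interfaces: eth0
internal
  interfaces: eth1'

# Constructed sample: the same host with tun0 actually bound to the internal zone.
SAMPLE_BOUND='public
  interfaces: eth0
internal
  interfaces: eth1 tun0'

for sample in "$SAMPLE_MISSING" "$SAMPLE_BOUND"; do
    printf '%s\n' "$sample" | zone_of_iface tun0 ||
        echo "tun0 is not a member of any active zone" >&2
done
```

On a live host the same check is `firewall-cmd --get-active-zones | zone_of_iface tun0`; `firewall-cmd --get-zone-of-interface=tun0` asks firewalld the same question directly.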