[CentOS] OpenVPN server and firewalld

Fri Dec 29 12:29:24 UTC 2017
Kenneth Porter <shiva at sewingwitch.com>

On 12/29/2017 3:59 AM, Wojciech Łysiak wrote:
> firstly check which zone are your interface in :
>
> bash> firewall-cmd --get-active-zones
>
> then all you have to do is add a service to the firewall
>
> firewall-cmd --zone=<INSERT YOUR ZONE> --add-service=openvpn --permanent
>
> assuming that your Openvpn is running on standard port 1194/tcp|udp,
> If not then modify firewall-cmd rule and add your port/proto
>
> e.g.
> firewall-cmd --zone=<INSERT YOUR ZONE> --add-port=11193/tcp 

That opens the physical Ethernet interface to allow the raw SSL 
connection from the client into the server. It doesn't open a connection 
for the tunnel (tun0 interface) that's been created by the OpenVPN 
service to forward packets to the internal LAN zone.

I tried adding the tun0 interface to the internal zone and firewall-cmd 
told me tun0 was managed by NetworkManager. After that it didn't show 
tun0 as a member of any zone.

#  firewall-cmd --zone=internal --add-interface=tun0
The interface is under control of NetworkManager, setting zone to 
'internal'.
success
# firewall-cmd --list-all-zones
(long list of zones, none of which have tun0 in their interfaces field)