[CentOS] OpenVPN server and firewalld

Sat Dec 30 01:28:03 UTC 2017
Kenneth Porter <shiva at sewingwitch.com>

--On Friday, December 29, 2017 5:41 PM +0100 Alain Péan 
<alain.pean at c2n.upsaclay.fr> wrote:

> https://unix.stackexchange.com/questions/149144/configuring-openvpn-to-use-firewalld-instead-of-iptables-on-centos-7

Alas, this doesn't seem to allow forwarding from the tun0 device. That's 
the setup I had that failed. I needed the direct rule to allow forwarding 
from tun0 to get packets delivered to PCs on my LAN. Without that, the 
remote PC can only access the VPN server itself and not the internal PCs 
behind it.

It's also necessary for the LAN PCs to know that the addresses in the VPN 
must be routed through this gateway, but that's a given since this is also 
the Internet gateway for the LAN. Their default route takes care of that. 
If you run a separate VPN concentrator, you may need to advertise a route 
on the LAN (via DHCP) or add a route on your Internet gateway to the 
separate concentrator for your VPN netblock so the return packets find 
their way back to the tun device.

My OpenVPN server config includes a line to push a route to the remote 
clients for the office's LAN net block:

push "route 192.168.20.0 255.255.255.0"
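The setup described in the message above, written out as an added example that is not part of the original post: a POSIX shell script that prints (or, when run as root with the argument `apply`, executes) the firewalld direct rules allowing forwarding between the tun device and the LAN, turns on kernel IP forwarding, and emits the return route needed on the Internet gateway when the VPN concentrator is a separate box. The LAN interface name eth0, the VPN netblock 10.8.0.0/24 and the concentrator address passed to `return_route_cmd` are assumptions; 192.168.20.0/24 is the office LAN from the push line in the message. The `has_forward_rule` check is a plain text match over the output of `firewall-cmd --direct --get-all-rules`, so it can be run against a saved listing as well as the live firewall.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Assumed names (override via the environment):
#   VPN_IF  tun0             OpenVPN tunnel interface
#   LAN_IF  eth0             interface facing the office LAN (assumption)
#   VPN_NET 10.8.0.0/24      VPN client netblock (assumption, OpenVPN's default)
#   LAN_NET 192.168.20.0/24  office LAN, taken from the push "route" line
#   VPN_GW  (unset)          LAN address of a separate VPN concentrator, if any
VPN_IF="${VPN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
VPN_NET="${VPN_NET:-10.8.0.0/24}"
LAN_NET="${LAN_NET:-192.168.20.0/24}"

# Direct rules land in firewalld's FORWARD_direct chain, which is evaluated
# before the zone logic and the final REJECT of the FORWARD chain. Without
# them a VPN client can reach the server itself but nothing behind it.
firewalld_forward_cmds() {
    cat <<EOF
firewall-cmd --permanent --zone=public --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=$VPN_IF
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter FORWARD 0 -i $LAN_IF -o $VPN_IF -s $LAN_NET -d $VPN_NET -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
firewall-cmd --reload
EOF
}

# The kernel must also be willing to forward; persist it across reboots.
sysctl_cmds() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-openvpn-forward.conf
EOF
}

# Return route for the separate-concentrator case: run this on the LAN's
# Internet gateway (or push it via DHCP) so replies to VPN addresses are sent
# to the concentrator instead of out the default route. Argument: the
# concentrator's LAN address (assumption, e.g. 192.168.20.5).
return_route_cmd() {
    printf 'ip route add %s via %s\n' "$VPN_NET" "$1"
}

# Given the output of `firewall-cmd --direct --get-all-rules` (format:
# "<ipv> <table> <chain> <priority> <args>"), succeed if the tun -> LAN
# ACCEPT rule is present.
has_forward_rule() {
    printf '%s\n' "$1" | grep -q -- "^ipv4 filter FORWARD .* -i $VPN_IF -o $LAN_IF .*-j ACCEPT$"
}

# Live check against the running firewall (needs root).
check_live() {
    has_forward_rule "$(firewall-cmd --direct --get-all-rules)"
}

case "${1:-plan}" in
    plan)
        firewalld_forward_cmds
        sysctl_cmds
        if [ -n "${VPN_GW:-}" ]; then return_route_cmd "$VPN_GW"; fi
        ;;
    apply)
        # Execute each generated line in turn; a failing command aborts.
        { firewalld_forward_cmds; sysctl_cmds; } | while IFS= read -r cmd; do
            printf '+ %s\n' "$cmd"
            eval "$cmd"
        done
        ;;
esac
```

Run it with no arguments first to review the exact commands it would issue; `sh script.sh apply` as root then applies them. The LAN-to-tun rule is restricted to RELATED,ESTABLISHED so LAN hosts cannot initiate connections to VPN clients; drop the conntrack match if that is wanted. Masquerading on the LAN interface is the usual alternative when you cannot add the return route on the gateway, at the cost of hiding client addresses from the LAN.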