[colug-432] Fwd: Routing with KVM / OpenVPN Redux
Eric Garver
eric at garver.life
Thu Dec 27 10:19:45 EST 2018
On Wed, Dec 26, 2018 at 07:41:03PM -0500, Joshua Kramer wrote:
> Hello All-
Hi,
>
> My home environment is set up as noted below. For some reason,
> devices on my local network cannot communicate with devices coming in
> via VPN. IP forwarding is enabled on my hardware host as well as the
> VM that is the VPN server. If I disable firewalld on the hardware
> host, everything works. I've tried to set up as noted here, and it
> does not work.
>
> https://www.centos.org/forums/viewtopic.php?t=53819 (Note that I did
> not include the MASQUERADE rule as this should be direct routing, not
> masquerading.)
>
> 1. The network 192.168.2.0/24 is my main "local" network. It is
> connected via a switch to my router. On this .2 network I have a
> handful of RasPi's as well as the hardware interface to my hardware
> KVM host.
>
> 2. The network 192.168.4.0/24 is the network that is fully contained
> within KVM. There are a number of VM's that have .4 addresses. All
> VM's that have .4 addresses are fully available from anything on the
> .2 network.
>
> 3. The network 192.168.8.0/24 is the network that terminates to my
> OpenVPN server, which is at 192.168.4.36. There are firewall rules
> that forward packets appropriately... any device that connects to this
> OpenVPN box has access to any server on the .4 network.
>
> 4. There is a routing rule on my hardware host that says that anything
> destined for the .8 network needs to go to .4.36 for forwarding. This
> works fine for things on the .4 network, but it does not work for
> anything on the .2 network.
>
> 5. The hardware host is set up for IP forwarding.
>
> How can I determine what firewall rule I need to set up on the
> hardware host to get this working?
Firewalld can tell you where things are being dropped; see the
--log-denied option.
# firewall-cmd --set-log-denied=all
It's quite possible a zone's policy is denying the forwarding.
It would also help to know what version of firewalld you're using.
Newer versions use nftables instead of iptables.
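To make the --log-denied suggestion above concrete, here is an added example (not part of the original thread, and not firewalld's own tooling) that summarizes the kernel log lines firewalld emits once logging of denied packets is on. It assumes the standard prefixes firewalld uses for its logging rules ("FINAL_REJECT: " for packets that reach the end of a zone's rules, "STATE_INVALID_DROP: " for conntrack-invalid packets); the interface names enp3s0 and virbr1, the MAC placeholders and the sample addresses are constructed to match the networks described in the question, not data from the thread.

```shell
#!/bin/sh
# Added example: find which forwarded packets firewalld is denying.
#
# On the KVM host you would first enable logging and watch the kernel log:
#   firewall-cmd --set-log-denied=all
#   journalctl -k -f | grep -E 'FINAL_REJECT|_DROP'
#
# The lines below are CONSTRUCTED sample kernel log lines in the shape
# firewalld's LOG rules produce (log prefix followed by the netfilter
# packet fields). Interfaces, MACs and addresses are assumptions.
SAMPLE_LOG='
kernel: FINAL_REJECT: IN=virbr1 OUT=enp3s0 MAC=00:00:00:00:00:01 SRC=192.168.8.6 DST=192.168.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=12345 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
kernel: FINAL_REJECT: IN=enp3s0 OUT=virbr1 MAC=00:00:00:00:00:02 SRC=192.168.2.10 DST=192.168.8.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
kernel: STATE_INVALID_DROP: IN=enp3s0 OUT= MAC=00:00:00:00:00:03 SRC=192.168.2.15 DST=192.168.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=5555 DPT=443 WINDOW=0 RES=0x00 RST URGP=0
'

# Print one line per denied *forwarded* packet, i.e. a log line where both
# IN= and OUT= are set (locally delivered packets have an empty OUT=).
# Output columns: prefix in_if out_if src dst proto
denied_forwards() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /FINAL_REJECT|_DROP/ {
            in_if = ""; out_if = ""; src = ""; dst = ""; proto = ""; prefix = ""
            # The log prefix is the token right before " IN="; strip ": IN=".
            if (match($0, /[A-Za-z0-9_]+: IN=/))
                prefix = substr($0, RSTART, RLENGTH - 5)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if      (kv[1] == "IN")    in_if  = kv[2]
                else if (kv[1] == "OUT")   out_if = kv[2]
                else if (kv[1] == "SRC")   src    = kv[2]
                else if (kv[1] == "DST")   dst    = kv[2]
                else if (kv[1] == "PROTO") proto  = kv[2]
            }
            if (in_if != "" && out_if != "")
                print prefix, in_if, out_if, src, dst, proto
        }'
}

# Number of denied forwarded packets in the sample; 2 for the data above.
count_denied_forwards() {
    denied_forwards | wc -l | tr -d ' '
}

# Running the script stand-alone prints the summary table.
denied_forwards
```

Each output line names the ingress and egress interface of a dropped packet; on a real host, `firewall-cmd --get-zone-of-interface <if>` for each of those two interfaces tells you which zone's forwarding policy is rejecting the VPN-to-LAN traffic, which is the information needed to decide where a forwarding rule belongs.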