[colug-432] Fwd: Routing with KVM / OpenVPN Redux

jim at rossberry.com jim at rossberry.com
Thu Dec 27 10:47:50 EST 2018 

I've used openvpn terminating on CentOS boxes.  When I do I need to
do...

Add the vpn device to the trusted zone of firewalld

firewall-cmd --permanent --add-interface=tun4 --zone=trusted

and

firewall-cmd --add-service openvpn --permanent

and

firewall-cmd --reload

On Wed, 26 Dec 2018, Joshua Kramer wrote:

> Hello All-
>
> My home environment is set up as noted below.  For some reason,
> devices on my local network cannot communicate with devices coming in
> via VPN.  IP forwarding is enabled on my hardware host as well as the
> VM that is the VPN server.  If I disable firewalld on the hardware
> host, everything works.  I've tried to set up as noted here, and it
> does not work.
>
> https://www.centos.org/forums/viewtopic.php?t=53819  (Note that I did
> not include the MASQUERADE rule as this should be direct routing, not
> masquerading.)
>
> 1. The network 192.168.2.0/24 is my main "local" network.  It is
> connected via a switch to my router.  On this .2 network I have a
> handful of RasPi's as well as the hardware interface to my hardware
> KVM host.
>
> 2. The network 192.168.4.0/24 is the network that is fully contained
> within KVM.  There are a number of VM's that have .4 addresses.  All
> VM's that have .4 addresses are fully available from anything on the
> .2 network.
>
> 3. The network 192.168.8.0/24 is the network that terminates to my
> OpenVPN server, which is at 192.168.4.36.  There are firewall rules
> that forward packets appropriately... any device that connects to this
> OpenVPN box has access to any server on the .4 network.
>
> 4. There is a routing rule on my hardware host that says that anything
> destined for the .8 network needs to go to .4.36 for forwarding.  This
> works fine for things on the .4 network, but it does not work for
> anything on the .2 network.
>
> 5. The hardware host is set up for IP forwarding.
>
> How can I determine what firewall rule I need to set up on the
> hardware host to get this working?
>
> Thanks!
> -JK
> _______________________________________________
> colug-432 mailing list
> colug-432 at colug.net
> http://lists.colug.net/mailman/listinfo/colug-432
>

----------------------------------------------------------------------
Jim Wildman
jim at rossberry.com

More information about the colug-432 mailing list