Firewalld with OpenVPN internal networks

Support for security such as Firewalls and securing linux
Post Reply
WiVM
Posts: 12
Joined: 2015/12/15 08:19:45

Firewalld with OpenVPN internal networks

Post by WiVM » 2020/02/24 23:44:38

Hi,

I notice that most OpenVPN guides disable firewalld and use IPtables instead, but I want to stick to firewalld as it is default. My setup consists of two CentOS 7.7 systems that enable a site-to-site OpenVPN tunnel between two offices.
One of the two servers has two NICs, of which one is connected to the internet (and protected by hardware firewall) and the other one is connected to a private network. The other server has only one NIC connected to a private network and connects via NAT to the internet (hardware firewall not in this scope). The idea is that the server with the one NIC has a permanent connection to the server with the two NICs, with as goal to reach the private network on that remote network. OpenVPN is working fine. I can make connections without any problems, also to devices on that private network.
The question is: how can I protect the private range from connecting to my devices on the remote network apart from specific services that I allow?

SERVER1 = eth0 = 123.123.123.123 (NAT: 10.20.20.0/23) <=== UDP 9999 OpenVPN Tunnel ===> SERVER2 = eth0 = 231.231.231.213/32 + eth1 = 10.10.10.0/23

All interfaces are in the default public zone. Masquerade is disabled. At the moment I only have SSH and my OpenVPN UDP port open between both sides:
SERVER1:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="231.231.231.213" port port=9999 protocol=udp accept' --permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="231.231.231.213" port port=22 protocol=tcp accept' --permanent
SERVER2:
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="123.123.123.123" port port=9999 protocol=udp accept' --permanent
sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="123.123.123.123" port port=22 protocol=tcp accept' --permanent

I enabled 'net.ipv4.ip_forward = 1' on both CentOS servers.

So basically 10.10.10.0/23 should have limited access to devices on 10.20.20.0/23 over the VPN tunnel connection. I do control access on the devices itself, but want it as an extra filter just in case as those local firewalls are sometimes default Windows firewalls that I don't trust.

Thanks!

WiVM
Posts: 12
Joined: 2015/12/15 08:19:45

Re: Firewalld with OpenVPN internal networks

Post by WiVM » 2020/02/26 17:58:00

It actually looks like I am only able to ping all the devices over the VPN tunnel in both directions, but nothing more. When I test on the OpenVPN host 10.10.10.10 in the remote network it is able to connect to remote ports on any device in the 10.10.10.0/23 range, but when I try the same thing from a host on the 10.20.20.0/23 network (over the VPN tunnel), it isn't able to connect to any device on 10.10.10.0/23 except the remote VPN server itself.

I tried to add port on the remote SERVER1 (10.10.10.10) but that doesn't seem to change anything.

sudo firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" source address="10.10.10.11" port port=22 protocol=tcp accept' --permanent

I did save and reload firewalld.

WiVM
Posts: 12
Joined: 2015/12/15 08:19:45

Re: Firewalld with OpenVPN internal networks

Post by WiVM » 2020/02/27 20:41:25

I found out that the issue was actually the status "permissive" in the selinux. With that status disabled and firewalld stopped I am able to connect to a device on the 10.10.10.x network over SSH (which is not the OpenVPN host itself). But the issue now is that with the firewalld started it still denies that traffic for some reason.

This is what is in the log on the remote SERVER1 (10.10.10.10):
Feb 27 21:12:30 gw01 kernel: FINAL_REJECT: IN=tun0 OUT=eth1 MAC= SRC=10.20.20.2 D ST=10.10.10.11 LEN=52 TOS=0x00 PREC=0x00 TTL=126 ID=61992 DF PROTO=TCP SPT=63610 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

This is the rule for the zone on the remote SERVER1 (10.10.10.10)
rich rules:
rule family="ipv4" source address="10.20.20.2" port port="22" protocol="tcp" accept

User avatar
TrevorH
Forum Moderator
Posts: 29902
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Firewalld with OpenVPN internal networks

Post by TrevorH » 2020/02/27 21:28:54

Your diagnosis is incorrect. When selinux is permissive it does not block anything, it only logs what would have been blocked and does nothing.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

WiVM
Posts: 12
Joined: 2015/12/15 08:19:45

Re: Firewalld with OpenVPN internal networks

Post by WiVM » 2020/02/27 21:32:18

Well this is what I thought too, and this was also the reason that I set it permissive instead of the commonly used disable.

WiVM
Posts: 12
Joined: 2015/12/15 08:19:45

Re: Firewalld with OpenVPN internal networks

Post by WiVM » 2020/03/27 12:04:12

I found out that is was a Masquerade issue anyway. Once enabled it seems to work... still have to test further as I am not sure this will allow all traffic or only the traffic allowed for the zone...

Post Reply

Return to “CentOS 7 - Security Support”