OpenVPN client cant ping computers on OpenVPN server lan

Issues related to configuring your network
Post Reply
Jesterace
Posts: 1
Joined: 2017/12/30 00:25:36

OpenVPN client cant ping computers on OpenVPN server lan

Post by Jesterace » 2023/01/14 01:04:06

Hello,
I'm quite new to OpenVPN but after research managed to set it up on my CentOS box. Clients are able to connect and ping the OpenVPN servers LAN iP ok.

My OpenVPN server has the LAN IP of 192.168.0.2
Broadband Router LAN IP 192.168.0.1

The OpenVPN server is connected to another LAN which has a network of 192.168.4.0 (this is a virtual routed network created using QEMU/KVM). On that network is a virtual machine with IP 192.168.4.2. From what I gather, 192.168.4.1 is the gateway ip as this is what i use as the gateway for getting internet on the virtual machine - but i digress that it probably not that important to tell.

I have enabled ip forwarding.

If i turn off firewalld i'm able to ping 192.168.4.2 from a remote OpenVPN client through the tunnel, and even vnc into 192.168.4.2 or whatever I like. However, if firewalld is on then I can't ping it or do anything with the 4.x lan.

I have spent a long time trying to understand and research the problem to see what rules I might need to implement but my understanding is still not good enough, hence my question here. I've read lots of articles where iptables is used to create extra rules to perhaps allow this kind of communication, but my understanding was that firewalld was my firewall. Then i read that iptables is used as its backend, but when i printed out the iptables rules currently on the system there are some missing that are implemented within firewalld - so i'm not sure if my system uses a different backend. If i did use iptables to create rules to fix this problem, i'm not sure if those rules take priority over firewalld. As you can tell my knowledge is limited right now but eager to learn!

I would be grateful if someone can guide me in the right direction. When firewalld is off, everything works great.

P.S. i'm using CentOS 8.

Thanks,
James.

BShT
Posts: 531
Joined: 2019/10/09 12:31:40

Re: OpenVPN client cant ping computers on OpenVPN server lan

Post by BShT » 2023/01/16 18:25:33

you can´t use firewalld and insert iptables rules at command line

https://webhostinghero.org/centos7-open ... lld-setup/

or

disable firewalld and set iptables rules which is actually not even iptables anymore, but nftables, although there is a built-in compatibility conversion

User avatar
jlehtone
Posts: 4248
Joined: 2007/12/11 08:17:33
Location: Finland

Re: OpenVPN client cant ping computers on OpenVPN server lan

Post by jlehtone » 2023/01/16 20:45:22

Jesterace wrote:
2023/01/14 01:04:06
Then i read that iptables is used as its backend, but when i printed out the iptables rules currently on the system there are some missing that are implemented within firewalld - so i'm not sure if my system uses a different backend.
Starting RHEL 8 the backend is nftables and the command to see all rules is:

Code: Select all

nft list ruleset
So yes, firewalld in CentOS Stream 8 does use nftables.

Red Hat has actually backported nftables into RHEL 7 too, even though the firewalld of RHEL 7 does use iptables as backend.


There are basically three hypothetical possibilities:
  1. openvpn co-operates with firewalld and dynamically adds necessary rules
  2. You configure firewalld to add (more static) rules that allow traffic
  3. You switch from firewalld.service into nftables.service and supply whole ruleset
The A is unlikely. The B is difficult, since firewalld has been lacking in some pieces.

The C might require most learning, but is ultimately more doable than B.
You can save the output of nft list ruleset and use it as starting point for ruleset for nftables.service

Post Reply