Set up an OpenVPN Access Server. I am using routing rather than NAT for the VPN. With firewalld turned off everything works and routes as expected. Turn on the firewall and it breaks. In the logs I can see my packets being dropped:
[root@openvpnas ~]$ dmesg | grep -i REJECT
[ 298.700296] FINAL_REJECT: IN=as0t3 OUT=enp3s0 MAC= SRC=172.27.232.66 DST=192.168.103.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=28347 DF PROTO=TCP SPT=44366 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x6000000
[ 300.599828] FINAL_REJECT: IN=as0t3 OUT=enp3s0 MAC= SRC=172.27.232.66 DST=192.168.103.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46876 DF PROTO=TCP SPT=44380 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x6000000
[ 302.274635] FINAL_REJECT: IN=as0t3 OUT=enp3s0 MAC= SRC=172.27.232.66 DST=192.168.103.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30821 DF PROTO=TCP SPT=44394 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x6000000
[ 307.642134] FINAL_REJECT: IN=as0t3 OUT=enp3s0 MAC= SRC=172.27.232.66 DST=192.168.103.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57711 DF PROTO=TCP SPT=44404 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x6000000
firewall-cmd --zone=public --add-rich-rule='rule family=ipv4 source address=172.27.232.66 destination address=192.168.103.0/24 accept' --permanent
I see that traffic is coming from VPN virtual interface/tunnel as0t3 and trying to go out interface enp3s0, which is the main server interface. That is correct. What rules do I need to add to allow traffic between the VPN tunnels and my main interface?
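The FINAL_REJECT lines above are forwarded packets (both IN= and OUT= are set) that reached the end of firewalld's forward chain without any zone or policy accepting them; a tunnel interface that has not been assigned to a zone lands in the default zone, and a rich rule with only source/destination addresses does not by itself allow forwarding between interfaces. The script below is an added example, not part of the original post or of OpenVPN Access Server or firewalld: it parses the posted dmesg lines, extracts the (ingress, egress) interface pairs that were rejected, and prints the firewall-cmd commands for the two usual fixes. The zone name `vpn`, the assumption that enp3s0 lives in the `public` zone, and the `as0t+` wildcard derived from `as0t3` are assumptions; the `--new-policy`/`--add-ingress-zone`/`--add-egress-zone`/`--set-target` options and the zone `--add-forward` option require firewalld 0.9 or newer (check with `firewall-cmd --version`). The generated commands are printed, not executed.

```python
import re
from collections import defaultdict

# Sample input: the four FINAL_REJECT lines from the dmesg output in the post above.
SAMPLE_LOG = """\
[ 298.700296] FINAL_REJECT: IN=as0t3 OUT=enp3s0 MAC= SRC=172.27.232.66 DST=192.168.103.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=28347 DF PROTO=TCP SPT=44366 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x6000000
[ 300.599828] FINAL_REJECT: IN=as0t3 OUT=enp3s0 MAC= SRC=172.27.232.66 DST=192.168.103.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=46876 DF PROTO=TCP SPT=44380 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x6000000
[ 302.274635] FINAL_REJECT: IN=as0t3 OUT=enp3s0 MAC= SRC=172.27.232.66 DST=192.168.103.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=30821 DF PROTO=TCP SPT=44394 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x6000000
[ 307.642134] FINAL_REJECT: IN=as0t3 OUT=enp3s0 MAC= SRC=172.27.232.66 DST=192.168.103.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=57711 DF PROTO=TCP SPT=44404 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 MARK=0x6000000
"""

# "[ 298.700296] FINAL_REJECT: key=value key=value FLAG ..."
LINE_RE = re.compile(r"^\[\s*(?P<ts>[\d.]+)\]\s+(?P<prefix>\S+?):\s+(?P<fields>.*)$")


def parse_reject(line):
    """Parse one netfilter log line into a dict; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"ts": float(m.group("ts")), "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            entry[key] = value          # "MAC=" yields an empty string
        else:
            entry["flags"].add(tok)     # bare tokens such as DF, SYN, ACK
    return entry


def forward_pairs(log_text):
    """Group rejected *forwarded* packets by (ingress iface, egress iface).

    INPUT-chain drops have an empty OUT= and OUTPUT-chain drops an empty IN=;
    only lines with both set are forwarding decisions, which is what the post is about.
    """
    pairs = defaultdict(set)
    for line in log_text.splitlines():
        e = parse_reject(line)
        if not e or not e.get("IN") or not e.get("OUT"):
            continue
        pairs[(e["IN"], e["OUT"])].add((e["SRC"], e["DST"], e.get("PROTO"), e.get("DPT")))
    return dict(pairs)


def interface_wildcard(ifname):
    """as0t3 -> as0t+ ; firewalld accepts a trailing '+' as an interface-name wildcard
    (assumption: every as0tN interface belongs to the same VPN and should get the same zone)."""
    return re.sub(r"\d+$", "+", ifname)


def policy_commands(pairs, ingress_zone="vpn", egress_zone="public"):
    """Least-privilege variant: tunnels in their own zone, one policy allowing VPN -> LAN only.

    Assumes the egress interface (enp3s0) is already in `egress_zone`. `--new-zone` and
    `--new-policy` fail if the object already exists; drop those lines on a re-run.
    """
    cmds = [f"firewall-cmd --permanent --new-zone={ingress_zone}"]
    for in_if in sorted({i for i, _ in pairs}):
        cmds.append(f"firewall-cmd --permanent --zone={ingress_zone} --add-interface={interface_wildcard(in_if)}")
    policy = f"{ingress_zone}-to-{egress_zone}"
    cmds += [
        f"firewall-cmd --permanent --new-policy={policy}",
        f"firewall-cmd --permanent --policy={policy} --add-ingress-zone={ingress_zone}",
        f"firewall-cmd --permanent --policy={policy} --add-egress-zone={egress_zone}",
        f"firewall-cmd --permanent --policy={policy} --set-target=ACCEPT",
        "firewall-cmd --reload",
    ]
    return cmds


def intrazone_commands(pairs, zone="public"):
    """Simplest variant: put the tunnels in the same zone as enp3s0 and enable intra-zone
    forwarding. Note this allows forwarding in both directions (LAN -> VPN clients too)."""
    cmds = []
    for in_if in sorted({i for i, _ in pairs}):
        cmds.append(f"firewall-cmd --permanent --zone={zone} --add-interface={interface_wildcard(in_if)}")
    cmds += [f"firewall-cmd --permanent --zone={zone} --add-forward", "firewall-cmd --reload"]
    return cmds


if __name__ == "__main__":
    pairs = forward_pairs(SAMPLE_LOG)
    for (in_if, out_if), flows in sorted(pairs.items()):
        print(f"# rejected forwarding {in_if} -> {out_if}: {len(flows)} distinct flow(s)")
    print("# Option A: dedicated zone + one-direction policy")
    print("\n".join(policy_commands(pairs)))
    print("# Option B: same zone + intra-zone forwarding")
    print("\n".join(intrazone_commands(pairs)))
```

After applying either option, re-run the `dmesg | grep -i REJECT` check from the post; if new FINAL_REJECT lines still show IN=as0t3 OUT=enp3s0, the tunnel interface did not land in the intended zone (`firewall-cmd --get-active-zones` shows the mapping). Option A is the one to prefer on a server that should only ever forward from the VPN towards the LAN.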