FirewallD and OpenVPN

kb9mfd
Posts: 18
Joined: 2011/12/13 13:17:56

FirewallD and OpenVPN

Post by kb9mfd » 2019/11/11 15:22:22

I am not very familiar with FirewallD yet, but I am having an issue getting OpenVPN traffic to flow across it correctly. I have OpenVPN working, and connected clients can ping to the server just fine, and to each other, but if I try to ping from the remote client to another machine on the local network where the server is located, the packets are masqueraded. I have the external and internal zones set, OpenVPN set up to use the "trusted" zone. Internal interface is set to "internal" zone and the external interface is set to the "external" zone -

Code:

internal (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp3s0
  sources:
  services: bacula mdns samba-client ssh
  ports: 10000/tcp 943/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


external (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp4s0
  sources:
  services: openvpn ssh
  ports: 1194/udp
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces:
  sources: 10.8.0.0/24
  services:
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

  
So
remote client -> server (ok)
remote client -> remote client (ok)
server -> remote client (ok)
remote client -> local computer to server (not ok)

When I do a "tcpdump -i tun0 icmp" I see the ping from my client to the destination I am pinging to. (destination is 172.28.101.45)

Code:

09:14:43.150318 IP 10.8.0.101 > 172.28.101.45: ICMP echo request, id 9234, seq 1, length 64

When I do a "tcpdump -i enp3s0 icmp" I see the icmp packets leaving the local interface to the machine I am trying to ping, but the from address is the WAN address instead of the address of the vpn client like the packets when I dump the tun0 interface

Code:

09:14:04.618830 IP xx-xx-xx-xx.static.mdsn.xx.charter.com > 172.28.101.45: ICMP echo request, id 9231, seq 3, length 64

Any suggestions? Thanks!
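One way to check the zone layout described in this post, as an added example that is not part of the thread: the script parses a constructed copy of `firewall-cmd --list-all-zones` output (modelled on the zones above, trimmed to the fields the checks read) and reports which active zones masquerade and which zone each interface on the VPN path lands in. An interface listed by no zone is handled by firewalld's default zone, not by a source-based zone such as "trusted".

```shell
#!/bin/sh
# Added example, not from the thread. Constructed copy of `firewall-cmd --list-all-zones`
# output modelled on the zones in the post; only the fields the checks read are kept.
ZONES_DUMP='internal (active)
  target: default
  interfaces: enp3s0
  sources:
  masquerade: no

external (active)
  target: default
  interfaces: enp4s0
  sources:
  masquerade: yes

trusted (active)
  target: ACCEPT
  interfaces:
  sources: 10.8.0.0/24
  masquerade: no
'

# Print the name of every active zone that has masquerade enabled
# (inactive zones in a full dump are skipped).
masq_zones() {
  printf '%s\n' "$1" | awk '
    /^[a-z]/             { zone = $1; active = ($0 ~ /\(active\)/) }
    /^  masquerade: yes/ { if (active) print zone }'
}

# Print the zone that lists an interface, or DEFAULT when no zone does:
# firewalld then applies the default zone to traffic on that interface.
zone_of_iface() {
  printf '%s\n' "$1" | awk -v ifc="$2" '
    /^[a-z]/         { zone = $1 }
    /^  interfaces:/ { for (i = 2; i <= NF; i++) if ($i == ifc) { print zone; found = 1 } }
    END              { if (!found) print "DEFAULT" }'
}

# Report the VPN path from the post: tunnel, LAN-facing and WAN-facing interfaces.
for ifc in tun0 enp3s0 enp4s0; do
  echo "$ifc -> zone: $(zone_of_iface "$ZONES_DUMP" "$ifc")"
done
echo "masquerading zones: $(masq_zones "$ZONES_DUMP" | tr '\n' ' ')"
```

Binding the tunnel interface to a zone explicitly (for example `firewall-cmd --zone=internal --add-interface=tun0`) removes the DEFAULT case from the report.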

BShT
Posts: 584
Joined: 2019/10/09 12:31:40

Re: FirewallD and OpenVPN

Post by BShT » 2019/11/11 16:32:36

iroute?

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: FirewallD and OpenVPN

Post by TrevorH » 2019/11/11 16:52:28

I see that the firewalld package supplies a /usr/lib/firewalld/services/openvpn.xml file. That means that firewall-cmd would know about --add-service=openvpn and add rules/load modules as it's told in that xml file. I don't have it installed so can't see its contents. You do, what does it say?
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

kb9mfd
Posts: 18
Joined: 2011/12/13 13:17:56

Re: FirewallD and OpenVPN

Post by kb9mfd » 2019/11/11 17:30:06

BShT wrote:
2019/11/11 16:32:36
iroute?
Didn't know about iroute, so I read up on it a bit and added it to my ccd -

Code:

ifconfig-push 10.8.0.102 255.255.255.255
push "route 10.8.0.0 255.255.255.0 10.8.0.102"
push "route 172.28.101.0 255.255.255.0 10.8.0.102"
iroute 172.28.101.0 255.255.255.0

Did not work. I can still ping the server but nothing in the local lan to the server. For some strange reason I have to push the route for the 10.8.0.0 also or it will not work at all. My server config -

Code:

local xx.xx.xx.xx
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
auth SHA512
tls-crypt tc.key
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
#push "redirect-gateway def1"
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
client-config-dir /etc/openvpn/ccd
keepalive 10 120
cipher AES-256-CBC
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
verb 3
crl-verify crl.pem
explicit-exit-notify

Odd thing is, this works, as in the vpn can reach the server and the remote machine has internet, for my CentOS boxes, but for my Windows box it totally kills my network. Same configuration, but for Windows my DNS stops working, and I cannot ping across the VPN.

Thanks!
Last edited by kb9mfd on 2019/11/11 17:36:18, edited 1 time in total.

kb9mfd
Posts: 18
Joined: 2011/12/13 13:17:56

Re: FirewallD and OpenVPN

Post by kb9mfd » 2019/11/11 17:31:01

TrevorH wrote:
2019/11/11 16:52:28
I see that the firewalld package supplies a /usr/lib/firewalld/services/openvpn.xml file. That means that firewall-cmd would know about --add-service=openvpn and add rules/load modules as it's told in that xml file. I don't have it installed so can't see its contents. You do, what does it say?
I did see that and use it, but it only supports TCP tunnels and I had to open the UDP one manually - Thanks!

kb9mfd
Posts: 18
Joined: 2011/12/13 13:17:56

Re: FirewallD and OpenVPN

Post by kb9mfd » 2019/11/11 17:59:08

kb9mfd wrote:
2019/11/11 17:30:06
BShT wrote:
2019/11/11 16:32:36
iroute?
Odd thing is, this works, as in the vpn can reach the server and the remote machine has internet, for my CentOS boxes, but for my Windows box it totally kills my network. Same configuration, but for Windows my DNS stops working, and I cannot ping across the VPN.
Never mind, I figured that out. I had the "ifconfig" wrong, I had the netmask as 255.255.255.255 instead of 255.255.255.0, but still, that did not fix the issue. I still think it's an issue with FirewallD, as the packet capture from tun0 is correct, but when the packet is moved from tun0 to enp3s0 it's being changed.

I tried to put tun0 in the internal zone, did not make a difference. I also turned off masquerade for the external zone, still something is changing the from address from the remote client to the WAN connection.
