16

I need to configure OpenVPN on CentOS 7 using firewalld.

I used iptables on CentOS 6.5 and only had to add the following lines to /etc/sysconfig/iptables:

-A POSTROUTING -s "10.0.0.0/24" -o "wlan0" -j MASQUERADE
-A FORWARD -p tcp -s 10.0.0.0/24 -d 0.0.0.0/0 -j ACCEPT

Then run the command echo 1 > /proc/sys/net/ipv4/ip_forward and open port 443.
Rui F Ribeiro
Fxbaez

1 Answer

36

Use the firewall-cmd command.

Assuming you're opening the firewall up to OpenVPN on the default zone, carry out the following commands. If you are running it on a non-default zone, then add --zone=<zone> to the commands.

Note: If you use the default public zone for your external facing network adapter then your loopback interface could also be masqueraded (dependent on the version of firewalld you're running), which can cause issues if you are running a service (such as MySQL) that is accessed locally.

First, list what's currently open:

# firewall-cmd --list-services
http https ssh

Next, add the openvpn service:

# firewall-cmd --add-service openvpn
success

A quick check:

# firewall-cmd --list-services
http https openvpn ssh

The above will allow openvpn to work, which you can now test. However, it won't last over restarts. To make it permanent, add the --permanent option:

# firewall-cmd --permanent --add-service openvpn
success

Note that this last command doesn't open the port until the next restart, so you need to use both commands.

Finally, add the masquerade:

# firewall-cmd --add-masquerade
success

And make it permanent after a restart:

# firewall-cmd --permanent --add-masquerade
success

Confirm it:

# firewall-cmd --query-masquerade
yes

Note that if your incoming OpenVPN connection is in a different zone to your Internet facing connection the masquerade should be on the latter and you'll need to use the --zone=<zone> option with the --add-masquerade commands.

garethTheRed
  • How do you tell what the definition of the openvpn service is in firewalld? For example, how can you verify that it's allowing openvpn over TCP 443? – Christopher Mar 04 '16 at 02:13
  • @Christopher - Service files are located in /lib/firewalld/services/. In your case, it will be openvpn.xml within that directory. User defined services go in /etc/firewalld/services. Note that the default port for openvpn is UDP/1194. – garethTheRed Mar 04 '16 at 07:24
  • 1
    Thanks. I was having a problem, and thought it might be firewalld. The only thing I did differently from the above instructions was use "https" instead of "openvpn" as the service name to add. Turns out, it wasn't firewalld with the problem. I was just being dumb, and forgot to configure my client properly to use "tun" instead of "tap". The above instructions work perfectly. – Christopher Mar 06 '16 at 08:51
  • 1
    I've noticed a problem with adding masquerade to the entire zone. This tries to NAT my connections to the loopback interface, when I am running other services on localhost. I'd like to limit the masquerading to just 10.8.0.0/16. Any idea how you might do that? – Christopher Mar 12 '16 at 06:16
  • 1
    This bug may be the cause. Basically, if your default zone is the public zone then it masquerades the loopback interface. It turns out that I'd previously set my default zone to be external, so never faced the issue you're seeing. Try moving the services and the adapter to another zone to see if that helps. Let me know :-) – garethTheRed Mar 12 '16 at 07:47
  • Would moving the interfaces to a non-default zone be essentially the equivalent to explicitly moving them into the public zone? I assume eth0 and tun0 should be in the zone doing the masquerading, but where do I put lo? – Christopher Mar 12 '16 at 07:54
  • On my setup, I have eth0 in external with the openvpn service and masquerade enabled, and tun0 in internal. When I run firewall-cmd --list-all-zones there's no mention of lo. – garethTheRed Mar 12 '16 at 08:06
  • I'm not sure the pros and cons, but I seemed to get things to work by putting eth0 and tun0 in public (or external... same config, didn't matter) and lo in trusted. I think the main thing is that lo can't be in the masqueraded zone, and unless specified it's in the default zone, so the others need to be moved out of the default zone explicitly??? Bleh, this is so bothersome. Thanks for the help though. :) – Christopher Mar 12 '16 at 08:18
  • @garethTheRed I have a similar issue. Are you willing to take a look? Here is the link: http://unix.stackexchange.com/questions/290046/openvpn-server-does-not-reply-to-client-ping – FarmHand Jun 16 '16 at 03:29
  • @garethTheRed I was running firewalld 0.3.9.x and the masquerade was interfering with loopback, so nginx was having errors to redirect to my local path and showing the websites. Updating firewalld did the trick, after hours of research, you saved me. – ibai Apr 28 '17 at 21:33
  • @garethTheRed, I believe I'm having the same issue: https://serverfault.com/questions/915257/ssh-port-forwarding-with-firewall-cmd can you take a look please ? – Noam Manos Jun 13 '18 at 15:28
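The procedure from the answer and the zone layout worked out in the comments (Internet-facing NIC in one zone with the openvpn service and masquerade, tun0 in another, lo left out of the masqueraded zone), as an added shell example that is not part of the answer or of firewalld itself. The zone and interface names (external/eth0, internal/tun0) are assumptions; each change is applied at runtime and with --permanent, since --permanent alone only takes effect after a reload.

```shell
#!/bin/sh
# Added example (not from the answer): the firewall-cmd steps above, wrapped so
# each change is applied at runtime AND permanently, with the Internet-facing
# NIC and tun0 bound to explicit zones so lo stays out of the masqueraded zone.
# Zone and interface names are assumptions; adjust them to your host.
# Set FW_DRY_RUN=1 to print the commands instead of executing them.

run() {
  # Execute a command, or print it when FW_DRY_RUN=1 (used for offline review).
  if [ "${FW_DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

fw_both() {
  # --permanent alone only takes effect after a reload, so apply both forms.
  run firewall-cmd "$@" && run firewall-cmd --permanent "$@"
}

openvpn_firewalld_setup() {
  ext_zone="$1"; ext_if="$2"   # e.g. external eth0: where VPN clients arrive
  tun_zone="$3"; tun_if="$4"   # e.g. internal tun0: the VPN side
  # Bind the NICs to non-default zones; lo is left in the default zone and is
  # therefore never covered by the masquerade (the issue raised in the comments).
  fw_both --zone="$ext_zone" --change-interface="$ext_if" || return 1
  fw_both --zone="$tun_zone" --change-interface="$tun_if" || return 1
  # Clients connect on the external NIC, so the service is opened there only.
  fw_both --zone="$ext_zone" --add-service=openvpn || return 1
  # NAT only on the Internet-facing zone, never on the tun zone.
  fw_both --zone="$ext_zone" --add-masquerade || return 1
  # Kernel forwarding, as in the iptables-era setup (persist it via /etc/sysctl.d/).
  run sysctl -w net.ipv4.ip_forward=1
}

openvpn_firewalld_verify() {
  # Return 0 only when both the service and the masquerade are active on the zone.
  zone="$1"
  run firewall-cmd --zone="$zone" --query-service=openvpn &&
  run firewall-cmd --zone="$zone" --query-masquerade
}

# Typical use on the host (as root):
# openvpn_firewalld_setup external eth0 internal tun0 && openvpn_firewalld_verify external
```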