On Fri, Mar 20, 2020 at 09:23:45PM +0100, Hans-Peter Jansen wrote:
On Friday, 20 March 2020, 20:12:03 CET, Eric Garver wrote:
> On Fri, Mar 20, 2020 at 08:39:36AM +0100, Hans-Peter Jansen wrote:
> > On Thursday, 19 March 2020, 20:06:19 CET, Eric Garver wrote:
> >
> >
> > Hrmpf. I've tried to eliminate all disturbing elements, but failed.
> > Yes, a service on port 8080 needs be allowed as well, but having it
> > working for ssh is enough to get the rest working in a similar fashion.
> >
> > It should have read:
> >
> > rule family="ipv4" source address="10.20.30.0/24" destination
> > address="192.168.78.0/24" port port="22" protocol="tcp" accept
> >
> >
> > I've tried port forwarding and other things, but ultimately, I would like
> > to allow some services coming from the VPN (tun0/10.20.30.0/24) to be
> > routed to the local network (and back).
>
>
> On the client side is your SSH destination in the 10.20.30.0/24 block of
> addresses or are you using the OpenVPN's "uplink" address (eth0) ?
>
They come in from the VPN block 10.20.30.0/24.
Does the VPN work at all? Can an external client communicate with an
internal client? AFAICS, the OpenVPN traffic will be denied at the
external zone. You haven't added the openvpn service.
Maybe try
firewall-cmd --zone external --add-service openvpn
The stock service only allows UDP. If you're using TCP-backed OpenVPN
(you shouldn't) then you need to allow it explicitly:
firewall-cmd --zone external --add-port=1194/tcp
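As an added example, not from the thread, here is a shell script that puts the pieces above together: the openvpn service (plus the optional TCP port) on the external zone, tun0 in a LAN-facing zone, and rich rules of the shape quoted earlier for ports 22 and 8080. The zone name "internal" for tun0, the rich_rule_for helper and the OPENVPN_TCP switch are assumptions of mine.

```shell
# Added example: firewalld setup for routing selected services from the
# VPN block (tun0, 10.20.30.0/24) to the LAN (192.168.78.0/24).
# Assumed: uplink in zone "external", tun0 bound to zone "internal".
set -u

# Build a rich rule allowing one TCP port from a source block to a
# destination block (same shape as the rule quoted in the thread).
rich_rule_for() {
    src="$1"; dst="$2"; port="$3"
    printf 'rule family="ipv4" source address="%s" destination address="%s" port port="%s" protocol="tcp" accept' "$src" "$dst" "$port"
}

# Print the firewall-cmd invocations, one per line, without running them.
vpn_rules() {
    # 1. Let the tunnel itself in on the uplink zone (stock service is UDP only).
    echo "firewall-cmd --permanent --zone=external --add-service=openvpn"
    # Only needed for a TCP-backed OpenVPN server (OPENVPN_TCP=1 is my own switch).
    [ "${OPENVPN_TCP:-0}" = "1" ] && echo "firewall-cmd --permanent --zone=external --add-port=1194/tcp"
    # 2. Bind tun0 to the zone whose rules will judge forwarded VPN traffic.
    echo "firewall-cmd --permanent --zone=internal --add-interface=tun0"
    # 3. Admit only the specific services from the VPN block to the LAN.
    for p in 22 8080; do
        echo "firewall-cmd --permanent --zone=internal --add-rich-rule='$(rich_rule_for 10.20.30.0/24 192.168.78.0/24 "$p")'"
    done
    echo "firewall-cmd --reload"
}

# Apply the rules only when firewalld is present; otherwise just show them.
apply_vpn_rules() {
    if ! command -v firewall-cmd >/dev/null 2>&1; then
        echo "firewall-cmd not found; showing commands only" >&2
        vpn_rules
        return 0
    fi
    vpn_rules | while IFS= read -r cmd; do eval "$cmd"; done
    # Verify what actually landed in the zone.
    firewall-cmd --zone=internal --list-rich-rules
}
```

Run `apply_vpn_rules` as root on the OpenVPN host; on any other machine it only prints the commands so they can be reviewed first.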