On Friday, 20 March 2020 at 21:44:10 CET, Eric Garver wrote:
> On Fri, Mar 20, 2020 at 09:23:45PM +0100, Hans-Peter Jansen wrote:
> > On Friday, 20 March 2020 at 20:12:03 CET, Eric Garver wrote:
> >
> > > On Fri, Mar 20, 2020 at 08:39:36AM +0100, Hans-Peter Jansen wrote:
> > >
> > > > On Thursday, 19 March 2020 at 20:06:19 CET, Eric Garver wrote:
> > > >
> > > > Hrmpf. I've tried to eliminate all disturbing elements, but failed.
> > > > Yes, a service on port 8080 needs to be allowed as well, but having it
> > > > working for ssh is enough to get the rest working in a similar
> > > > fashion.
> > > >
> > > > It should have read:
> > > >
> > > > rule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="22" protocol="tcp" accept
> > > >
> > > > I've tried port forwarding and other things, but ultimately, I would
> > > > like to allow some services coming from the VPN (tun0/10.20.30.0/24)
> > > > to be routed to the local network (and back).
> > >
> > > On the client side, is your SSH destination in the 10.20.30.0/24 block
> > > of addresses, or are you using the OpenVPN's "uplink" address (eth0)?
> >
> > They come in from the VPN block 10.20.30.0/24.
>
> Does the VPN work at all? Can an external client communicate with an
> internal client? AFAICS, the OpenVPN traffic will be denied at the
> external zone. You haven't added the openvpn service.
>
> Maybe try
>
> firewall-cmd --zone external --add-service openvpn
>
> The stock service only allows UDP. If you're using TCP-backed OpenVPN
> (you shouldn't) then you need to allow it explicitly:
>
> firewall-cmd --zone external --add-port=1194/tcp
Yes, sorry again for the omission. Yes, I've opened the external openvpn port,
and the VPN server services, including ssh, are working fine. It's just the
routing to the local net that is dysfunctional, although these are
outgoing from the VPN server's point of view (but departing from the wrong net).

Thanks,
Pete
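A check for the zone-configuration point Eric raises above (the stock openvpn service covers only UDP, so a TCP-backed server also needs 1194/tcp under "ports:"), as an added example that is not part of this thread: it parses a constructed `firewall-cmd --zone=external --list-all` listing rather than querying a live firewalld, so it runs anywhere.

```shell
#!/bin/sh
# Parse a captured `firewall-cmd --zone=external --list-all` listing and
# report whether the zone admits OpenVPN over a given transport.

# Print the value of one field ("services", "ports", ...) from a zone
# listing read on stdin; an empty field prints an empty line.
zone_field() {
    field="$1"
    sed -n "s/^[[:space:]]*${field}:[[:space:]]*//p"
}

# Usage: printf '%s\n' "$listing" | openvpn_allowed <udp|tcp>
# Returns 0 when OpenVPN over that transport is allowed in the zone.
openvpn_allowed() {
    proto="$1"
    listing=$(cat)
    services=$(printf '%s\n' "$listing" | zone_field services)
    ports=$(printf '%s\n' "$listing" | zone_field ports)
    case "$proto" in
        udp)
            # The predefined "openvpn" service is 1194/udp; an explicit
            # 1194/udp port entry is equivalent.
            for s in $services; do [ "$s" = openvpn ] && return 0; done
            for p in $ports; do [ "$p" = 1194/udp ] && return 0; done
            ;;
        tcp)
            # No stock service covers TCP; only an explicit port counts.
            for p in $ports; do [ "$p" = 1194/tcp ] && return 0; done
            ;;
    esac
    return 1
}

# Constructed sample: the external zone after `--add-service openvpn`,
# with no TCP port added (not output from a real host).
SAMPLE_LISTING='external (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh openvpn
  ports:
  protocols:
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

printf '%s\n' "$SAMPLE_LISTING" | openvpn_allowed udp && echo "OpenVPN/UDP allowed in external"
printf '%s\n' "$SAMPLE_LISTING" | openvpn_allowed tcp || echo "1194/tcp missing: firewall-cmd --zone external --add-port=1194/tcp"
```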