On Sun, Jul 25, 2021 at 08:14:13PM -0000, Fedora Borealis wrote:
> > I think in addition to the above policy you need a second one to accept
> > all traffic destined to tun+. Put tun+ in a zone, then add that zone to the
> > egress-zones set. Make sure this new policy has a higher precedence
> > (lower priority value) than the one above.
>
> Thanks for the insights, I'll try that. Nice that you're bringing in the fix to
> v0.9.5 :)
>
> I'm not familiar with setting the zone for a tun0 device. Currently
> the tun0 interface has no zone assigned to it (not even the default).

If nothing is explicitly assigned then the default zone will be used.

> I currently run openvpn directly as part of a script so that I can
> easily change the destination ip address (along with changing the
> firewall just beforehand to allow only that address). I'm not that
> familiar with using network manager (either gui or client) for openvpn
> connections. Doing some brief digging I've found that I can set the
> zone using
>
>     nmcli connection modify tun0 connection.zone myzone
>
> but this probably isn't the preferred approach since the tun0 device only lasts
> within the openvpn session.

I don't know if NM will track it across restarts.

Alternatively you can use addresses instead of interface names, e.g.

    # firewall-cmd --permanent --zone <zone> --add-source 10.0.0.0/8

Use the block of addresses assigned to tun+.

> Should I just delve into using network manager proper for the openvpn
> client connections, saving the configuration (and zone setting)? Does
> anyone have any useful links to give an introduction to using it (for
> use in scripting with changing destination ip addresses)?

I do not have any examples for this.
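The reply above amounts to a small firewalld procedure: put tun+ (or its address block) in a zone, then add a higher-precedence policy whose egress zone is that zone. The script below is an added example, not code from this thread or from firewalld; the zone name, policy name, ingress zone and priority are assumptions, and setting FWCMD=echo prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread: build and apply the firewalld
# configuration the reply describes, with tun+ in its own zone and a
# higher-precedence policy accepting traffic that egresses to that zone.
# Assumptions (not stated on the page): zone name "vpn", policy name
# "to-vpn", ingress zone "public", priority -10, VPN block 10.0.0.0/8.
# Zone interface bindings in firewalld's permanent config survive the
# tun0 device appearing and disappearing with each openvpn session.
FWCMD="${FWCMD:-firewall-cmd}"   # set FWCMD=echo to preview only

# Print one firewall-cmd argument list per line. The fifth argument is
# optional: a source block to bind instead of relying on the interface.
vpn_policy_commands() {
    zone="$1"; policy="$2"; ingress="$3"; priority="$4"; subnet="$5"
    echo "--permanent --new-zone $zone"
    echo "--permanent --zone $zone --add-interface tun+"
    if [ -n "$subnet" ]; then
        echo "--permanent --zone $zone --add-source $subnet"
    fi
    echo "--permanent --new-policy $policy"
    echo "--permanent --policy $policy --add-ingress-zone $ingress"
    echo "--permanent --policy $policy --add-egress-zone $zone"
    echo "--permanent --policy $policy --set-target ACCEPT"
    # lower priority value = evaluated before the existing policy
    echo "--permanent --policy $policy --set-priority $priority"
}

# Run each command, stop on the first failure, then reload so the
# permanent configuration becomes the runtime one.
apply_vpn_policy() {
    vpn_policy_commands "$@" | while read -r args; do
        # shellcheck disable=SC2086  # splitting $args into words is intended
        "$FWCMD" $args || return 1
    done && "$FWCMD" --reload
}

# Usage (as root): apply_vpn_policy vpn to-vpn public -10 10.0.0.0/8
```

Run it once with FWCMD=echo to review the plan, then as root without it to apply the permanent configuration and reload.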