> I am following this tutorial[1] to set up OpenVPN. It suggests running > both of the following commands: > > sudo firewall-cmd --permanent --add-masquerade > sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A > POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE I tested to find that openvpn tunnel is working ONLY if I use first command, 2nd command having no effect. I found reason is --add-masquerade also adds a FORWARD rule, this seems broad, no?

-A FWDO_public_allow -m conntrack --ctstate NEW -j ACCEPT Can somebody confirm the 2nd command above is redundant?

> I was reading about firewalld and iptables and some people have wrote[2] > that the 1st command should already add a similar rule as the 2nd one I > guess without the specific subnet range. Why not use only the 2nd > command? What benefit is also running the 1st? > > Regard to the -o eth1 I have multiple public IP address with each has > its own interface. How do I force to NAT and MASQUERADE the openvpn > subnet to the IP address (interface) of my choice? Is -o eth1 detecting > traffic that is already routed out interface eth1? If yes, where does > the routing happen? If no, can I change -o eth2 to get what I want? (BTW > openvpn only listening on port 1194 for IP address thats on eth2.)

> > Other question: I read[3] "if you use default public zone for your > external facing network adapter then your loopback interface could also > be masqueraded" which I am concerned about. How do I test if this is the > case and what are the side effects?

I was reading to find that I might can use SNAT that would answer all my questions: no worry about MASQUERADE problems and choose the external IP address I want. Is that correct thinking?

I found this work: sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -j SNAT --to-source x.x.x.x sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 -j ACCEPT I wanted to ask: * Is it important to add "-o eth1" to SNAT command? Is it OK to leave away?

* Is FORWARD rule too broad, are there risks? Should I add any of the following or are they redundant? -s 10.8.0.0/24 -o eth1 -m state --state NEW

Hi Eric thank you for helping me! > > > I am following this tutorial[1] to set up OpenVPN. It suggests running > > > both of the following commands: > > > > > > sudo firewall-cmd --permanent --add-masquerade > > > sudo firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A > > > POSTROUTING -s 10.8.0.0/24 -o eth1 -j MASQUERADE > > > > I tested to find that openvpn tunnel is working ONLY if I use first command, > > 2nd command having no effect. > > > > I found reason is --add-masquerade also adds a FORWARD rule, this seems > > broad, no? > > It should be limited by the output interface. But the add-masquerade command does not accept interface argument right? I

think I can narrow it by managing zones, but the command would appear more useful to me if it had a interface argument. Still, I don't want to

masquerade any traffic except that which comes from the openvpn subnet and leave everything else alone. So to me even limited by zone or interface, add-masquerade is unecessarily broad so I forced to consider a passthru to tighten it up or another solution like SNAT. Would love to see a more powerful add-masquerade command

> > > Regard to the -o eth1 I have multiple public IP address with each has > > > its own interface. How do I force to NAT and MASQUERADE the openvpn > > > subnet to the IP address (interface) of my choice? Is -o eth1 detecting > > > traffic that is already routed out interface eth1? If yes, where does > > > the routing happen? If no, can I change -o eth2 to get what I want? (BTW > > > openvpn only listening on port 1194 for IP address thats on eth2.) > > I don't know how iptables selects which IP to use. Nor could I find any > documentation. Hmm it must require a PREROUTING rule or something else. Using SNAT helps me avoid getting too convoluted. > > I was reading to find that I might can use SNAT that would answer all my > > questions: no worry about MASQUERADE problems and choose the external IP > > address I want. Is that correct thinking? > > masquerade is typically for situations where your IP address may change. > If yours doesn't change, then regular SNAT may be better for you. OK > > I found this work: > > > > sudo firewall-cmd --direct --passthrough ipv4 -t nat -A POSTROUTING -s > > 10.8.0.0/24 -j SNAT --to-source x.x.x.x > > sudo firewall-cmd --direct --passthrough ipv4 -t filter -I FORWARD -i tun0 > > -j ACCEPT > > > > I wanted to ask: > > * Is it important to add "-o eth1" to SNAT command? Is it OK to leave away? > > It's probably a good idea. Otherwise the SNAT may accidentally apply to > internal traffic. I haven't seen a problem with that, but maybe I don't understand you. I got on the VPN and requested a web resource from a webserver running on the same machine and the IP is reflected as that of the VPN. Can you help sketch the details of the potential problem you mention?

> > * Is FORWARD rule too broad, are there risks? Should I add any of the > > following or are they redundant? > > -s 10.8.0.0/24 > > -o eth1 > > -m state --state NEW > > I think it would be fine to add these. The risk depends on your network > setup. In general is there any impact on performance to add more rules that ultimately make no difference to the result? Or is it so insignificant that adding more specificity can ensure no unwanted side effects of rules that are too loose?