Configuring OpenVPN to use Firewalld instead of iptables on Centos 7

I need to configure OpenVPN on Centos 7 using firewalld.

I used iptables on Centos 6.5 and only had to add the following lines to /etc/sysconfig/iptables:

-A POSTROUTING -s "10.0.0.0/24" -o "wlan0" -j MASQUERADE
-A FORWARD -p tcp -s 10.0.0.0/24 -d 0.0.0.0/0 -j ACCEPT

Run the command: echo 1 > /proc/sys/net/ipv4/ip_forward

Open port 443.

Answers:


Method 1

Use the firewall-cmd command.

Assuming you’re opening the firewall up to OpenVPN on the default zone, carry out the following commands. If you are running it on a non-default zone, then add --zone=<zone> to the commands.

Note: If you use the default public zone for your external-facing network adapter, then your loopback interface could also be masqueraded (dependent on the version of firewalld you’re running), which can cause issues if you are running a service (such as MySQL) that is accessed locally.

First, list what’s currently open:

# firewall-cmd --list-services
http https ssh

Next, add the openvpn service:

# firewall-cmd --add-service openvpn
success

A quick check:

# firewall-cmd --list-services
http https openvpn ssh

The above will allow openvpn to work, which you can now test. However, it won’t last over restarts. To make it permanent, add the --permanent option:

# firewall-cmd --permanent --add-service openvpn
success

Note that this last command doesn’t open the port until the next restart, so you need to use both commands.

Finally, add the masquerade:

# firewall-cmd --add-masquerade
success

And make it permanent after a restart:

# firewall-cmd --permanent --add-masquerade
success

Confirm it:

# firewall-cmd --query-masquerade
yes

Note that if your incoming OpenVPN connection is in a different zone to your Internet-facing connection, the masquerade should be on the latter, and you’ll need to use the --zone=<zone> option with the --add-masquerade commands.
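The steps above (runtime plus --permanent for the service and the masquerade, forwarding enabled, then verify) as one script. This is an added example, not code from the question or the answer; it assumes a zone name in the first argument (empty means the default zone) and an optional extra port such as 443/tcp in the second, for a server that listens on TCP 443 rather than the openvpn service's default port.

```shell
#!/bin/sh
# Added example, not from the original question or answer.
# Applies the firewalld configuration described above for an OpenVPN server.
# Assumptions (not from the page): $1 = zone (empty = default zone),
# $2 = optional port spec such as 443/tcp.

# Emit the firewall-cmd invocations for a zone, one per line. Every setting
# is emitted twice: once for the runtime config (effective now) and once with
# --permanent (survives reload/reboot), because neither alone is sufficient.
fw_cmds() {
  zone_opt=""
  [ -n "$1" ] && zone_opt="--zone=$1"
  for perm in "" "--permanent"; do
    prefix="firewall-cmd${zone_opt:+ $zone_opt}${perm:+ $perm}"
    echo "$prefix --add-service=openvpn"
    [ -n "$2" ] && echo "$prefix --add-port=$2"
    echo "$prefix --add-masquerade"
  done
}

# Return 0 if service $2 appears in the space-separated list $1, e.g. the
# output of `firewall-cmd --list-services`.
has_service() {
  for s in $1; do
    [ "$s" = "$2" ] && return 0
  done
  return 1
}

# Run the commands as root, enable forwarding persistently, then verify.
# Forwarding is persisted via sysctl.d; a one-off write to /proc is lost at
# reboot. The zone should be the one of the Internet-facing interface, since
# that is where masquerading belongs. Re-running is safe: firewall-cmd only
# warns (ALREADY_ENABLED) when a setting is already present.
apply_openvpn_firewall() {
  zone="$1"; port="$2"
  fw_cmds "$zone" "$port" | while read -r cmd; do
    $cmd >/dev/null || { echo "failed: $cmd" >&2; exit 1; }
  done || return 1
  sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
  echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-openvpn-forward.conf
  zone_opt=""; [ -n "$zone" ] && zone_opt="--zone=$zone"
  has_service "$(firewall-cmd $zone_opt --list-services)" openvpn || return 1
  [ "$(firewall-cmd $zone_opt --query-masquerade)" = "yes" ]
}

# Usage (as root): sh this_script.sh apply [zone] [port/proto]
if [ "${1:-}" = "apply" ]; then apply_openvpn_firewall "${2:-}" "${3:-}"; fi
```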


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
