1

I am trying to set up an OpenVPN server on a VPS running Fedora Server 35. I got the VPN set up and working, but am running into issues with the firewall setup.

This is my first experience administering a firewall, and I'm not a Linux-native either, but I'm trying to learn. I followed a guide for a CentOS instance, but since CentOS is no longer, I opted for a Fedora image in Contabo.

The guide relied on firewalld, and since it was already installed and partly set up on my VPS, I did the same. I know that firewalld is the issue because when I turn it off, the VPN client connects without issues.

There are 2 active zones configured, FedoraServer and trusted. The FedoraServer zone came pre-configured with the VPS image, and it was set up as the default zone. I used the following commands to alter the configuration as per the guide:

firewall-cmd --zone=trusted --add-service openvpn
firewall-cmd --zone=trusted --add-service openvpn --permanent
firewall-cmd --add-masquerade
firewall-cmd --add-masquerade --permanent
VAR=$(ip route get 1.1.1.1 | awk 'NR==1 {print $(NF-2)}')
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o $VAR -j MASQUERADE
firewall-cmd --reload

The current zone info is as follows:

[~]# firewall-cmd --info-zone=FedoraServer
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: cockpit dhcpv6-client ssh
  ports: 
  protocols: 
  forward: no
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 
[~]# firewall-cmd --info-zone=trusted
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: tun0
  sources: 
  services: openvpn
  ports: 
  protocols: 
  forward: yes
  masquerade: yes
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

The interesting caveat is that when I set trusted as the default zone, I am able to connect to VPN with firewalld running, with NAT working and having Internet access.

Now, you could say problem solved. But due to my lack of knowledge I am concerned I might be leaving a hole in the security because the trusted zone uses target: ACCEPT.

I read countless threads on StackExchange, Fedora forums and OpenVPN forums, as well as the firewalld docs, to no avail. I feel I am missing underlying networking knowledge to figure this out, and I don't know what to search for anymore.

Any help, tips or guidance would be appreciated!

Skenja
  • 13
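As an added example (not part of the question or either answer), the following POSIX shell script parses the text that `firewall-cmd --info-zone=<zone>` prints and checks it for the two problems discussed on this page: a zone with `target: ACCEPT` bound to an interface, where the services list restricts nothing, and the zone that owns the public interface not admitting the openvpn service. The two zone dumps are constructed from the output quoted in the question, `eth0` is taken as the public interface as in the question, and the function names `zone_field` and `zone_findings` are my own, not firewalld commands.

```shell
#!/bin/sh
# Added example, not from the original question or answers: audit the text
# printed by `firewall-cmd --info-zone=<zone>` for (1) an ACCEPT target that
# makes the service list irrelevant and (2) a public-interface zone that does
# not allow the openvpn service. Both zone dumps below are constructed from
# the output quoted in the question.

FEDORA_ZONE=$(cat <<'EOF'
FedoraServer (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: cockpit dhcpv6-client ssh
  ports:
  protocols:
  forward: no
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

TRUSTED_ZONE=$(cat <<'EOF'
trusted (active)
  target: ACCEPT
  icmp-block-inversion: no
  interfaces: tun0
  sources:
  services: openvpn
  ports:
  protocols:
  forward: yes
  masquerade: yes
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
EOF
)

# zone_field ZONE_TEXT KEY -> the value after "  key:" (empty if the field is unset)
zone_field() {
    printf '%s\n' "$1" | awk -v f="$2" '
        { key = $1; sub(/:$/, "", key) }
        key == f { sub(/^[^:]*:[ ]?/, ""); print; exit }'
}

# zone_findings ZONE_TEXT PUBLIC_IFACE -> prints each finding on stderr and the
# number of findings on stdout (0 means the zone passes both checks)
zone_findings() {
    zone=$1; iface=$2; n=0
    name=$(printf '%s\n' "$zone" | awk 'NR == 1 { print $1 }')
    target=$(zone_field "$zone" target)
    interfaces=$(zone_field "$zone" interfaces)
    services=$(zone_field "$zone" services)

    # Check 1: with target ACCEPT every packet arriving on the zone's
    # interfaces is accepted, so the services list limits nothing.
    if [ "$target" = "ACCEPT" ] && [ -n "$interfaces" ]; then
        echo "$name: target ACCEPT on $interfaces; services ($services) do not limit anything" >&2
        n=$((n + 1))
    fi

    # Check 2: the zone that owns the public interface must allow the openvpn
    # service, otherwise VPN clients cannot reach the server through firewalld.
    case " $interfaces " in
        *" $iface "*)
            case " $services " in
                *" openvpn "*) ;;
                *) echo "$name: owns $iface but does not allow the openvpn service" >&2
                   n=$((n + 1)) ;;
            esac ;;
    esac

    echo "$n"
}

# Usage: audit both zones from the question with eth0 as the public interface.
# Findings go to stderr; the count per zone goes to stdout.
zone_findings "$FEDORA_ZONE" eth0
zone_findings "$TRUSTED_ZONE" eth0
```

On the question's configuration the script reports one finding per zone: FedoraServer owns eth0 but does not allow openvpn, and trusted accepts everything on tun0 regardless of its services list. To run it against a live host, replace the embedded dumps with `$(firewall-cmd --info-zone=FedoraServer)` and `$(firewall-cmd --info-zone=trusted)`.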

2 Answers

1

You could add services to the trusted zone and then change the target from ACCEPT to DROP. For example, to only allow openvpn and ssh you can do it like this:

# Both changes are made permanent so that the --reload below applies them;
# runtime-only changes (without --permanent) would be discarded by the reload.
sudo firewall-cmd --permanent --zone=trusted --add-service={ssh,openvpn}
sudo firewall-cmd --permanent --zone=trusted --set-target=DROP
sudo firewall-cmd --reload
Turdie
  • 2,945

1

It seems like you're on the right track, and you've made good progress in configuring your OpenVPN server on Fedora 35. The primary concern is making sure that your firewall settings are secure and not leaving any unnecessary holes.

Let's address your concerns and provide some guidance:

Default Zone:

It's common to have different zones for different purposes. If setting trusted as the default zone allows your VPN to work, that's fine. However, you rightly pointed out the concern with target: ACCEPT. In a more secure configuration, you'd want to limit access to only necessary services.

FedoraServer Zone:

If you want to use the FedoraServer zone as the default, you need to ensure that it allows the necessary traffic for OpenVPN. You've mentioned that OpenVPN works when trusted is set as the default, so it might be helpful to compare the settings between the two zones.

Adjusting FedoraServer Zone:

If you decide to use the FedoraServer zone as the default, you need to add rules to allow OpenVPN traffic. For example:

firewall-cmd --zone=FedoraServer --add-service=openvpn --permanent
firewall-cmd --reload