I am in a learning mode of using Rocky Linux, Openvpn and firewalld. I installed openvpn on Rocky Linux 8.6 and the install instructions specified to add service=openvpn permanent to zone trusted, also port 1194/udp to trusted. Zone=trusted is target=accept. However when I used an openvpn client polling failed. I then tried setting service=openvpn in public and port 1194/udp in public zone and I am working. My question is why, after reading about zone trusted with target=accept I felt that should have worked.
Can you try something like
firewall-cmd --get-active-zones
Odd way to say it.
Concept of zone (in FirewallD) is dualistic. It separates (decouples) FROM from WHAT.
- On one hand a zone is a list of machines that belong to zone. The FROM
- A zone is also a list of (filter) rules for all connections that come from machines that belong to zone. The WHAT
You can add and remove machines, and you can modify the ruleset of a zone.
As you say, zone “trusted” accepts all connections. Allowing packets explicitly to port 1194/udp does not change what is accepted. At most it gives statistics on how many connections are to that port (from machines in the zone).
OpenVPN, AFAIK, does two things:
- Runs a process that has connection to another machine, via existing (physical) interface, and uses the 1194/udp
- Creates new, virtual interface
Note that OpenVPN does not listen on 1194/udp on that virtual interface.
Let's take a simple machine with one interface. That NIC used to have the name “eth0”. The eth0 links the machine to subnet “LAN”. The machine has two routes:
- to LAN via eth0
- to everywhere else via Router that is in LAN
You start the OpenVPN server. It listens on 1194/udp on eth0.
Some machine connects to 1194/udp on eth0 and forms VPN Tunnel (if connection is allowed).
For the tunnel, OpenVPN creates interface “vpn0”.
Now your machine has two interfaces, eth0 and vpn0 that link to LAN and VPN subnets.
All outgoing traffic is allowed by default. All machines (in LAN, VPN, etc.) belong to zone “public” by default, and public allows incoming ssh (and a couple of other things).
If you want machines in VPN to connect to other services, then they must be set into zone that allows all the things you want. The trusted allows everything.
If you had a machine in LAN and another in VPN that should access (exactly) ssh and https, then those two machines would be in distinct zone that should allow ssh and https.
The machines in VPN probably do not connect to 1194/udp, because they already reach you “via tunnel”.
A whole separate (and new) topic is whether a machine in LAN should reach a machine in VPN (or vice versa).
Then your machine acts as server between the LAN and VPN subnets.
If both LAN and VPN are in same zone, then filter rules about traffic within zone do apply.
If they are in different zones, then … FirewallD does finally support this with policies. A policy is what is allowed from one zone to another. Since this is very new, it is likely that “guides” do not know about it yet.
Anyway, it is useful to know what the actual rules in the kernel are, and those you can see with:
sudo nft list ruleset
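The practical upshot of the answer above, as an added example (not code from the thread or from the firewalld or OpenVPN projects): the 1194/udp listener has to be opened in the zone that owns the physical interface the client packets arrive on (public by default), while the tunnel interface can be bound to trusted so that connections coming through the VPN are accepted. The script below parses the output of `firewall-cmd --get-active-zones` to find which zone owns an interface, then prints the firewall-cmd commands for that layout. Interface names eth0 and tun0, the zone listing and the 10.8.0.0/24 subnet are constructed sample values; only `--live` queries the real firewall.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the physical NIC is eth0
# and the OpenVPN tunnel device is tun0; adjust both to the real host.

# zone_of_interface IFACE
# Reads `firewall-cmd --get-active-zones` output on stdin and prints the zone
# whose "interfaces:" line lists IFACE (prints nothing if no zone owns it).
zone_of_interface() {
  awk -v want="$1" '
    /^[^ \t]/ { zone = $1; next }                 # unindented line = zone name
    /^[ \t]+interfaces:/ {
      for (i = 2; i <= NF; i++) if ($i == want) { print zone; exit }
    }'
}

# plan_openvpn_rules PHYS_IFACE TUN_IFACE
# Resolves the zone of PHYS_IFACE from the listing on stdin, then prints the
# commands that open the openvpn service (1194/udp) in THAT zone, where the
# client packets actually arrive, and bind TUN_IFACE to trusted. Opening the
# port in trusted alone changes nothing, because trusted is target=accept and
# the physical interface is not in it.
plan_openvpn_rules() {
  phys="$1"; tun="$2"
  zone=$(zone_of_interface "$phys")
  [ -n "$zone" ] || { echo "no active zone owns $phys" >&2; return 1; }
  echo "firewall-cmd --permanent --zone=$zone --add-service=openvpn"
  echo "firewall-cmd --permanent --zone=trusted --change-interface=$tun"
  echo "firewall-cmd --reload"
}

# Constructed sample of `firewall-cmd --get-active-zones` on a fresh install:
# both the NIC and the tunnel device landed in the default zone, public.
SAMPLE_ACTIVE_ZONES='public
  interfaces: eth0 tun0
internal
  sources: 10.8.0.0/24'

if [ "$1" = "--live" ]; then
  # Plan against the real host (read-only query; nothing is applied).
  firewall-cmd --get-active-zones | plan_openvpn_rules eth0 tun0
else
  printf '%s\n' "$SAMPLE_ACTIVE_ZONES" | plan_openvpn_rules eth0 tun0
fi
```

The script only prints the commands; review them and run them yourself, then confirm the result with `firewall-cmd --get-active-zones` and `firewall-cmd --zone=public --list-services` before testing a client. If tun0 should not be fully trusted, bind it to a zone that allows exactly the services the VPN clients need instead of trusted.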
Thank you for your enlightening description of how the firewall and vpn interface. I have a good basis on which to study this interface interaction.