Expose internal LAN to VPN using CentOS FirewallD

Question

I have a (tinc) VPN setup with multiple clients that connect to a VPN server that sits on a LAN behind a firewall. I want to expose that LAN to the VPN that server is serving. I've seen a few examples around the net how to configure iptables, but I'd like to configure this setup using FirewallD, and have not yet succeeded.

The VPN subnet is 10.0.0.0/24 and the local LAN is 192.168.178.0/24 . The VPN server is at 10.0.0.60 and 192.168.178.47 . The test client is at 10.0.0.17 .

I've ran:

firewall-cmd --permanent --zone=external --add-interface=vpn
firewall-cmd --permanent --zone=internal --add-interface=eth0
firewall-cmd --permanent --zone=external --add-masquerade
systemctl restart firewalld

on the VPN server, and on the client:

route add -net 192.168.178.0 netmask 255.255.255.0 gw 10.0.0.60
ping 192.168.178.1

Which returned 100% packetloss. Is there anything I'm doing wrong?

PS: If I run "ping 192.168.178.47" on the test client I do get replies! Just not the rest of the LAN.

Answer 1

Your clients on the other end need the routing information as well, so I believe you'll need to have a gateway set for them to talk the other way around unless your VPN server currently acts as the default gateway on the 192.168.178.x network.

(if your firewall is set up right), the machines on the local LAN would need:

route add -net 10.0.0.0 netmask 255.255.255.0 gw 192.168.178.47

It would be BETTER to add this rule to your default gateway if at all possible, otherwise each machine would need the static route in order to communicate.