I have a server which is running OpenVPN as a client in a routed network. I'm trying to use firewalld to apply rules to packets coming over the OpenVPN tunnel interface but they are not working as I expect.

For example, given a 10.100.0.0/24 network and two clients, client1 with IP 10.100.0.2 and client2 with IP 10.100.0.3, client1 is trying to ssh into client2 over the VPN. By default, client1 is able to successfully ssh into client2. However, when I try adding client2's tunnel interface (tun1) to the drop zone:

sudo firewall-cmd --zone=drop --add-interface=tun1

client1 is still able to ssh into client2 even though I added the tunnel interface to the drop zone. Also, the above command returns the following message: "The interface is under control of NetworkManager".

I don't know why the drop zone rules aren't affecting the packets coming from client1. Could it have something to do with NetworkManager controlling the tunnel interface? Also, even if the rules did apply, I don't know if the rules/zone assignment would survive a firewall reload or a system reboot, since the interface isn't for a physical device. I tried changing the zone with the --permanent flag, but it didn't seem to save the interface to the zone properly (firewall-cmd --zone=drop --list-all did not show the tun1 interface after a firewall reload).

1 Answer

One way to prevent NetworkManager from managing one of your interfaces is to create a file in /etc/udev/rules.d/00-custom.rules and add the following content:

# Interfaces that shouldn't be managed by NetworkManager
ACTION=="add", SUBSYSTEM=="net", KERNEL=="tun1", ENV{NM_UNMANAGED}="1"

Unless you really want to use firewalld, there is no need to do that.

If you want to move an interface managed by NetworkManager in a specific zone you can do that with the nm-connection-editor tool: right click on the interface -> edit -> General panel.

Luca Gibelli
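Added example, not part of the answer above: a small POSIX shell diagnostic for the situation in the question. It parses the output of `nmcli -t -f DEVICE,STATE device` and `firewall-cmd --get-active-zones` to report whether firewalld actually has the tunnel interface in the zone you expect, and whether NetworkManager is the one controlling it. The sample outputs and the function names are constructed for illustration; run it with `--live` on a real host to use the actual commands.

```shell
#!/bin/sh
# Diagnose why firewalld zone rules may not apply to an OpenVPN tun interface.
# The parsers take command output as an argument, so they can be exercised
# offline on the constructed samples below.

# Parse `nmcli -t -f DEVICE,STATE device` ("dev:state" per line) and print the
# state of DEV, or "absent" if NetworkManager does not list the device at all.
nm_device_state() {
    dev="$1"; nmcli_out="$2"
    printf '%s\n' "$nmcli_out" | awk -F: -v d="$dev" '
        $1 == d { print $2; found = 1; exit }
        END { if (!found) print "absent" }'
}

# Parse `firewall-cmd --get-active-zones` (zone name on its own line, then
# indented "interfaces:" / "sources:" lines) and print the zone whose
# interface list contains DEV, or "none" if no active zone binds it.
zone_of_interface() {
    dev="$1"; zones_out="$2"
    printf '%s\n' "$zones_out" | awk -v d="$dev" '
        /^[^ \t]/ { zone = $1; next }
        $1 == "interfaces:" { for (i = 2; i <= NF; i++) if ($i == d) { print zone; found = 1; exit } }
        END { if (!found) print "none" }'
}

# Verdict for DEV against the zone WANT: "ok" (bound as expected),
# "nm-managed" (not bound, and NetworkManager owns the device, so the zone
# has to be set on the NM connection, not with --add-interface), or
# "mismatch" (not bound and NM is not in the way: check the permanent config).
tun_zone_verdict() {
    dev="$1"; want="$2"; nmcli_out="$3"; zones_out="$4"
    state=$(nm_device_state "$dev" "$nmcli_out")
    zone=$(zone_of_interface "$dev" "$zones_out")
    if [ "$zone" = "$want" ]; then echo ok
    elif [ "$state" != unmanaged ] && [ "$state" != absent ]; then echo nm-managed
    else echo mismatch; fi
    printf '%s: nm state=%s, active zone=%s (wanted %s)\n' "$dev" "$state" "$zone" "$want" >&2
}

# Constructed sample output (not captured from a real host).
SAMPLE_NMCLI='eth0:connected
tun1:connected (externally)
lo:unmanaged'
SAMPLE_ZONES='public
  interfaces: eth0
drop
  sources: 192.0.2.0/24'

case "${1:-}" in
    --live) tun_zone_verdict "${2:-tun1}" "${3:-drop}" \
                "$(nmcli -t -f DEVICE,STATE device)" "$(firewall-cmd --get-active-zones)" ;;
    *)      tun_zone_verdict tun1 drop "$SAMPLE_NMCLI" "$SAMPLE_ZONES" ;;
esac
```

On the constructed sample the verdict is `nm-managed`: tun1 is not in any active zone and NetworkManager reports it as connected, which matches the "interface is under control of NetworkManager" message in the question.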