Firewalld forward for OpenVPN client-specific rules

Hi All,
I’ve set up client-specific rules in OpenVPN.
Now I’d like to forward a virtual IP range to a specific server.
The iptables command should be this:
iptables -A FORWARD -i tun0 -s 10.8.2.0/24 -d 10.66.4.12 -j ACCEPT

I tried to add it with firewall-cmd, because Leap 15.5 uses firewalld:
firewall-cmd --direct --add-rule ipv4 filter FORWWARD 0 -i tun0 -s 10.8.2.0/24 -d 10.66.4.12 -j ACCEPT
I got an error message:
Error: COMMAND_FAILED: ‘/usr/sbin/iptables-restore -w -n’ failed: iptables-restore: line 2 failed

What did I do wrong?

But it would be good to add this rule without --direct, because that is deprecated and will be removed.

Thanks for any suggestion.

A typo: “FORWWARD” should be “FORWARD”


Oh, my gosh!
I read the command several times and skimmed over this, even when I wrote the post!

Thank You so much! :slight_smile:

The filter doesn’t work. :frowning:
Let’s start from the beginning.
I have an OpenVPN server (10.66.4.10) which basically works fine. I’d like to allow access to a specific server (10.66.4.12) for one user only.
Added to the VPN server config:

server 10.8.0.0 255.255.255.0
route 10.8.2.0 255.255.255.0
client-config-dir ccd
push "route 10.66.4.0 255.255.255.0"

Created a user config file in the ccd folder:

ifconfig-push 10.8.2.1 10.8.2.2
iroute 10.8.2.0 255.255.255.0

Added two filters to the firewall:

ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
ipv4 filter FORWARD 0 -i tun0 -s 10.8.2.0/24 -d 10.66.4.12 -j ACCEPT

The user connects to the VPN server and gets the 10.8.2.1 IP address, but can’t access the 10.66.4.12 server.

What is the problem? Did I miss something?

Does it work when you stop the firewall?

No.
But I think this is the normal way, because the user connects to the VPN server, gets a virtual IP (10.8.2.1) and can’t go anywhere from that subnet without a firewalld rule.

Please show the routing table when the VPN connection is active.

You do not even explain where it needs to go. We do not know how the servers are interconnected. Any complex network question needs to start with a diagram of the network.

But there are common points: routing on every involved system needs to allow communication (each system needs a route to the partner). If traffic goes through some intermediate system, it needs to enable and allow forwarding between interfaces. Is forwarding enabled on your VPN server? Does your client have a route entry matching 10.66.4.12 so it knows where to send packets to start with?

ip route
default via 10.66.4.254 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.8.2.0/24 via 10.8.0.2 dev tun0
10.66.4.0/24 dev eth0 proto kernel scope link src 10.66.4.10

You do not even explain where it needs to go.

Sorry.
The real subnet is: 10.6.4.0
Router: 10.6.4.254
OpenVPN server: 10.6.4.10
Samba server: 10.6.4.12

The user connects to the OpenVPN server from outside via the router, and I’d like to let the user access the Samba server only.
Defined the virtual IP range for the OpenVPN server in the config:
server 10.8.0.0 255.255.255.0
Also defined another virtual IP range and client config dir:

route 10.8.2.0 255.255.255.0
client-config-dir ccd

When the user connects to the OpenVPN server and gets an IP from the 10.8.2.0 range, they should be able to reach the Samba server at 10.66.4.12.
That’s why I added a filter to the firewall:

ipv4 filter FORWARD 0 -i tun0 -s 10.8.2.0/24 -d 10.66.4.12 -j ACCEPT

Is it enough?
Thanks

No. To reiterate:

Does your client have a route entry matching 10.66.4.12 so it knows where to send packets to start with?

Is forwarding enabled on your VPN server?

Ok. I didn’t write some basic information, but it was obvious to me.
The OpenVPN server is working normally. I’m connecting to the VPN server with my account and can reach the whole subnet (10.66.4.0/24).
So the answer is: yes, forwarding is enabled on the VPN server.

Sorry, maybe I don’t understand your question.
I think the specified client will have a route to 10.66.4.12 through the VPN virtual IP range (10.8.2.0/24) with the FORWARD rule.

Show output of

ip -4 route show

on the client after the VPN connection has been established.

The client is on Windows. :slight_smile:
I’ll put the config on my computer and check.

You may be surprised, but Windows has command line too.

route print

Absolutely surprised. :smiley: I don’t like to use it.

Here it is:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.2.254     192.168.2.29     25
         10.8.0.1  255.255.255.255         10.8.2.2         10.8.2.1    225
         10.8.2.0  255.255.255.252          On-link         10.8.2.1    281
         10.8.2.1  255.255.255.255          On-link         10.8.2.1    281
         10.8.2.3  255.255.255.255          On-link         10.8.2.1    281
        127.0.0.0        255.0.0.0          On-link        127.0.0.1    331
        127.0.0.1  255.255.255.255          On-link        127.0.0.1    331
  127.255.255.255  255.255.255.255          On-link        127.0.0.1    331
      192.168.2.0    255.255.255.0          On-link     192.168.2.29    281
     192.168.2.29  255.255.255.255          On-link     192.168.2.29    281
    192.168.2.255  255.255.255.255          On-link     192.168.2.29    281
        10.66.4.0    255.255.255.0         10.8.2.2         10.8.2.1    225
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    331
        224.0.0.0        240.0.0.0          On-link         10.8.2.1    281
        224.0.0.0        240.0.0.0          On-link     192.168.2.29    281
  255.255.255.255  255.255.255.255          On-link        127.0.0.1    331
  255.255.255.255  255.255.255.255          On-link         10.8.2.1    281
  255.255.255.255  255.255.255.255          On-link     192.168.2.29    281

The 192.168.2.0 subnet is my own.
And there’s no route to 10.66.4.12.

There is a route for 10.66.4.0/255.255.255.0, but it is hard to spot with such formatting.

Post

grep . /proc/sys/net/ipv4/conf/*/forwarding

from your VPN server.
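The check being asked for in this thread is a plain longest-prefix route lookup on every host along the path, in both directions, and the Windows table above shows how easy it is to miss a matching entry by eye. The script below is an added example, not code from the thread: it parses the Linux `ip -4 route show` output and the Windows `route print` rows posted above, then reports which route each host would use for a destination. The Samba server's table is never shown in the thread, so the block uses a constructed sample for 10.66.4.12 (only a LAN route and a default gateway), labelled as such in the code. Note that the MASQUERADE rule posted earlier covers 10.8.0.0/24 only, so packets from 10.8.2.0/24 arrive at 10.66.4.12 with their VPN source address and the reply path depends on that host's routing table, which is what the next reply asks for.

```python
"""Longest-prefix route lookup over the routing tables posted in the thread.

Added example, not code from the thread. Parses Linux "ip -4 route show"
output and the Active Routes rows of Windows "route print", then answers
which route a host uses for a destination, on the forward and reply path.
"""
import ipaddress

# "ip -4 route show" from the VPN server 10.66.4.10, copied from the thread.
VPN_SERVER_ROUTES = """\
default via 10.66.4.254 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.8.2.0/24 via 10.8.0.2 dev tun0
10.66.4.0/24 dev eth0 proto kernel scope link src 10.66.4.10
"""

# "route print" rows from the Windows VPN client, copied from the thread
# (a subset of the Active Routes section, header lines included).
WINDOWS_CLIENT_ROUTES = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.2.254     192.168.2.29     25
         10.8.0.1  255.255.255.255         10.8.2.2         10.8.2.1    225
         10.8.2.0  255.255.255.252          On-link         10.8.2.1    281
      192.168.2.0    255.255.255.0          On-link     192.168.2.29    281
        10.66.4.0    255.255.255.0         10.8.2.2         10.8.2.1    225
        224.0.0.0        240.0.0.0          On-link        127.0.0.1    331
"""

# CONSTRUCTED sample for the Samba server 10.66.4.12: the thread never shows
# its table, so this is a hypothetical host that knows only its LAN and a
# default gateway (the router, not the VPN server).
SAMBA_SERVER_ROUTES_SAMPLE = """\
default via 10.66.4.254 dev eth0
10.66.4.0/24 dev eth0 proto kernel scope link src 10.66.4.12
"""


def parse_linux(text):
    """Parse "ip route" lines into (network, gateway, device, metric)."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        # A bare address without a prefix is a host route, i.e. /32.
        net = (ipaddress.ip_network("0.0.0.0/0") if parts[0] == "default"
               else ipaddress.ip_network(parts[0], strict=False))
        gateway = parts[parts.index("via") + 1] if "via" in parts else "on-link"
        device = parts[parts.index("dev") + 1] if "dev" in parts else "?"
        metric = int(parts[parts.index("metric") + 1]) if "metric" in parts else 0
        routes.append((net, gateway, device, metric))
    return routes


def parse_windows(text):
    """Parse "route print" Active Routes rows into the same tuple shape."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:        # header and blank lines have a different field count
            continue
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue               # a non-route row that happens to have 5 fields
        gateway = "on-link" if gateway.lower() == "on-link" else gateway
        routes.append((net, gateway, iface, int(metric)))
    return routes


def lookup(routes, destination):
    """Longest-prefix match; among equal prefix lengths the lower metric wins.
    Returns (network, gateway, device, metric) or None if nothing matches."""
    addr = ipaddress.ip_address(destination)
    best = None
    for route in routes:
        net, _, _, metric = route
        if addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen or (
                net.prefixlen == best[0].prefixlen and metric < best[3]):
            best = route
    return best


def describe(name, routes, destination):
    """One-line summary of the route a host would pick for a destination."""
    hit = lookup(routes, destination)
    if hit is None:
        return f"{name}: no route to {destination}"
    net, gateway, device, _ = hit
    return f"{name}: {destination} -> {net} via {gateway} dev {device}"


if __name__ == "__main__":
    client = parse_windows(WINDOWS_CLIENT_ROUTES)
    vpn = parse_linux(VPN_SERVER_ROUTES)
    samba = parse_linux(SAMBA_SERVER_ROUTES_SAMPLE)
    # Forward path: client -> VPN server -> Samba server.
    print(describe("client", client, "10.66.4.12"))
    print(describe("vpn-server", vpn, "10.66.4.12"))
    # Reply path: Samba server -> (?) -> client 10.8.2.1.
    print(describe("samba(sample)", samba, "10.8.2.1"))
    print(describe("vpn-server", vpn, "10.8.2.1"))
```

With the tables from the thread the forward path resolves on both the client (10.66.4.0/24 via 10.8.2.2) and the VPN server (10.66.4.0/24 on eth0); with the constructed Samba table the reply to 10.8.2.1 falls through to the default route, i.e. to the router rather than the VPN server, which is exactly the kind of one-way reachability that a FORWARD rule alone cannot fix. Replace the sample with the real `ip -4 route show` output from 10.66.4.12 to get the actual answer.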

Sorry. I was writing in a hurry and forgot to format. :frowning: Sorry again.

Here it is:

grep . /proc/sys/net/ipv4/conf/*/forwarding
/proc/sys/net/ipv4/conf/all/forwarding:1
/proc/sys/net/ipv4/conf/default/forwarding:1
/proc/sys/net/ipv4/conf/eth0/forwarding:1
/proc/sys/net/ipv4/conf/lo/forwarding:1
/proc/sys/net/ipv4/conf/tun0/forwarding:1

And here is the routing table from the VPN server when the client is connected:

ip -4 route show
default via 10.66.4.254 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
10.8.2.0/24 via 10.8.0.2 dev tun0
10.66.4.0/24 dev eth0 proto kernel scope link src 10.66.4.10

Good. And now the routing table from the server 10.66.4.12.