I use firewalld and OpenVPN. The desktop computer is used in a home environment. I have set the ordinary use to zone=home and the tun0 to zone=trusted. I'm not sure if this is the right setup for the service and the security of my Linux box; I have tried to google this, but have not found any easy explanations of how to set this up. The VPN connection works fine, but I'm a little worried.
Can someone give me a hint or point to a good setup for the firewall?
You can check the zone definitions (located in /etc/firewalld/zones/) for yourself. Of course they can be tweaked to suit your specific requirements if desired.
I have read the articles you sent and I have to read those carefully once or twice (or more) before I get the whole picture, but is all traffic from my Linux box routed through tun0 (both in my home network and the WAN) when I activate the VPN?
Because when I run:
firewall-cmd --zone=trusted --list-services
the output is empty. I thought maybe this tun0 interface was only for the internet.
The actively set firewall zone should depend on the network you are connecting to.
If you are securely in your home network, which is behind a firewall or NAT, any of the less paranoid, trusting zones should be OK.
Setting to a more trusting zone would allow easier network connections between machines in your home network.
If on the other hand this is a laptop that you might take with you outside your home (or business) network and connect to untrusted networks like public WiFi hotspots, then you would want to set your zone to an untrusting "External" zone.
When a VPN tunnel is employed (as the OP has already indicated), the local gateway firewall is effectively bypassed (tunnelled through). Hence, firewalling on the client device is important.
I have changed the zone for tun0 to "public" based on what you guys say about the tunnel bypassing the home router. It seems to work OK. When I run:
sudo firewall-cmd --zone=public --list-all
public
target: default
icmp-block-inversion: no
interfaces:
sources:
services: dhcpv6-client samba
ports: 111/tcp 2049/tcp 20048/tcp
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
the services listed are dhcpv6-client samba, but the services for http and bittorrent are not there. In the firewall GUI there are a lot of possible services, but I only get those two. Is it something I have misunderstood? (In life, yes, but concerning the services needed to run a desktop with a connection to the Internet.) And should tun0 not be printed after "interfaces:"?
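An empty "interfaces:" line means no interface is currently bound to that zone, so tun0 is still wherever it was before (firewall-cmd --get-zone-of-interface=tun0 shows where). The zone's "services:" list only opens inbound ports; outbound browsing or torrent traffic from the desktop does not need http or bittorrent added to the zone. The following is an added example, not code from this thread: it parses a --list-all listing (a constructed copy of the output posted above) and reports whether an interface is bound and which inbound services you expect are missing, printing the real firewall-cmd options that would fix each finding.

```shell
#!/bin/sh
# Added example: audit a firewalld "--list-all" listing for an interface binding
# and a set of required inbound services. Constructed sample from the thread:
SAMPLE_PUBLIC='public
  target: default
  icmp-block-inversion: no
  interfaces:
  sources:
  services: dhcpv6-client samba
  ports: 111/tcp 2049/tcp 20048/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:'

# field_of LISTING KEY -> value after "KEY:" (empty when the zone has none)
field_of() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# zone_has_iface IFACE LISTING -> 0 if IFACE appears under "interfaces:"
zone_has_iface() {
    for i in $(field_of "$2" interfaces); do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# missing_services LISTING SVC... -> prints each SVC not under "services:"
missing_services() {
    listing=$1; shift
    enabled=" $(field_of "$listing" services) "
    for s in "$@"; do
        case "$enabled" in *" $s "*) ;; *) printf '%s\n' "$s" ;; esac
    done
}

# audit_zone ZONE IFACE LISTING SVC... -> 0 only when IFACE is bound and every
# SVC is enabled; otherwise prints one finding per problem with the fix command.
audit_zone() {
    zone=$1; iface=$2; listing=$3; shift 3; rc=0
    if ! zone_has_iface "$iface" "$listing"; then
        echo "$iface not bound to $zone: firewall-cmd --permanent --zone=$zone --change-interface=$iface && firewall-cmd --reload"
        rc=1
    fi
    for m in $(missing_services "$listing" "$@"); do
        echo "$m not enabled in $zone: firewall-cmd --permanent --zone=$zone --add-service=$m"
        rc=1
    done
    return $rc
}
# Live use (needs firewalld): audit_zone public tun0 "$(firewall-cmd --zone=public --list-all)" ssh
```

Only list services you actually serve to the VPN side as required; a desktop that serves nothing over tun0 should pass the audit with no services at all.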