Openvpn firewall zone

Hi,

I use firewalld and OpenVPN. The desktop computer is used in a home environment. I have set the ordinary use to zone=home and the tun0 to zone=trusted. I’m not sure if this is the right setup for the service and the security of my Linux box. I have tried to google this, but have not found any easy explanation of how to set this up. The VPN connection works fine, but I’m a little worried.

Can someone give me a hint or point to a good setup for the firewall?

Dag R

Interfaces that face the internet (such as tun0 in your case) should be protected. I personally would not select trusted.

Zone descriptions are listed here:
https://firewalld.org/documentation/man-pages/firewalld.zones.html
https://www.linuxjournal.com/content/understanding-firewalld-multi-zone-configurations

You can check the zone definitions (located in /etc/firewalld/zones/) for yourself. Of course they can be tweaked to suit your specific requirements if desired.

A question about the interfaces. Is tun0 used for all traffic from my machine when I use this?

I have read the articles you sent and I have to read those carefully once or twice (or more) before I get the whole picture, but is all traffic from my Linux box routed through tun0 (both in my home network and the WAN) when I activate the VPN?

Because when I run:

firewall-cmd --zone=trusted --list-services

the output is nil. I thought maybe this tun0 interface was only for internet.

Dag R

Share the routing table when VPN connection is active…

ip route

Just external traffic. Internal (LAN) traffic will be outside the tunnel, i.e. on the applicable ethernet or wlan interface.
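Added example, not part of the thread: a POSIX shell script that reads an `ip route` table and answers the question of what goes through the tunnel. It assumes the tunnel interface is tun0 and the LAN interface eth0; the sample table is constructed, with 10.8.0.0/24 as the VPN's tunnel network, 192.168.1.0/24 as the home LAN and 203.0.113.5 standing in for the VPN server. The point it makes: OpenVPN's usual `redirect-gateway def1` option does not replace the default route. It adds 0.0.0.0/1 and 128.0.0.0/1 via the tunnel, which win because they are more specific than /0, so a check that only looks at the `default` line concludes, wrongly, that nothing is tunnelled. The LAN prefix and the host route to the VPN server stay on eth0, which is the "just external traffic" behaviour described above.

```shell
#!/bin/sh
# Added example (not from the thread): decide from `ip route` output whether
# the VPN carries the effective default route and which prefixes stay outside
# the tunnel. Runs offline on a constructed table; pass --live to read the
# real one with `ip route`.

# Constructed sample: an OpenVPN client that received "redirect-gateway def1".
# The original default route survives; the two /1 routes steer everything
# else into tun0. 203.0.113.5 is the VPN server, 192.168.1.0/24 the home LAN.
SAMPLE_ROUTES='default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20 metric 100
203.0.113.5 via 192.168.1.1 dev eth0 metric 100'

# route_dev ROUTES PREFIX  -> device of the route whose first field is PREFIX
route_dev() {
    printf '%s\n' "$1" | awk -v pfx="$2" \
        '$1 == pfx { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# effective_default_dev ROUTES  -> device that unmatched traffic really leaves
# on: the def1 pair (0.0.0.0/1 + 128.0.0.0/1) beats "default" when present.
effective_default_dev() {
    lo=$(route_dev "$1" 0.0.0.0/1)
    hi=$(route_dev "$1" 128.0.0.0/1)
    if [ -n "$lo" ] && [ "$lo" = "$hi" ]; then
        printf '%s\n' "$lo"
    else
        route_dev "$1" default
    fi
}

# tunnel_is_default ROUTES IFACE  -> exit 0 if IFACE carries the effective default
tunnel_is_default() {
    [ "$(effective_default_dev "$1")" = "$2" ]
}

# outside_tunnel ROUTES IFACE  -> prints destinations (other than the "default"
# line) reached on interfaces other than IFACE, one per line.
outside_tunnel() {
    printf '%s\n' "$1" | awk -v tun="$2" '
        $1 == "default" { next }
        { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) != tun) print $1 }'
}

if [ "${1:-}" = "--live" ] && command -v ip >/dev/null 2>&1; then
    ROUTES=$(ip route)
else
    ROUTES=$SAMPLE_ROUTES
fi
if tunnel_is_default "$ROUTES" tun0; then
    echo "default route goes through tun0"
else
    echo "WARNING: tun0 is not the effective default route; traffic leaves unprotected"
fi
echo "reached outside the tunnel:"
outside_tunnel "$ROUTES" tun0
```

Run it with no arguments to see the constructed case, or with `--live` on the box while the VPN is up. Anything `outside_tunnel` prints besides your LAN prefix and the VPN server's host route deserves a look, since it is traffic that bypasses the tunnel.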

The actively set firewall zone should depend on the network you are connecting to.
If you are securely in your home network, which is behind a firewall or NAT, then any of the less paranoid, trusting zones should be OK.
Setting to a more trusting zone would allow easier network connections between machines in your home network.

If on the other hand this is a laptop that you might take with you outside your home (or business) network and connect to untrusted networks like public WiFi hotspots, then you would want to set your zone to an untrusting "External" zone.

TSU

When a VPN tunnel is employed (as the OP has already indicated), the local gateway firewall is effectively bypassed (tunnelled through). Hence, firewalling on the client device is important.

I have changed the zone for tun0 to “public” because of what you guys say about the tunnel bypassing the home router. It seems to work OK. When I run:

sudo firewall-cmd --zone=public --list-all
public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client samba
  ports: 111/tcp 2049/tcp 20048/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

the services listed are dhcpv6-client and samba, but the services for http and bittorrent are not there. In the firewall GUI there are a lot of possible services, but I only get those two. Is it something I have misunderstood? (In life, yes, but concerning the services needed to run a desktop with a connection to the Internet.) And should tun0 not be printed after “interfaces:”?

Dag R
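Added example, not part of the thread, on the two questions in the last post. The `services:` and `ports:` lines of a zone list what the zone accepts inbound on its interfaces; in firewalld's default configuration outgoing connections are not filtered at all, so browsing or downloading does not need http or a bittorrent service in the zone, only serving them would. The `interfaces:` line shows only interfaces bound to the zone at that moment: if tun0 did not exist when the command ran (tunnel down) or is bound elsewhere, it is not listed, and `firewall-cmd --get-active-zones` or `firewall-cmd --get-zone-of-interface=tun0` with the tunnel up shows the real binding. What is listed is the part worth worrying about: samba plus ports 111/tcp, 2049/tcp and 20048/tcp (rpcbind, NFS and mountd) are LAN-only services, and on a zone that will hold the tunnel interface they are reachable from the far end of the tunnel. The script below parses a zone dump in the format shown above and prints the `firewall-cmd` commands that bind the interface and remove the LAN-only entries. The dump, the "hardened" counterpart and the LAN-only list are constructed for the example; `--live` reads the real zone. If the VPN is a NetworkManager connection, the zone is normally set on the connection instead (`nmcli connection modify <name> connection.zone public`), which is an assumption about the setup that the thread does not state.

```shell
#!/bin/sh
# Added example (not from the thread): audit a firewalld zone dump for
# LAN-only services that should not be reachable on an internet-facing
# interface such as the VPN tunnel, and print the firewall-cmd commands
# that would fix it. Nothing is executed; runs offline on a constructed sample.

# Constructed sample in the shape of the `firewall-cmd --zone=public --list-all`
# output from the thread: no interface bound, samba plus rpcbind/nfs/mountd
# ports (111, 2049, 20048) opened.
SAMPLE_ZONE='public
  target: default
  icmp-block-inversion: no
  interfaces: 
  sources: 
  services: dhcpv6-client samba
  ports: 111/tcp 2049/tcp 20048/tcp
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# Constructed: the same zone once tun0 is bound and the LAN-only services are
# gone (nothing accepted inbound over the tunnel).
HARDENED_ZONE='public (active)
  target: default
  icmp-block-inversion: no
  interfaces: tun0
  sources: 
  services: 
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: '

# Services and ports that belong on a LAN zone only (assumption: a reasonable
# default for a home desktop; extend as needed).
LAN_ONLY_SERVICES='samba samba-client nfs mountd rpc-bind mdns ssdp'
LAN_ONLY_PORTS='111/tcp 111/udp 2049/tcp 20048/tcp 139/tcp 445/tcp'

# zone_field DUMP FIELD  -> value after "FIELD:" (empty if none)
zone_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2:[[:space:]]*//p"
}

# zone_has_interface DUMP IFACE  -> exit 0 if IFACE is bound to this zone
zone_has_interface() {
    for i in $(zone_field "$1" interfaces); do
        if [ "$i" = "$2" ]; then return 0; fi
    done
    return 1
}

# zone_exposed DUMP  -> prints LAN-only services/ports open in the zone, one
# per line; exit 1 if any were found
zone_exposed() {
    found=''
    for s in $(zone_field "$1" services); do
        for bad in $LAN_ONLY_SERVICES; do
            if [ "$s" = "$bad" ]; then found="$found $s"; fi
        done
    done
    for p in $(zone_field "$1" ports); do
        for bad in $LAN_ONLY_PORTS; do
            if [ "$p" = "$bad" ]; then found="$found $p"; fi
        done
    done
    for f in $found; do printf '%s\n' "$f"; done
    if [ -n "$found" ]; then return 1; fi
    return 0
}

# plan_zone_hardening DUMP ZONE IFACE  -> prints the firewall-cmd commands that
# bind IFACE to ZONE, drop every exposed LAN-only entry, and reload.
# Review the plan, then pipe it to `sudo sh` if it is what you want.
plan_zone_hardening() {
    dump=$1; zone=$2; iface=$3
    if ! zone_has_interface "$dump" "$iface"; then
        printf 'firewall-cmd --permanent --zone=%s --change-interface=%s\n' "$zone" "$iface"
    fi
    for item in $(zone_exposed "$dump" || true); do
        case $item in
            */tcp|*/udp) printf 'firewall-cmd --permanent --zone=%s --remove-port=%s\n' "$zone" "$item" ;;
            *)           printf 'firewall-cmd --permanent --zone=%s --remove-service=%s\n' "$zone" "$item" ;;
        esac
    done
    printf 'firewall-cmd --reload\n'
}

# `./zone-audit.sh --live [zone] [iface]` reads the runtime zone on the box;
# with no arguments it audits the constructed sample.
if [ "${1:-}" = "--live" ] && command -v firewall-cmd >/dev/null 2>&1; then
    plan_zone_hardening "$(firewall-cmd --zone="${2:-public}" --list-all)" "${2:-public}" "${3:-tun0}"
else
    plan_zone_hardening "$SAMPLE_ZONE" public tun0
fi
```

On the sample the plan is one `--change-interface=tun0`, one `--remove-service=samba`, three `--remove-port` lines and a `--reload`; on the hardened dump it reduces to the reload alone. The commands use `--permanent` so they survive a restart, which is why the reload is needed to make them live.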