On Fri, Mar 20, 2020 at 09:23:45PM +0100, Hans-Peter Jansen wrote:
On Friday, 20 March 2020, 20:12:03 CET, Eric Garver wrote:
On Fri, Mar 20, 2020 at 08:39:36AM +0100, Hans-Peter Jansen wrote:
On Thursday, 19 March 2020, 20:06:19 CET, Eric Garver wrote:
Hrmpf. I've tried to eliminate all disturbing elements, but failed. Yes, a service on port 8080 needs to be allowed as well, but having it working for ssh is enough to get the rest working in a similar fashion.
It should have read:
rule family="ipv4" source address="10.20.30.0/24" destination address="192.168.78.0/24" port port="22" protocol="tcp" accept
I've tried port forwarding and other things, but ultimately, I would like to allow some services coming from the VPN (tun0/10.20.30.0/24) to be routed to the local network (and back).
On the client side is your SSH destination in the 10.20.30.0/24 block of addresses or are you using the OpenVPN's "uplink" address (eth0) ?
They come in from the VPN block 10.20.30.0/24.
Does the VPN work at all? Can an external client communicate with an internal client? AFAICS, the OpenVPN traffic will be denied at the external zone. You haven't added the openvpn service.
Maybe try
firewall-cmd --zone external --add-service openvpn
The stock service only allows UDP. If you're using TCP-backed OpenVPN (you shouldn't), then you need to allow it explicitly:
firewall-cmd --zone external --add-port=1194/tcp
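The UDP-versus-TCP distinction above is easy to get wrong when the server config is not in front of you. The following script is an added example, not code from the thread or from firewalld: it reads an OpenVPN server config, honours the "proto" and "port" directives (OpenVPN defaults of udp and 1194 are assumed when absent), and prints the firewall-cmd line that actually matches, relying on the fact that firewalld's stock "openvpn" service definition covers only 1194/udp. The config files it reads are constructed inline for illustration; the zone name is a parameter and defaults to "external" as in the thread.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): derive the right
# firewall-cmd invocation from an OpenVPN server config.
# Assumptions: the stock firewalld "openvpn" service is 1194/udp only;
# the config uses OpenVPN's "proto" and "port" directives, defaulting to
# "udp" and "1194" when they are missing.

# openvpn_fw_cmd CONFIG [ZONE]  -> prints the firewall-cmd line to run
openvpn_fw_cmd() {
    cfg="$1"
    zone="${2:-external}"
    # Strip '#' and ';' comments, then let the last directive win, as OpenVPN does.
    proto=$(sed 's/[#;].*//' "$cfg" | awk '$1 == "proto" { p = $2 } END { print p }')
    port=$(sed 's/[#;].*//' "$cfg" | awk '$1 == "port" { p = $2 } END { print p }')
    proto="${proto:-udp}"
    port="${port:-1194}"
    case "$proto" in
        udp*) l4=udp ;;          # udp, udp4, udp6
        tcp*) l4=tcp ;;          # tcp, tcp-server, tcp-client, tcp4-*, tcp6-*
        *) echo "unknown proto: $proto" >&2; return 1 ;;
    esac
    # Only the stock service definition (1194/udp) can be used as-is;
    # anything else, TCP included, must be opened as an explicit port.
    if [ "$l4" = udp ] && [ "$port" = 1194 ]; then
        echo "firewall-cmd --zone $zone --add-service openvpn"
    else
        echo "firewall-cmd --zone $zone --add-port=$port/$l4"
    fi
}

# Constructed sample configs (illustrative, not real deployments).
tmp=$(mktemp -d)
cat > "$tmp/udp.conf" <<'EOF'
port 1194
proto udp
dev tun
EOF
cat > "$tmp/tcp.conf" <<'EOF'
# TCP-backed server on a non-default port
port 443
proto tcp-server
dev tun
EOF

openvpn_fw_cmd "$tmp/udp.conf"   # firewall-cmd --zone external --add-service openvpn
openvpn_fw_cmd "$tmp/tcp.conf"   # firewall-cmd --zone external --add-port=443/tcp
```

Run the printed line without --permanent first to confirm the tunnel comes up, then repeat it with --permanent (or use --runtime-to-permanent) so the rule survives a reload.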