Openvpn – Firewalld virtual bridge outgoing traffic to vpn tunnel

Tags: centos7, firewalld, openvpn, routing, virtual-network

I finally decided to sit down and do something that has long been on my todo list: to get my virtual networking actually to work.

Simply put: I have a pure virtual bridge device (created by an ifcfg script at boot) to which libvirtd attaches guest OSes as they are spawned. There is also a dnsmasq DHCP server running on the bridge. Since the bridge is a virtual one, there is no internet access, and the openvpn tun0 device cannot be directly added to the bridge. Now my goal is to get all outbound traffic redirected to the tun0 interface. Seemingly an easy job with firewalld's direct rules, but one I have wasted a whole day on.

The internal traffic on the bridge works fine, including DHCP, but I haven't been able to get the outgoing traffic to work at all. The problem is not with the routing tables (using iproute2 for a second routing table for tun0, checked with curl --interface … to get the external IP of tun0), or with the openvpn connection itself.

Without further ado, here are my configuration files:

ifcfg-tun0:

DEVICE=tun0
BOOTPROTO=none
ONBOOT=no
TUNNEL='tun'

ifcfg-virbr10:

DEVICE=virbr10
NAME=virbr10 
NM_CONTROLLED=no 
ONBOOT=yes 
TYPE=Bridge 
DELAY=2 
STP=on 
IPADDR=10.8.3.1 
NETMASK=255.255.255.0 
IPV6INIT=no 
ZONE=virbr10

/etc/firewalld/direct.xml:

<?xml version="1.0" encoding="utf-8"?>
<direct>
  <!-- Hide the guest addresses behind the tunnel endpoint -->
  <rule priority="0" table="nat" ipv="ipv4" chain="POSTROUTING">-o tun0 -j MASQUERADE</rule>
  <!-- Guests may open new connections towards the tunnel -->
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i virbr10 -o tun0 -j ACCEPT</rule>
  <!-- Only reply traffic is allowed back from the tunnel to the guests (rule needs a -j target) -->
  <rule priority="0" table="filter" ipv="ipv4" chain="FORWARD">-i tun0 -o virbr10 -m state --state RELATED,ESTABLISHED -j ACCEPT</rule>
</direct>

and some commands:

firewall-cmd --get-active-zones:

home
  interfaces: enp2s0 br0
virbr10
  interfaces: virbr10
purevpn
  interfaces: tun0

firewall-cmd --zone=purevpn --query-masquerade:

  yes

All services are up and running with no errors, and I have been going through these files for several hours without noticing any clear errors. Any help would be much appreciated. There is one thing I'm not sure what to make of, and that is that the command "firewall-cmd --permanent --direct --get-all-rules" doesn't return anything. Though I'm not sure if it's meant to.

Oh, and the system is CentOS 7, and the VPN is openvpn with some custom scripts to populate the second routing table.

edit: forgot to mention that routing is enabled in /etc/sysctl.conf.

edit2: It was pointed out I didn't actually ask any question… So does anyone notice any (less) obvious mistake I have made, or have any ideas how to get this network to work as intended?

Best Answer

After some time I managed to fix this myself. My configuration was not wrong per se (though I did rewrite the direct rules), but it was not complete. I realized that even though my virtual bridge could forward packets to the tun0 interface, it doesn't do this because the default route is missing. I.e. it does not know that it could send the packets to tun0. Simply fixed by adding a third routing table for the virbr10 interface, and modifying the openvpn route-up script to push the default route into this table once the connection is up. This combined with the revised firewalld forwarding rules seemed to do the trick.
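The route-up script the answer describes, written out as an added example (not the asker's own script): it gives the bridge subnet from ifcfg-virbr10 its own routing table whose default route points into the tunnel. Assumptions: table id 110 is free, and OpenVPN exports dev, route_vpn_gateway and script_type to the hook as documented.

```shell
#!/bin/bash
# Added example, not the asker's script: OpenVPN --route-up hook that installs a
# per-bridge routing table (assumed id 110) with its default route via the tunnel.
set -eu

BRIDGE_DEV="virbr10"
BRIDGE_NET="10.8.3.0/24"   # IPADDR=10.8.3.1 / NETMASK=255.255.255.0 from ifcfg-virbr10
TABLE_ID=110               # assumed free table id

# Print instead of executing when DRY_RUN is set, so the commands can be reviewed.
run() {
  if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Policy routing for guest traffic: $1 = tunnel device, $2 = VPN gateway, which may
# be empty on a point-to-point tun link; then route by device only.
configure_guest_routes() {
  tun_dev="$1"; tun_gw="$2"
  # Drop a stale rule from a previous connection so reconnects do not pile up duplicates.
  run ip rule del from "$BRIDGE_NET" table "$TABLE_ID" 2>/dev/null || true
  run ip rule add from "$BRIDGE_NET" table "$TABLE_ID" priority 1000
  # Keep the bridge subnet itself reachable from within the table.
  run ip route replace "$BRIDGE_NET" dev "$BRIDGE_DEV" table "$TABLE_ID"
  # The missing piece from the question: a default route for the guests via the tunnel.
  if [ -n "$tun_gw" ]; then
    run ip route replace default via "$tun_gw" dev "$tun_dev" table "$TABLE_ID"
  else
    run ip route replace default dev "$tun_dev" table "$TABLE_ID"
  fi
  run ip route flush cache
}

# Only act when OpenVPN invokes this file as the route-up hook.
if [ "${script_type:-}" = "route-up" ]; then
  configure_guest_routes "${dev:-tun0}" "${route_vpn_gateway:-}"
fi
```

Hook it in with `route-up /path/to/this-script` and `script-security 2` in the openvpn client config; run it by hand with DRY_RUN=1 to see the commands it would issue.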
