After connecting to the VPN, the client device will be able to browse the Internet without any further configuration. However, a pre-condition for this to work is that you need to have at least one Internet connected network interface which is part of the ‘External’ firewall zone. Use the networks configuration page to edit the firewall zone for the device’s network interfaces.
I have two Pioneer boxes where the firewall zone for the “wired connection 1” interface is set to “External” but with a very different behaviour when connected to openVPN.
On the first one:
when connected to openVPN, I can access internet
the firewall zone of the “wired connection” is set to external
if my memory is correct, I changed it from “internal” to “external” using network settings in plinth
in the wired connection settings, the zone appears as:
The differences in what plinth shows are:
that the wired connection appears on the second box but not on the first box in the picture
that the wired connection is indicated as “not maintained by Freedombox” on the first box but there is no such indication on the second box.
Can these differences explain that access to internet is possible on one box but not on the other one?
How does an interface become indicated as “not maintained” by the Freedombox?
As far as I can remember, the only difference in their configurations is that one has a manually set local IP address while the other one uses DHCP, but I would expect any issue there to have much more consequences than this, so I’d say this cannot be the explanation.
“not maintained by Freedombox” suggests that the interface might have an entry in /etc/network/interfaces that you need to comment out or delete. From this thread:
If you comment out your network/wifi cards in /etc/network/interfaces that allows NetworkManager to get full control of those interfaces. Freedombox uses NetworkManager to configure networking, so by doing this you are using the configuration method expected by the Freedombox team.
But since that issue is on the first box where you already can access the Internet over OpenVPN, I don’t know if it helps explain why the two boxes behave differently.
Thanks for the list. I checked, on both boxes, /etc/network/interfaces has a single non-commented line: source /etc/network/interfaces.d/* and the directory is empty.
I looked into the network tab of cockpit, I don’t notice any difference between the two boxes there.
About openVPN, I turned on logging for firewalld, here is what I have when I am connected and try to access a web page:
# create new policy
firewall-cmd --permanent --new-policy int_to_ext_fwd
firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT
# Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
firewall-cmd --permanent --zone=external --add-masquerade
# Enable forward on internal (this is a new setting)
firewall-cmd --permanent --zone=internal --add-forward
# restart firewalld
systemctl restart firewalld.service
I had run all these lines on the first Pioneer without understanding what it was, and since the default zone setting was enough to allow plinth to work, I did not try that again on the second Pioneer.
On the second Pioneer, I ran the lines with “--policy int_to_ext_fwd” and restarted firewalld; now I can access the internet when connected to openVPN on it. Apparently a file /etc/firewalld/policies/int_to_ext_fwd.xml was created with the following contents:
That seems to contain all the information in the commands so I suppose that removing/adding this file is equivalent to the set of commands I ran.
My current conclusions:
default zone setting to external (instead of public) is enough for plinth to work
this is not enough to use openVPN with internet access
the above changes can make openVPN with internet access work but I don’t know whether these changes are the most appropriate solution and whether they should be done even when one does not want to use openVPN with internet access
I don’t know whether the “masquerade” and the “add-forward” lines are really needed and what for
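The relationship between the policy file and the firewall-cmd lines, as an added example that is not part of the thread: the script parses a constructed policy XML of the shape firewalld writes for those commands (the thread does not show the real file, so its content is assumed), rebuilds the equivalent permanent firewall-cmd lines, and checks which zone pairs the policy accepts.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape a firewalld policy file takes after the
# --new-policy / --add-ingress-zone / --add-egress-zone / --set-priority /
# --set-target commands (assumed; the thread does not show the real file).
SAMPLE_POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<policy target="ACCEPT" priority="100">
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>
</policy>
"""


def parse_policy(xml_text):
    """Return a dict describing a firewalld policy from its XML definition."""
    root = ET.fromstring(xml_text)
    if root.tag != "policy":
        raise ValueError("not a firewalld policy file")
    return {
        # firewalld defaults: target CONTINUE, priority -1
        "target": root.get("target", "CONTINUE"),
        "priority": int(root.get("priority", "-1")),
        "ingress": [z.get("name") for z in root.findall("ingress-zone")],
        "egress": [z.get("name") for z in root.findall("egress-zone")],
    }


def policy_to_commands(name, policy):
    """Rebuild the permanent firewall-cmd lines that produce this policy."""
    base = f"firewall-cmd --permanent --policy {name}"
    cmds = [f"firewall-cmd --permanent --new-policy {name}"]
    cmds += [f"{base} --add-ingress-zone {z}" for z in policy["ingress"]]
    cmds += [f"{base} --add-egress-zone {z}" for z in policy["egress"]]
    cmds.append(f"{base} --set-priority {policy['priority']}")
    cmds.append(f"{base} --set-target {policy['target']}")
    return cmds


def forwards(policy, ingress, egress):
    """True if the policy accepts traffic entering via `ingress` and leaving via `egress`."""
    return (policy["target"] == "ACCEPT"
            and ingress in policy["ingress"]
            and egress in policy["egress"])


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY_XML)
    print("\n".join(policy_to_commands("int_to_ext_fwd", pol)))
    print("VPN clients (internal) -> Internet (external):", forwards(pol, "internal", "external"))
    print("Internet (external) -> LAN (internal):", forwards(pol, "external", "internal"))
```

Note that the policy only covers forwarding from internal to external; the reverse direction is not accepted by it, which is why it does not expose the internal side to the Internet.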