OpenVPN, internet access and settings of the "wired connection"

This post refers to 2016864 – Masquerade fails to work on F35, which includes the following:

# create new policy
firewall-cmd --permanent --new-policy int_to_ext_fwd
firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT

# Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
firewall-cmd --permanent --zone=external --add-masquerade

# Enable forward on internal (this is a new setting)
firewall-cmd --permanent --zone=internal --add-forward

# restart firewalld
systemctl restart firewalld.service

I had run all these lines on the first Pioneer without understanding what they were, and since the default zone setting was enough to allow plinth to work, I did not try that again on the second Pioneer.

On the second Pioneer, I ran the lines with "--policy int_to_ext_fwd" and restarted firewalld; now I can access the internet when connected to OpenVPN on it. Apparently a file /etc/firewalld/policies/int_to_ext_fwd.xml was created with the following contents:

<?xml version="1.0" encoding="utf-8"?>
<policy priority="100" target="ACCEPT">
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>
</policy>

That seems to contain all the information in the commands so I suppose that removing/adding this file is equivalent to the set of commands I ran.

My current conclusions:

  • default zone setting to external (instead of public) is enough for plinth to work
  • this is not enough to use OpenVPN with internet access
  • the above changes can make OpenVPN with internet access work, but I don’t know whether these changes are the most appropriate solution and whether they should be done even when one does not want to use OpenVPN with internet access
  • I don’t know whether the “masquerade” and the “add-forward” lines are really needed and what for
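As an added example (not part of the original post or of firewalld), the script below parses the quoted policy file and renders the firewall-cmd commands it is equivalent to, then compares them with the full command list from the bug report. It assumes the policy name is the file's basename (int_to_ext_fwd); the point it makes is that the policy file only reproduces the five "--policy" commands, while masquerade and forward are zone settings stored elsewhere (in the zone files), so removing the file alone does not undo those two.

```python
import xml.etree.ElementTree as ET

# Constructed copy of /etc/firewalld/policies/int_to_ext_fwd.xml as quoted in the post.
POLICY_XML = """<?xml version="1.0" encoding="utf-8"?>
<policy priority="100" target="ACCEPT">
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>
</policy>
"""

# The permanent firewall-cmd lines from the bug report (the systemctl restart is not config).
POSTED_COMMANDS = [
    "firewall-cmd --permanent --new-policy int_to_ext_fwd",
    "firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal",
    "firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external",
    "firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100",
    "firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT",
    "firewall-cmd --permanent --zone=external --add-masquerade",
    "firewall-cmd --permanent --zone=internal --add-forward",
]


def policy_to_commands(xml_text: str, name: str) -> list[str]:
    """Render the firewall-cmd --permanent commands that recreate one policy file."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "policy":
        raise ValueError(f"expected <policy> root element, got <{root.tag}>")
    base = f"firewall-cmd --permanent --policy {name}"
    cmds = [f"firewall-cmd --permanent --new-policy {name}"]
    # Each ingress/egress zone element maps to one --add-*-zone call.
    for zone in root.findall("ingress-zone"):
        cmds.append(f"{base} --add-ingress-zone {zone.get('name')}")
    for zone in root.findall("egress-zone"):
        cmds.append(f"{base} --add-egress-zone {zone.get('name')}")
    # priority and target are attributes of the <policy> element itself.
    if "priority" in root.attrib:
        cmds.append(f"{base} --set-priority {root.attrib['priority']}")
    if "target" in root.attrib:
        cmds.append(f"{base} --set-target {root.attrib['target']}")
    return cmds


def commands_not_in_policy(posted: list[str], from_policy: list[str]) -> list[str]:
    """Return the posted commands that the policy file does not account for (zone settings)."""
    return [c for c in posted if c not in from_policy]


if __name__ == "__main__":
    generated = policy_to_commands(POLICY_XML, "int_to_ext_fwd")
    print("\n".join(generated))
    print("not covered by the policy file:", commands_not_in_policy(POSTED_COMMANDS, generated))
```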