OpenVPN, internet access and settings of the "wired connection"

The manual says:

After connecting to the VPN, the client device will be able to browse the Internet without any further configuration. However, a pre-condition for this to work is that you need to have at least one Internet connected network interface which is part of the ‘External’ firewall zone. Use the networks configuration page to edit the firewall zone for the device’s network interfaces.

I have two Pioneer boxes where the firewall zone for the “wired connection 1” interface is set to “External” but with a very different behaviour when connected to openVPN.

On the first one:

  • when connected to openVPN, I can access internet
  • the firewall zone of the “wired connection” is set to external
  • if my memory is correct, I changed it from “internal” to “external” using network settings in plinth
  • the network settings page appears as [image]
  • in the wired connection settings, the zone appears as [image: box1-interface]

On the second one:

  • when connected to openVPN, I cannot access internet
  • the firewall zone of the “wired connection” is set to external
  • it was set to “external” from the start, I did not change it
  • the network settings page appears as [image]
  • in the wired connection settings, the zone appears as [image: box2-interface]

The differences in what plinth shows are:

  • that the wired connection appears on second box but not on the first box on the picture
  • that the wired connection is indicated as “not maintained by Freedombox” on the first box but there is no such indication on the second box.

Can these differences explain that access to internet is possible on one box but not on the other one?
How does an interface become indicated as “not maintained” by the Freedombox?

As far as I can remember, the only difference in their configurations is that one has a manually set local IP address while the other one uses DHCP, but I would expect any issue there to have many more consequences than this, so I’d say this cannot be the explanation.

“not maintained by Freedombox” suggests that the interface might have an entry in /etc/network/interfaces that you need to comment out or delete. From this thread:

If you comment out your network/wifi cards in /etc/network/interfaces that allows NetworkManager to get full control of those interfaces. Freedombox uses NetworkManager to configure networking, so by doing this you are using the configuration method expected by the Freedombox team.

But since that issue is on the first box where you already can access the Internet over OpenVPN, I don’t know if it helps explain why the two boxes behave differently.

Thanks for the list. I checked, on both boxes, /etc/network/interfaces has a single non-commented line:
source /etc/network/interfaces.d/*
and the directory is empty.

I looked into the network tab of cockpit, I don’t notice any difference between the two boxes there.

About openVPN, I turned on logging for firewalld, here is what I have when I am connected and try to access a web page:

Jun 30 19:07:50 freedombox kernel: filter_FWD_internal_REJECT: IN=tun0 OUT=end0 MAC= SRC=10.91.0.6 DST=185.199.141.17 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10282 DF PROTO=TCP SPT=41264 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0 
Jun 30 19:07:50 freedombox kernel: filter_FWD_internal_REJECT: IN=tun0 OUT=end0 MAC= SRC=10.91.0.6 DST=185.199.141.17 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=16853 DF PROTO=TCP SPT=59282 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0 

10.91.0.6 is the local address in openVPN, so it seems firewalld is rejecting outgoing packets to the ethernet interface.

This post is referring to 2016864 – Masquerade fails to work on F35 that includes the following:

# create new policy
firewall-cmd --permanent --new-policy int_to_ext_fwd
firewall-cmd --permanent --policy int_to_ext_fwd --add-ingress-zone internal
firewall-cmd --permanent --policy int_to_ext_fwd --add-egress-zone external
firewall-cmd --permanent --policy int_to_ext_fwd --set-priority 100
firewall-cmd --permanent --policy int_to_ext_fwd --set-target ACCEPT

# Enable masquerade on external (this should already be the case if the setup worked on F34); 'forward' does not need to be set
firewall-cmd --permanent --zone=external --add-masquerade

# Enable forward on internal (this is a new setting)
firewall-cmd --permanent --zone=internal --add-forward

# restart firewalld
systemctl restart firewalld.service

I had run all these lines on the first Pioneer without understanding what it was, and since the default zone setting was enough to allow plinth to work, I did not try that again on the second Pioneer.

On the second Pioneer, I ran the lines with “--policy int_to_ext_fwd” and restarted firewalld, now I can access internet when connected to openVPN on it. Apparently a file /etc/firewalld/policies/int_to_ext_fwd.xml was created with the following contents:

<?xml version="1.0" encoding="utf-8"?>
<policy priority="100" target="ACCEPT">
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>
</policy>

That seems to contain all the information in the commands so I suppose that removing/adding this file is equivalent to the set of commands I ran.

My current conclusions:

  • default zone setting to external (instead of public) is enough for plinth to work
  • this is not enough to use openVPN with internet access
  • the above changes can make openVPN with internet access work but I don’t know whether these changes are the most appropriate solution and whether they should be done even when one does not want to use openVPN with internet access
  • I don’t know whether the “masquerade” and the “add-forward” lines are really needed and what for
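As an added example (my own code, not from the thread, FreedomBox or firewalld), the script below parses the two `filter_FWD_internal_REJECT` kernel log lines quoted earlier, works out which forwarded flows firewalld rejected and between which zones, and builds the policy file that is equivalent to the `--policy int_to_ext_fwd` commands, with a check that reads such a file back. It assumes the interface-to-zone mapping of the box in the thread (tun0 in the internal zone, end0 in external); the function names `rejected_forwards`, `zone_pairs`, `policy_file` and `policy_allows` are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample input: the two firewalld kernel log lines quoted in the thread.
SAMPLE_LOG = """\
Jun 30 19:07:50 freedombox kernel: filter_FWD_internal_REJECT: IN=tun0 OUT=end0 MAC= SRC=10.91.0.6 DST=185.199.141.17 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=10282 DF PROTO=TCP SPT=41264 DPT=80 WINDOW=64240 RES=0x00 SYN URGP=0
Jun 30 19:07:50 freedombox kernel: filter_FWD_internal_REJECT: IN=tun0 OUT=end0 MAC= SRC=10.91.0.6 DST=185.199.141.17 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=16853 DF PROTO=TCP SPT=59282 DPT=443 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# The policy file the thread reports in /etc/firewalld/policies/int_to_ext_fwd.xml.
PAGE_POLICY = """<?xml version="1.0" encoding="utf-8"?>
<policy priority="100" target="ACCEPT">
  <ingress-zone name="internal"/>
  <egress-zone name="external"/>
</policy>
"""

# Assumed interface-to-zone mapping for the box in the thread: the OpenVPN tunnel
# tun0 sits in the internal zone, the wired connection end0 in the external zone.
IFACE_ZONE = {"tun0": "internal", "end0": "external"}

# firewalld's log prefix is <table>_<chain>_<zone>_<verdict>, e.g. filter_FWD_internal_REJECT;
# for the FWD chain the zone named is the one the packet arrived on (its ingress zone).
PREFIX_RE = re.compile(
    r"(?P<table>[A-Za-z]+)_(?P<chain>FWD|IN|OUT)_(?P<zone>[\w-]+)_(?P<verdict>ACCEPT|REJECT|DROP):"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line):
    """Return the prefix fields plus the KEY=VALUE pairs of one firewalld log line, or None."""
    m = PREFIX_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(KV_RE.findall(line[m.end():]))  # flags such as DF or SYN carry no '=' and are skipped
    return rec


def rejected_forwards(log_text):
    """Count rejected forwarded flows, keyed by (in_iface, out_iface, proto, dst_port)."""
    counts = {}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None or rec["chain"] != "FWD" or rec["verdict"] != "REJECT":
            continue
        key = (rec.get("IN"), rec.get("OUT"), rec.get("PROTO"), rec.get("DPT"))
        counts[key] = counts.get(key, 0) + 1
    return counts


def zone_pairs(counts, iface_zone=IFACE_ZONE):
    """Translate rejected (in_iface, out_iface) pairs into (ingress_zone, egress_zone) pairs."""
    return {(iface_zone[i], iface_zone[o]) for (i, o, _proto, _dport) in counts}


def policy_file(name, ingress_zone, egress_zone, priority=100, target="ACCEPT"):
    """Build the path and XML of a firewalld policy equivalent to the
    'firewall-cmd --permanent --policy NAME ...' sequence quoted in the thread."""
    policy = ET.Element("policy", priority=str(priority), target=target)
    ET.SubElement(policy, "ingress-zone", name=ingress_zone)
    ET.SubElement(policy, "egress-zone", name=egress_zone)
    xml = '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(policy, encoding="unicode") + "\n"
    return f"/etc/firewalld/policies/{name}.xml", xml


def policy_allows(xml_text, ingress_zone, egress_zone):
    """True if the policy file accepts traffic forwarded from ingress_zone to egress_zone."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "policy" or root.get("target") != "ACCEPT":
        return False
    ingress = {e.get("name") for e in root.findall("ingress-zone")}
    egress = {e.get("name") for e in root.findall("egress-zone")}
    return ingress_zone in ingress and egress_zone in egress


if __name__ == "__main__":
    counts = rejected_forwards(SAMPLE_LOG)
    for (i, o, proto, dport), n in sorted(counts.items()):
        print(f"{n} rejected forward(s) {i} -> {o} {proto}/{dport}")
    for ingress, egress in sorted(zone_pairs(counts)):
        path, xml = policy_file("int_to_ext_fwd", ingress, egress)
        print(f"forward {ingress} -> {egress} needs a policy; equivalent file {path}:\n{xml}")
        print("existing file covers it:", policy_allows(PAGE_POLICY, ingress, egress))
```

The point the parser makes visible is that the reject comes from the internal zone's forward chain, i.e. the zone of the interface the packets entered on (tun0), not from the external zone of the wired connection; that is why the zone of end0 being "External" on both boxes was not enough, and why the fix has to allow the internal to external forward, which the policy above does. Masquerade on external is a separate step: it rewrites the VPN client's 10.91.0.6 source address on the way out of end0, so it is also needed for Internet access through the tunnel, whereas a zone's own `forward` flag only covers traffic between interfaces of that same zone.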