
My primary objective here is to use a cloud hosted VM to host an OVPN server and web server that only VPN clients can see.

I have Cent 7.8 installed, OVPN set up and functional and the firewall configured with nothing other than the following right now:

# Allow OpenVPN in the default zone and in the trusted zone, and put tun0 in trusted
firewall-cmd --permanent --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-service=openvpn
firewall-cmd --permanent --zone=trusted --add-interface=tun0

# Masquerade VPN client traffic leaving the server (runtime and permanent)
firewall-cmd --add-masquerade
firewall-cmd --permanent --add-masquerade

# Pick the interface used to reach the Internet (first line of `ip route get`)
happy=$(ip route get 8.8.8.8 | awk 'NR==1 {print $(NF-2)}')
# Permanent-only direct rule: takes effect after `firewall-cmd --reload`
firewall-cmd --permanent --direct --passthrough ipv4 -t nat -A POSTROUTING -s 10.8.0.0/24 -o "$happy" -j MASQUERADE

Network Configuration:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 555.555.555.34  netmask 255.255.240.0  broadcast 555.555.555.255
        inet6 fe80::bc44:1eff:fee7:20f3  prefixlen 64  scopeid 0x20
        ether be:44:1e:e7:20:f3  txqueuelen 1000  (Ethernet)
        RX packets 1253234  bytes 893615766 (852.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 1273084  bytes 912612027 (870.3 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

eth0:0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.8.0.5  netmask 255.255.255.0  broadcast 10.8.0.255
        ether be:44:1e:e7:20:f3  txqueuelen 1000  (Ethernet)

eth1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.120.0.2  netmask 255.255.240.0  broadcast 10.120.15.255
        inet6 fe80::9c23:37ff:fef6:10ff  prefixlen 64  scopeid 0x20
        ether 9e:23:37:f6:10:ff  txqueuelen 1000  (Ethernet)
        RX packets 120  bytes 7020 (6.8 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 57  bytes 3646 (3.5 KiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 12  bytes 920 (920.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 12  bytes 920 (920.0 B)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.255  destination 10.8.0.2
        inet6 fe80::121f:84de:7122:1bbb  prefixlen 64  scopeid 0x20
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 807601  bytes 699309413 (666.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 854518  bytes 786487397 (750.0 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0

I have the webserver and service I'm trying to host set up to the point that if I stop the firewall, I can paint the Apache test page publicly. However, either way, firewall enabled or disabled, I cannot paint the Apache page from within the VPN when trying to hit the VPN gateway (10.8.0.1) from a browser. A port scan shows the ports as open, but the page will not paint.

I also cannot ssh to the cloud server from within the VPN, only across the web. My attempts to ssh or access web services on the gateway seem to time out, rather than get rejected.

I created an alias adapter with another IP on the VPN network (10.8.0.5), wondering if the VPN gateway was just redirecting all traffic, since I have that enabled in the VPN configs, but attempts to access services at the alias IP timeout as well.

Clients connected to the VPN are also able to access services hosted on each other, but no client can access services hosted on the VPN server.

OVPN configuration issue? Seems unlikely to be firewall related if it still doesn't work with the firewall disabled. Thoughts?
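Two things worth checking on a server in this state are whether the web and ssh daemons are actually listening on an address reachable over tun0 (10.8.0.1) rather than only on the public eth0 address, and whether the 10.8.0.0/24 prefix is now carried by two interfaces (tun0 from OpenVPN and the eth0:0 alias), which makes the return path to VPN clients ambiguous. The following is an added example, not the poster's code; the function names are mine and the `ss -Hltn` and `ip route show` samples are constructed to resemble the setup in the question, not captured from it.

```python
import ipaddress

def listeners_covering(ss_output, addr, port):
    """Return the sockets in `ss -Hltn` output that would accept a
    connection to addr:port (a wildcard bind or the exact address)."""
    hits = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        local = fields[3]               # e.g. 0.0.0.0:80 or 10.8.0.1:80
        host, _, lport = local.rpartition(":")
        if lport != str(port):
            continue
        if host in ("0.0.0.0", "*", "[::]") or host == addr:
            hits.append(local)
    return hits

def duplicate_prefixes(route_output):
    """Map each prefix in `ip route show` to the interfaces carrying
    it, keeping only prefixes that appear on two or more interfaces."""
    by_prefix = {}
    for line in route_output.strip().splitlines():
        fields = line.split()
        if not fields or fields[0] == "default" or "dev" not in fields:
            continue
        prefix = str(ipaddress.ip_network(fields[0], strict=False))
        dev = fields[fields.index("dev") + 1]
        by_prefix.setdefault(prefix, set()).add(dev)
    return {p: sorted(d) for p, d in by_prefix.items() if len(d) > 1}

# Constructed samples (assumptions, not output from the poster's server):
# httpd bound only to the public eth0 address, sshd on the wildcard,
# and 10.8.0.0/24 present on both tun0 (OpenVPN) and eth0 (the alias).
SS_SAMPLE = """\
LISTEN 0 128 555.555.555.34:80 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""
ROUTE_SAMPLE = """\
default via 555.555.555.1 dev eth0
10.8.0.0/24 via 10.8.0.2 dev tun0
10.8.0.0/24 dev eth0 proto kernel scope link src 10.8.0.5
10.8.0.2 dev tun0 proto kernel scope link src 10.8.0.1
"""

if __name__ == "__main__":
    print("listening for 10.8.0.1:80 ->", listeners_covering(SS_SAMPLE, "10.8.0.1", 80))
    print("prefixes on >1 interface ->", duplicate_prefixes(ROUTE_SAMPLE))
```

An empty list for 10.8.0.1:80 means the daemon will never answer on the VPN address no matter what the firewall does, and a prefix listed on two interfaces means the alias should be removed or renumbered before testing further.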
