[zutthich]

In my case there was an issue derived from having added a new IP address to the LAN interface without deleting the setup 192.168.0.75 address.

Since the routing table still had the route for the original subnet, that created a problem with my specific settings. The environment ZS is in already contains an 192.168.0.0/24 subnet and the ZS routing instruction did not let packets return to the sender.

Dutifully deleting the original 192.168.0.75 address from the LAN interface fixed the problem.

[zutthich]

For the benefit of other users I answer my own question:

In the firewall section, add one rule to the INPUT chain ACCEPTing from the interface connected to the outside world any packet with TCP protocol and Destination Port 1194 (or whatever port number you’ve chosen for OpenVPN)

Add one rule to the OUTPUT chain ACCEPTing to let TCP packets go out of the interface connected to the outside world and Destination Port as per above.

Then one has to add the rule(s) for the VPN packets proper.
If the VPN is considered just like another internal LAN, then the equivalent rule(s) can be added provided one choose the VPN interface.

Induni

[Author]

Posts