added firewalld config (from nyr/openvpn-install)

openvpn-install.sh

@@ -852,6 +852,25 @@ verb 3" >> /etc/openvpn/server.conf
 		installUnbound
 	fi
 
+    # Add firewall rules --> firewalld / iptable (systemd scripts)
+    if pgrep firewalld; then
+        # Allow incoming traffic
+        if [[ "$PORT" == '1194' ]]; then
+			firewall-cmd --zone=public --add-service=openvpn
+            firewall-cmd --permanent --zone=public --add-service=openvpn
+        else
+            firewall-cmd --zone=public --add-port=$PORT/$PROTOCOL
+            firewall-cmd --permanent --zone=public --add-port=$PORT/$PROTOCOL
+		fi
+        
+        # Add trusted zone
+		firewall-cmd --zone=trusted --add-source=10.8.0.0/24		
+		firewall-cmd --permanent --zone=trusted --add-source=10.8.0.0/24
+
+        # Set NAT for the VPN subnet
+        firewall-cmd --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+		firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+    else
         # Add iptables rules in two scripts
         mkdir /etc/iptables
 
@@ -907,6 +926,7 @@ WantedBy=multi-user.target" > /etc/systemd/system/iptables-openvpn.service
         systemctl daemon-reload
         systemctl enable iptables-openvpn
         systemctl start iptables-openvpn
+    fi
 
 	# If the server is behind a NAT, use the correct IP address for the clients to connect to
 	if [[ "$ENDPOINT" != "" ]]; then
@@ -1105,8 +1125,9 @@ function removeOpenVPN () {
 	echo ""
 	read -rp "Do you really want to remove OpenVPN? [y/n]: " -e -i n REMOVE
 	if [[ "$REMOVE" = 'y' ]]; then
-		# Get OpenVPN port from the configuration
+		# Get OpenVPN port and protocol from the configuration
 		PORT=$(grep '^port ' /etc/openvpn/server.conf | cut -d " " -f 2)
+		PROTOCOL=$(grep '^proto ' /etc/openvpn/server.conf | cut -d " " -f 2)
 
 		# Stop OpenVPN
 		if [[ "$OS" =~ (fedora|arch) ]]; then
@@ -1124,14 +1145,34 @@ function removeOpenVPN () {
 			rm /etc/systemd/system/openvpn\@.service
 		fi
 
+        # Remove firewall rules --> firewalld / iptable (systemd scripts)
+        if pgrep firewalld; then
+			IP=$(firewall-cmd --direct --get-rules ipv4 nat POSTROUTING | grep '\-s 10.8.0.0/24 '"'"'!'"'"' -d 10.8.0.0/24 -j SNAT --to ' | cut -d " " -f 10)
+
+             if [[ "$PORT" == '1194' ]]; then
+                firewall-cmd --zone=public --remove-service=openvpn
+                firewall-cmd --permanent --zone=public --remove-service=openvpn
+            else
+                firewall-cmd --zone=public --remove-port=$PORT/$PROTOCOL
+                firewall-cmd --permanent --zone=public --remove-port=$PORT/$PROTOCOL
+		    fi          
+
+            firewall-cmd --zone=trusted --remove-source=10.8.0.0/24
+            firewall-cmd --permanent --zone=trusted --remove-source=10.8.0.0/24
+
+            firewall-cmd --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+            firewall-cmd --permanent --direct --remove-rule ipv4 nat POSTROUTING 0 -s 10.8.0.0/24 ! -d 10.8.0.0/24 -j SNAT --to $IP
+        else
             # Remove the iptables rules related to the script
             systemctl stop iptables-openvpn
+
             # Cleanup
             systemctl disable iptables-openvpn
             rm /etc/systemd/system/iptables-openvpn.service
             systemctl daemon-reload
             rm /etc/iptables/add-openvpn-rules.sh
             rm /etc/iptables/rm-openvpn-rules.sh
+        fi
 
 		# SELinux
 		if hash sestatus 2>/dev/null; then