Triden
Feb 25 2009, 06:51 PM
I recently set up OpenVPN and Samba on my Redhat Enterprise server so users can access their files remotely. OpenVPN created a new tunneling adapter interface called tun0 with an IP of 10.8.0.1. I can connect to the VPN remotely and it provides me with a 10.8... IP. The problem I have is that APF firewall is blocking filesharing activity from my Windows machine to the server when I am connected to the VPN. If I turn off APF, it works fine.
I know I could punch the ports through the APF firewall, but this would allow anybody on the internet to access the samba server. I am a little confused because APF is setup to monitor the eth0 adapter, and not the tun0 adapter, so why is it blocking my VPN data? I thought that when you are connected to a VPN, you are 'within' the network, thus allowing free reign of access. How can I make the firewall let me fileshare through my VPN, but not open the port to the whole world?
Thanks,
Christan
Jeff
Feb 25 2009, 07:09 PM
How about allowing access to that port only to your users local ISP IPs (or if you can't do that due to a dynamic IP changing frequently, limit it to your users local ISP IP ranges) in allow_hosts.rules
Triden
Feb 25 2009, 07:15 PM
QUOTE (Jeff @ Feb 26 2009, 02:09 AM)

How about allowing access to that port only to your users local ISP IPs (or if you can't do that due to a dynamic IP changing frequently, limit it to your users local ISP IP ranges) in allow_hosts.rules
The problem with that is that they will always be in different locations, thus not being a very feasible solution. Is there any way I could limit filesharing to any data coming in on a 10.8.0.x IP or will that work? 10.8.0.x is the VPN assigned subnet
James Jhurani
Feb 25 2009, 07:58 PM
QUOTE (Triden @ Feb 25 2009, 07:15 PM)

The problem with that is that they will always be in different locations, thus not being a very feasible solution. Is there any way I could limit filesharing to any data coming in on a 10.8.0.x IP or will that work? 10.8.0.x is the VPN assigned subnet
Why couldn't you just unblock the port for any IP in the 10.8.0.0/24 subnet?
eth00
Feb 28 2009, 10:20 AM
What about setting the tun0 to a trusted interface?
rfxn
Apr 5 2009, 04:05 AM
This is a bit of a late-coming reply, but nevertheless I hope someone will get value from it. See the conf.apf options BLK_P2P_PORTS and BLK_PORTS to make sure the ports you are attempting to use are not listed; if so, remove said ports and restart apf.
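The thread ends up with two practical pieces of advice: open the Samba ports only to the VPN subnet 10.8.0.0/24 (James's and Triden's point, via allow_hosts.rules) and make sure those same ports are not also sitting in BLK_PORTS / BLK_P2P_PORTS in conf.apf (rfxn's point). The script below is an added example, not code from the thread or from the APF project: it generates the allow_hosts.rules lines for the four Samba ports restricted to the VPN subnet, and checks a conf.apf-style text for those ports in the BLK_* options, including APF's underscore port ranges such as 135_139. It assumes APF's allow_hosts.rules entry format proto:in:d=port:s=cidr; the sample conf.apf values in the test are constructed, not copied from a real installation. eth00's alternative, trusting the whole VPN interface, would instead set conf.apf's IFACE_TRUSTED to tun0, which opens every port to every VPN client rather than just Samba.

```shell
#!/bin/sh
# Added example (not from the thread or the APF project).
# Generates APF allow_hosts.rules entries that open the Samba ports only to the
# OpenVPN subnet, and checks that conf.apf's BLK_PORTS / BLK_P2P_PORTS do not
# still block those ports (APF's default BLK_PORTS covers 135_139 and 445).
# Assumption: allow_hosts.rules accepts the form "proto:in:d=port:s=cidr".

VPN_NET="10.8.0.0/24"          # VPN subnet from the thread
SAMBA_UDP="137 138"            # NetBIOS name service and datagram service
SAMBA_TCP="139 445"            # NetBIOS session service and SMB over TCP

# Print allow_hosts.rules lines permitting inbound Samba only from the given
# subnet (default VPN_NET). Append the output to /etc/apf/allow_hosts.rules
# and restart apf; nothing outside the subnet gets a rule.
samba_allow_rules() {
  net="${1:-$VPN_NET}"
  for p in $SAMBA_TCP; do printf 'tcp:in:d=%s:s=%s\n' "$p" "$net"; done
  for p in $SAMBA_UDP; do printf 'udp:in:d=%s:s=%s\n' "$p" "$net"; done
}

# Check a conf.apf-style text (pass "$(cat /etc/apf/conf.apf)") for Samba ports
# listed in BLK_PORTS or BLK_P2P_PORTS. Handles single ports and APF's
# lo_hi ranges. Prints each offender and returns 1 if any were found, else 0.
check_blk_ports() {
  conf="$1"
  status=0
  for var in BLK_PORTS BLK_P2P_PORTS; do
    # Extract the quoted value of the variable and split it on commas.
    val=$(printf '%s\n' "$conf" | sed -n "s/^${var}=\"\(.*\)\"/\1/p" | tr ',' ' ')
    for p in $SAMBA_TCP $SAMBA_UDP; do
      for b in $val; do
        case "$b" in
          *_*)  # range token such as 135_139
            lo=${b%_*}; hi=${b#*_}
            if [ "$p" -ge "$lo" ] && [ "$p" -le "$hi" ]; then
              echo "port $p is blocked by $var entry $b"
              status=1
            fi ;;
          *)
            if [ "$b" = "$p" ]; then
              echo "port $p is blocked by $var entry $b"
              status=1
            fi ;;
        esac
      done
    done
  done
  return $status
}

# Stand-alone usage: print the rules and audit a constructed conf.apf sample.
if [ "${1:-}" = "--demo" ]; then
  samba_allow_rules
  sample='BLK_PORTS="135_139,111,445,1433"
BLK_P2P_PORTS="1214,6881_6889"'
  check_blk_ports "$sample" || echo "remove those ports from conf.apf first"
fi
```

Restricting to s=10.8.0.0/24 is the safer of the two approaches because a VPN client still only reaches Samba, not every service on the host; with IFACE_TRUSTED the firewall stops filtering tun0 entirely, so a compromised VPN client sees the same exposure as the LAN.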