firewalld settings for OpenVPN with https, ssh, and smtp


You haven't added your tun0 device to any zone, so it defaults to the default zone, which in your case is the public zone.

As root, run:

firewall-cmd --zone=internal --add-interface=tun0

You can then leave ssh and https enabled in the internal zone and disable them in the public zone.
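Added example (not from the answer or from firewalld itself): a small POSIX shell script that prints the firewall-cmd calls implementing the layout above. It assumes the VPN interface is tun0 and that only smtp and openvpn should remain reachable on the public interface; the service list passed in is constructed from the question's public zone output.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes tun0 is the
# OpenVPN interface and that mail is outbound-only, so only smtp (plus the
# openvpn endpoint itself) stays open on the public zone.

# Services that must remain in the public zone.
PUBLIC_KEEP="smtp openvpn"

# Given the "services:" line of `firewall-cmd --zone=public --list-all`,
# print the services that should be removed from public (all but PUBLIC_KEEP).
public_extras() {
    out=""
    for svc in $1; do
        case " $PUBLIC_KEEP " in
            *" $svc "*) ;;                # keep this one
            *) out="$out $svc" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Print the commands. Without "permanent" as $2 they are runtime-only, so a
# mistake that locks you out is undone by a reboot; pass "permanent" once the
# layout is confirmed to work.
vpn_firewall_cmds() {
    perm=""
    [ "$2" = "permanent" ] && perm=" --permanent"
    echo "firewall-cmd$perm --zone=internal --add-interface=tun0"
    for svc in ssh https; do
        echo "firewall-cmd$perm --zone=internal --add-service=$svc"
    done
    for svc in $PUBLIC_KEEP; do
        echo "firewall-cmd$perm --zone=public --add-service=$svc"
    done
    for svc in $(public_extras "$1"); do
        echo "firewall-cmd$perm --zone=public --remove-service=$svc"
    done
}

# Constructed input: the public zone services from the question.
vpn_firewall_cmds "dhcpv6-client https openvpn ssh"
```

Pipe the output into `sh -x` as root to apply it, then check with `firewall-cmd --list-all-zones` that tun0 now appears under the internal zone.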

Author: RabT

Updated on September 18, 2022

Comments

  • RabT
    RabT over 1 year

    I am configuring a remote CentOS 7 webapp server to wrap https and ssh inside OpenVPN, while keeping smtp running outside of OpenVPN. I notice that, when I establish an OpenVPN connection from a Windows 7 Client using SecurePoint, I am only able to successfully connect to https://10.8.0.1 and to ssh [email protected] when https and ssh are enabled BOTH in the public zone and in the private zone of firewalld. This seems wrong because all the OpenVPN activity should be running through port 1192. So how should I configure firewalld so that https and ssh are only allowed inside the VPN, but so that smtp can still function outside the VPN?

    The output of sudo firewall-cmd --list-all-zones is as follows. What should I remove from the following configuration, and what should I add to it to accomplish the goals stated in paragraph 1 above? Are there zones below from which everything should be removed?

    block
      interfaces:
      sources:
      services:
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    
    dmz
      interfaces:
      sources:
      services: ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    
    drop
      interfaces:
      sources:
      services:
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    
    external
      interfaces:
      sources:
      services: ssh
      ports:
      masquerade: yes
      forward-ports:
      icmp-blocks:
      rich rules:
    
    home
      interfaces:
      sources:
      services: dhcpv6-client ipp-client mdns samba-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    
    internal
      interfaces:
      sources:
      services: dhcpv6-client https ipp-client mdns samba-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
            rule family="ipv4" source NOT address="10.8.1.1" service name="ssh" reject
    
    public (default, active)
      interfaces: enp3s0
      sources:
      services: dhcpv6-client https openvpn ssh
      ports:
      masquerade: yes
      forward-ports:
      icmp-blocks:
      rich rules:
    
    trusted
      interfaces:
      sources:
      services:
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    
    work
      interfaces:
      sources:
      services: dhcpv6-client ipp-client ssh
      ports:
      masquerade: no
      forward-ports:
      icmp-blocks:
      rich rules:
    
  • garethTheRed
    garethTheRed about 9 years
    I know hindsight is great, but may I suggest that you only test with https leaving ssh open on the public until everything works fully? It sounds as if you've now configured the services/zones correctly, but are still suffering issues with openvpn. Did you try connecting with a CentOS client?
  • RabT
    RabT about 9 years
    https://10.8.0.1 seems to work now after the hosting company reinstated ssh in the public zone. I am reviewing the commands I typed, and they do not include a reload command. Do you think the problem may have been due to my not reloading the firewall after adding the tun device? Also, ssh is working through the VPN now after I removed https from the public zone. I had to change server.conf to create a route for the administrator ip address so that the assigned ip address is no longer blocked by the rich rule in the firewall. Thank you and +1 for helping me find my way.
  • RabT
    RabT about 9 years
    While we are still here for a moment, are you willing to please scan through the firewalld config in my OP and point out things that I can delete/remove, given my use case? For example, ssh is enabled in the dmz, external, home, and work zones, in addition to the internal zone. I have removed ssh and https from the public zone, but I am not sure what else I can safely remove. I would like a minimalist installation.
  • garethTheRed
    garethTheRed about 9 years
    @CodeMed - There is no need to remove any services from zones that aren't in use (that is, don't have an interface allocated to them). Therefore you can leave home, dmz etc alone. On the public zone you want to remove everything bar smtp (and possibly ssh for now). I'm assuming that the mail server is out-going only and you don't have a need for pop3 or imap. On the internal zone, all you need is ssh and https.
  • garethTheRed
    garethTheRed about 9 years
    @CodeMed - When you're 'experimenting' remotely with the firewall, do not use the --permanent option until you're certain your changes have worked. Without the option, settings are temporary and will not survive a reboot. If your service provider provides a web based interface to reboot, you can use that to reboot and return to your original config. If they don't then run shutdown -r +15 as root to reboot in 15 minutes. If your changes lock you out, you'll be able to log back in in 15 minutes. If they don't lock you out, run shutdown -c as root to cancel the reboot.