openvpn: firewalld with nftables backend can't handle 'tun+' interface
This issue is the same as https://alioth-lists.debian.net/pipermail/freedombox-discuss/2019-January/008685.html and could be the same as #1438 (closed) and the remaining issue in #1432 (closed). Logs show something similar to:
2019-01-14 12:12:09 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-01-14 12:12:09 ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname tun+ goto raw_PRE_internal' failed: Error: syntax error, unexpected junk, expecting end of file or newline or semicolon
insert rule inet firewalld raw_PREROUTING_ZONES iifname tun+ goto raw_PRE_internal
                                                           ^
2019-01-14 12:12:11 ERROR: Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.
2019-01-14 12:12:11 ERROR: '/usr/sbin/nft insert rule inet firewalld raw_PREROUTING_ZONES iifname eth0 goto raw_PRE_internal' failed: Error: Could not process rule: No such file or directory
insert rule inet firewalld raw_PREROUTING_ZONES iifname eth0 goto raw_PRE_internal
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Looks like the firewalld nftables backend is not properly handling the '+' in the 'tun+' interface name used for the interfaces created by OpenVPN. The first rule fails on the '+' syntax, and every later rule (here the one for eth0) then fails as well because the firewalld chains were never created.
Recovering from a running system if you have SSH/console access:
firewall-cmd --zone=internal --remove-interface=tun+ --permanent
firewall-cmd --zone=internal --remove-interface=tun+
systemctl restart firewalld
Recovering when you can access the disk or SD card:
Edit /etc/firewalld/zones/internal.xml, remove the tun+ interface line and save. Then boot from the disk or SD card.
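An added helper, not part of this report or of firewalld, that checks a zone file for the iptables-style trailing '+' wildcard that the nftables backend rejects above, and prints the spelling nft itself accepts for a wildcard interface name (a quoted "tun*"). The zone file content is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the FreedomBox issue or from firewalld): find
# iptables-style '+' interface wildcards in a firewalld zone file and show
# the nft wildcard form. Constructed sample of /etc/firewalld/zones/internal.xml:
SAMPLE_ZONE='<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Internal</short>
  <interface name="eth0"/>
  <interface name="tun+"/>
  <service name="ssh"/>
</zone>'

# Print every <interface name="..."/> whose name ends in '+', one per line.
# $1: zone XML content
find_plus_wildcards() {
    printf '%s\n' "$1" | sed -n 's/.*<interface name="\([^"]*+\)".*/\1/p'
}

# Convert an iptables-style trailing '+' wildcard to the nft 'name*' form.
# $1: interface name such as tun+
to_nft_wildcard() {
    printf '%s\n' "$1" | sed 's/+$/*/'
}

# For each offending entry, show the rule nft rejected (as in the log above)
# and the same rule with a wildcard nft understands.
# $1: zone XML content
report() {
    for ifname in $(find_plus_wildcards "$1"); do
        nft_name=$(to_nft_wildcard "$ifname")
        echo "zone entry '$ifname' is not valid nft interface syntax:"
        echo "  rejected: nft insert rule inet firewalld raw_PREROUTING_ZONES iifname $ifname goto raw_PRE_internal"
        echo "  nft form: nft insert rule inet firewalld raw_PREROUTING_ZONES iifname \"$nft_name\" goto raw_PRE_internal"
    done
}

report "$SAMPLE_ZONE"
```

Run it against the real file with `report "$(cat /etc/firewalld/zones/internal.xml)"` to see whether a zone still carries the '+' form before restarting firewalld.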