After struggling with Shorewall and iptables for some time, I finally got a working firewall for my Ubuntu system. So, the winner is... FireHOL.
I have two network cards: eth0 (220.127.116.11) for the internet and eth2 (192.168.0.154) for the local net. SSH, Apache and OpenVPN listen on eth0. Machines on the local net (eth2) can communicate freely, as can those on the OpenVPN net. OpenVPN creates a third interface, tun0 (10.8.0.1). Without a tun0 interface block in the configuration, OpenVPN clients (10.8.0.6 and 10.8.0.18, say) can communicate with each other, but they cannot reach 10.8.0.1. The reason is that with OpenVPN's client-to-client option the daemon relays client traffic internally, so it never passes through netfilter, whereas packets addressed to 10.8.0.1 itself arrive on tun0 and go through the INPUT chain, where FireHOL drops them unless tun0 is configured.
I do not allow any traffic between tun0 and eth2, since I have no reason for it. FireHOL drops everything that is not explicitly permitted, so it is enough to simply not define a router between the two interfaces.
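Here is a complete /etc/firehol/firehol.conf that implements the layout described above. It is an added example, not the configuration from the original post. It assumes FireHOL 1.x (`version 5`), that OpenVPN listens on its default UDP port 1194 (so the `openvpn` service is defined explicitly rather than relying on a built-in definition), that the local net is 192.168.0.0/24, that the VPN net is 10.8.0.0/24, and that Apache serves plain HTTP only.

```firehol
version 5

# Define the OpenVPN service explicitly (assumption: default UDP/1194),
# so this configuration does not depend on a built-in service definition.
server_openvpn_ports="udp/1194"
client_openvpn_ports="default"

# eth0: the internet-facing card. Drop packets that claim to come from
# reserved or private ranges (anti-spoofing). UNROUTABLE_IPS is built by
# FireHOL from /etc/firehol/RESERVED_IPS, which is why get-iana must keep
# that file current.
interface eth0 internet src not "${UNROUTABLE_IPS}"
    protection strong
    policy drop
    # Only the three daemons exposed to the internet.
    server ssh accept
    server http accept
    server openvpn accept
    # Let the machine itself reach out (apt, DNS, NTP, ...).
    client all accept

# eth2: the trusted local net (assumption: 192.168.0.0/24). Traffic to and
# from this box is unrestricted, but only for addresses in that range.
interface eth2 lan src 192.168.0.0/24
    policy accept

# tun0: OpenVPN clients (assumption: 10.8.0.0/24). Without this block,
# clients can still reach each other (OpenVPN relays client-to-client
# traffic internally), but packets addressed to 10.8.0.1 hit the INPUT
# chain on tun0 and are dropped.
interface tun0 vpn src 10.8.0.0/24
    policy accept

# Deliberately no "router" between tun0 and eth2: FireHOL drops whatever is
# not explicitly allowed, so VPN clients cannot reach the local net and
# local machines cannot reach VPN clients.
```

Run `firehol debug` first to see the iptables commands it would generate without applying them, then `firehol try`, which activates the rules but reverts them automatically unless you confirm within a short timeout; that way a mistake in the eth0 block cannot lock you out of an SSH session. If Apache also serves HTTPS, add `server https accept` to the eth0 block.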
The file RESERVED_IPS should contain 10.0.0.0/8 and 18.104.22.168/7. If you see the message
"List of RESERVED_IPS is out of date"
when starting /etc/init.d/firehol, run /sbin/get-iana to update RESERVED_IPS in the /etc/firehol directory. And if you have problems with /sbin/get-iana, edit it as root and change the line that says