After struggling with Shorewall and iptables for some time, I finally got a working firewall for my Ubuntu system.  So, the winner is... FireHOL.

I have two network cards: eth0 (140.116.21.154) for the internet and eth2 (192.168.0.154) for the local net.  On eth0, SSH, Apache and OpenVPN are running.  Machines on the local net (eth2) can communicate freely, and so can those on the OpenVPN net.  OpenVPN creates a third interface, tun0 (10.8.0.1). Without the tun0 interface in the configuration, OpenVPN clients (10.8.0.6 and 10.8.0.18, say) can communicate with each other, but they cannot find 10.8.0.1.

Notes.

  1. I don't have communications between tun0 and eth2 since I do not have a reason for it.
  2. The file RESERVED_IPS should contain 10.0.0.0/8 and 184.0.0.0/7. If you see the message
    "List of RESERVED_IPS is out of date"
    when starting /etc/init.d/firehol, use /sbin/get-iana to update RESERVED_IPS in the /etc/firehol directory. If you have a problem with /sbin/get-iana, edit it as root, change the line that says
    IANA_RESERVED="IANA - Reserved"
    to
    IANA_RESERVED="IANA\|Future use"
    and try again. The Tutorial page on the FireHOL site is very helpful, as is the article "Installing and configuring FireHOL" on Unix-Tutorials.com.

Now, here is my firehol.conf:

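version 5

# Internet-facing interface: only HTTP, SSH and OpenVPN are accepted.
interface "eth0" Internet
    protection strong
    server "http" accept
    server "ssh" accept
    server custom openvpn "tcp/1194 udp/1194" default accept
    client all accept

# Local network: everything is accepted.
interface "eth2" LAN
    policy accept
    client all accept

# OpenVPN tunnel: everything is accepted.
interface "tun0" VPN
    policy accept
    client all accept

# Masquerade LAN traffic going out to the internet.
router lan2internet inface "eth2" outface "eth0"
    client all accept
    route all accept
    masquerade

# Masquerade VPN traffic going out to the internet.
router vpn2internet inface "tun0" outface "eth0"
    client all accept
    route all accept
    masquerade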
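
To check a configuration like this one, the script below (an added example, not part of the original post or of FireHOL) lists what each interface block accepts and names any device that has no interface block, which is the tun0 situation described above. The function names are made up for this example, and it assumes one device per "interface" line.

```shell
#!/bin/sh
# Added example, not from the original post or from FireHOL. Assumes one
# device per "interface" line. Sample below is constructed from the post's
# firehol.conf, with the routers shortened to one.
sample_conf() {
cat <<'EOF'
version 5
interface "eth0" Internet
    protection strong
    server "http" accept
    server "ssh" accept
    server custom openvpn "tcp/1194 udp/1194" default accept
    client all accept
interface "eth2" LAN
    policy accept
    client all accept
interface "tun0" VPN
    policy accept
    client all accept
router lan2internet inface "eth2" outface "eth0"
    route all accept
EOF
}

# One line per interface block: device, policy (FireHOL's interface default
# is drop) and the services accepted from that side.
firehol_exposure() {
  awk '
    function unq(s) { gsub(/"/, "", s); return s }
    $1 == "interface" { cur = unq($2); dev[++n] = cur; pol[cur] = "drop"; next }
    $1 == "router"    { cur = ""; next }   # router blocks are not host exposure
    cur == ""         { next }
    $1 == "policy"    { pol[cur] = $2 }
    $1 == "server" && $NF == "accept" {
      svc[cur] = svc[cur] (svc[cur] == "" ? "" : ",") ($2 == "custom" ? $3 : unq($2))
    }
    END {
      for (i = 1; i <= n; i++)
        printf "%s policy=%s servers=%s\n", dev[i], pol[dev[i]], (svc[dev[i]] == "" ? "-" : svc[dev[i]])
    }'
}

# Print every device named in the arguments that has no interface block.
firehol_undeclared() {
  declared=$(firehol_exposure | cut -d" " -f1)
  for d in "$@"; do
    printf "%s\n" "$declared" | grep -qxF -- "$d" || printf "%s\n" "$d"
  done
}
sample_conf | firehol_exposure
```

An interface reported with policy=accept lets that network reach every service listening on the host, so it is worth confirming that this is intended for tun0 as well as eth2.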