建立 tun0 去 listen 一粒 private ip
...
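# Address configuration for tun0.
# ipv4.method manual = static addressing; the address itself is presumably set
# in the elided steps above (TODO confirm).
nmcli con modify tun0 ipv4.method manual
# Turn IPv6 off on the tunnel so only the IPv4 path has to be filtered.
nmcli con modify tun0 ipv6.method disabled

# Firewall & Zone
firewall-cmd --get-active-zones # if only the public zone shows up, it still needs configuring
firewall-cmd --get-zones # the list should include ... internal
nmcli con show tun0 | grep zone # which zone the tun0 profile is bound to right now
# Bind tun0 to the internal zone.
# NOTE(review): the profile may need to be re-activated before the new zone
# shows up; re-run --get-active-zones to confirm.
nmcli con modify tun0 connection.zone internal
firewall-cmd --zone=internal --list-all # what the zone allows before it is trimmed

# Remove the services the internal zone allows by default, then allow only
# what should be reachable over the tunnel.
# {a,b} is bash brace expansion: one --remove-service/--add-service option per name.
# Removing ssh means SSH is no longer allowed in on tun0 once the reload below runs;
# keep another management path if this host is administered through the tunnel.
firewall-cmd --zone=internal --permanent --remove-service={cockpit,dhcpv6-client,mdns,samba-client,ssh}
# mysql becomes reachable from any source in this zone; restrict by source
# address as well if only specific peers need the database.
firewall-cmd --zone=internal --permanent --add-service={dns,mysql}
# --permanent only writes the stored configuration; reload so the running
# rule set matches it. (The original repeated the --add-service line here.)
firewall-cmd --reload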