建立 tun0 去 listen 一粒 private ip

...

nmcli con mod tun0 ipv4.method manual

nmcli con modify tun0 ipv6.method disabled

# Firewall & Zone

firewall-cmd --get-active-zones     # 只見 public zone 時就知要 config 它

firewall-cmd --get-zones               # 見到有 ... internal

nmcli con show tun0 | grep zone

nmcli con mod tun0 connection.zone internal

firewall-cmd --zone=internal --list-all

firewall-cmd --zone=internal --permanent --remove-service={cockpit,dhcpv6-client,mdns,samba-client,ssh}

firewall-cmd --zone=internal --permanent --add-service={dns,mysql}

firewall-cmd --zone=internal --permanent --add-service={dns,mysql}