CentOS 7 和 firewalld 上 OpenVPN 的多个用户类型/访问规则

如何在 CentOS 7 服务器上运行的 OpenVPN 中为用户和管理员定义单独的角色？ 具体来说，只能允许用户执行https，而必须允许管理员同时执行https和ssh。

迄今为止的进展：

翻译中@garethTheRed 建议的链接中的说明，我定义了以下步骤。我还完成了步骤一、二和三。但我不知道如何完成第四步。 有人可以展示如何将第四步从 iptables 转换为firewalld，并确认其他步骤吗？

步骤1（完全的）：根据用户类别创建虚拟IP地址映射：

    Class            Virtual IP range       Allowed Services  
    employees        10.8.0.0/24            https
    administrator    10.8.1.0/24            ssh, https  

第二步（完全的）：在/etc/openvpn/server.conf中，

    define the Employee IP address pool:
    server 10.8.0.0 255.255.255.0

    Add a route for the System Administrator IP range:
    route 10.8.1.0 255.255.255.0

    Specify client configuration directory to assign a fixed IP forAdministrator:
    client-config-dir ccd

第三步（完全的）：在新目录/etc/openvpn/ccd和新配置文件中/etc/openvpn/ccd/sysadmin：

    Define the fixed IP address for the Administrator VPN client:

        mkdir ccd
        cd ccd
        nano sysadmin1
        type the following into /etc/openvpn/ccd/sysadmin1:
        ifconfig-push 10.8.1.1 10.8.1.2

第四步（我如何在防火墙中执行此操作，以便用户只能https并且管理员可以ssh和https？）:

    First, define a static unit number for our tun interface:

        dev tun0  //where does this go?

    Establish firewall rules for the employees and administrator (convert these to firewalld):
        # Employee rule // MUST ONLY BE ALLOWED TO https
        iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.66.4.4 -j ACCEPT

        # Sysadmin rule //MUST BE ALLOWED TO ssh AND https
        iptables -A FORWARD -i tun0 -s 10.8.1.0/24 -d 10.66.4.0/24 -j ACCEPT

注意：当我输入 时firewall-cmd --list-all，到目前为止整个防火墙配置的总和定义如下：

public (default, active)
  interfaces: enp3s0
  sources: 
  services: dhcpv6-client openvpn smtp
  ports: 
  masquerade: yes
  forward-ports: 
  icmp-blocks: 
  rich rules: 

我想以任何需要的方式更改防火墙配置，以便为此用例提供最佳安全性。

我如何修改上述内容才能使其正常工作？

编辑：

阅读@garethTheRed 的有用答案后，我有三个问题/观察结果：

1.) There is no `tun` device on the firewall, but yet I am able  
    to connect to the VPN from the client with  
    `openvpn --config /path/to/client.ovpn` with the firewall  
    configured only as shown by the results of `firewall-cmd --list-all`.
    So why is it necessary to define a `tun` device in the firewall?  

2.) `ip addr` shows that I was logged in as 10.8.0.6.  How can I 
    force being logged in as a fixed address, such as 10.8.1.1 defined  
    in Step Three above?  

3.) What privileges/access does a user really have when they log in to the  
    server via OpenVPN when the firewall is configured as shown in the  
    results of `firewall-cmd --list-all` above?  Are they be able to do  
    anything other than https without a password anyway?  ssh would  
    require knowledge of both a password and a username.  

编辑#2

在 @garethTheRed 非常有用的答案中定义的内部区域中，内部区域的用户似乎可以访问以下服务dhcpv6-client、ipp-client、mdns、samba-client和ssh。这篇文章中的用例还包括https.

因此，此帖子的解决方案似乎包括：

1.) setting up rules blocking the `10.8.0.0/24` ip range from  
    `dhcpv6-client`, `ipp-client`, `mdns`, `samba-client`, and `ssh`,  
    while allowing access to `https`.  

2.) retaining access by the `10.8.1.0/24` ip range to all services  
    defined in the internal zone.  

3.) creating and installing separate client certificates for the  
    two classes of users (administrator and user)? Each class,  
    and therefore each certificate, must have a Canonical Name (CN)  
    that matches the names of config files added to `/etc/openvpn/ccd`.  
    Openvpn should then use the config file whose name matches the CN.  
    This config file should be set to configure the network address  
    that will be allocated to the clients in that class
    @garethTheRed's words are used here in #3.  

但这三件事还需要完成这个要求吗？我该如何完成这三件事？