Nm-openvpn - cannot pre-load keyfile

So I was trying to connect to the ProtonVPN service but couldn’t for some reason. Neither through the GUI, the CLI, nor by importing the .ovpn configuration file into Network Manager directly. Soon I discovered an error that looked like this:

nm-openvpn[16331]: Cannot pre-load keyfile (/var/home/aitvaras/.cert/nm-openvpn/ProtonVPN-75081sp_-tls-auth.pem)

A quick search led me to believe that it might have something to do with SELinux. The fact that the ProtonVPN clients connected to Proton servers if I set setenforce permissive confirmed my suspicions, which led me into an SELinux rabbit hole, and I wonder if anyone here could help me understand what’s going on here.

Later I learned about SELinux labels (or whatever) and that openvpn can read certificates only from specific folders (e.g. .cert) in the home folder that have specific SELinux labels (home_cert_t). I noticed that ~/.cert gets created like this

$ ll -d -Z ~/.cert
drwxr-xr-x. 1 aitvaras aitvaras unconfined_u:object_r:unlabeled_t:s0 20  5 jan 03.53 /var/home/aitvaras/.cert/

but if I understood correctly it’s supposed to look like this

$ sudo semanage fcontext -l | grep -e home_cert_t
/var/home/[^/]+/\.cert(/.*)?    all files    unconfined_u:object_r:home_cert_t:s0 

If I use sudo restorecon -R ~/.cert the command restores the labels, but it does not help with the problem. I still get the error above about the keyfile.

Then I learned about /var/log/audit/audit.log and I found an entry that looks like this

type=AVC msg=audit(1641346830.798:3379): avc:  denied  { search } for  pid=14393 comm="openvpn" name="aitvaras" dev="sda3" ino=256 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0

If I make a module from that entry with audit2allow and install it with semodule -i, then the ProtonVPN clients start working. Another thing I noticed is that I need both the module and the sudo restorecon -R ~/.cert command for the ProtonVPN clients to work.

Maybe someone here has an idea of what could be wrong here. Why doesn’t ProtonVPN/openvpn work out of the box without all this tinkering? Is there a better way to make it work?
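A detail worth reading out of the audit entry quoted above: the object that was denied is name="aitvaras" with tclass=dir, i.e. the home directory itself, and its tcontext type is unlabeled_t. A denial whose target is unlabeled_t points at a labeling problem on that named object rather than at a missing policy rule, which is the check a practitioner would want to make before turning an AVC line into an audit2allow module. The following POSIX shell snippet is an added example (not code from any poster in this thread) that parses such a line offline; the sample line is constructed to mirror the thread’s entry, and the function names (avc_field, avc_perm, ctx_type, avc_classify, avc_summary) are this example’s own.

```shell
#!/bin/sh
# Added example: parse an SELinux AVC denial line and decide whether it looks
# like a mislabeled object (tcontext type unlabeled_t) or a genuine policy gap.
# The sample below is CONSTRUCTED to mirror the audit.log entry in the thread.
SAMPLE_AVC='type=AVC msg=audit(1641346830.798:3379): avc:  denied  { search } for  pid=14393 comm="openvpn" name="aitvaras" dev="sda3" ino=256 scontext=system_u:system_r:openvpn_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=dir permissive=0'

# avc_field LINE NAME: print the value of the NAME=value pair (quotes stripped).
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE: print the denied permission(s) listed inside the braces.
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# ctx_type CONTEXT: the type is the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_classify LINE: "relabel" when the target carries unlabeled_t (fix the
# label of the *named* object, e.g. with restorecon on that path), otherwise
# "policy" (the loaded policy really has no rule for this access).
avc_classify() {
    case "$(ctx_type "$(avc_field "$1" tcontext)")" in
        unlabeled_t) echo relabel ;;
        *)           echo policy ;;
    esac
}

# avc_summary LINE: one human-readable line per denial.
avc_summary() {
    printf '%s (%s) denied %s on %s "%s" labeled %s -> %s\n' \
        "$(avc_field "$1" comm)" "$(ctx_type "$(avc_field "$1" scontext)")" \
        "$(avc_perm "$1")" "$(avc_field "$1" tclass)" "$(avc_field "$1" name)" \
        "$(ctx_type "$(avc_field "$1" tcontext)")" "$(avc_classify "$1")"
}

# Run against the constructed sample; pipe real audit.log lines through
# avc_summary in the same way (grep 'avc:  denied' /var/log/audit/audit.log).
avc_summary "$SAMPLE_AVC"
```

For the sample line this prints that openvpn (openvpn_t) was denied search on dir "aitvaras" labeled unlabeled_t and classifies it as a relabel case. The point of the classification is that restorecon applied only to ~/.cert never touches the directory named in the denial, whereas a module generated from the line grants openvpn_t access to unlabeled_t objects in general, a much broader rule than the situation needs.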

Not sure, but in my opinion maybe it’s because it’s related to external services that connect deeply to the system networking.

If I think about a VPN that is directly connected to the system network instead of a specific app like a browser, it means all our traffic, including every command in the terminal like dnf install, will go through that connection. And it’s bad for security if all of that is allowed by default.

Maybe the maintainer leaves this to the user to add the trust manually.

sudo chcon -R -t home_cert_t ~/.cert

Well, the command sudo restorecon -R ~/.cert re-added home_cert_t to ~/.cert recursively, and new files under it also had it thereafter, but I still got the cannot pre-load keyfile error and the denied search entry in audit.log. Does the chcon command do something different/extra?

Try creating a custom permissive policy:
https://man.cx/audit2allow#heading5
Perhaps this is a Silverblue-specific issue.

I stumbled upon this during my troubleshooting, and after generating a module file with audit2allow as well as installing it with semodule -i it started working. It’s just that I was wondering about how good or bad this solution is, because I don’t know SELinux. And maybe there’s a simpler way to make it work.

Hello.

Had a similar issue. Thank you for pointing me to SELinux; I wouldn’t have solved it myself without this thread.

One way to make the permissive policy stay is to set SELINUX=enforcing in /etc/sysconfig/selinux to permissive, as instructed in the file. I was able to log into the VPN after I did that.

Having tried out the Cinnamon spin, which has the SELinux Alert Browser downloaded by default, I set the config back to enforcing and followed the instructions when the Alert Browser notified me of the “problem”.

I decided to leave SELinux on enforcing and act on the possible solutions marked under details until that lets me do what I need to do.

Hopefully my post is a good bread crumb, if you still need one.