I know there are many other threads in the forum about openvpn issues, but none of them have helped nor have any proposed solutions worked for me. Although I suspect it to be a selinux issue, I don’t know enough about how Fedora implements that to know for sure.
I can use sudo openvpn MyVPN.ovpn to connect via cli, but there is absolutely no configuration via NetworkManager that works and I’m wondering if it’s connected to the fact that ioctl and tun0 can only be accessed via root…
I appreciate the help and insights…
Install NetworkManager-openvpn-gnome, then import ovpn in settings, under network, vpn:
sudo dnf install NetworkManager-openvpn-gnome
Already installed; afaik, it’s installed by default.
Ok, so what happens if you try and import the ovpn file?
It fails to connect; journalctl -u NetworkManager.service throws a bunch of warnings and some errors:
Jun 28 12:23:46 fedora nm-openvpn: OpenSSL: error:2006D002:BIO routines:BIO_new_file:system lib
Jun 28 12:23:46 fedora nm-openvpn: OpenSSL: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jun 28 12:23:46 fedora nm-openvpn: Cannot load certificate file /home/bryan/Scripts/openvpn/UserCertificate.crt
None of those exist when executed with sudo openvpn via cli.
The keys and certs should be stored to one of the following locations:
sudo semanage fcontext -l | grep -e home_cert_t
Make sure to repair SELinux labels after importing the client profile:
sudo restorecon -R /path/to/keys_and_certs
Thanks for the info, @vgaetera; can the certs/keys be sym linked?
So, copying the cert and key files into ~/.cert and running sudo restorecon -R ~/.cert did nothing, as NM still complains the connection fails and journalctl gives me the same errors.
Did you update the cert path for the vpn config? It's located under the identity tab.
Verify the VPN connection settings match your certs and keys file names/locations:
nmcli connection show
nmcli -g vpn.data connection show id VPN_CON
Thank you both, @tjdoyle and @vgaetera! Vladislav, you hit the nail on the head having me move the cert and key files; Tom, you were spot-on to suggest I check the cert path and, alas, that was the problem because after moving everything to ~/.cert NM was still looking in ~/Scripts/openvpn.
The issue is solved. Unfortunately, I can’t mark both of you as providing the solution.
On a related note, why so many hoops to jump through; that is, shouldn’t this be more intuitive?
1977268 – nm-openvpn applies incorrect SELinux labels when importing a VPN profile
Actually, this is a long-standing issue with NetworkManager failing to set the proper SELinux labels for the imported certs and keys.
This behavior is certainly counterintuitive and inconsistent compared to GNOME Boxes, which automatically configures SELinux labels for image files.
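The two checks that resolved this thread (which paths the NetworkManager profile actually stores, and whether those files carry the home_cert_t label) combined into one script. This is an added example, not code from any poster in the thread; it assumes vpn.data is the comma-separated "key = value" list that nmcli prints, and the sample data and script name are constructed.

```shell
#!/bin/sh
# Added example: audit the cert/key files an NM OpenVPN profile points at.
# Usage: sh check-vpn-certs.sh VPN_CON   (script name is hypothetical)

# Constructed sample of vpn.data ("key = value" pairs separated by commas).
SAMPLE_DATA='ca = /home/user/Scripts/openvpn/ca.crt, cert = /home/user/Scripts/openvpn/UserCertificate.crt, cert-pass-flags = 0, connection-type = tls, key = /home/user/.cert/UserKey.key, remote = vpn.example.com'

# Print the paths stored under ca/cert/key/ta, one per line.
# Assumes no path contains a comma.
vpn_cert_paths() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n -E 's/^[[:space:]]*(ca|cert|key|ta)[[:space:]]*=[[:space:]]*(.*[^[:space:]])[[:space:]]*$/\2/p'
}

# The SELinux type is the third field of user:role:type:level.
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Classify one path: missing, no-context, ok, or wrong-label:<type>.
check_path() (
    if [ ! -e "$1" ]; then
        echo "missing"
    elif ! ctx=$(stat -c %C -- "$1" 2>/dev/null); then
        echo "no-context"
    elif [ "$(selinux_type "$ctx")" = "home_cert_t" ]; then
        echo "ok"
    else
        echo "wrong-label:$(selinux_type "$ctx")"
    fi
)

# Query NetworkManager for the profile and report on each referenced file.
audit_vpn() {
    nmcli -g vpn.data connection show id "$1" | {
        IFS= read -r data
        vpn_cert_paths "$data" | while IFS= read -r path; do
            printf '%-24s %s\n' "$(check_path "$path")" "$path"
        done
    }
}

# Run only when a connection name is given.
[ $# -eq 0 ] || audit_vpn "$1"
```

A path reported as missing means the profile still points at the old location, as happened here; a wrong-label result is what the restorecon command above repairs.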