Ongoing OpenVPN Issues

bryanmoore · June 28, 2021, 1:19pm

I know there are many other threads in the forum about openvpn issues, but none of them have helped nor have any proposed solutions worked for me. Although I suspect it to be a selinux issue, I don’t know enough about how Fedora implements that to know for sure.

I can use sudo openvpn MyVPN.ovpn to connect via cli, but there is absolutely no configuration via NetworkManager that works and I’m wondering if it’s connected to the fact that ioctl and tun0 can only be accessed via root…

I appreciate the help and insights…

tjdoyle · June 28, 2021, 1:58pm

Hi,

Install NetworkManager-openvpn-gnome, then import ovpn in settings, under network, vpn:

sudo dnf install NetworkManager-openvpn-gnome

Thanks Tom.

bryanmoore · June 28, 2021, 2:44pm

Already installed; afaik, it’s installed by default.

tjdoyle · June 28, 2021, 4:04pm

Ok, so what happens if you try and import the ovpn file?

bryanmoore · June 28, 2021, 4:26pm

It fails to connect; journalctl -u NetworkManager.service throws a bunch of warnings and some errors:

Jun 28 12:23:46 fedora nm-openvpn[3733]: OpenSSL: error:2006D002:BIO routines:BIO_new_file:system lib
Jun 28 12:23:46 fedora nm-openvpn[3733]: OpenSSL: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jun 28 12:23:46 fedora nm-openvpn[3733]: Cannot load certificate file /home/bryan/Scripts/openvpn/UserCertificate.crt

None of those exist when executed with sudo openvpn via cli.

vgaetera · June 28, 2021, 5:46pm

The keys and certs should be stored to one of the following locations:

sudo semanage fcontext -l | grep -e home_cert_t

Make sure to repair SELinux labels after importing the client profile:

sudo restorecon -R /path/to/keys_and_certs

bryanmoore · June 28, 2021, 6:35pm

Thanks for the info, @vgaetera; can the certs/keys be sym linked?

So, copying the cert and key files into ~/.cert and running sudo restorecon -R ~/.cert did nothing, as NM still complains the connection fails and journalctl gives me the same errors.

tjdoyle · June 28, 2021, 7:19pm

Hi,

Did you update the cert path for the vpn config, its located under the identity tab?

Thanks Tom.

vgaetera · June 28, 2021, 9:42pm

Verify the VPN connection settings match your certs and keys file names/locations:

nmcli connection show
nmcli -g vpn.data connection show id VPN_CON

bryanmoore · June 29, 2021, 10:02am

Thank you both, @tjdoyle and @vgaetera! Vladislav, you hit the nail on the head having me move the cert and key files; Tom, you were spot-on to suggest I check the cert path and, alas, that was the problem because after moving everything to ~/.cert NM was still looking in ~/Scripts/openvpn.

The issue is solved. Unfortunately, I can’t mark both of you as providing the solution.

On a related note, why so many hoops to jump through; that is, shouldn’t this be more intuitive?

vgaetera · June 29, 2021, 11:12am

1977268 – nm-openvpn applies incorrect SELinux labels when importing a VPN profile

Actually this is a long standing issue with NetworkManager failing to set the proper SELinux labels for the imported certs and keys.
This behavior is certainly counter intuitive and inconsistent compared to GNOME Boxes that automatically configures SELinux labels for image files.

bryanmoore · June 29, 2021, 1:26pm

I completely agree…

system · July 27, 2021, 1:26pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Trying to configure OpenVPN on Fedora 30, poor to non-existent documentation Ask Fedora	17	11448	August 3, 2019
Using openvpn requires adding SElinux policy Project Discussion silverblue-team	6	1611	November 23, 2023
Openvpn through GUI on Fedora 34 desktop Ask Fedora f34 , openvpn , gnome	8	6227	January 23, 2023
OpenVPN -Cert issues Ask Fedora f30 , desktop	8	6269	June 29, 2019
Cannot connect to IKEv2 VPN on Fedora 33 - No trusted RSA public key found Ask Fedora f33 , vpn , networking , gnome	33	5507	November 9, 2021

Ongoing OpenVPN Issues

Related Topics