Trying to configure OpenVPN on Fedora 30, poor to non-existent documentation

I’m not really asking for particular help, but I just want to say how spotty the Fedora documentation is on this subject. When I search for “Fedora VPN” with search engines, I am taken to official Fedora documents for old releases, such as 23 or 18. The dialogs and examples shown look nothing like the ones in my current Fedora 30 installation (Gnome Workstation).

But when I go to the specific documentation for Fedora 30, the System Administration section does not even have a subsection for networking, much less VPN. Maybe I’m looking in the wrong place, but this is the place that makes sense to me.

Are you trying to set up your F30 as OpenVPN client or server?

Let’s assume your F30 box is the Client.

Did you already install the packages necessary for the openvpn connection?
openvpn
NetworkManager-openvpn
NetworkManager-openvpn-gnome

sudo dnf -y install openvpn NetworkManager-openvpn NetworkManager-openvpn-gnome

Then, you should have received a certificate from your provider. In order to avoid any trouble with SELinux, place it in ~/.cert/.

Now you are ready to use Gnome’s Network Manager to create a new connection. All information should be given by the provider.

On CLI, you can use sudo openvpn --config /etc/openvpn/ovpn.conf --daemon to establish an ovpn connection. Of course, you need to edit the file to your provider’s requirements.

The old askbot should have plenty of Q/A that describe the setup of OpenVPN in Gnome; didn’t it pop up in your search?

Thanks for your response, @florian. Actually, I was trying to find documentation to configure an OpenVPN client in Fedora 30. I kept looking for some after posting the top post, and I never found any.

But I finally figured it out. I placed the connection files from my provider into /etc/openvpn/client. Then, in the Settings app, I found a section for VPN connections and chose the last option, “Import from file”. Then, I edited the userid and password in the connection that was created after the file import. Now, I can start my VPN client from the controls at the top right of the Gnome desktop.

1 Like

The modern way to distribute the OpenVPN client configuration is the OVPN-profile.

Any potential SELinux issues should be resolved automatically if you use the profile import feature via NetworkManager assuming that your profile includes all the certificates and keys.

All the necessary packages should be preinstalled by default:

# dnf -q groupinfo "Fedora Workstation" | grep -i -e "gnome"
   GNOME Desktop Environment
# dnf -q groupinfo "GNOME Desktop Environment" | grep -i -e "openvpn"
   NetworkManager-openvpn-gnome
# dnf -q deplist NetworkManager-openvpn-gnome | grep -i -e "provider:.*openvpn"
   provider: NetworkManager-openvpn-1:1.8.10-1.fc30.x86_64
# dnf -q deplist NetworkManager-openvpn | grep -i -e "provider:.*openvpn"
   provider: openvpn-2.4.7-1.fc30.x86_64

Valid locations and SELinux context types for OpenVPN certificates and keys:

# semanage fcontext -l | grep -e home_cert_t 
/home/[^/]+/\.cert(/.*)?                           all files          unconfined_u:object_r:home_cert_t:s0 
/home/[^/]+/\.kde/share/apps/networkmanagement/certificates(/.*)? all files          unconfined_u:object_r:home_cert_t:s0 
/home/[^/]+/\.local/share/networkmanagement/certificates(/.*)? all files          unconfined_u:object_r:home_cert_t:s0 
/home/[^/]+/\.pki(/.*)?                            all files          unconfined_u:object_r:home_cert_t:s0 
/root/\.cert(/.*)?                                 all files          system_u:object_r:home_cert_t:s0 
/root/\.pki(/.*)?                                  all files          system_u:object_r:home_cert_t:s0 
1 Like
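
The location check implied by the listing above, as an added example that is not part of the original posts: it reads an .ovpn profile, collects the external files named by the `ca`, `cert`, `key`, `tls-auth`, `tls-crypt` and `pkcs12` directives, and prints those that fall outside the `home_cert_t` paths. The function names, the sample profile and the rule that relative paths resolve against the profile's directory are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): flag certificate/key files referenced by
# an .ovpn profile that sit outside the home_cert_t locations listed above.

# The six path regexes from the `semanage fcontext -l` output, anchored.
HOME_CERT_PATTERNS='^/home/[^/]+/\.cert(/.*)?$
^/home/[^/]+/\.kde/share/apps/networkmanagement/certificates(/.*)?$
^/home/[^/]+/\.local/share/networkmanagement/certificates(/.*)?$
^/home/[^/]+/\.pki(/.*)?$
^/root/\.cert(/.*)?$
^/root/\.pki(/.*)?$'

# Exit 0 if absolute path $1 matches one of the patterns (string check only;
# it does not read the label actually set on the file).
in_home_cert_location() {
    printf '%s\n' "$1" | grep -Eq -e "$HOME_CERT_PATTERNS"
}

# Print every external file referenced by profile $1 that is outside those
# locations. Inline <ca>...</ca> style blocks name no file and are ignored.
# Assumptions: relative paths resolve against the profile's directory, and
# paths contain no spaces.
unlabelled_refs() {
    profile_dir=$(cd "$(dirname "$1")" && pwd)
    awk '$1 ~ /^(ca|cert|key|tls-auth|tls-crypt|pkcs12)$/ && $2 != "" {
             gsub(/^"|"$/, "", $2); print $2 }' "$1" |
    while IFS= read -r ref; do
        case $ref in
            /*) path=$ref ;;
            *)  path=$profile_dir/$ref ;;
        esac
        in_home_cert_location "$path" || printf '%s\n' "$path"
    done
}

# Constructed sample profile: two references need moving, two are fine.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/sample.ovpn" <<'EOF'
client
remote vpn.example.net 1194
ca ca.crt
cert /home/alice/.cert/client.crt
key "/home/alice/Downloads/client.key"
tls-auth /root/.cert/ta.key 1
EOF
    unlabelled_refs "$tmp/sample.ovpn"
    rm -rf "$tmp"
}
demo
```

On a live system, `ls -Z` on each reported file shows the label actually applied.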

Yes, that is what I ended up doing.

This is all a little bit foreign to me, because on Arch Linux I simply execute “openvpn <.ovpn file from provider>” from the command line.

It looks simple, but let’s be frank, in terms of system integrity, fault tolerance and automation it is not a wise way to manage network connections and services in a long-term perspective.

CLI users can utilize either nmcli, or the systemd service templates openvpn-client@.service and openvpn-server@.service.

1 Like

Thanks. I will look into that (the systemd services).

1 Like

The systemd service is a good choice on a server/VM where the network is configured with systemd-networkd and there’s no NetworkManager.

Meanwhile on a desktop/laptop nmcli is really convenient to use with autocomplete:

nmcli connection import type openvpn file /path/to/profile.ovpn
nmcli connection up VPN_CON
nmcli connection show
nmcli connection down VPN_CON
3 Likes

A note here: Fedora does not develop OpenVPN. Fedora is not upstream for OpenVPN. Fedora is rarely upstream for any software. Fedora is a downstream distribution—we take software and build/integrate it together.

While lots of documentation is available on Fedora specific things like Anaconda, it is just not possible for Fedora to write documentation about all the software that is included in Fedora—not with the current available man-power in the community anyway.

So, one can either:

So, a document on how to do this would be a great addition to quick-docs:

5 Likes

You may have to run this as root. Try sudo openvpn --config /etc/openvpn/ovpn.conf --daemon

1 Like

@FranciscoD, ok, I can see that. If any documentation were to be found, I think it should be at gnome.org. However, they don’t really have any, either. See Projects/NetworkManager/VPN - GNOME Wiki!

What threw me was that older releases of Fedora documentation did have documentation for configuring a VPN connection in the Gnome Settings app. So, while not documenting it is probably correct, the fact that it used to be documented made it seem like a mistaken omission. I apologize for my confusion.

Thank you.

1 Like

@florian, yes, I run that as root. This is on another, older Linux system that is not nearly as automated as my Fedora 30 system. Network Manager is not installed. This is by my choice. I have done UNIX administration since the early 80s, and the modern automated ways are less understandable to me than doing things manually. My fingers are in the pie, so to speak. :wink:

1 Like

Regarding adding documentation - I’ve summarized what I got from this thread into a general outline. I don’t have much experience with these packages, so please forgive me if something doesn’t make sense. I was thinking the information gleaned from this thread could be the beginning of a wiki page on the subject. Let me know if there are areas you think need expansion or clarification. When it’s good to go, I’ll try and figure out how to get it in the wiki/guides and follow up.

Configuring OpenVPN on Fedora 30

These packages are required:
openvpn - https://apps.fedoraproject.org/packages/openvpn
NetworkManager-openvpn - https://apps.fedoraproject.org/packages/NetworkManager-openvpn
NetworkManager-openvpn-gnome - https://apps.fedoraproject.org/packages/NetworkManager-openvpn-gnome

They should already be preinstalled:
dnf -q groupinfo "Fedora Workstation" | grep -i -e "gnome"
# GNOME Desktop Environment
dnf -q groupinfo "GNOME Desktop Environment" | grep -i -e "openvpn"
# NetworkManager-openvpn-gnome
dnf -q deplist NetworkManager-openvpn-gnome | grep -i -e "provider:.*openvpn"
# provider: NetworkManager-openvpn-1:1.8.10-1.fc30.x86_64
dnf -q deplist NetworkManager-openvpn | grep -i -e "provider:.*openvpn"
# provider: openvpn-2.4.7-1.fc30.x86_64

If not, then:
sudo dnf -y install openvpn NetworkManager-openvpn NetworkManager-openvpn-gnome

Place your certificate in a valid location using valid SELinux context types for OpenVPN certificates and keys:

# semanage fcontext -l | grep -e home_cert_t 
/home/[^/]+/\.cert(/.*)?                           all files          unconfined_u:object_r:home_cert_t:s0 
/home/[^/]+/\.kde/share/apps/networkmanagement/certificates(/.*)? all files          unconfined_u:object_r:home_cert_t:s0 
/home/[^/]+/\.local/share/networkmanagement/certificates(/.*)? all files          unconfined_u:object_r:home_cert_t:s0 
/home/[^/]+/\.pki(/.*)?                            all files          unconfined_u:object_r:home_cert_t:s0 
/root/\.cert(/.*)?                                 all files          system_u:object_r:home_cert_t:s0 
/root/\.pki(/.*)?                                  all files          system_u:object_r:home_cert_t:s0 

Create new connection: (configured to provider’s requirements)

Via Gnome Network Manager to create new connection:

Using CLI:
openvpn <.ovpn_file_from_provider>
can be done by using:
openvpn --config /etc/openvpn/ovpn.conf --daemon

These commands are also useful in CLI:
nmcli connection import type openvpn file /path/to/profile.ovpn
nmcli connection up VPN_CON
nmcli connection show
nmcli connection down VPN_CON

Or the systemd service templates openvpn-client@.service and openvpn-server@.service can be utilized.

Links for reference or to be inserted as inline html links:

https://openvpn.net/community-resources/#documentation
OpenVPN systemd use - https://community.openvpn.net/openvpn/wiki/Systemd
https://docs.fedoraproject.org/en-US/Fedora/24/html/Networking_Guide/sec-Connecting_to_a_Network_Using_nmcli.html
2 Likes

Let’s hash the details out here, and then put up a quick-doc please. We’re trying to prevent users from getting lost in unreviewed wiki page hell nowadays. Hence the extra stress on documentation instead of wiki/blogs etc.

The starting point is the link you have already mentioned, it is just the level above:

There’s the documentation:

And by the way:

$ rpm -q -l openvpn | grep -e /doc/.*systemd
/usr/share/doc/openvpn/README.systemd
2 Likes

Oh, boy. The Fedora documentation page you referenced is in the documentation for six releases ago - Fedora 24. And I don’t think I should have to search the Arch Wiki to try to find out how to use something in Fedora. Even though my other distro is Arch Linux.

Although the link looks outdated, the documentation is still relevant; there are barely any changes.
Regarding Arch Linux, you mentioned it above, so I thought it might be helpful.

In terms of NetworkManager, OpenVPN is just a VPN type, and VPN is just a connection type.
It should be nothing special for a typical Fedora user who has NetworkManager preinstalled by default.

1 Like

Ok, thank you. Network Manager is new to me and I’m still learning to use it. All is good now.

1 Like