Ongoing OpenVPN Issues

I know there are many other threads in the forum about openvpn issues, but none of them have helped nor have any proposed solutions worked for me. Although I suspect it to be a selinux issue, I don’t know enough about how Fedora implements that to know for sure.

I can use sudo openvpn MyVPN.ovpn to connect via cli, but there is absolutely no configuration via NetworkManager that works and I’m wondering if it’s connected to the fact that ioctl and tun0 can only be accessed via root…

I appreciate the help and insights…

1 Like

Hi,

Install NetworkManager-openvpn-gnome, then import ovpn in settings, under network, vpn:

sudo dnf install NetworkManager-openvpn-gnome

Thanks Tom.

2 Likes

Already installed; afaik, it’s installed by default.

Ok, so what happens if you try and import the ovpn file?

1 Like

It fails to connect; journalctl -u NetworkManager.service throws a bunch of warnings and some errors:

Jun 28 12:23:46 fedora nm-openvpn[3733]: OpenSSL: error:2006D002:BIO routines:BIO_new_file:system lib
Jun 28 12:23:46 fedora nm-openvpn[3733]: OpenSSL: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
Jun 28 12:23:46 fedora nm-openvpn[3733]: Cannot load certificate file /home/bryan/Scripts/openvpn/UserCertificate.crt

None of those exist when executed with sudo openvpn via cli.

The keys and certs should be stored to one of the following locations:

sudo semanage fcontext -l | grep -e home_cert_t

Make sure to repair SELinux labels after importing the client profile:

sudo restorecon -R /path/to/keys_and_certs
2 Likes

Thanks for the info, @vgaetera; can the certs/keys be sym linked?

So, copying the cert and key files into ~/.cert and running sudo restorecon -R ~/.cert did nothing, as NM still complains the connection fails and journalctl gives me the same errors.

Hi,

Did you update the cert path for the vpn config, its located under the identity tab?

Thanks Tom.

2 Likes

Verify the VPN connection settings match your certs and keys file names/locations:

nmcli connection show
nmcli -g vpn.data connection show id VPN_CON
1 Like

Thank you both, @tjdoyle and @vgaetera! Vladislav, you hit the nail on the head having me move the cert and key files; Tom, you were spot-on to suggest I check the cert path and, alas, that was the problem because after moving everything to ~/.cert NM was still looking in ~/Scripts/openvpn.

The issue is solved. Unfortunately, I can’t mark both of you as providing the solution. :frowning:

On a related note, why so many hoops to jump through; that is, shouldn’t this be more intuitive?

3 Likes

1977268 – nm-openvpn applies incorrect SELinux labels when importing a VPN profile

Actually this is a long standing issue with NetworkManager failing to set the proper SELinux labels for the imported certs and keys.
This behavior is certainly counter intuitive and inconsistent compared to GNOME Boxes that automatically configures SELinux labels for image files.

3 Likes

I completely agree…

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.