SELinux
If you used the deploy_${DIST}.sh script on CentOS, Red Hat Enterprise Linux
or Fedora, your VPN server has SELinux fully enabled and configured. If you
make changes to the configuration, you MAY need to update the SELinux
configuration.
OpenVPN
By default, OpenVPN is not allowed to listen on any other ports than udp/1194
and tcp/1194.
If you want to use more OpenVPN processes, e.g. by listening on additional ports, this may not be enough.
To see what is currently configured you can use semanage. On a clean Fedora
system you’ll see the following:
$ sudo semanage port -l | grep openvpn
openvpn_port_t tcp 1194
openvpn_port_t udp 1194
If you want to specify additional ports for OpenVPN to listen on for client connections, you can add them with semanage:
$ sudo semanage port -a -t openvpn_port_t -p tcp 1195-1200
$ sudo semanage port -a -t openvpn_port_t -p udp 1195-1200
This will also allow OpenVPN to listen on ports 1195-1200 for both TCP and
UDP:
$ sudo semanage port -l | grep openvpn
openvpn_port_t tcp 1195-1200, 1194
openvpn_port_t udp 1195-1200, 1194
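Before starting an extra OpenVPN process, a script can confirm that its port really carries the openvpn_port_t label by parsing the listing above, ranges included. This is an added example, not part of the original documentation; the function names port_is_labelled and missing_ports are hypothetical and the SAMPLE listing is constructed.

```shell
#!/bin/sh
# Added example: port_is_labelled and missing_ports are hypothetical helper names.

# port_is_labelled PROTO PORT [TYPE]
# Reads `semanage port -l` output on stdin; exit 0 if PORT/PROTO carries TYPE.
port_is_labelled() {
    awk -v proto="$1" -v port="$2" -v type="${3:-openvpn_port_t}" '
        $1 == type && $2 == proto {
            # Fields 3..NF are a comma-separated list of ports and ranges,
            # e.g. "1195-1200, 1194".
            for (i = 3; i <= NF; i++) {
                entry = $i
                gsub(/,/, "", entry)
                n = split(entry, r, "-")
                lo = r[1] + 0
                hi = (n == 2) ? r[2] + 0 : lo
                if (port + 0 >= lo && port + 0 <= hi) found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# missing_ports LISTING PROTO PORT...
# Prints the ports from the argument list that LISTING does not label.
missing_ports() {
    listing=$1; proto=$2; shift 2
    out=""
    for p in "$@"; do
        printf '%s\n' "$listing" | port_is_labelled "$proto" "$p" || out="$out $p"
    done
    printf '%s\n' "${out# }"
}

# Constructed sample listing: TCP range added, UDP range forgotten.
SAMPLE='openvpn_port_t                 tcp      1195-1200, 1194
openvpn_port_t                 udp      1194'

# On a live system: listing=$(sudo semanage port -l)
echo "udp ports still unlabelled: $(missing_ports "$SAMPLE" udp 1194 1195 1200)"
```

A non-empty result means the matching semanage port -a command still has to be run for that protocol.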
Policy Updates
The VPN server uses OpenVPN’s --client-connect and --client-disconnect
options to run scripts on VPN client connect and disconnect. This requires
permissions not granted by the default SELinux policy on EL9 and Fedora.
In order to fix this, we needed to change two things:
- Allow OpenVPN to run scripts in the “unconfined” context;
- Mark our --client-connect and --client-disconnect scripts as being those unconfined scripts.
For new deploys on EL9 and Fedora this will now be done “out of the box”. For
existing systems running EL9 and Fedora you SHOULD install updates to make
sure you get at least vpn-server-node version 3.0.3-2, and run the following
command:
$ sudo setsebool -P openvpn_run_unconfined=1
NOTE: the name of the “bool” openvpn_run_unconfined is a bit confusing;
it does indeed mean “Allow openvpn to run unconfined scripts”, as documented
here.
See #187 for a detailed discussion on this topic.