Server 3.x


If you used the deploy_${DIST}.sh script on CentOS, Red Hat Enterprise Linux or Fedora, your VPN server has SELinux fully enabled and configured. If you make changes to the configuration, you MAY need to update the SELinux configuration.


By default, OpenVPN is not allowed to listen on any other ports than udp/1194 and tcp/1194.

If you want to use more OpenVPN processes, e.g. by listening on additional ports, this may not be enough.

To see what is currently configured you can use semanage. On a clean Fedora system you’ll see the following:

$ sudo semanage port -l | grep openvpn
openvpn_port_t                 tcp      1194
openvpn_port_t                 udp      1194

If you want to specify additional ports for OpenVPN to listen on for client connections, you can do something similar:

$ sudo semanage port -a -t openvpn_port_t -p tcp 1195-1200
$ sudo semanage port -a -t openvpn_port_t -p udp 1195-1200

This will also allow OpenVPN to listen on ports 1195-1200 for both TCP and UDP:

$ sudo semanage port -l | grep openvpn
openvpn_port_t                 tcp      1195-1200, 1194
openvpn_port_t                 udp      1195-1200, 1194

Policy Updates#

The VPN server uses OpenVPN’s --client-connect and --client-disconnect options to run scripts on VPN client connect and disconnect. This requires permissions, not granted by the default SELinux policy on EL9 and Fedora.

In order to fix this, we needed to change two things:

  1. Allow OpenVPN to run scripts in the “unconfined” context;
  2. Mark our --client-connect and --client-disconnect as being those unconfined scripts.

For new deploys on EL9 and Fedora this will now be done “out of the box”. For existing systems running EL9 and Fedora you SHOULD install updates to make sure you get at least vpn-server-node version 3.0.3-2, and run the following command:

$ sudo setsebool -P openvpn_run_unconfined=1 

NOTE: the name of the “bool” openvpn_run_unconfined is a bit confusing, it does indeed mean “Allow openvpn to run unconfined scripts”, as documented here.

See #187 for a detailed discussion on this topic.