Documentation

Server 3.x

SELinux#

If you used the deploy_${DIST}.sh script on CentOS, Red Hat Enterprise Linux or Fedora, your VPN server has SELinux fully enabled and configured. If you make changes to the configuration, you MAY need to update the SELinux configuration.

OpenVPN#

By default, OpenVPN is not allowed to listen on any other ports than udp/1194 and tcp/1194.

If you want to use more OpenVPN processes, e.g. by listening on additional ports, this may not be enough.

To see what is currently configured you can use semanage. On a clean Fedora system you’ll see the following:

$ sudo semanage port -l | grep openvpn
openvpn_port_t                 tcp      1194
openvpn_port_t                 udp      1194

If you want to specify additional ports for OpenVPN to listen on for client connections, you can do something similar:

$ sudo semanage port -a -t openvpn_port_t -p tcp 1195-1200
$ sudo semanage port -a -t openvpn_port_t -p udp 1195-1200

This will also allow OpenVPN to listen on ports 1195-1200 for both TCP and UDP:

$ sudo semanage port -l | grep openvpn
openvpn_port_t                 tcp      1195-1200, 1194
openvpn_port_t                 udp      1195-1200, 1194

Policy Issue#

We discovered a SELinux policy issue with PHP’s CLI tool (it runs on OpenVPN connect and disconnect):

SELinux is preventing /usr/bin/php from map access on the file /anon_hugepage (deleted)

See #187 for more details and possible workarounds. It is not exactly clear what is the best solution, in either case it does NOT impact the functionality of the VPN server.