Server 3.x

SELinux

If you used the deploy_${DIST}.sh script on Fedora / EL, your VPN server has SELinux fully enabled and configured. If you make changes to the configuration, you MAY need to update the SELinux configuration.

OpenVPN

By default, OpenVPN is not allowed to listen on any other ports than udp/1194 and tcp/1194.

If you want to run more OpenVPN processes, e.g. by listening on additional ports, this is not enough: SELinux will deny the bind.

To see what is currently configured you can use semanage. On a clean Fedora system you’ll see the following:

$ sudo semanage port -l | grep openvpn
openvpn_port_t                 tcp      1194
openvpn_port_t                 udp      1194

If you want to specify additional ports for OpenVPN to listen on for client connections, you can do something similar:

$ sudo semanage port -a -t openvpn_port_t -p tcp 1195-1200
$ sudo semanage port -a -t openvpn_port_t -p udp 1195-1200

This will also allow OpenVPN to listen on ports 1195-1200 for both TCP and UDP:

$ sudo semanage port -l | grep openvpn
openvpn_port_t                 tcp      1195-1200, 1194
openvpn_port_t                 udp      1195-1200, 1194
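As an added example (not part of the vpn-server-node documentation or project), a small shell check that parses the `semanage port -l | grep openvpn` output shown above, including ranges such as `1195-1200, 1194`, and reports which of your intended OpenVPN listen ports still lack the openvpn_port_t label. The sample output is constructed; the `missing_ports` and `port_is_labeled` names are this example's own.

```bash
#!/bin/bash
# Added example: verify that OpenVPN listen ports are covered by openvpn_port_t.
# Constructed sample of `sudo semanage port -l | grep openvpn` after adding 1195-1200.
SAMPLE_SEMANAGE_OUTPUT='openvpn_port_t                 tcp      1195-1200, 1194
openvpn_port_t                 udp      1195-1200, 1194'

# port_is_labeled <semanage output> <proto> <port>
# Exit 0 if <port>/<proto> falls inside any openvpn_port_t entry, 1 otherwise.
port_is_labeled() {
  printf '%s\n' "$1" | awk -v proto="$2" -v port="$3" '
    BEGIN { pn = port + 0; found = 0 }
    $1 == "openvpn_port_t" && $2 == proto {
      # fields 3..NF are entries like "1195-1200," (a range) or "1194" (single port)
      for (i = 3; i <= NF; i++) {
        r = $i; sub(/,$/, "", r)
        n = split(r, p, "-")
        lo = p[1] + 0
        hi = (n == 2) ? p[2] + 0 : lo
        if (pn >= lo && pn <= hi) { found = 1 }
      }
    }
    END { exit (found ? 0 : 1) }'
}

# missing_ports <semanage output> <proto> <port>...
# Prints, one per line, the ports that are NOT labeled openvpn_port_t for <proto>.
missing_ports() {
  out=$1; proto=$2; shift 2
  for p in "$@"; do
    port_is_labeled "$out" "$proto" "$p" || printf '%s\n' "$p"
  done
}

# Live use on a Fedora/EL host (assumes semanage is installed), e.g. before
# starting extra OpenVPN processes on udp/1194, udp/1195 and udp/1201:
#   missing_ports "$(sudo semanage port -l | grep openvpn)" udp 1194 1195 1201
```

Any port this prints will need a `semanage port -a -t openvpn_port_t -p <proto> <port>` before OpenVPN can bind to it.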

Policy Updates

The VPN server uses OpenVPN’s --client-connect and --client-disconnect options to run scripts on VPN client connect and disconnect. This requires permissions that are not granted by the default SELinux policy on Fedora/EL.

In order to fix this, we needed to change two things:

  1. Allow OpenVPN to run scripts in the “unconfined” context;
  2. Mark our --client-connect and --client-disconnect scripts as those unconfined scripts.

For new deploys on Fedora/EL this will now be done “out of the box”. For existing systems running Fedora/EL you SHOULD install updates to make sure you get at least vpn-server-node version 3.0.3-2, and run the following command:

$ sudo setsebool -P openvpn_run_unconfined=1

NOTE: the name of the “bool” openvpn_run_unconfined is a bit confusing; it does indeed mean “Allow openvpn to run unconfined scripts”, as documented here.

See #187 for a detailed discussion on this topic.