CentOS

The Community ENTerprise Operating System
https://forums.centos.org/

[Solved] Problems setting up openvpn client

https://forums.centos.org/viewtopic.php?f=50&t=72800

Page 1 of 1

[Solved] Problems setting up openvpn client

Posted: 2019/12/13 11:00:44
by gostal
To configure the connection I used

Code: Select all

sudo nmcli connection import type openvpn file /home/gostal/Downloads/vpn/Integrity_OpenVPN_v3/Bahnhof.ovpn
and got confirmation:

Code: Select all

Connection 'Bahnhof' (a58b19a0-9537-45a3-912b-dc8b4e1eac40) successfully added.
I opened nm-connection-editor and tried to edit the connection Bahnhof. It was no problem to fill in and save the username but when trying to save the password I get Enter password to unlock your login keyring. The password you use to log in to your computer no longer matches that of your login keyring. in a pop-up window. No matter what I put in there it does not get accepted. I also got an selinux issue which had been reported several years ago about the .ca-certificate.
https://bugzilla.redhat.com/show_bug.cgi?id=1074830 .
The selinux troubleshooter gave me precisely this and I tried moving the certificate but I still get the same message about the mismatched password. So then I tried to switch selinux off by entering setenforce 0 as root. That did not help.

Same thing happens if I try to connect after having supplied the connection password.

All efforts above according to posts here and there in various fora. So what is going on here?

My best guess is that this has to do with my user being authenticated by an LDAP-server. If so what should I do? Is it possible to solve this problem for this user? Must I create a locally authenticated user? If so does it suffice to do what the selinux troubleshooter suggests:

Code: Select all

SELinux is preventing /usr/sbin/openvpn from open access on the file /home/gostal/Downloads/vpn/Integrity_OpenVPN_v3/ca.crt.

*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to mv ca.crt to standard location so that openvpn can have open access
Then you must move the cert file to the ~/.cert directory
Do
# mv /home/gostal/Downloads/vpn/Integrity_OpenVPN_v3/ca.crt ~/.cert
# restorecon -R -v ~/.cert


*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to modify the label on ca.crt so that openvpn can have open access on it
Then you must fix the labels.
Do
# semanage fcontext -a -t home_cert_t /home/gostal/Downloads/vpn/Integrity_OpenVPN_v3/ca.crt
# restorecon -R -v /home/gostal/Downloads/vpn/Integrity_OpenVPN_v3/ca.crt
or do I have to disable selinux?

Thanks for any help.

Cheers,
gostal

Re: Problems setting up openvpn client

Posted: 2019/12/13 12:27:52
by TrevorH
I'd start by moving it to the location it tells you is the recommneded place for it and then restorecon the file.

Re: Problems setting up openvpn client

Posted: 2019/12/13 14:33:59
by gostal
TrevorH wrote:
2019/12/13 12:27:52
 I'd start by moving it to the location it tells you is the recommneded place for it and then restorecon the file.
I already did that and tried to say so but perhaps I didn't express myself clear enough. But be that as it may, the problem persists even if I turn selinux off which I also tried to say. But reading now in the guide it's clear that setenforce 0 only puts selinux in a permissive mode, not entirely disabling it. Question is: is it permissive enough? I guess one way of finding out if moving the certificate clears the selinux issue is to try and delete the record of it and try to connect and se if it reappears. So far I don't know since it did not help to move the *.ca file and do

Code: Select all

restorecon -R -v ~/.cert
Is it enough just to hit the delete button in the troubleshooter window to clear the record or does that only put the record in a bug-me-not state?

Re: Problems setting up openvpn client

Posted: 2019/12/13 14:46:05
by TrevorH
Yes, permissive is enough so you have a non-selinux problem elsewhere.

Re: Problems setting up openvpn client

Posted: 2019/12/13 18:07:56
by gostal
I have successfully solved the selinux problem by moving also the file tls.key to ~/.cert and running again restorecon -R -v ~/.cert so clearly the problem lies elsewhere now. I deleted the selinux alerts and didn't get a new one. Just wanted to confirm.

I found this page:
https://www.sbarjatiya.com/notes_wiki/i ... or_openVPN
apparently notes pertaining to CentOS 6.x

So it would seem that the problem is tied to the LDAP authentication which was my initial guess. There is a package openvpn-auth-ldap in the repos and which the web page instructs to install. So I did and tried to start following the instructions but realized that some of them were modifications in the LDAP server, which I don't have access to. Also things may have changed since 6.x and the instructions may not be valid any more so the next thing I will try is to create a local user and try to set up the connection there. At least now I know how to satisfy selinux.

Re: Problems setting up openvpn client

Posted: 2019/12/15 13:58:50
by gostal
So now I created a local user and it still does not work. I get this:

Code: Select all

nmcli connection up Bahnhof
Error: Connection activation failed: Unknown reason
No problem saving the connection password, though, and the service is enabled:

Code: Select all

systemctl status openvpn@Bahnhof
● openvpn@Bahnhof.service - OpenVPN Robust And Highly Flexible Tunneling Application On Bahnhof
   Loaded: loaded (/usr/lib/systemd/system/openvpn@.service; enabled; vendor preset: disabled)
   Active: inactive (dead)
Make available to other users is checked in the settings window reachable from the network symbol in the top panel(Gnome 3 Classic).
Connection definition at /etc/NetworkManager/system-connections (sensitive info masked):

Code: Select all

[connection]
id=Bahnhof
uuid=2fe4e99a-7321-405a-940c-943f9b9c6d03
type=vpn
permissions=

[vpn]
ca=/home/gostal/.cert/ca.crt
cipher=aes-256-cbc
comp-lzo=adaptive
connection-type=password
dev=tun
ns-cert-type=server
password-flags=1
remote=openvpn.integrity.st:1196, openvpn2.integrity.st:1196, openvpn3.integrity.st:1196, openvpn4.integrity.st:1196
remote-random=yes
reneg-seconds=0
ta=/home/gostal/Downloads/vpn/Integrity_OpenVPN_v3/tls.key
ta-dir=1
username=*****
service-type=org.freedesktop.NetworkManager.openvpn

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
ip6-privacy=0
method=auto
I noticed an odd thing, though. If I fire up nm-connection-editor the info there is not the same as that in the settings window reachable via the panel. There is no indication of a saved password. Should not the same information be picked up both ways?

Ideas, anyone?

Re: Problems setting up openvpn client

Posted: 2019/12/16 06:28:20
by aks
For "other" (non OpenVPN) connections, I've found that the password is stored in the Gnome keyring (I used seahorse to check this). That maybe where your password is?

Re: Problems setting up openvpn client

Posted: 2019/12/17 09:56:12
by gostal
Problem solved!

Although selinux was satisfied by moving the certificates to ~/.cert openvpn was not. An examination
of /var/log/messages showed that openvpn still expected the file tls.key to be found in the original
location. A look at the connection file under /etc/NetworkManager/system-connections showed that
although I had run restorecon -R -v ~/.cert after having, on selinux troubleshooter's suggestion,
moved also the file tls.key to ~/.cert the location in the connection file was not updated. I tried
editing it manually but it did not help so I decided to wipe it clean and start afresh with nothing under
/etc/NetworkManager/system-connections. To be on the safe side I also put selinux in permissive mode:

Code: Select all

sudo setenforce 0
Then again

Code: Select all

sudo nmcli connection import type openvpn file /path-to-.ovpn-file
as my newly created local user. I opened the connection editor via the network panel icon, entered the connection
username and password under the Identity tab, hit Apply and tried to connect. It turned out that selinux was not
sleeping at all in permissive mode. The same alerts showed up as before but the connection came up. Good!
However, after a while the connection timed out. My guess is because selinux wasn't quite happy. To make it
happy this time I opted for the other suggestion:

Code: Select all

*****  Plugin openvpn (47.5 confidence) suggests   ***************************

If you want to modify the label on ca.crt so that openvpn can have open access on it
Then you must fix the labels.
Do
# semanage fcontext -a -t home_cert_t /path-to-original-location-of-ca.crt
# restorecon -R -v /path-to-original-location-of-ca.crt
The first command I had to run with sudo. As before the same selinux alert came up but this time regarding
tls.key and I opted again to fix the labels. Finally I turned selinux back on with sudo setenfoce 1
and tried to connect. The connection was established without any more selinux alerts coming up and so far
the connection has been stable for about 1 and a half hours so I believe that I finally got it solved. But for
some reason the VPN ip is blacklisted so I had to turn the VPN connection off in order to post this.

Cheers,
gostal
All times are UTC
Page 1 of 1

Powered by phpBB® Forum Software © phpBB Limited