Centos 7 and OpenVPN: how make them friends

centoscentos7openvpnselinux

I'm trying to install OpenVPN server on Centos 7 and faced with next problem:

[root@msk ~]# /etc/init.d/openvpn start
Starting openvpn (via systemctl):                          [  OK  ]
[root@msk ~]# ps aux | grep openvpn
root      5639  0.0  0.0 112640   980 pts/6    S+   12:54   0:00 grep --color=auto openvpn
[root@msk ~]# service openvpn start
Starting openvpn (via systemctl):                          [  OK  ]
[root@msk ~]# ps aux | grep openvpn
root      5657  0.0  0.0 112640   980 pts/6    S+   12:54   0:00 grep --color=auto openvpn
[root@msk ~]#

As you can see – nothing happens.

But if i'll try to start it with single command: openvpn --daemon --writepid /var/run/openvpn/openvpn.pid --config /etc/openvpn/server.conf --cd /etc/openvpn it works nice.

I think problem is selinux. And I don't want to disable it at all.

Could you point me where is error?

Best Answer

CentOS 7 uses systemd to control system service daemons. That you are using init scripts suggests that you have installed your openvpn without using a package manger ( the openvpn-2.3.2-4.el7 rpm doesn't contain init scripts)

I think at this point, rather than trying to debug and use init scripts it would be better to remove your current installation and then install and configure the natively supported package. Something like

yum install openvpn
systemctl enable openvpn@service.service

systemctl start openvpn@server.service
systemctl status -l openvpn@server.service

Notice the use of openvpn@server, this relates to the /etc/openvpn configuration file which in this case would be expected to be /etc/openvpn/server.conf. If for example you had openvpn listening on port 443 you could

systemctl enable openvpn@port443.service

and you would complement that with a /etc/openvpn/port443.conf.

Related Solutions

OpenVPN Port-Share with Apache 443/10443 – Troubleshooting

I finally found the answer to this problem.

Despite firewall rules seems correct, the fact that openvpn were listening on a different host (public ip) than apache was the problem. Using same host (and public ip) for openvpn and apache solved it.

OpenVPN SELinux Permission Denied

A quick fix would be to change the log file to be /var/log/openvpn-status.log as the openvpn process is running as openvpn_t and it has permission within the policy to write to files labelled var_log_t (as /var/log should be).

The default context for /var/log/openvpn is openvpn_var_log_t

matchpathcon /var/log/openvpn
/var/log/openvpn        system_u:object_r:openvpn_var_log_t:s0

A longer process that requires slightly more management is to allow openvpn_t to write to openvpn_var_log_t which is the context that /var/log/openvpn gets e.g.

echo "host kernel: type=1400 audit(1384344598.334:39761): avc:  denied  { read write } for  pid=5777 comm="openvpn" name="openvpn" dev=dm-0 ino=54527865 scontext=unconfined_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_var_log_t:s0 tclass=dir" | audit2allow -M localOpenVpn

which will generate a .pp file that you can install

semodule -i localOpenVpn.pp

Don't forget to store the localOpenVpn.te and localOpenVpn.pp somewhere safe.

For Jiri Xichtkniha

If you look at the generated .te file amongst other things it says

#============= openvpn_t ==============  
#!!!! The source type 'openvpn_t' can write to a 'dir' of the following types:
# net_conf_t, pcscd_var_run_t, openvpn_etc_t, openvpn_tmp_t, openvpn_var_run_t, 
  tmp_t, etc_t, var_run_t, var_log_t, krb5_host_rcache_t, tmp_t, cluster_var_lib_t,
  cluster_var_run_t, root_t, cluster_conf_t

Note that openvpn_var_log_t isn't listed.

Best Answer

Related Solutions

OpenVPN Port-Share with Apache 443/10443 – Troubleshooting

OpenVPN SELinux Permission Denied

Related Topic