How to Fix SELinux Blocking OpenVPN on AlmaLinux 10

Published: 2026-06-02
Google AdSense 广告位 (待申请通过后开启)

On AlmaLinux 10, SELinux is in a strict enforcing state by default. Since OpenVPN version 2.7+ has updated permissions and security policies, certificate files or custom logs in non-default paths will cause OpenVPN to fail to start and report errors.

1. Fixing Certificate and Configuration File Path Labels: The OpenVPN process is in the openvpn_t security domain in SELinux.

If your keys and certificates are stored in a custom directory (such as /root/ or /home/), SELinux will directly block them.

Standard practice: Move all .conf, .crt, and .key files to the officially specified directory /etc/openvpn/.

Restore Context: Execute the following command to restore the files to the correct SELinux context label (openvpn_etc_t):

sudo restorecon -Rv /etc/openvpn/

2. Fix Log and Status File Permissions: In newer versions of OpenVPN, logging to custom paths (such as writing to `/var/log/openvpn/`) can easily be denied.

If you must use a custom log file, execute the following command to modify the SELinux type of that directory:

sudo mkdir /var/log/openvpn

sudo touch /var/log/openvpn/openvpn.log

sudo restorecon -v /var/log/openvpn/openvpn.log

sudo semanage fcontext -a -t openvpn_var_log_t "/var/log/openvpn(/.*)?"

sudo restorecon -Rv /var/log/openvpn

3. Enabling SELinux Network Boolean Values: Sometimes SELinux disables OpenVPN forwarding or initiating external network connections by default. It's necessary to enable the relevant boolean value switches:

bashsudo setsebool -P openvpn_can_network_connect on

4. Automatically capture logs and generate customized allow policies. Temporarily switch SELinux to permissive mode (only record, do not intercept, and obtain complete error logs):

sudo setenforce 0

5. Restart the OpenVPN service to trigger a complete connection stream:

sudo systemctl restart openvpn-server@server

6. Automatically compile the release module based on logs.

sudo grep openvpn /var/log/audit/audit.log | audit2allow -M my_openvpn_policy

7. Load the newly generated strategy module

sudo semodule -i my_openvpn_policy.pp

8. Restore SELinux strict blocking mode

sudo setenforce 1

9. Final Inspection

sudo systemctl status openvpn-server@server

10.View the Detailed OpenVPN Application Logs

sudo journalctl -xeu openvpn-server@server.service

11.Check for Hidden SELinux Denials

sudo grep "avc: denied" /var/log/audit/audit.log | tail -n 10

12.Locate the Configuration File

sudo find / -name "*server*.conf" -o -name "openvpn.conf" 2>/dev/null

13.Copy the Sample Configuration File

sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/server.conf

14.Apply SELinux Contexts

sudo restorecon -Rv /etc/openvpn/server/

15.Install the Custom SELinux Policy Properly

sudo semodule -i my_openvpn_policy.pp

16.Comment Out Missing Certificates (For Testing)

sudo journalctl -n 20 -u openvpn-server@server.service

17.Install Easy-RSA

sudo dnf install -y easy-rsa

18.Initialize the PKI and Build the Certificates

# Set up the workspace

mkdir ~/openvpn-ca && cd ~/openvpn-ca

/usr/share/easy-rsa/3/easyrsa init-pki

# 1. Build the Certificate Authority (Press Enter when prompted for a common name)

/usr/share/easy-rsa/3/easyrsa build-ca nopass

# 2. Generate the Server Key and Certificate

/usr/share/easy-rsa/3/easyrsa gen-req server nopass

/usr/share/easy-rsa/3/easyrsa sign-req server server # Type 'yes' to confirm

# 3. Generate Diffie-Hellman parameters (Required for security)

/usr/share/easy-rsa/3/easyrsa gen-dh

19.Copy the Generated Files to OpenVPN

sudo cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/server/

20.Fix SELinux Contexts & Start the Service

sudo restorecon -Rv /etc/openvpn/server/

sudo systemctl restart openvpn-server@server.service

21. Enable Auto-Start on Boot

sudo systemctl enable openvpn-server@server.service

22. Use audit2allow to generate antivirus evasion patch.

sudo grep openvpn /var/log/audit/audit.log | audit2allow -M almalinux10_openvpn_netlink

23. Import the policy using sudo privileges.

sudo semodule -i almalinux10_openvpn_netlink.pp

24. Restart the service and restore strict mode.

# Ensure SELinux is back to enforcing mode

sudo setenforce 1

# Restart OpenVPN to verify it still works perfectly in enforcing mode

sudo systemctl restart openvpn-server@server.service

25. Enable Linux Kernel Network Forwarding (IP Forwarding)

# Temporarily enable network forwarding

sudo sysctl -w net.ipv4.ip_forward=1

# Permanently write to the configuration file to prevent loss after reboot

echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-openvpn-forward.conf

sudo sysctl --system

26. Configure the firewall (firewalld) to allow ports and traffic

# 1. Allow traffic to the default port of the OpenVPN service

sudo firewall-cmd --permanent --add-service=openvpn

# 2. If you changed the default port (e.g., to a port other than 1194), manually allow it using the following command:

# sudo firewall-cmd --permanent --add-port=1194/udp

# 3. Enable NAT (Network Address Translation) so that clients can access the internet through the server's network card

sudo firewall-cmd --permanent --add-masquerade

# 4. Reload the firewall configuration to make all policies take effect immediately

sudo firewall-cmd --reload

27. Final Verification

sudo firewall-cmd --list-all

28. Prepare the necessary certificate files for the client

cd ~/openvpn-ca

# Generate a client key and certificate named client1 (press Enter to confirm all the way through, and enter yes in the last step)

/usr/share/easy-rsa/3/easyrsa gen-req client1 nopass

/usr/share/easy-rsa/3/easyrsa sign-req client client1

29. Write the client .ovpn configuration file

Paste the following general template (please replace "your server's public IP address" with your actual public or local area network IP address):

vim ~/client.ovpn
client
dev tun
proto udp
remote Your server's public IP address 1194
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3

<ca>
# Please copy and paste the text content of ~/openvpn-ca/pki/ca.crt here.
</ca>

<cert>
# Please copy and paste the text content of ~/openvpn-ca/pki/issued/client1.crt here
# (Only keep the part between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----)
</cert>

<key>
# Please copy and paste the text content of ~/openvpn-ca/pki/private/client1.key here.
</key>

30. Connection Test

Download or send the prepared client.ovpn file to your test computer/phone.

Import the file using the OpenVPN Connect client and click Connect.

Explore More

Technology Guides →

How to Fix SELinux Blocking PrivateVPN on AlmaLinux 10

How to Fix Eclipse Startup Errors on AlmaLinux 10

Southeast Asia Insights →