How to Fix SELinux Blocking OpenVPN on AlmaLinux 10
On AlmaLinux 10, SELinux is in a strict enforcing state by default. Since OpenVPN version 2.7+ has updated permissions and security policies, certificate files or custom logs in non-default paths will cause OpenVPN to fail to start and report errors.
1. Fixing Certificate and Configuration File Path Labels: The OpenVPN process is in the openvpn_t security domain in SELinux.
If your keys and certificates are stored in a custom directory (such as /root/ or /home/), SELinux will directly block them.
Standard practice: Move all .conf, .crt, and .key files to the officially specified directory /etc/openvpn/.
Restore Context: Execute the following command to restore the files to the correct SELinux context label (openvpn_etc_t):
sudo restorecon -Rv /etc/openvpn/
2. Fix Log and Status File Permissions: In newer versions of OpenVPN, logging to custom paths (such as writing to `/var/log/openvpn/`) can easily be denied.
If you must use a custom log file, execute the following command to modify the SELinux type of that directory:
sudo mkdir /var/log/openvpn
sudo touch /var/log/openvpn/openvpn.log
sudo restorecon -v /var/log/openvpn/openvpn.log
sudo semanage fcontext -a -t openvpn_var_log_t "/var/log/openvpn(/.*)?"
sudo restorecon -Rv /var/log/openvpn
3. Enabling SELinux Network Boolean Values: Sometimes SELinux disables OpenVPN forwarding or initiating external network connections by default. It's necessary to enable the relevant boolean value switches:
bashsudo setsebool -P openvpn_can_network_connect on
4. Automatically capture logs and generate customized allow policies. Temporarily switch SELinux to permissive mode (only record, do not intercept, and obtain complete error logs):
sudo setenforce 0
5. Restart the OpenVPN service to trigger a complete connection stream:
sudo systemctl restart openvpn-server@server
6. Automatically compile the release module based on logs.
sudo grep openvpn /var/log/audit/audit.log | audit2allow -M my_openvpn_policy
7. Load the newly generated strategy module
sudo semodule -i my_openvpn_policy.pp
8. Restore SELinux strict blocking mode
sudo setenforce 1
9. Final Inspection
sudo systemctl status openvpn-server@server
10.View the Detailed OpenVPN Application Logs
sudo journalctl -xeu openvpn-server@server.service
11.Check for Hidden SELinux Denials
sudo grep "avc: denied" /var/log/audit/audit.log | tail -n 10
12.Locate the Configuration File
sudo find / -name "*server*.conf" -o -name "openvpn.conf" 2>/dev/null
13.Copy the Sample Configuration File
sudo cp /usr/share/doc/openvpn/sample/sample-config-files/server.conf /etc/openvpn/server/server.conf
14.Apply SELinux Contexts
sudo restorecon -Rv /etc/openvpn/server/
15.Install the Custom SELinux Policy Properly
sudo semodule -i my_openvpn_policy.pp
16.Comment Out Missing Certificates (For Testing)
sudo journalctl -n 20 -u openvpn-server@server.service
17.Install Easy-RSA
sudo dnf install -y easy-rsa
18.Initialize the PKI and Build the Certificates
# Set up the workspace
mkdir ~/openvpn-ca && cd ~/openvpn-ca
/usr/share/easy-rsa/3/easyrsa init-pki
# 1. Build the Certificate Authority (Press Enter when prompted for a common name)
/usr/share/easy-rsa/3/easyrsa build-ca nopass
# 2. Generate the Server Key and Certificate
/usr/share/easy-rsa/3/easyrsa gen-req server nopass
/usr/share/easy-rsa/3/easyrsa sign-req server server # Type 'yes' to confirm
# 3. Generate Diffie-Hellman parameters (Required for security)
/usr/share/easy-rsa/3/easyrsa gen-dh
19.Copy the Generated Files to OpenVPN
sudo cp pki/ca.crt pki/dh.pem pki/issued/server.crt pki/private/server.key /etc/openvpn/server/
20.Fix SELinux Contexts & Start the Service
sudo restorecon -Rv /etc/openvpn/server/
sudo systemctl restart openvpn-server@server.service
21. Enable Auto-Start on Boot
sudo systemctl enable openvpn-server@server.service
22. Use audit2allow to generate antivirus evasion patch.
sudo grep openvpn /var/log/audit/audit.log | audit2allow -M almalinux10_openvpn_netlink
23. Import the policy using sudo privileges.
sudo semodule -i almalinux10_openvpn_netlink.pp
24. Restart the service and restore strict mode.
# Ensure SELinux is back to enforcing mode
sudo setenforce 1
# Restart OpenVPN to verify it still works perfectly in enforcing mode
sudo systemctl restart openvpn-server@server.service
25. Enable Linux Kernel Network Forwarding (IP Forwarding)
# Temporarily enable network forwarding
sudo sysctl -w net.ipv4.ip_forward=1
# Permanently write to the configuration file to prevent loss after reboot
echo "net.ipv4.ip_forward = 1" | sudo tee /etc/sysctl.d/99-openvpn-forward.conf
sudo sysctl --system
26. Configure the firewall (firewalld) to allow ports and traffic
# 1. Allow traffic to the default port of the OpenVPN service
sudo firewall-cmd --permanent --add-service=openvpn
# 2. If you changed the default port (e.g., to a port other than 1194), manually allow it using the following command:
# sudo firewall-cmd --permanent --add-port=1194/udp
# 3. Enable NAT (Network Address Translation) so that clients can access the internet through the server's network card
sudo firewall-cmd --permanent --add-masquerade
# 4. Reload the firewall configuration to make all policies take effect immediately
sudo firewall-cmd --reload
27. Final Verification
sudo firewall-cmd --list-all
28. Prepare the necessary certificate files for the client
cd ~/openvpn-ca
# Generate a client key and certificate named client1 (press Enter to confirm all the way through, and enter yes in the last step)
/usr/share/easy-rsa/3/easyrsa gen-req client1 nopass
/usr/share/easy-rsa/3/easyrsa sign-req client client1
29. Write the client .ovpn configuration file
Paste the following general template (please replace "your server's public IP address" with your actual public or local area network IP address):
30. Connection Test
Download or send the prepared client.ovpn file to your test computer/phone.
Import the file using the OpenVPN Connect client and click Connect.
Explore More
› How to Fix SELinux Blocking PrivateVPN on AlmaLinux 10