How to Fix SELinux Blocking PrivateVPN on AlmaLinux 10
In AlmaLinux 10 (GNOME desktop environment), the configuration in version 10.1 wasn't this strict; modifying the firewall could still work. However, after upgrading to 10.2, it stopped working altogether, and now a complete overhaul is needed.
1. Fix SELinux tags in imported files. When NetworkManager starts the OpenVPN client in the background, SELinux requires all associated configuration files and certificates to have specific security tags.
sudo restorecon -Rv /etc/NetworkManager/
2. Allow access via SELinux boolean values related to NetworkManager.
sudo setsebool -P NetworkManager_can_forward_packets on
sudo setsebool -P NetworkManager_connect_all_unlabeled on 2>/dev/null
3. Enable SELinux by setting a boolean value to allow the VPN to read the home directory.
sudo setsebool -P vpn_enable_homedirs on
4. Repair the SELinux-specific security label in the certificate directory.
sudo chcon -R -t home_cert_t /home/jey/.cert/
sudo semanage fcontext -a -t home_cert_t "/home/jey/.cert(/.*)?"
sudo restorecon -Rv /home/jey/.cert/
5. Execute the incomplete policy release command.
sudo setsebool -P vpn_enable_homedirs on
6. Use audit2allow to generate a NetworkManager patch.
sudo grep "comm=\"openvpn\"" /var/log/audit/audit.log | audit2allow -M alma10_nm_vpn_home
7. Load this security patch module
sudo semodule -i alma10_nm_vpn_home.pp
8. Move all VPN certificates to the system's public security directory
# Create a secure system-level certificate storage directory
sudo mkdir -p /var/lib/NetworkManager-openvpn/
# Copy all certificate files from your home directory.
sudo cp -r /home/jey/.cert/nm-openvpn/* /var/lib/NetworkManager-openvpn/
# Assign a dedicated SELinux label to NetworkManager
sudo restorecon -Rv /var/lib/NetworkManager-openvpn/
9. Correct the system read permissions for these files.
sudo chmod 644 /var/lib/NetworkManager-openvpn/*
10. One-click batch modification of certificate paths for all VPN nodes
# Batch replace CA certificate paths and TLS-Auth certificate paths in the configuration file
sudo sed -i 's|/home/jey/.cert/nm-openvpn/|/var/lib/NetworkManager-openvpn/|g' /etc/NetworkManager/system-connections/*.nmconnection
11. Make NetworkManager reload the configuration.
sudo firewall-cmd --reload 2>/dev/null
sudo systemctl reload NetworkManager
12. Full capture strategy for when NetworkManager plugin is blocked
sudo grep -E "NetworkManager|openvpn" /var/log/audit/audit.log | audit2allow -M almalinux10_nm_vpn_final
13. Force load this final patch (Note: Merging the full strategy takes approximately 5-10 seconds; please wait patiently for the terminal prompt to reappear).
sudo semodule -i almalinux10_nm_vpn_final.pp
14. Restart the network service and connect.
sudo systemctl restart NetworkManager
15. Retest
sudo grep "avc: denied" /var/log/audit/audit.log | tail -n 5
16. Modify the directory and refresh to the correct SELinux-specific label
# Permanently register this path as a net_conf_t label type
sudo semanage fcontext -a -t net_conf_t "/var/lib/NetworkManager-openvpn(/.*)?"
# Force refresh to make it take effect immediately
sudo restorecon -Rv /var/lib/NetworkManager-openvpn/
17. Restart the network service and connect.
sudo systemctl restart NetworkManager
18. PrivateVPN connection successful
After downloading a new PrivateVPN node configuration file (.ovpn), simply follow these two steps to quickly allow access:
Place the extracted .pem certificate into /var/lib/NetworkManager-openvpn/
Run a tab refresh:
sudo restorecon -Rv /var/lib/NetworkManager-openvpn/
The most stubborn system-level security restriction on AlmaLinux 10 (RHEL 10).
Root cause: The new SELinux version completely removed the `vpn_enable_homedirs` shortcut switch, cutting off any access to the `/home` user directory by network plugins by default.
Perfect solution: We moved the certificate to the system's public security area `/var/lib/NetworkManager-openvpn/` and precisely assigned it the network trust label `net_conf_t`, thus allowing PrivateVPN to function without lowering the system's security level (maintaining the Enforcing state). Now your global network data is under the encrypted protection of PrivateVPN.
This method works exactly the same on Red Hat Enterprise Linux 10 (RHEL 10):
sudo mkdir -p /var/lib/NetworkManager-openvpn/
# Copy your certificate files (.pem/.crt/.key) into this directory
sudo cp /path/to/your/certificates/* /var/lib/NetworkManager-openvpn/
sudo chmod 644 /var/lib/NetworkManager-openvpn/*
The only difference is binding the official RHEL 10 network tag (net_conf_t).
Since RHEL 10 has completely deprecated the vpn_enable_homedirs switch, the system network component (nm-libnm-helper) must be allowed to read it legally by registering the tag:
sudo semanage fcontext -a -t net_conf_t "/var/lib/NetworkManager-openvpn(/.*)?"
sudo restorecon -Rv /var/lib/NetworkManager-openvpn/
# Batch correct paths
sudo sed -i 's|/home/.*\.cert/nm-openvpn/|/var/lib/NetworkManager-openvpn/|g' /etc/NetworkManager/system-connections/*.nmconnection
# Restart network service for the changes to take effect
sudo systemctl restart NetworkManager
Explore More
› How to Fix SELinux Blocking OpenVPN on AlmaLinux 10