-
Notifications
You must be signed in to change notification settings - Fork 152
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support OpenVPN3 on Fedora Silverblue #229
Comments
Source: #171 (comment) |
Thank you for creating this ticket. I'll pay attention to this and will help out as needed. I can't promise we will manage any needed fixes for the next v22_dev release, but this will get priority after that release. Any help here in the meantime will surely be appreciated. Some debug tricks for this issue. Since it seems to be related to First, enable the a) Inspecting D-Bus communicationBecome the
b) Step-by-step start of a VPN session, to attach
|
I also forgot, you can start all the background services manually in a similar way to All these processes with the exception of the Another thing to test is also to run the system with SELinux in permissive mode. Also inspect the |
This might be far simpler than expected. I completely forgot about SELinux, so tried setting it to permissive and retrying the connection, and it worked 🎉 OpenVPN3 with OpenVPN Cloud + SSO + split tunneling worked! So I guess we may just need to work out the correct SELinux settings? (I say this knowing nothing about SELinux, so happy to be told it's more work) Here are some logs I think may be relevant:
(Note: This is still using the development build) |
Wow! That's awesome! That denial looks like something which there should already be an SELinux policy for. Can you check that the
If not, then you need to run this command:
|
The
After running Note: Now that I've enabled Error logs:
|
That's odd, as that should have happened during the |
Might also be worth checking the output of |
Correct, two policies are listed
I'm going back to your original comment with the dbus debugging steps |
Just a quick thought appeared as I looked at the openvpn3.spec file. Can you, as root, run |
|
That generally looks good. If those |
Checking this, and they don't actually exist. I guess I may need to manually create those json files too to get it working with SELinux enabled?
|
This line looks wrong (from
That need to be owned by |
I may be misunderstanding, but I believe this just means
Edit: Current directory permissions are 0750. Trying to change to one you mentioned previously |
Yeah, this is correct:
The |
After chowning from 0750 to 0600, I was unable to connect to the VPN with SELiunx permissive and received permission denied errors on
|
Duh! I meant |
The |
Ah, with
|
Okay, so it's now currently experienced as a pure SELinux related issue? It connects and works as expected with SELinux in |
It all appears functional with SELinux in permissive, although I doubt my use-case hits the full functionality of the app. The main issue is when SELinux is enforced. There are a few workarounds required (like manually creating Previously (before the glib development build) connecting even with SELinux permissive failed, so there were definitely improvements made with the new builds. |
This is actually quite good news, I would say. If you have had a chance to test user/password authentication, then the most critical code paths should have been good enough tested. The last auth method is web-based authentication, but those code paths aren't really modified (the Thanks a lot so far for all testing. I'll try to get a Silverblue VM running and will debug the SELinux issues. At this point the I believe we can manage to squeeze in a fix for this in the v22_dev release - unless a completely new policy is required. |
Regarding:
I think I'll make the |
I don't believe generating these in the You can see the install steps at the PR below: My guess would be to create these files if not exists the first time |
Hmmm ... I see. Well, using the appropriate way to have these directories persistent from install and done according to Silverblue standards should be the main goal. I don't want us to hack something which may break in the future. I'm just wondering how other applications which needs persistent data solves this? Are there some Silverblue packaging/composition guides somewhere which can be studied? If there are better "persistent state directories" to use than Is there an appropriate mailing list where such things is being discussed? I'm already on the Fedora devel list. |
General packaging rules:
Only the first two are available during package installation. |
No worries, @p5! I'm considering alternatives to have a more flexible model in regards to In regards to dynamic UIDs, that should not be an issue. The user and group names are compile-time set to |
That sounds reasonable (I'm a long time Fedora package maintainer for the Several of the auto-started D-Bus services will store their runtime modified settings in |
|
Has there been progress on this possibility of supporting (providing packages) for openvpn3 on Fedora Silverblue? I've tried following the openvpn-3-client-for-linux as well as tried the community OpenVPN3 Linux documentation. |
@bcdady Unfortunately, not yet - at least not from my side. It is on my todo-list, but unfortunately it's not surfaced as a high-priority issue currently. That said, I'm interested to get this working! If anyone has some time available to dig into this further, I would appreciate all the help we can get. That's the quickest way to resolve this sooner than waiting on me getting to this. The challenge is to get something working with the "first runtime setup", which is adding a challenge since |
Hi. I'm also on Bluefin DX and is not able to connect to OpenVPN either Network Manager OpenVPN nor the indicator. The indicator was really slow and unresponsive until I manually created |
OK. I just got it working. I had to do these manual steps:
Restart openvpn3 (can be done via starting indicator) and you should be good to go! Now, I've to find out how to achieve these while building my bluefin image or wait for these to get fixed upstream :) |
Hey @tunix I'm one of the Bluefin maintainers 😁 I've since moved companies, and no longer use OpeVPN. I never resolved this myself consistently (being honest, I didn't try very hard though), but glad you got it working! Creating, chowning and setting permissions on the directory can be done using systemd tmpfiles. Bluefin has a few examples of this, used for swtpm and some libvirt permission fixes. Unsure about the sebool stuff, but I'll have a quick look. It's probably a file that can be dropped in somewhere. If these are all done during image build, there's probably no need to pkill the service, so thats one less step to worry about. And the init-config could possibly be ran on boot, as a systemd oneshot service (assuming it's idempotent and will not mess with any client VPN configurations. This is probably not the approach OpenVPN would want to do to update their app, but it's a way that we should be able to fix it for us at least. I'm on mobile right now, so apologies for the rushed answer (and probably all the typos). I'll try and fill this out a bit more in a few days - when I have access to a laptop. |
As discussed in #171, we will move Fedora Silverblue (and similar ostree-based OSes) to a separate issue as there are some additional things we need to work around.
Right now using the development build provided by dsommers, we are receiving a fatal error from DBus after trying to establish a connection to the server.
Summary of current issues:
/var
is not writable and therefore/var/lib/openvpn3/configs
is not created, causing an error. A workaround is to manually create this directory in a booted system.Error:
I will try and provide some additional information if I can find it out.
The text was updated successfully, but these errors were encountered: