The problem was that it didn't work after following some instructions on the web (like this one: http://dillidba.blogspot.com/2017/02/install-openvpn-on-centos-with-google.html).
My openvpn log was showing this error:
PLUGIN_CALL: POST /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so/PLUGIN_AUTH_USER_PASS_VERIFY status=1
PLUGIN_CALL: plugin function PLUGIN_AUTH_USER_PASS_VERIFY failed with status 1: /usr/lib64/openvpn/plugins/openvpn-plugin-auth-pam.so
TLS Auth Error: Auth Username/Password verification failed for peer
Then after that, I checked /var/log/secure:
openvpn(pam_google_authenticator)[20015]: Accepted google_authenticator for vpn_user
openvpn(pam_google_authenticator)[20015]: Failed to update secret file "/etc/openvpn/google-authenticator/vpn_user": Permission denied
Then after that, I checked /var/log/audit/audit.log:
sudo cat /var/log/audit/audit.log | grep openvpn | grep denied
type=AVC msg=audit(1547603809.897:49734): avc: denied { unlink } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547604668.769:49823): avc: denied { unlink } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547604713.435:49829): avc: denied { unlink } for pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547605092.191:49860): avc: denied { unlink } for pid=21207 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
And finally, I fixed it:
sudo cat /var/log/audit/audit.log | grep openvpn | grep denied | audit2allow -M myopenvpn
semodule -i myopenvpn.pp
Now I can connect to OpenVPN by supplying the password and the 6-digit number from Google Authenticator.
So the conclusion is: you always need to check SELinux permissions when writing something to non-standard locations, as in my case.
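A note on what that fix actually grants. The AVC lines say it all: pam_google_authenticator rewrites the user's secret file after each successful login (hence "Failed to update secret file"), and the denial is openvpn_t trying to unlink a file labelled openvpn_etc_t, a type the policy treats as read-only configuration for the openvpn process. Piping every line that matches "openvpn" and "denied" into audit2allow turns each distinct denial into an allow rule, so before running semodule -i it is worth reading the generated myopenvpn.te and confirming it contains only the rules you expect. On a live box the tighter query is ausearch -m AVC -c openvpn, which filters on the comm field rather than on a substring of the whole line. The script below is an added example, not code from the original post: it parses audit-style AVC records offline, keeps only those for a given comm, collapses duplicates, and prints the allow rules and a minimal .te module, which is a readable preview of what audit2allow would produce. The sample audit lines are embedded in the script: the first two are copies of the denials above, the httpd line is constructed to show the comm filter working. The names SAMPLE_AUDIT_LOG, avc_rules and build_te are my own.

```shell
#!/bin/sh
# Added example (not from the original post): preview the SELinux allow rules
# implied by AVC denials for one process before handing them to audit2allow.

# Constructed sample audit log. Lines 1-2 are the real openvpn denials from the
# post (duplicates on purpose); line 3 is a made-up httpd denial used to show
# that filtering happens on the comm= field, not on a substring of the line.
SAMPLE_AUDIT_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT_LOG"' EXIT
cat >"$SAMPLE_AUDIT_LOG" <<'EOF'
type=AVC msg=audit(1547603809.897:49734): avc:  denied  { unlink } for  pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547604668.769:49823): avc:  denied  { unlink } for  pid=20015 comm="openvpn" name="vpn_user" dev="xvda1" ino=4711785 scontext=system_u:system_r:openvpn_t:s0 tcontext=unconfined_u:object_r:openvpn_etc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1547604800.000:49950): avc:  denied  { name_connect } for  pid=3000 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
EOF

# avc_rules LOGFILE COMM
# Prints one "allow SRC_TYPE TGT_TYPE:CLASS PERMS;" line per distinct denial
# whose comm field equals COMM. Duplicate AVCs (same source, target, class and
# permission) are collapsed, which is what makes the .te readable.
avc_rules() {
    awk -v comm="$2" '
        /type=AVC/ && /avc: *denied/ && index($0, "comm=\"" comm "\"") {
            perm = ""; s = ""; t = ""; c = ""
            # permissions sit between braces, e.g. "{ unlink }" or "{ read write }"
            if (match($0, /\{ *[^}]* *\}/)) {
                perm = substr($0, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") s = kv[2]
                else if (kv[1] == "tcontext") t = kv[2]
                else if (kv[1] == "tclass") c = kv[2]
            }
            # user:role:type:level -> keep only the type, which is what rules use
            split(s, sp, ":"); split(t, tp, ":")
            if (perm ~ / /) perm = "{ " perm " }"
            key = sp[3] " " tp[3] " " c " " perm
            if (!(key in seen)) {
                seen[key] = 1
                print "allow " sp[3] " " tp[3] ":" c " " perm ";"
            }
        }' "$1"
}

# build_te MODULE LOGFILE COMM
# Wraps the rules from avc_rules in a minimal policy module source (.te) with
# the require block that checkmodule needs, in the same shape audit2allow -M
# writes to MODULE.te.
build_te() {
    mod=$1; shift
    avc_rules "$@" | awk -v mod="$mod" '
        {
            split($3, tc, ":")            # $3 is TGT_TYPE:CLASS
            types[$2] = 1; types[tc[1]] = 1
            p = $0
            sub(/^[^ ]+ [^ ]+ [^ ]+ /, "", p)   # drop "allow SRC TGT:CLASS "
            sub(/;$/, "", p); gsub(/[{}]/, "", p)
            n = split(p, ps, " ")
            for (i = 1; i <= n; i++) cperm[tc[2] " " ps[i]] = 1
            rules[NR] = $0
        }
        END {
            print "module " mod " 1.0;\n\nrequire {"
            for (t in types) print "    type " t ";"
            for (k in cperm) { split(k, a, " "); cp[a[1]] = cp[a[1]] " " a[2] }
            for (c in cp) print "    class " c " {" cp[c] " };"
            print "}\n"
            for (i = 1; i <= NR; i++) print rules[i]
        }'
}

# Usage: preview the module for the openvpn denials in the sample log.
build_te myopenvpn "$SAMPLE_AUDIT_LOG" openvpn
```

Read the printed rules the same way you would read myopenvpn.te: here the only thing being granted is unlink on openvpn_etc_t files, which is exactly the operation the secret-file rewrite needs, so the module is as narrow as the symptom. If the preview shows rules for an unrelated type or class, grep matched more than you meant, and the fix is to tighten the filter, not to install the module.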