Wednesday, May 22, 2013

Custom OpenVPN port with SELinux enabled

Today I had to set up an OpenVPN client connecting to a server on a non-standard port.
Having SELinux enabled always makes such things more "interesting".
The OpenVPN service started, but in the logs I found the following alerts:

May 22 11:26:30 rhs333 setroubleshoot: SELinux is preventing the openvpn (openvpn_t) from connecting to port 5517. For complete SELinux messages. run sealert -l afe57636-f6d8-4df9-b9c3-1f2d25784025

You can find currently allowed ports by running:

# semanage port -l | grep openvpn_port_t
openvpn_port_t                 tcp       1194, 9997
openvpn_port_t                 udp      1194


Adding a non-standard port is easy:
# semanage port -a -t openvpn_port_t -p tcp  5517

Finally, restart the openvpn service and it should work fine.
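
An added example (not from the original post): a shell helper that reads `semanage port -l` output and reports whether the port is already allowed for the type, can be added with `-a`, or already has its own entry under another type, in which case `semanage port -a` fails with "already defined" and `-m` is needed. The function names and the sample listing are constructed for illustration.

```sh
#!/bin/sh
# Added example. SAMPLE is a constructed `semanage port -l` listing.
SAMPLE='SELinux Port Type              Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
openvpn_port_t                 tcp      1194, 9997
openvpn_port_t                 udp      1194
unreserved_port_t              tcp      1024-32767'

# port_action TYPE PROTO PORT: reads `semanage port -l` output on stdin, prints
#   ok      PORT is already covered by a TYPE entry for PROTO
#   modify  PORT has its own entry under another type (`-a` fails, use `-m`)
#   add     no exact entry exists; a broad range of another type does not count
port_action() {
    awk -v want="$1" -v proto="$2" -v port="$3" '
        $2 == proto {
            # Rejoin the comma-separated port list (fields 3..NF), then split it.
            list = ""
            for (i = 3; i <= NF; i++) list = list $i
            n = split(list, items, ",")
            for (i = 1; i <= n; i++) {
                lo = hi = items[i]
                if (split(items[i], r, "-") == 2) { lo = r[1]; hi = r[2] }
                if (port + 0 < lo + 0 || port + 0 > hi + 0) continue
                if ($1 == want) covered = 1
                else if (lo + 0 == hi + 0) clash = 1
            }
        }
        END { print (covered ? "ok" : (clash ? "modify" : "add")) }
    '
}

# label_port TYPE PROTO PORT: apply the decision on a live system (needs root).
# "modify" takes the port away from the type that currently owns it, so check
# which service relies on that label before running it.
label_port() {
    case "$(semanage port -l | port_action "$1" "$2" "$3")" in
        ok)     echo "$2/$3 is already labelled $1" ;;
        add)    semanage port -a -t "$1" -p "$2" "$3" ;;
        modify) semanage port -m -t "$1" -p "$2" "$3" ;;
    esac
}

# Demo on the constructed listing (no SELinux tools needed).
printf '%s\n' "$SAMPLE" | port_action openvpn_port_t tcp 5517   # prints: add
```

On a real host, `label_port openvpn_port_t tcp 5517` performs the same step as the command in the post, but does nothing if the port is already labelled.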
