---
title: Importing an OpenVPN Profile on Fedora 36
slug: Importing-OpenVPN-Profile-on-Fedora-36
date: 2022-07-12 00:01:00
tags:
- linux
- networking
---

To access my internal network & self-hosted services while I'm out of the house, I connect to an OpenVPN server running on my firewall.

I recently upgraded to Fedora 36 and discovered (the hard way) that the VPN was _broken_ and I couldn't re-import it. Turns out there are **multiple** bugs in the process that prevent the GUI from "just working" the way it's supposed to.

So, I read through the various bug reports so you don't have to. Here's how to import your OpenVPN connection file into Fedora 36.

My god was this ever a massive pain in the ass.

This assumes you have a `.ovpn` file, a `.key` file (the `tls-auth` key) and a `.p12` bundle holding your CA certificate, client certificate and private key. My VPN is using the "Password with Certificates (TLS)" login type.

Fedora 36 ships OpenSSL 3, which moved the weak algorithms (RC2, DES, MD4 and friends) into a separate "legacy" provider that is off by default. A `.p12` exported with the OpenSSL 1.x defaults wraps the certificates in RC2-40-CBC, so OpenSSL 3 can't read it until that provider is on. To re-enable it, modify `/etc/ssl/openssl.cnf` (on Fedora a symlink to `/etc/pki/tls/openssl.cnf`) and uncomment the lines:

```txt
[openssl_init]
providers = provider_sect
ssl_conf = ssl_module

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Leave `[default_sect] activate = 1` in: once any provider is activated explicitly, OpenSSL stops loading the default provider implicitly, and without it nothing works. Also be aware that this is a system-wide change: every program that uses the system OpenSSL config gets the weak algorithms back, not just OpenVPN. If you'd rather not do that, the alternative is to re-export the `.p12` so it uses OpenSSL 3's defaults (AES-256 with PBKDF2), after which the legacy provider can stay off.

Next, because of an OpenVPN bug, the CA certificate has to live in its own file: OpenVPN on Fedora 36 doesn't (currently) pick it up from the `.p12`. Extract it with `-cacerts -nokeys` so that only the CA certificate ends up in the output and never your private key (you'll be prompted for the `.p12` password):

```shell
openssl pkcs12 -in my_certs.p12 -cacerts -nokeys -out my_ca.crt
```

Then, edit your `.ovpn` file to add the line (if the certificate files won't live next to the `.ovpn`, use an absolute path):

```txt
ca my_ca.crt
```

Because of a bug in the NetworkManager GUI, we have to import the `.ovpn` configuration by hand with `nmcli` rather than through the GUI's import dialog.

```shell
sudo nmcli connection import type openvpn file my_config.ovpn
```

In the VPN GUI, edit the VPN and set your username and (optionally) the passwords. You may encounter a bug where the "Add" button is greyed out. This is because it wants you to enter _both_ the "Password" and "User key password" fields, but will not let you edit the "User key password" field. Currently, the only workaround is to click the little icon on the "User key password" field and click "Ask every time."

Yes, this is really annoying.

Oh, and on SELinux systems, you also need to relabel the certificate files so NetworkManager is allowed to read them from your home directory. Most systems ship a `home_cert_t` type that does the trick (use the names of your own files; these are the ones produced by the steps above):

```shell
chcon -t home_cert_t my_certs.p12
chcon -t home_cert_t my_tls.key
chcon -t home_cert_t my_ca.crt
```

Check the result with `ls -Z`. Two caveats: `chcon` is not persistent, so a relabel (`restorecon`, or a full relabel on boot) puts the files back to `user_home_t`; `semanage fcontext` is the permanent way to say the same thing. And the `.p12` and the `tls-auth` `.key` are secret material, so keep them mode 600.

Now, at long last, the VPN should activate.
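Here is the whole procedure as one script. This is an added example, not code from the original post: where the post turns on the legacy provider system-wide, this script first checks whether the `.p12` actually needs it and, if so, re-encodes the bundle in place (backing up the original as `.orig`) with OpenSSL 3's default AES-256/PBKDF2 encoding so the provider can stay off. It then extracts the CA, patches the `ca` directive into the profile, fixes the SELinux label and imports with `nmcli`. The file names, the `P12_PASS` environment variable and the helper names are assumptions; the "Ask every time" GUI step still has to be done by hand afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): end-to-end import of an
# OpenVPN bundle (.ovpn + .p12 + tls-auth .key) on Fedora 36 / OpenSSL 3.
# Usage: P12_PASS='...' sh import-ovpn.sh my_config.ovpn my_certs.p12 my_tls.key
set -eu

# OpenSSL 3's default provider can't read PKCS#12 files written with the
# OpenSSL 1.x defaults (RC2-40-CBC around the certs). Exit status:
# 0 = only the legacy provider can read it, 1 = default provider is fine,
# 2 = neither (wrong password?).
p12_needs_legacy() {
    if openssl pkcs12 -in "$1" -info -noout -passin env:P12_PASS >/dev/null 2>&1; then
        return 1
    elif openssl pkcs12 -in "$1" -info -noout -legacy -passin env:P12_PASS >/dev/null 2>&1; then
        return 0
    fi
    echo "cannot read $1 with either provider (wrong P12_PASS?)" >&2
    return 2
}

# Round-trip the bundle through an unencrypted PEM in a 0600 temp file and
# re-export it with OpenSSL 3's defaults (AES-256-CBC, PBKDF2). -export packs
# every certificate from the input, so the CA stays inside the new bundle.
reencode_p12() {
    src=$1 dst=$2
    tmp=$(mktemp)
    chmod 600 "$tmp"
    openssl pkcs12 -in "$src" -legacy -noenc -passin env:P12_PASS -out "$tmp"
    openssl pkcs12 -export -in "$tmp" -out "$dst" -passout env:P12_PASS
    rm -f "$tmp"
}

# The post's CA extraction: CA certs only, never the private key.
extract_ca() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin env:P12_PASS -out "$2"
}

# Point the profile at the CA file: replace an existing `ca` directive or
# append one; a profile with an inline <ca> block is left alone. The edit goes
# through a temp copy written back with cat so the .ovpn keeps its inode and
# SELinux label. (Paths containing '|' or '&' would need escaping for sed.)
set_ca_directive() {
    ovpn=$1 cafile=$2
    if grep -q '^<ca>' "$ovpn"; then
        echo "$ovpn has an inline <ca> block; leaving it" >&2
        return 0
    fi
    if grep -q '^ca[[:space:]]' "$ovpn"; then
        tmp=$(mktemp)
        sed "s|^ca[[:space:]].*|ca $cafile|" "$ovpn" > "$tmp"
        cat "$tmp" > "$ovpn"
        rm -f "$tmp"
    else
        printf 'ca %s\n' "$cafile" >> "$ovpn"
    fi
}

# The CA path the profile currently references (empty if none or inline).
ca_directive() {
    sed -n 's/^ca[[:space:]][[:space:]]*//p' "$1"
}

# Keep key material private and let NetworkManager read it under SELinux.
label_for_nm() {
    chmod 600 "$@"
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        chcon -t home_cert_t "$@"
    fi
}

main() {
    ovpn=$1 p12=$2 tlskey=$3
    : "${P12_PASS?set P12_PASS to the .p12 export password (may be empty)}"
    cafile=$(cd "$(dirname "$p12")" && pwd)/my_ca.crt   # absolute, so the import never guesses
    rc=0
    p12_needs_legacy "$p12" || rc=$?
    case $rc in
        0) echo "$p12 uses legacy ciphers; re-encoding with AES-256 (backup: $p12.orig)" >&2
           reencode_p12 "$p12" "$p12.new"
           mv "$p12" "$p12.orig"
           mv "$p12.new" "$p12" ;;   # same name, so the .ovpn's pkcs12 directive still matches
        2) exit 2 ;;
    esac
    extract_ca "$p12" "$cafile"
    set_ca_directive "$ovpn" "$cafile"
    label_for_nm "$p12" "$tlskey" "$cafile"
    # The post runs this under sudo; add it if polkit refuses the import.
    nmcli connection import type openvpn file "$ovpn"
}

# Run only when given the three files, so the functions can also be sourced.
if [ "$#" -eq 3 ]; then
    main "$@"
elif [ "$#" -ne 0 ]; then
    echo "usage: $0 profile.ovpn certs.p12 tls.key" >&2
    exit 2
fi
```

Run it from the directory holding the three files. If `p12_needs_legacy` reports that the default provider reads the bundle, the `openssl.cnf` change above was never needed; after the re-encode you can comment the `legacy_sect` lines back out.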
|