I am using openvpn based on certificates with network manager in sys-net for a long time. Standard practice working with Fedora 38 was/is to edit the VPN client in the network manager icon. I do set it up in a way that the certificate password is requested upon every connection start.
Upon changing the template from Fedora 38 to Fedora 39, this does no longer work. Packages openvpn and NetworkManaer-openvpn are installed. However, the password is no longer requested and the connection does not start. Editing the configuration is also possible. Upon storing the password in the configuration, there is no change: Under Fedora 38, the VPN can then be started without typing the password every time. Under Fedora 39, there is no connection.
Can someone please point me to the right direction so that I can shift sys-net from Fedora 38 to Fedora 39 while keeping OpenVPN functionality?
Thank you very much @solene! When I first switched to Fedora 39, the Network Manager GUI for VPN did show something about “flags” which I did not understand.
Now my finding is:
“Older” VPN definitions to work both with Fedora 38 and Fedora 39
A new VPN definition does only work if you enter sudo setenforce 0 first and then import the VPN. After a reboot, it will not keep working.
Hence, I will try to find out how to set the equivalent to setenforce 0 (a) permanently and at the same time (b) limited to OpenVPN hoping that that will solve the issue altogether.
either change the file /etc/sysconfig/selinux.conf (IIRC it’s that file) or add setenforce 0 to /rw/config/rc.local
the real issue with selinux is that the openvpn certificates files must have the correct selinux context to work, otherwise openvpn is forbidden to read the files
Thanks again @solene! This does work. The rc-local method does at least modify only sys-net, not the entire template. I find it a bit spooky that the bug seems to be recognized for five months now without a fix: