Content from 2012-07

As it turns out, openvpn on RHEL6 cannot run just any shell script as an event command, even with the script-security 3 option present in the config file. When SELinux is enforcing, the event script also needs to carry the openvpn_etc_t type context.

]==> ls -lZ /etc/openvpn/
-rwxr-xr-x. root root unconfined_u:object_r:openvpn_etc_t:s0 /etc/openvpn/

This can be done by running the following command.

]==> chcon -v --type=openvpn_etc_t /etc/openvpn/
changing security context of `/etc/openvpn/'

There are some recipes on the web, but none of them seems to work. OpenSSL either complains about a missing distinguished_name or generates a key that is too short.

You need a config file like this:

]==> cat openssl.cfg
[req]
req_extensions = v3_req
distinguished_name = req_dn

# The subject is passed with -subj on the command line, so this section
# only has to exist; it can stay empty.
[req_dn]

[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

# One hostname per entry, numbered consecutively.
[alt_names]
DNS.1 =
DNS.2 =
DNS.3 =

And then run:

openssl req -new -subj / -out newcsr.csr \
-nodes -config openssl.cfg -keyout privkey.pem -newkey rsa:2048
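As an added example (not part of the original post), a POSIX shell helper that writes the config above for a list of hostnames, runs the same openssl req invocation, and then checks that the resulting CSR really carries the SAN entries and a 2048-bit key. The hostnames vpn.example.test and vpn2.example.test are constructed placeholders.

```shell
#!/bin/sh
# Added example: build the SAN request config, create the CSR, verify it.

# write_req_cfg CFGFILE HOST... : emit [req]/[req_dn]/[v3_req]/[alt_names]
# with one DNS.n line per hostname given.
write_req_cfg() {
    cfg=$1; shift
    {
        printf '[req]\nreq_extensions = v3_req\ndistinguished_name = req_dn\n\n'
        printf '[req_dn]\n\n'
        printf '[v3_req]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n[alt_names]\n'
        i=1
        for h in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$cfg"
}

# count_san CFGFILE : number of DNS.n entries in the generated config
count_san() { grep -c '^DNS\.[0-9]* = ' "$1"; }

# gen_csr CFGFILE CSR KEY : the same invocation the post uses
gen_csr() {
    openssl req -new -subj / -out "$2" -nodes -config "$1" \
        -keyout "$3" -newkey rsa:2048 2>/dev/null
}

# csr_has_san CSR HOST : succeeds if HOST appears in the CSR's subjectAltName
csr_has_san() {
    openssl req -noout -text -in "$1" | grep -q "DNS:$2"
}

# csr_key_bits CSR : RSA modulus size recorded in the CSR (e.g. 2048)
csr_key_bits() {
    openssl req -noout -text -in "$1" |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo: write a two-host config (constructed hostnames) and show it.
demo_dir=$(mktemp -d)
write_req_cfg "$demo_dir/openssl.cfg" vpn.example.test vpn2.example.test
cat "$demo_dir/openssl.cfg"
```

Running gen_csr followed by csr_has_san and csr_key_bits against the output catches both failure modes the post mentions: a CSR without the names, and a key shorter than 2048 bits.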