Oracle Linux 8 selinux: hook fsm_file_prepare failed

A broken rpm-plugin-selinux package on Oracle Linux 8 will cause SELinux based package updates to fail. This package was available in the Oracle Linux 8 repositories for a short time before it was fixed. If the broken package was installed during that window, any future update of a package that includes SELinux policies will fail during unpacking. This issue is most likely to have occurred on systems with automatic updates enabled. If the Pritunl package is updated in this state, the old files will be removed from the system and the new files will fail to unpack. The Pritunl server will continue to run but will show the error OSError: Could not find a suitable TLS CA certificate bundle, invalid path:
Code:
/usr/lib/pritunl/lib/python3.6/site-packages/certifi/cacert.pem
when attempting to load this file after it has been removed. The issue must be fixed manually by running the commands below to repair this package; once fixed, updates can be completed and the software will resume working. This issue is fully documented in Oracle Support Knowledge Doc ID 3002168.1.

Code:
Oracle Linux RPM Fix
sudo rpm -e --nodeps rpm-plugin-selinux
sudo dnf -y install rpm-plugin-selinux
sudo dnf -y update
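Added diagnostic, not from the original post: a small shell script that scans saved dnf output for the rpm plugin hook failure and checks whether the certifi bundle is missing, so the broken state can be confirmed before the repair commands above are run. The saved-output path and bundle path are parameters (assumptions for this example); the error text it looks for is the "hook fsm_file_prepare failed" message named in this post.

```shell
#!/bin/sh
# Added diagnostic (not from the Pritunl docs): confirm the broken
# rpm-plugin-selinux state before running the repair commands.
# Inputs are assumptions for this example: a file holding saved
# dnf/yum output, and the path of the certifi bundle Pritunl loads.

# Count rpm plugin hook failures in saved dnf/yum output. Prints the
# count (0 when the file is missing or clean) and returns 0 only when
# at least one "hook fsm_file_prepare failed" line was found.
count_fsm_hook_failures() {
    log_file=$1
    n=$(grep -c 'hook fsm_file_prepare failed' "$log_file" 2>/dev/null || true)
    echo "${n:-0}"
    [ "${n:-0}" -gt 0 ]
}

# Check that the certifi CA bundle exists and is non-empty; the OSError
# quoted in the post appears when this file was removed by a half-unpacked update.
cacert_bundle_present() {
    [ -s "$1" ]
}

# One-word verdict from both signals:
#   broken  - hook failures seen, the plugin must be reinstalled
#   suspect - no log evidence but the CA bundle is gone
#   ok      - neither symptom present
diagnose() {
    log_file=$1
    bundle=$2
    failures=$(count_fsm_hook_failures "$log_file") || true
    if [ "$failures" -gt 0 ]; then
        echo broken
    elif ! cacert_bundle_present "$bundle"; then
        echo suspect
    else
        echo ok
    fi
}

# Usage: sh diagnose.sh <saved-dnf-output> [cacert-path]
if [ -n "${1:-}" ]; then
    diagnose "$1" \
        "${2:-/usr/lib/pritunl/lib/python3.6/site-packages/certifi/cacert.pem}"
fi
```

Save the output of the failing dnf run to a file (for example with `dnf -y update 2>&1 | tee /tmp/dnf-out.txt`) and pass that file as the first argument.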

If automatic updates are enabled, the openssh-server package will get updated and fail to unpack. This will cause the errors Connection closed by remote host and Connection reset by. Once this occurs a startup script must be run to repair the package. Below is a cloud-init script that fixes the issue.

To fix this on AWS after the SSH server becomes inaccessible, stop the instance, then click Instance settings → Edit user data and add the script below.

8862ae9-aws_ol8_fix.png
Code:
Cloud Init Fix
#!/bin/bash
# Wait for the network before touching packages
while ! ping -c1 google.com &>/dev/null; do echo "Waiting for network..."; sleep 1; done
rpm -e --nodeps rpm-plugin-selinux
dnf -y install rpm-plugin-selinux
dnf -y update

Downgrading Client

Previous versions of the client are available on the Pritunl GitHub Releases page; click Assets to expand the available packages. Information on debugging the client is available in the Client Debugging documentation.

MongoDB 7 Issues

There are multiple known issues with MongoDB 7; it is currently recommended to continue using MongoDB 6 and avoid upgrading to MongoDB 7.

MongoDB 7 has known issues with capped collections. The messages capped collection is used for host-to-host messaging, and when it is not functioning the result is typically the error Server start timed out.

This can be fixed by running sudo pritunl destroy-secondary, which clears all database collections used for temporary cache. The latest release adds the command sudo pritunl clear-message-cache to drop only this collection.

MongoDB Server Not Starting

A recent 4.4 and 5.0 update prevents the MongoDB database from starting. MongoDB 6.0 is not affected. If this occurs, downgrade the MongoDB release using the commands below.

Code:
MongoDB 4.4 Downgrade
sudo yum install mongodb-org-4.4.18 mongodb-org-server-4.4.18

Code:
MongoDB 5.0 Downgrade
sudo yum install mongodb-org-5.0.14 mongodb-org-database-5.0.14 mongodb-org-server-5.0.14

CentOS 8 Discontinued

CentOS 8 was discontinued on December 31st, 2021 and the operating system will no longer be updated. The Pritunl repositories for CentOS 8 were also discontinued. The Oracle Linux 8 repository is fully compatible with any RHEL 8 distribution including CentOS 8 and AlmaLinux 8. The Oracle Linux 8 Pritunl repository can be used on CentOS 8, but in order for the system to receive updates it must be switched to Oracle Linux 8. Oracle provides a script that converts an existing CentOS 8 system to Oracle Linux 8.

Let's Encrypt Root Certificate Issue

Due to the October 1st expiration of the Let's Encrypt root certificate, all v1.29 versions of Pritunl containing the expired certificate will no longer produce a valid certificate. An invalid certificate will not disrupt VPN service. The primary issue occurs when a user attempts to import a new profile into the Pritunl Client. Both the Pritunl Client and Pritunl Server need to be updated to the latest releases containing the new root certificates to fix this issue.

The issue can easily be avoided by clicking Download Profiles on the profile page and then importing the tar file into the Pritunl Client by clicking Import Profile; this is the same profile data that would be imported with a URI. The issue can also be avoided by replacing the domain name in the URI with the IP address of the server. The client skips certificate validation for URIs containing an IP address.

Ubuntu Update Issue

If Ubuntu 20.04 is configured with the Ubuntu 18.04 Pritunl repository, the error ModuleNotFoundError: No module named 'encodings' will be shown when attempting to start Pritunl. This can be fixed by running the commands below to point the repository files at the correct distribution.

Code:
Ubuntu 20.04 Repository
sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb http://repo.pritunl.com/stable/apt focal main
EOF

sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list << EOF
deb https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse
EOF

wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -

sudo apt update
sudo apt upgrade

EPEL OpenVPN Issue

There is currently an issue with the compilation options used for the OpenVPN package in the EPEL repository, which causes routing issues on some connections. To fix this, run the command below to install the newer OpenVPN package from the Pritunl repository. The issue only occurs on UDP servers; TCP can also be used as a workaround.

The pritunl-openvpn package is only available in the Oracle Linux 7 and Oracle Linux 8 repositories and provides the latest version of OpenVPN. These repositories can be used on any RHEL-based distribution including CentOS.

Code:
Pritunl OpenVPN Install RHEL 7
sudo yum swap openvpn pritunl-openvpn

Code:
Pritunl OpenVPN Install RHEL 8
sudo yum --allowerasing install pritunl-openvpn
This can be reverted by running the command below.

Code:
OpenVPN Install
sudo yum --allowerasing install openvpn

Connection MTU Issues

Some connections may have MTU issues; this can be fixed by entering a lower MSS Fix value in the server settings. First test 1200 or lower to confirm that it is an MTU issue. If this fixes the connection, increase the value within the range 1200-1400 to find the highest working MTU.

6aab3d7-mss_fix.png
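Added example, not from the original post: a shell script that measures the path MTU with don't-fragment pings (binary search instead of trying values by hand) and clamps the result to the 1200-1400 range described above as a starting MSS Fix value. It assumes a Linux iputils ping that accepts -M do and -s, and a probe host you are permitted to ping (PROBE_HOST is an assumption, defaulting to the 8.8.8.8 resolver mentioned later on this page).

```shell
#!/bin/sh
# Added example (not from the Pritunl docs): find the largest ICMP payload
# that crosses the path unfragmented, to confirm an MTU problem and choose
# a starting MSS Fix value. Assumes Linux ping with -M do and -s.
PROBE_HOST=${PROBE_HOST:-8.8.8.8}   # assumption: a host you may ping

# Send one DF-flagged echo request with the given payload size.
# Returns 0 when a reply arrives (the size fits the path), 1 otherwise.
mtu_probe() {
    host=$1
    payload=$2
    ping -M do -c 1 -W 2 -s "$payload" "$host" >/dev/null 2>&1
}

# Binary search the largest payload in [lo, hi] for which mtu_probe succeeds.
# Prints the path MTU (payload + 20 bytes IPv4 + 8 bytes ICMP header),
# or 0 when even the smallest size fails (no MTU information available).
find_path_mtu() {
    host=$1
    lo=$2
    hi=$3
    best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if mtu_probe "$host" "$mid"; then
            best=$mid
            lo=$(( mid + 1 ))
        else
            hi=$(( mid - 1 ))
        fi
    done
    if [ "$best" -eq 0 ]; then echo 0; else echo $(( best + 28 )); fi
}

# Starting MSS Fix value following the post's guidance: begin at 1200 and
# work up within 1200-1400; the measured path MTU is used as the ceiling.
suggest_mss_fix() {
    mtu=$1
    if [ "$mtu" -lt 1200 ]; then echo 1200
    elif [ "$mtu" -gt 1400 ]; then echo 1400
    else echo "$mtu"
    fi
}

# Usage: sh mtu_probe.sh probe   (payloads 1000..1472 cover a 1500-byte link)
if [ "${1:-}" = probe ]; then
    mtu=$(find_path_mtu "$PROBE_HOST" 1000 1472)
    echo "path MTU: $mtu, suggested MSS Fix start: $(suggest_mss_fix "$mtu")"
fi
```

If the reported path MTU is well below 1500 the connection problem is MTU related; if it is 1500 and the VPN still fails, the post's other causes (carrier-grade NAT, UDP) are the next thing to check.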


Carrier-Grade NAT

Carrier-grade NAT is becoming more common as a mitigation for IPv4 address exhaustion. It is common on all cellular connections and on wired ISP connections in countries with limited IPv4 address space. It can cause issues with MTU detection and UDP VPN servers. Switching the server protocol to TCP with a lower MTU may fix issues when a carrier-grade NAT is present.

iOS DNS Issue

There are currently three fixes for the DNS issue on iOS.

Add the DNS server to the server routes. The default DNS server is 8.8.8.8; add the route 8.8.8.8/32 to the server routes for this configuration.

Remove the DNS server from the settings. This instructs the client to keep using its current DNS configuration. This could cause problems for some clients if that DNS configuration becomes unroutable due to the VPN routes.

Enable VPN Client DNS Mapping in the advanced server settings. This starts a DNS server on the Pritunl server that proxies all DNS requests and will always be reachable by the client.

Install and configure Pritunl

Below are several methods available for installing Pritunl.



OpenVPN Authentication Errors

Newer OpenVPN clients may send the password in an encoded format that is not recognized by older Pritunl servers, resulting in authentication errors. This issue has been fixed in an update and can be resolved by updating to the latest Pritunl package.



SELinux Support

Pritunl includes full SELinux policies covering both the main pritunl process and the isolated pritunl-web web server process. Running Pritunl on a Linux distribution that supports SELinux significantly improves security. It is recommended to only use Red Hat Enterprise Linux, Oracle Linux or CentOS for Pritunl servers. The first log message shown when the Pritunl server starts indicates the SELinux context. It should look similar to the log message below; if it is none or unconfined, the SELinux policy is not functioning.

Code:
SELinux
[pritunl0][2018-12-16 07:45:03,406][INFO] Starting server
selinux_context = "system_u:system_r:pritunl_t:s0"
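Added check, not from the original post: a shell script that reads the selinux_context line from saved Pritunl log output and reports whether the server is confined by pritunl_t, running unconfined, or reporting no context at all. The log file path is a parameter (assumption); the format it parses is the selinux_context line shown above.

```shell
#!/bin/sh
# Added check (not from the Pritunl docs): classify the SELinux context
# that Pritunl logs at startup. Assumes the log excerpt is in a file,
# e.g. saved from "journalctl -u pritunl".

# Print the value of the last selinux_context line in the file, with
# surrounding quotes removed (an unquoted value such as none is accepted).
extract_selinux_context() {
    sed -n 's/^[[:space:]]*selinux_context = "\{0,1\}\([^" ]*\)"\{0,1\}.*/\1/p' "$1" \
        | tail -n 1
}

# Return the SELinux type, the third colon-separated field of a context
# such as system_u:system_r:pritunl_t:s0.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# One-word verdict for a log file:
#   confined   - type is pritunl_t, the policy is active
#   unconfined - any other type (unconfined_t, initrc_t, ...), policy not applied
#   disabled   - context logged as none (SELinux off or libselinux missing)
#   missing    - no selinux_context line in the file
classify_pritunl_log() {
    ctx=$(extract_selinux_context "$1")
    if [ -z "$ctx" ]; then
        echo missing
    elif [ "$ctx" = none ] || [ "$ctx" = None ]; then
        echo disabled
    elif [ "$(context_type "$ctx")" = pritunl_t ]; then
        echo confined
    else
        echo unconfined
    fi
}

# Usage: sh selinux_check.sh <saved-pritunl-log>
if [ -n "${1:-}" ]; then
    classify_pritunl_log "$1"
fi
```

Anything other than confined means the policy described above is not protecting the process and the package or SELinux mode should be investigated before the server is exposed.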



Oracle Linux

All development and testing of Pritunl software is done on Oracle Linux, and it is the recommended distribution for Pritunl software. It provides the highest level of compatibility, reliability and security. Oracle provides a script to switch CentOS to Oracle Linux if the chosen platform does not offer Oracle Linux images.



Enterprise Clusters

If you intend to create a Pritunl cluster with multiple hosts, all hosts will need to connect to the same MongoDB database. For cluster configurations it is best to run the MongoDB database on a dedicated server that is not running Pritunl. Single-host configurations can run MongoDB and Pritunl on the same server.



Recommended Instance Types

For MongoDB servers, instances with high memory (t3.medium, t3.large) are best. For Pritunl nodes, high CPU with good single-threaded performance (higher core frequency) is best (c5.large). For large deployments, several small nodes with fewer connections per node is better than fewer larger nodes with more connections per node. For the best performance it is recommended to budget $0.50-$1.00 per concurrent connection per month in server costs. More information on AWS recommendations can be found in the Scaling documentation.



[AWS] Oracle Linux Install

Amazon Linux does not support SELinux and should not be used with Pritunl. Pritunl includes full SELinux policies and an isolated web server process that significantly improve security. Only Red Hat Enterprise Linux (which includes a software fee), Oracle Linux and CentOS support SELinux on AWS.

To install Pritunl on AWS, open the create instance interface, search for the Oracle Linux owner ID 131827586825 and select the Community AMIs tab. Select the latest Oracle Linux 8 AMI, currently OL8.5-x86_64-HVM-2021-11-24. This uses the free official Oracle Linux 8 image with SELinux support. To find the latest release number, check the Oracle Linux ISO Repository: the left column shows a number such as 8.5; find this number with the latest date in the AMI search results.

The AWS community AMI and marketplace sections contain public images that can be uploaded without any verification. These sections contain several images with names containing Oracle Linux, CentOS and Pritunl. Using these unverified images could compromise the security of your network. Pritunl does not publish any AMIs or marketplace images. Only the Amazon-provided images in the Quick Start section and the official Oracle Linux images from the Oracle owner ID above should be used.

1ff7878-aws_install.png


After creating the EC2 instance, SSH to the server with the username ec2-user and run the commands below to install Pritunl and MongoDB.

Both iptables-services and firewalld must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is modified by other software, this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.

Code:
AWS Install
sudo tee /etc/yum.repos.d/mongodb-org-6.0.repo << EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF

sudo yum -y install oracle-epel-release-el8
sudo yum-config-manager --enable ol8_developer_EPEL
sudo yum -y update

# WireGuard server support
sudo yum -y install wireguard-tools

sudo yum -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service

# Install updated openvpn package from pritunl
sudo yum -y --allowerasing install pritunl-openvpn

sudo yum -y install pritunl mongodb-org
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl



[Oracle Cloud] Install

To install Pritunl on Oracle Cloud click Create Instance and use the latest Oracle Linux 8 image. Then add SSH keys and create the instance.

651ca58-oracle_install.png


After creating the instance, SSH to the server with the username opc and run the commands below to install Pritunl and MongoDB.

Both iptables-services and firewalld must be disabled on the server to prevent interference with the Pritunl iptables rules. If the Pritunl iptables configuration is modified by other software, this can cause connection issues or inadvertent access to networks that are not permitted in the Pritunl server route configuration.

Code:
Oracle Cloud Install
sudo tee /etc/yum.repos.d/mongodb-org-6.0.repo << EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF

sudo yum -y install oracle-epel-release-el8
sudo yum-config-manager --enable ol8_developer_EPEL
sudo yum -y update

# WireGuard Server Support
sudo yum -y install wireguard-tools

sudo yum -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service

# Install updated openvpn package from pritunl
sudo yum -y --allowerasing install pritunl-openvpn

sudo yum -y install pritunl mongodb-org
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl



[Other Providers] Oracle Linux/AlmaLinux/Rocky Linux/RHEL

Run the commands below to install Pritunl on any other provider with Oracle Linux 8 or any other RHEL-based distribution. The Oracle EPEL package oracle-epel-release-el8 is only available on Oracle Linux; for other distributions use the Fedora EPEL shown below.

Code:
Oracle Linux Install
sudo tee /etc/yum.repos.d/mongodb-org-6.0.repo << EOF
[mongodb-org-6.0]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/yum/redhat/8/mongodb-org/6.0/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-6.0.asc
EOF

sudo tee /etc/yum.repos.d/pritunl.repo << EOF
[pritunl]
name=Pritunl Repository
baseurl=https://repo.pritunl.com/stable/yum/oraclelinux/8/
gpgcheck=1
enabled=1
gpgkey=https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc
EOF

# Oracle Linux only
sudo yum -y install oracle-epel-release-el8
sudo yum-config-manager --enable ol8_developer_EPEL
# AlmaLinux/Rocky Linux/RHEL
sudo yum -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm

sudo yum -y update

# WireGuard server support
sudo yum -y install wireguard-tools

sudo yum -y remove iptables-services
sudo systemctl stop firewalld.service
sudo systemctl disable firewalld.service

# Install updated openvpn package from pritunl
sudo yum -y --allowerasing install pritunl-openvpn

sudo yum -y install pritunl mongodb-org
sudo systemctl enable mongod pritunl
sudo systemctl start mongod pritunl


[Other Providers] Ubuntu 22.04

Older versions of Ubuntu have encountered issues with outdated OpenVPN builds. The Pritunl repository provides continuous testing and updates only for RHEL distributions to ensure future support. Future support for Ubuntu installations is not tested or guaranteed.

Run the commands below to install Pritunl on any other provider with Ubuntu 22.04.

Code:
Ubuntu Jammy Install
sudo tee /etc/apt/sources.list.d/mongodb-org.list << EOF
deb [ signed-by=/usr/share/keyrings/mongodb-server-7.0.gpg ] https://repo.mongodb.org/apt/ubuntu jammy/mongodb-org/7.0 multiverse
EOF

sudo tee /etc/apt/sources.list.d/openvpn.list << EOF
deb [ signed-by=/usr/share/keyrings/openvpn-repo.gpg ] https://build.openvpn.net/debian/openvpn/stable jammy main
EOF

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb [ signed-by=/usr/share/keyrings/pritunl.gpg ] https://repo.pritunl.com/stable/apt jammy main
EOF

sudo apt --assume-yes install gnupg

curl -fsSL https://www.mongodb.org/static/pgp/server-7.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-7.0.gpg --dearmor --yes
curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | sudo gpg -o /usr/share/keyrings/openvpn-repo.gpg --dearmor --yes
curl -fsSL https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc | sudo gpg -o /usr/share/keyrings/pritunl.gpg --dearmor --yes
sudo apt update
sudo apt --assume-yes install pritunl openvpn mongodb-org wireguard wireguard-tools

sudo ufw disable

sudo systemctl start pritunl mongod
sudo systemctl enable pritunl mongod


OpenVPN Update

The Pritunl Oracle Linux 7 and Oracle Linux 8 repositories provide the pritunl-openvpn package, which replaces the openvpn package from EPEL and provides a newer version of OpenVPN than EPEL offers. This package is currently required on RHEL distributions including Oracle Linux due to the issue explained in RHEL Connection Fix. The commands below install the pritunl-openvpn package and replace the existing openvpn package.

It is recommended to always use this package when available, as it provides the latest release of OpenVPN and replaces the often outdated OpenVPN builds in EPEL. Only the Oracle Linux 7 and 8 repositories provide this package. It is recommended to use these repositories on all RHEL-based distributions including CentOS. Oracle Linux shares full compatibility with RHEL.

Code:
Install OpenVPN RHEL 7
sudo yum swap openvpn pritunl-openvpn

Code:
Install OpenVPN RHEL 8
sudo yum --allowerasing install pritunl-openvpn


Linux Repositories

Pritunl is packaged for several Linux distributions. All available distributions can be found on the Repositories page.



Configuration
