Fixing SELinux and Kernel Blacklist Issues for L2TP VPNs on Fedora
The problem
One of my projects requires an L2TP VPN connection. Unfortunately it is an outdated protocol that is no longer recommended, so Linux disables it by default. If you still need it, that means additional setup and potential breakage whenever the system is upgraded.
Symptoms
When trying to connect to a previously set up VPN, it just throws an error.
Troubleshooting & SELinux fix
We can use this command to see what went wrong with our connection:
$ sudo journalctl --no-hostname _COMM=nm-l2tp-service _COMM=ipsec _COMM=pluto _COMM=charon _COMM=kl2tpd _COMM=xl2tpd _COMM=pppd
In journalctl I could see entries like this:
lis 20 22:44:04 fedora NetworkManager[18340]: 2025/11/20 22:44:04 failed to instantiate application: failed to create L2TP context: failed to initialise data plane: failed to establish a netlink/L2TP connection: socket: permission denied
After a quick search I found that it is an issue with the SELinux policies after upgrading to Fedora 43.
After applying the fix from this comment, with the policy taken from here, I got a new error:
lis 20 22:57:02 fedora NetworkManager[20532]: 2025/11/20 22:57:02 failed to instantiate application: failed to create L2TP context: failed to initialise data plane: failed to establish a netlink/L2TP connection: netlink send: sendmsg: permission denied
That looks like a missing write permission on the netlink socket, so these additional changes to the policy were also required.
Here is the full policy and the commands to make it work:
We need to create a file named kl2tpd.te (it can be anywhere on your system) with these contents:
module kl2tpd 1.0;

require {
    type l2tpd_t;
    type sysfs_t;
    class file { open read };
    class netlink_generic_socket { bind create getattr getopt read write };
}

#============= l2tpd_t ==============
allow l2tpd_t self:netlink_generic_socket { bind create getattr getopt read write };
allow l2tpd_t sysfs_t:file { open read };
Next we need to run these commands:
$ checkmodule -M -m -o kl2tpd.mod kl2tpd.te
$ semodule_package -o kl2tpd.pp -m kl2tpd.mod
$ sudo semodule -i kl2tpd.pp
This compiles the module, packages it and loads it, applying the new rules. They are scoped to the l2tpd_t domain only, so no other process gains netlink or sysfs access from this change.
Troubleshooting & Kernel modules fix
After fixing the SELinux policies, I got my third error:
lis 20 23:07:58 fedora NetworkManager[11289]: 2025/11/20 23:07:58 failed to instantiate application: failed to create L2TP context: failed to initialise data plane: failed to establish a netlink/L2TP connection: netlink receive: no such file or directory
This one is quite different: it is about something missing rather than an SELinux denial. To run an L2TP/PPP VPN you need the l2tp_netlink and l2tp_ppp kernel modules, which are blacklisted by default. I had enabled them previously, but after a kernel upgrade they were disabled again.
To enable them we need to update two files:
/etc/modprobe.d/l2tp_ppp-blacklist.conf
change blacklist l2tp_netlink to #blacklist l2tp_netlink
and
/etc/modprobe.d/l2tp_netlink-blacklist.conf
change blacklist l2tp_ppp to #blacklist l2tp_ppp.
You can do that with these commands:
$ sudo sed -i 's/^blacklist l2tp_netlink/#blacklist l2tp_netlink/' /etc/modprobe.d/l2tp_ppp-blacklist.conf
$ sudo sed -i 's/^blacklist l2tp_ppp/#blacklist l2tp_ppp/' /etc/modprobe.d/l2tp_netlink-blacklist.conf
Reboot and everything should work just fine.
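The same modprobe change as a reusable script, added here and not part of the original post: instead of assuming which blacklist file holds which line, it scans every .conf file under the modprobe.d directory for an active blacklist line of either module, comments it out, and verifies nothing is left. MODPROBE_DIR is an assumed knob so the logic can be dry-run on a scratch directory; the system is only modified when run with --apply.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: comment out every active
# "blacklist l2tp_netlink" / "blacklist l2tp_ppp" line in whichever modprobe.d
# file carries it, then verify none is left. Assumption: MODPROBE_DIR defaults
# to /etc/modprobe.d; point it at a scratch directory to dry-run the logic.
set -u
MODPROBE_DIR="${MODPROBE_DIR:-/etc/modprobe.d}"
L2TP_MODULES="l2tp_netlink l2tp_ppp"

# Extended regex for an active (uncommented) "blacklist <mod>" line.
active_re() { printf '^[[:space:]]*blacklist[[:space:]]+%s([[:space:]]|$)' "$1"; }

# Comment out the blacklist line(s) for $1 in every file that has one and
# print how many files were changed (0 means nothing was left to do).
unblacklist() {
    local mod="$1" count=0 f
    for f in "$MODPROBE_DIR"/*.conf; do
        [ -f "$f" ] || continue
        if grep -Eq "$(active_re "$mod")" "$f"; then
            sed -i -E "s/^([[:space:]]*)blacklist([[:space:]]+${mod}([[:space:]]|\$))/\1#blacklist\2/" "$f"
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Exit status 0 once neither L2TP module is blacklisted in any .conf file.
verify_unblacklisted() {
    local mod f
    for mod in $L2TP_MODULES; do
        for f in "$MODPROBE_DIR"/*.conf; do
            [ -f "$f" ] || continue
            grep -Eq "$(active_re "$mod")" "$f" && return 1
        done
    done
    return 0
}

# Only touch the system when explicitly asked: sudo ./l2tp-unblacklist.sh --apply
if [ "${1:-}" = "--apply" ]; then
    for mod in $L2TP_MODULES; do
        echo "$mod: changed $(unblacklist "$mod") file(s)"
    done
    verify_unblacklisted && echo "OK: reboot (or modprobe l2tp_ppp) to load the modules"
fi
```

Running it again after a kernel update is safe: files that already have the line commented out are reported as 0 changes.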
#fedora #linux #l2tp #selinux #l2tp_ppp #l2tp_netlink #networkmanager