plasma-nm does not tell OpenVPN to perform server certificate verification. Consequently, anyone with the preshared key is able to perform a MITM attack by impersonating the server. OpenVPN warns about this on each boot:
    Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
This issue has been around for years and was present in plasma-nm's predecessor.
By boot, I mean program invocation and that message is from dmesg.
Git commit 863851110191d0480375d6c86ba8082dae9ac950 by Jan Grulich.
Committed on 26/11/2014 at 12:18.
Pushed by grulich into branch 'master'.
OpenVPN: Add option for server certificate verification
M +1 -0 vpn/openvpn/nm-openvpn-service.h
M +191 -111 vpn/openvpn/openvpnadvanced.ui
M +15 -0 vpn/openvpn/openvpnadvancedwidget.cpp
http://commits.kde.org/plasma-nm/863851110191d0480375d6c86ba8082dae9ac950
Git commit f612d1d473805a273812aa9ea2f4c561e338d9a9 by Jan Grulich.
Committed on 26/11/2014 at 12:48.
Pushed by grulich into branch '0.9.3'.
OpenVPN: Add option for server certificate verification
M +1 -0 vpn/openvpn/nm-openvpn-service.h
M +179 -96 vpn/openvpn/openvpnadvanced.ui
M +14 -0 vpn/openvpn/openvpnadvancedwidget.cpp
http://commits.kde.org/plasma-nm/f612d1d473805a273812aa9ea2f4c561e338d9a9
Thanks for the prompt fix.
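
A configuration audit for the problem reported above, as an added example that is not part of the original thread or of plasma-nm: it flags an OpenVPN client configuration that names none of OpenVPN's server-verification directives, and picks the warning out of log lines. The directive list, function names and sample configurations are assumptions made for this example; the thread does not say which option the fix exposes.

```python
# Client-side directives that make OpenVPN check who the server is.
# tls-remote and ns-cert-type are legacy spellings, kept for old configs.
ANY_VALUE = {"verify-x509-name", "tls-verify", "tls-remote", "remote-cert-eku"}
NEEDS_SERVER = {"remote-cert-tls", "ns-cert-type"}  # argument must be "server"
WARNING = "No server certificate verification method has been enabled"


def directives(config_text):
    """Yield (name, args) per config line, skipping comments and inline tags."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;<":
            continue
        tokens = []
        for tok in line.split():
            if tok[0] in "#;":      # trailing comment ends the directive
                break
            tokens.append(tok)
        yield tokens[0].lstrip("-"), tokens[1:]


def audit(config_text):
    """Return (status, verifying directives) for one OpenVPN config."""
    seen = list(directives(config_text))
    if not {name for name, _ in seen} & {"client", "tls-client"}:
        return "not-a-tls-client", []
    # Stricter than the warning: "remote-cert-tls client" does not count here.
    found = [name for name, args in seen
             if name in ANY_VALUE
             or (name in NEEDS_SERVER and args[:1] == ["server"])]
    return ("verified" if found else "unverified"), found


def warned(log_lines):
    """Return the log lines in which OpenVPN reported the missing check."""
    return [line for line in log_lines if WARNING in line]


# Constructed sample configs (hypothetical host and file names).
WEAK = ("client\ndev tun\nremote vpn.example.net 1194\n"
        "ca ca.crt\ncert client.crt\nkey client.key\n")
FIXED = WEAK + "remote-cert-tls server  # require a server-type certificate\n"
# Log line quoted in the report above.
LOG = ["Nov 17 22:40:56 t520 nm-openvpn[29005]: WARNING: No server "
       "certificate verification method has been enabled. "
       "See http://openvpn.net/howto.html#mitm for more info."]

if __name__ == "__main__":
    print(audit(WEAK), audit(FIXED), len(warned(LOG)))
```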