Created attachment 125319
Shell script to generate a client .opvn file

SUMMARY
Adding a VPN connection by importing an OpenVPN .ovpn file works without an error, but the import of the TLS-Crypt parameter and the tls-crypt cert is missing.

STEPS TO REPRODUCE
1. Produce a .ovpn file with the server certificates on the server site, e.g. with /etc/openvpn/openvpn-install.sh, and follow the instructions to add a new user (the script is attached, as I don't know whether it is part of the original apt package).
2. Download the generated .ovpn file to the client and import it as a new VPN connection in the network-manager application.
3. The .ovpn file contains 4 certs:
   <ca> CA Cert
   <cert> Client Cert
   <key> Client Private Key
   <tls-crypt>

OBSERVED RESULT
The certs
   <ca> CA Cert
   <cert> Client Cert
   <key> Client Private Key
were imported successfully, but the <tls-crypt> is MISSING, also, or because, the property 'remote-cert-tls server' is probably ignored.

EXPECTED RESULT
The <tls-crypt> should be imported and persisted at the file location of the other three certs, and the appropriate settings in the network-manager should be made.

SOFTWARE/OS VERSIONS
Windows:
macOS:
Linux/KDE Plasma:
(available in About System)
KDE Plasma Version:
KDE Frameworks Version:
Qt Version:

ADDITIONAL INFORMATION
I can confirm, as this happens on my system too. My current configuration is:

Linux/KDE Plasma: linux-5.12.12-gentoo
KDE Plasma Version: 5.22.1
KDE Frameworks Version: 5.83.0
Qt Version: 5.15.2

This was also happening on KDE Plasma version 5.21.5; I haven't tested it before that.

Finally, if I open a root shell and run openvpn manually, pointing it to the .ovpn file like:

    # openvpn --config /path/to/some.ovpn

then the connection establishes as expected, thus I'm sure the configuration file is valid.
Plasma-nm 5.20.5 here, same issue.

Related: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn/-/issues/54

The <tls-crypt> setting gets ignored; as a result, openvpn can't connect.

What would be worse (and I haven't extensively tested this, but it seems possible) is that one of the security features in the openvpn config gets ignored, while connecting still works. Result: the user is not aware of ignored settings as everything appears to work, all the while security is now less.

I would suggest fixing this in such a way that either the full .ovpn file gets successfully parsed, every single line included - or the importer throws an error at the user about unsupported settings in the .ovpn file, to prevent this kind of "silent" failing.
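The fail-closed import suggested in the comment above, sketched as an added example that is not part of this thread and is not plasma-nm or NetworkManager code. The `SUPPORTED` set, the function names and the sample profile are assumptions made for illustration.

```python
import re

# Assumption: the options a hypothetical importer knows how to map into a
# connection profile. This is not plasma-nm's or NetworkManager's real list.
SUPPORTED = {"client", "dev", "proto", "remote", "ca", "cert", "key"}
INLINE_OPEN = re.compile(r"^<([A-Za-z0-9_-]+)>$")

def parse_ovpn(text):
    """Return (directives, inline_blocks) found in an .ovpn profile."""
    directives, blocks = [], {}
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = INLINE_OPEN.match(line)
        if not m:
            directives.append(line.split())
            continue
        tag, body = m.group(1), []
        for inner in lines:  # consume lines up to the matching close tag
            if inner.strip() == f"</{tag}>":
                break
            body.append(inner)
        else:
            raise ValueError(f"unterminated inline block <{tag}>")
        blocks[tag] = "\n".join(body)
    return directives, blocks

def unsupported_settings(text, supported=SUPPORTED):
    """Names of every directive or inline block the importer would drop."""
    directives, blocks = parse_ovpn(text)
    names = [d[0] for d in directives] + list(blocks)
    return sorted({n for n in names if n not in supported})

def strict_import(text, supported=SUPPORTED):
    """Refuse the import instead of silently ignoring settings."""
    dropped = unsupported_settings(text, supported)
    if dropped:
        raise ValueError("unsupported settings in .ovpn file: " + ", ".join(dropped))
    return parse_ovpn(text)

# Constructed sample profile; all key material is a placeholder.
SAMPLE = (
    "client\ndev tun\nremote vpn.example.org 1194\nremote-cert-tls server\n"
    + "".join(f"<{t}>\nPLACEHOLDER\n</{t}>\n" for t in ("ca", "cert", "key", "tls-crypt"))
)

if __name__ == "__main__":
    print(unsupported_settings(SAMPLE))
```

Because inline blocks are matched generically, the check reports any tag outside the supported set, whichever spelling the profile uses.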
Actually, please mind that it's not <tls-crypt> but <tlscrypt>, or <tlscrypt-v2> for the per-client variant. This is somewhat confusing because the setting is "tls-crypt somefile" but the corresponding tag is "<tlscrypt>" without the dash. For v2 it's "tls-cryptv2 somefile" versus "<tlscrypt-v2>", so with a dash but at another location :D

More details here: https://openvpn.net/vpn-server-resources/tls-control-channel-security-in-openvpn-access-server/

Anyway, the <tlscrypt> tag gets ignored by the importer so it's still the same issue, just wanted to point this out for clarity.
Plasma 5.27 changes the way VPN connections are imported to match what nmcli does, so this should be fixed.
Bulk transfer as requested in T17796