OpenVPN
Starting with version 1.1, OpenVPN can be configured through the Manager UI.
Import a VPN profile
When using OpenVPN, you will generally have an OpenVPN configuration file generated by the server. To import such a .ovpn file, run:
sudo nmcli connection import type openvpn file <configuration.ovpn>
This will add a connection profile to the NetworkManager. You can see the new profile in /etc/NetworkManager/system-connections and with nmcli:
nmcli connection
Set passwords
By default, your configuration will generally not contain secrets such as the connection password or the private key password. If your OpenVPN server requires them, you can add those secrets to your configuration.
To add a password:
Define connection password
sudo nmcli connection modify <connection> vpn.secrets password=<password>
To add a private certificate key password:
Define connection certificate private key password
sudo nmcli connection modify <connection> vpn.secrets cert-pass=<password>
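As an added example (not part of the original page), this POSIX shell check lists which secrets a profile file stores and reports whether group or others can access that file. It assumes NetworkManager's keyfile format, in which secrets set through vpn.secrets are written in clear text to a [vpn-secrets] section of the profile; the function names are hypothetical and the sample profile is constructed.

```shell
#!/bin/sh
# Print the names (never the values) of the keys stored in [vpn-secrets].
stored_secret_keys() {
    awk '
        /^\[/ { in_secrets = ($0 == "[vpn-secrets]"); next }
        in_secrets && /^[^#=][^=]*=/ { sub(/=.*/, ""); print }
    ' "$1"
}

# Succeed when neither group nor others hold any permission bit on the file.
is_private() {
    # In the ls -l mode string, characters 5-10 are the group and other bits.
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Report one profile; return 1 when it stores secrets and is not private.
audit_profile() {
    keys=$(stored_secret_keys "$1" | tr '\n' ' ')
    if [ -z "$keys" ]; then
        echo "OK   $1: no stored VPN secrets"; return 0
    fi
    if is_private "$1"; then
        echo "OK   $1: stores ${keys% } (file is private)"; return 0
    fi
    echo "FAIL $1: stores ${keys% } but group/others can access it"
    return 1
}

# Constructed sample profile with placeholder values, not a real configuration.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[connection]
id=corporate-vpn
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn

[vpn-secrets]
password=EXAMPLE-ONLY
cert-pass=EXAMPLE-ONLY
EOF
chmod 600 "$demo"; audit_profile "$demo"
chmod 644 "$demo"; audit_profile "$demo" || true
rm -f "$demo"
```

To check a real profile, call audit_profile as root on a file under /etc/NetworkManager/system-connections.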
Edit the profile
You can also edit the connection profile if you have to update some parameters. You can either change the configuration through the nmcli tools or by editing the profile file located in /etc/NetworkManager/system-connections.
To use nmcli tools, please refer to the official documentation.
If you edit the profile configuration file, you must reload the profile after the change by running:
sudo nmcli connection reload
Connect to the VPN server
Once your profile is correctly set up, you can enable the connection with:
sudo nmcli connection up <connection>
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/14)
The first time you enable the connection, NetworkManager will create an additional connection: the tunnel used by the VPN.
You can then check the details of the connection with:
nmcli con show <connection>
Auto-connect at boot
You'll probably be interested in configuring the NetworkManager so that the VPN automatically connects after boot.
You can do this by telling the carrier connection that it must connect the VPN after it connects itself successfully. The carrier connection is the connection that links the gateway to the VPN server.
Get the UUID of the VPN connection:
$ nmcli connection
NAME           UUID                                  TYPE      DEVICE
corporate-vpn  a669d583-7e82-4d71-acc6-cbad2d7f1635  vpn       eth0
backhaul       390e5c2b-7312-415e-80e6-7b94a5c24fc3  ethernet  eth0
tun0           8ea3e20f-0e05-4220-b037-9abc32c75d28  tun       tun0
service        a2d8dd17-b8e2-37ac-977b-3166fe55e16f  ethernet  --
In our example, it's a669d583-7e82-4d71-acc6-cbad2d7f1635.
Add it to the secondaries property of the carrier connection:
sudo nmcli connection modify backhaul connection.secondaries a669d583-7e82-4d71-acc6-cbad2d7f1635
You may have multiple carrier connections. You can add the VPN UUID as secondaries of all of them.