diff -Nru network-manager-openvpn-1.2.6/debian/changelog network-manager-openvpn-1.2.6/debian/changelog
--- network-manager-openvpn-1.2.6/debian/changelog 2016-10-05 22:12:06.000000000 +0200
+++ network-manager-openvpn-1.2.6/debian/changelog 2017-02-22 15:21:59.000000000 +0100
@@ -1,3 +1,9 @@
+network-manager-openvpn (1.2.6-2ubuntu2) zesty; urgency=medium
+
+ * Fallback to verify-x509-name if tls-remote is used. (LP: #1666912)
+
+ -- Dariusz Gadomski Wed, 22 Feb 2017 15:21:59 +0100
+
 network-manager-openvpn (1.2.6-2ubuntu1) yakkety; urgency=medium
 
 * Merge with Debian (LP: #1629132) Remaining changes:
diff -Nru network-manager-openvpn-1.2.6/debian/patches/handle-tls-remote-for-openvpn-2.4.patch network-manager-openvpn-1.2.6/debian/patches/handle-tls-remote-for-openvpn-2.4.patch
--- network-manager-openvpn-1.2.6/debian/patches/handle-tls-remote-for-openvpn-2.4.patch 1970-01-01 01:00:00.000000000 +0100
+++ network-manager-openvpn-1.2.6/debian/patches/handle-tls-remote-for-openvpn-2.4.patch 2017-02-22 15:21:59.000000000 +0100
@@ -0,0 +1,154 @@
+Description: for OpenVPN 2.4 and newer, handle --tls-remote
+ option via --verify-x509-name
+
+ The tls-remote option got removed from OpenVPN 2.4. This requires users
+ to fix their existing configurations to use verify-x509-name instead.
+
+ Using tls-remote on a recent OpenVPN binary thus fails to establish
+ the connection, which is an annoyance for the user. Let the plugin
+ automatically convert the "tls-remote $NAME" option to "verify-x509-name
+ $NAME name". Note that the two options are not entirely equivalent, thus
+ the is a chance that this wrongly rejects a server that would have worked
+ before, or ever worse, that it wronlgy accepts a server that would have
+ been rejected.
+
+ But in most common cases, the workaround should work fine.
+ The user is still strongly encouraged to update his configuration.
+ .
+ network-manager-openvpn (1.2.6-2ubuntu2) zesty; urgency=medium
+ .
+ * Fallback to verify-x509-name if tls-remote is used. (LP: #1666912)
+Origin: upstream, https://github.com/NetworkManager/network-manager-openvpn/commit/f7421ef277222bd640c432afefc21ef5a98477bc
+Bug: https://bugzilla.gnome.org/show_bug.cgi?id=776045
+Bug-Debian: https://bugs.debian.org/848062
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/1666912
+
+--- network-manager-openvpn-1.2.6.orig/src/nm-openvpn-service.c
++++ network-manager-openvpn-1.2.6/src/nm-openvpn-service.c
+@@ -91,6 +91,13 @@ typedef struct {
+ char *mgt_path;
+ } NMOpenvpnPluginPrivate;
+ 
++typedef enum {
++ OPENVPN_BINARY_VERSION_INVALID,
++ OPENVPN_BINARY_VERSION_UNKNOWN,
++ OPENVPN_BINARY_VERSION_2_3_OR_OLDER,
++ OPENVPN_BINARY_VERSION_2_4_OR_NEWER,
++} OpenvpnBinaryVersion;
++
+ typedef struct {
+ const char *name;
+ GType type;
+@@ -308,6 +315,64 @@ pids_pending_wait_for_processes (GMainLo
+ }
+ }
+ 
++static OpenvpnBinaryVersion
++openvpn_binary_detect_version (const char *exepath)
++{
++ gs_free char *s_stdout = NULL;
++ const char *s;
++ int exit_code;
++ int n;
++
++ g_return_val_if_fail (exepath && exepath[0] == '/', OPENVPN_BINARY_VERSION_UNKNOWN);
++
++ if (!g_spawn_sync (NULL,
++ (char *[]) { (char *) exepath, "--version", NULL },
++ NULL,
++ G_SPAWN_STDERR_TO_DEV_NULL,
++ NULL,
++ NULL,
++ &s_stdout,
++ NULL,
++ &exit_code,
++ NULL))
++ return OPENVPN_BINARY_VERSION_UNKNOWN;
++
++ if ( !WIFEXITED (exit_code)
++ || WEXITSTATUS (exit_code) != 1) {
++ /* expect return code 1 (OPENVPN_EXIT_STATUS_USAGE) */
++ return OPENVPN_BINARY_VERSION_UNKNOWN;
++ }
++
++ /* the output for --version starts with title_string, which starts with PACKAGE_STRING,
++ * which looks like "OpenVPN 2.#...". Do a strict parsing here... */
++ if ( !s_stdout
++ || !g_str_has_prefix (s_stdout, "OpenVPN 2."))
++ return OPENVPN_BINARY_VERSION_UNKNOWN;
++ s = &s_stdout[NM_STRLEN ("OpenVPN 2.")];
++
++ if (!g_ascii_isdigit (s[0]))
++ return OPENVPN_BINARY_VERSION_UNKNOWN;
++
++ n = 0;
++ do {
++ if (n > G_MAXINT / 100)
++ return OPENVPN_BINARY_VERSION_UNKNOWN;
++ n = (n * 10) + (s[0] - '0');
++ } while (g_ascii_isdigit ((++s)[0]));
++
++ if (n <= 3)
++ return OPENVPN_BINARY_VERSION_2_3_OR_OLDER;
++ return OPENVPN_BINARY_VERSION_2_4_OR_NEWER;
++}
++
++static OpenvpnBinaryVersion
++openvpn_binary_detect_version_cached (const char *exepath, OpenvpnBinaryVersion *cached)
++{
++ if (G_UNLIKELY (*cached == OPENVPN_BINARY_VERSION_INVALID))
++ *cached = openvpn_binary_detect_version (exepath);
++ return *cached;
++}
++
+ /*****************************************************************************/
+ 
+ static gboolean
+@@ -1120,10 +1185,13 @@ nm_openvpn_start_openvpn_binary (NMOpenv
+ gboolean dev_type_is_tap;
+ char *stmp;
+ const char *defport, *proto_tcp;
++ const char *tls_remote = NULL;
+ const char *nm_openvpn_user, *nm_openvpn_group, *nm_openvpn_chroot;
+ gs_free char *bus_name = NULL;
+ NMSettingVpn *s_vpn;
+ const char *connection_type;
++ OpenvpnBinaryVersion openvpn_binary_version = OPENVPN_BINARY_VERSION_INVALID;
++
+ 
+ s_vpn = nm_connection_get_setting_vpn (connection);
+ if (!s_vpn) {
+@@ -1454,8 +1522,17 @@ nm_openvpn_start_openvpn_binary (NMOpenv
+ /* tls-remote */
+ tmp = nm_setting_vpn_get_data_item (s_vpn, NM_OPENVPN_KEY_TLS_REMOTE);
+ if (tmp && strlen (tmp)) {
+- add_openvpn_arg (args, "--tls-remote");
+- add_openvpn_arg (args, tmp);
++ if (openvpn_binary_detect_version_cached (openvpn_binary, &openvpn_binary_version) != OPENVPN_BINARY_VERSION_2_4_OR_NEWER) {
++ _LOGW ("the tls-remote option is deprecated and removed from OpenVPN 2.4. Update your connection to use verify-x509-name");
++ add_openvpn_arg (args, "--tls-remote");
++ add_openvpn_arg (args, tmp);
++ } else {
++ _LOGW ("the tls-remote option is deprecated and removed from OpenVPN 2.4. For compatibility, the plugin uses \"verify-x509-name\" \"%s\" \"name\" instead. Update your connection to use verify-x509-name", tmp);
++ add_openvpn_arg (args, "--verify-x509-name");
++ add_openvpn_arg (args, tmp);
++ add_openvpn_arg (args, "name");
++ }
++ tls_remote = tmp;
+ }
+ 
+ /* verify-x509-name */
+@@ -1464,6 +1541,13 @@ nm_openvpn_start_openvpn_binary (NMOpenv
+ const char *name;
+ gs_free char *type = NULL;
+ 
++ if (tls_remote) {
++ g_set_error (error, NM_VPN_PLUGIN_ERROR,
++ NM_VPN_PLUGIN_ERROR_BAD_ARGUMENTS,
++ _("Invalid configuration with tls-remote and verify-x509-name."));
++ return FALSE;
++ }
++
+ name = strchr (tmp, ':');
+ if (name) {
+ type = g_strndup (tmp, name - tmp);
diff -Nru network-manager-openvpn-1.2.6/debian/patches/series network-manager-openvpn-1.2.6/debian/patches/series
--- network-manager-openvpn-1.2.6/debian/patches/series 2016-10-05 22:12:06.000000000 +0200
+++ network-manager-openvpn-1.2.6/debian/patches/series 2017-02-22 15:21:59.000000000 +0100
@@ -1 +1,2 @@
 Support-IPv6-Servers.patch
+handle-tls-remote-for-openvpn-2.4.patch
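Review bot: The compatibility branch in the tls-remote block always emits `--verify-x509-name NAME name`, an exact common-name match, although the patch description itself concedes the two options are not equivalent; as far as I recall tls-remote also accepted a full subject DN or a CN prefix, so stored values of those forms change meaning here. Because this argument decides which server certificate the client will trust, the narrowing should be stated at the branch, e.g. `/* "name" is an exact CN match; DN-style or prefix tls-remote values are not translated and need an explicit verify-x509-name setting */`. Separately, the condition is `!= OPENVPN_BINARY_VERSION_2_4_OR_NEWER`, so an UNKNOWN detection result (spawn failure, exit status other than 1, or a banner that does not start with "OpenVPN 2.") silently takes the legacy `--tls-remote` path while the warning only mentions deprecation; a `_LOGW` that names the failed detection would make that case diagnosable. nm_openvpn_start_openvpn_binary begins and ends outside these hunks, so how `args` is released on the new `return FALSE` path cannot be confirmed from here.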