unable to import config with inlined ca, cert, key or tls-auth

Bug #606365 reported by Till Klampaeckel on 2010-07-16
This bug affects 112 people
Affects Status Importance Assigned to Milestone
Fix Released
network-manager-openvpn (Ubuntu)

Bug Description

Binary package hint: network-manager-openvpn-gnome

So a client of mine runs an OpenVPN setup. It exported a client.ovpn file but it fails to completely import this file using the network-manager (gnome) on Ubuntu 10.04.

When I import the file, it gives me the name ("client") and gateway ("vpn.example.org") on the initial screen. No other fields are populated even though the client.ovpn file also includes a user certificate, server certifikate and a private key.

When I go to advanced, some (most) of the settings obviously seem to import correct, others not at all. E.g. none of the TLS settings (key and key direction) are imported.

From what I understand I should be able to use this without any additional settings.

The following software is installed through aptitude:

 * openvpn (2.1.0)
 * openvpn-blacklist
 * network-manager-openvpn
 * network-manager-openvpn-gnome

Till Klampaeckel (till-php) wrote :

I wanted to share the configuration (dummy):

remote vpn.example.org
proto tcp
port 443
dev tun
ns-cert-type server
auth-retry interact
verb 3




key-direction 1
# 2048 bit OpenVPN static key (Server Agent)
-----BEGIN OpenVPN Static key V1-----
-----END OpenVPN Static key V1-----

So the quickfix here is that you can dissect the file and import it all once you figured out the corresponding dropdown/whatever in the network manager. So for example in the example above I needed to select "Passwords with certificates (TLS)" and enter another user/pass along with it, no password for the key and also the TLS key and direction in advanced.

One more note - the following settings seemed to get imported:
proto, port, comp-lzo, remote

The rest was ignored.

I hope this helps.

emilio (emiliomaggio) wrote :

I have the same problem in importing the ovpn file provided by my company system administrators

emilio (emiliomaggio) on 2010-09-03
Changed in network-manager-openvpn (Ubuntu):
status: New → Confirmed
AlexConrad (aconrad-tlv) wrote :

Same problem for me under Ubuntu 10.04.

Running "sudo openvpn --config client.ovpn" works though.

Mitch Goldenberg (kgolden) wrote :

Same problem in Ubuntu 10.10.

Again, "sudo openvpn --config client.ovpn" works properly.

Till Klampaeckel (till-php) wrote :

Thanks for posting the workaround, it's definitively a small bug in network-manager-openvpn.

kapetr (kapetr) wrote :

I can confirm that in Ubuntu 10.10:

Specially: statements auth-user-pass and route are ignored.

So most config are not possible to import.
To set auth-user-pass manually in applet is trivial, but add e.g. 20 route statements via this interface is quite impossible.

See for example attached config for popular USA IP service with man routes.

BTW - in this example - OpenVPN do not addd route to host (--remote) via the old GW. I'm not sure, if it is not also a bug, but the config fails. It is necessary to add also this route statement:

route remote_host net_gateway


kapetr (kapetr) wrote :
Till Klampaeckel (till-php) wrote :

To add to this - the export feature is broken too.

I tried to rescue a couple profiles which I had done on another workstation for backup purposes, but it didn't work at all in 10.04.1.

lordbinky (lordbink) wrote :

I have the same issue in Ubuntu 11.04 where importing a .ovpn file isn't completely imported.

Justin (justin-wzy) wrote :

same issue in Oneiric

Stephan Fabel (sfabel) wrote :

This problem still exists in Precise.

Todd Howe (tehowe) wrote :

Can't hook up to my ISP's VPN. IT'S 2012

Todd Howe (tehowe) wrote :

Found a way to do this that works under GUI network-manager


lenzai (lenzai) wrote :

paqma.net website is down but the work around i still published at

almost 2 years .... maybe we should write a bash to break down the ovpn into certificate files if this bug can't be fixed ?

exactt (giesbert) wrote :

2013... Ubuntu 12.10... still not working...

Claus Lensbøl (cmol) wrote :

Used the workaround from #14 and got it working, but without the fix I'm having the same issues.

kingtiger01 (mnovick1988) wrote :

Come on, were Weeks away from Raring(13.04) Quit Dropping the ball on things like this Ubuntu Team!

Parasit (parasit-go2) wrote :

2013... Ubuntu 13.04... still not working...
Eg. certs configuration are imported (#14 method) but still not connecting from GUI.

bagl0312 (bagl0312) wrote :

I confirm the same problem.
ovpn conf files produced by the openvpn/privatetunnel site:


are not imported correctly by the network-manager on ubuntu 13.04.
They instead work giving the command

openvpn --config xxx.ovpn

Carla Sella (carla-sella) wrote :

I am having the same problem importing a file for Watchguard on Saucy with all updates using network manager (today is July 20th 2013).
The "sudo openvpn --config client.ovpn" works properly.

Jakob (jmollerhoj) wrote :

same problem, ubuntu 13.10 here

bagl0312 (bagl0312) wrote :

Confirmed, same problem in 13.10
This bug is around since more than two years now :(

Bachi (m-bachmann) wrote :

Proud to be the first posting 2014. Wow. C'mon folks...

Giovanni Panozzo (giox069) wrote :

This is the more related upstream bug:


Please add your comments there explaining all problems importing .ovpn files (certs not imported, invalid TLS selection and other badly imported parameters).
Maybe someone will notice it one day... :(

Monty Cantsin (open-pop-star) wrote :

same in Trusy Tahr 14.04

Martin (getmartin) wrote :

Confirmed, same bug in 14.04.
Well, the workaround "sudo openvpn --config client.ovpn" is still working.

I am having issues with 14.04 lts openvpn client for gnome as well. I get the same freezing and not loading the config file issues. I had to revert back to 12.04 lts as this feature is needed in my line of work. Any fix available?

Simon Déziel (sdeziel) on 2014-05-23
summary: - client.ovpn file is not completely imported
+ unable to import config with inlined ca, cert, key or tls-auth
Changed in network-manager-openvpn:
importance: Undecided → Unknown
status: New → Unknown
Changed in network-manager-openvpn:
importance: Unknown → Medium
status: Unknown → Confirmed
Tomislav (hefest) wrote :

Same as #25 and #26.

Tomislav (hefest) wrote :

Actually, I'm not having luck with the workaround: it seems that DNS settings have not been updated to find recources in the VPN.

Solitaire (bill-s0l) wrote :

This bug affects me as well.

Anyone got a script working to automate the creation of the separate certificates and keys from inside the .ovpm file?
Would be a great workaround till this gets fixed

Frol (frolvlad) wrote :

2015... Nothing was done yet. Let's make some movements.

Here is the import function:

and here are the lines of ca/cert/key tags parsing:

My suggestion is to save inline ca/cert/key inside of a Network Manager configurations file encoded into base64 (again) with "inline:" prefix, e.g.:

ca=inline:<base64 coded>
cert=inline:<base64 coded>
key=inline:<base64 coded>

Another approach would be to parse as much information from *.ovpn file as we can, remove parsed parts, encode rest of the file into a base64 string, and save it into a Network Manager connection config file. This may help to deal with extra options like inline certificates, but may also cause unexpected configuration conflicts.

Ryan Hendry (ryanhendry123) wrote :

I am experiencing the same problem.

Mehdi Fattahi (mehdifattahi) wrote :

Can somebody please fix this?

Lars (stecklars-r) wrote :

Would be really nice if somebody could take a look at this and work on it. Thanks :)

seebk (seebk) wrote :

I have created a small python script to extract the embedded certificates and to rewrite the ovpn config to use separate key and cert files.


Maybe it helps to simplify the error prone manual setup until this bug is fixed.

zao (zao-d) wrote :

Hope this bug will be addressed - five years without a fix - is far too long...

Nyr (nyr-nzone) wrote :

Come on, many of the latest OpenVPN implementations use in-line certificates by default... how can this bug be still there five years later?

Nicolas Diogo (nicolasdiogo) wrote :

Happy Birthday to this Bug !!!

Sarcasm apart - it is amazing that such an important piece of software is not been supported properly - particularly with the corporate market requesting it.

if the suggestion here:

is correct - that it is not possible to handle inline certificates & it will be necessary to manually edit the ovpn file.

could we have an article/wiki explaining the steps to do so?

or a small utility that could do this work?


Frol (frolvlad) wrote :

@Nicolas It is not the answer for *inlined* certificates. You can extract inline certificates into separate files, but it is not what people requested here.

Markus Majer (mpathy) wrote :

I thought I have another look, and wow, the bug is still existant.. Wow! Years!
Even though it is so easy to fix it, and there are already solutions present, it just have to get upstream.
Can somebody state what the problem is?
Its a quite enterprisey thing that doesnt work for years now, no wonder they still use RHEL everywhere.. :/

Markus Majer (mpathy) wrote :

Btw for those people who looking here for bugfixes, which they dont get, look at this:

Yes, there is:

And even a little python script who breaks it apart:

So, as you see, its would be so damn easy for the Network Manager to read these kind of files, which are very very common for OpenVPN, because you only have to provide ONE file.

Spayder26 (spayder26) wrote :

I just hit this bug. And this is how Ubuntu will never get enterprise acceptance.

Yavvsy (yavanna-spring) wrote :

Confirmed for 15.04: Still an issue for in-line *.ovpn files
still works with sudo openvpn --config client.ovpn

Off to do this manually, but... this IS an issue for larger deployments.

Frol (frolvlad) wrote :

Just FYI, this feature is already implemented in KDE (plasma-nm) - https://bugs.kde.org/show_bug.cgi?id=349282

Tanguy Herrmann (dolanor) wrote :

It seems we have a hero!

For my use case (.ovpn file created by https://hub.docker.com/r/kylemanna/openvpn/ ), I guess I will still lack the TLS-AUTH file blob.
Maybe I'll add it myself if I have time.

But meanwhile I also created a tool for that at: https://github.com/dolanor/ovpnsplit
It is in go, and if you want binaries directly, here they are: https://github.com/dolanor/ovpnsplit/releases

Diego (gran-diego) wrote :

Will this ever be addressed?

Changed in network-manager-openvpn:
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.