diff -Nru network-manager-1.20.4/debian/changelog network-manager-1.20.4/debian/changelog
--- network-manager-1.20.4/debian/changelog	2019-12-04 18:17:37.000000000 +0100
+++ network-manager-1.20.4/debian/changelog	2019-12-06 15:20:19.000000000 +0100
@@ -1,3 +1,12 @@
+network-manager (1.20.4-2ubuntu4) focal; urgency=medium
+
+  * Add fix_updating_agent_vpn_secrets.patch fixes VPN password storing, see:
+    - https://gitlab.freedesktop.org/NetworkManager/NetworkManager/issues/230
+    - https://bugs.kde.org/show_bug.cgi?id=411512
+      (LP: #1858092)
+
+ -- José Manuel Santamaría Lema <panfaust@gmail.com>  Fri, 06 Dec 2019 15:20:19 +0100
+
 network-manager (1.20.4-2ubuntu3) focal; urgency=medium
 
   * d/t/killswitches-no-urfkill, d/t/urfkill-integration,
diff -Nru network-manager-1.20.4/debian/patches/fix_updating_agent_vpn_secrets.patch network-manager-1.20.4/debian/patches/fix_updating_agent_vpn_secrets.patch
--- network-manager-1.20.4/debian/patches/fix_updating_agent_vpn_secrets.patch	1970-01-01 01:00:00.000000000 +0100
+++ network-manager-1.20.4/debian/patches/fix_updating_agent_vpn_secrets.patch	2019-12-06 15:20:19.000000000 +0100
@@ -0,0 +1,97 @@
+diff --git a/libnm-core/nm-setting-vpn.c b/libnm-core/nm-setting-vpn.c
+index fc9c5184da2b670d8794a28fb309901a73765e43..a011be772b276d56ce0b880824ad0d2410e47834 100644
+--- a/libnm-core/nm-setting-vpn.c
++++ b/libnm-core/nm-setting-vpn.c
+@@ -905,6 +905,54 @@ clear_secrets (const NMSettInfoSetting *sett_info,
+ 	return changed;
+ }
+ 
++static gboolean
++vpn_secrets_from_dbus (NMSetting *setting,
++                       GVariant *connection_dict,
++                       const char *property,
++                       GVariant *value,
++                       NMSettingParseFlags parse_flags,
++                       GError **error)
++{
++	nm_auto_unset_gvalue GValue object_value = G_VALUE_INIT;
++
++	g_value_init (&object_value, G_TYPE_HASH_TABLE);
++	_nm_utils_strdict_from_dbus (value, &object_value);
++	return nm_g_object_set_property (G_OBJECT (setting), property, &object_value, error);
++}
++
++static GVariant *
++vpn_secrets_to_dbus (const NMSettInfoSetting *sett_info,
++                     guint property_idx,
++                     NMConnection *connection,
++                     NMSetting *setting,
++                     NMConnectionSerializationFlags flags,
++                     const NMConnectionSerializationOptions *options)
++{
++	gs_unref_hashtable GHashTable *secrets = NULL;
++	const char *property_name = sett_info->property_infos[property_idx].name;
++	GVariantBuilder builder;
++	GHashTableIter iter;
++	const char *key, *value;
++	NMSettingSecretFlags secret_flags;
++
++	g_variant_builder_init (&builder, G_VARIANT_TYPE ("a{ss}"));
++	g_object_get (setting, property_name, &secrets, NULL);
++
++	if (secrets) {
++		g_hash_table_iter_init (&iter, secrets);
++		while (g_hash_table_iter_next (&iter, (gpointer *) &key, (gpointer *) &value)) {
++			if (NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED)) {
++				if (   !nm_setting_get_secret_flags (setting, key, &secret_flags, NULL)
++				    || !NM_FLAGS_HAS (secret_flags, NM_SETTING_SECRET_FLAG_AGENT_OWNED))
++					continue;
++			}
++			g_variant_builder_add (&builder, "{ss}", key, value);
++		}
++	}
++
++	return g_variant_builder_end (&builder);
++}
++
+ /*****************************************************************************/
+ 
+ static void
+@@ -1123,11 +1171,12 @@ nm_setting_vpn_class_init (NMSettingVpnClass *klass)
+ 	                        NM_SETTING_PARAM_SECRET |
+ 	                        G_PARAM_STATIC_STRINGS);
+ 
+-	_properties_override_add_transform (properties_override,
+-	                                    obj_properties[PROP_SECRETS],
+-	                                    G_VARIANT_TYPE ("a{ss}"),
+-	                                    _nm_utils_strdict_to_dbus,
+-	                                    _nm_utils_strdict_from_dbus);
++	_properties_override_add_override (properties_override,
++	                                   obj_properties[PROP_SECRETS],
++	                                   G_VARIANT_TYPE ("a{ss}"),
++	                                   vpn_secrets_to_dbus,
++	                                   vpn_secrets_from_dbus,
++	                                   NULL);
+ 
+ 	/**
+ 	 * NMSettingVpn:timeout:
+diff --git a/libnm-core/nm-setting.c b/libnm-core/nm-setting.c
+index 4323b83c089afdc927983f14b63984d93684ff02..1010e4cc98bc4f2edec3a9278b798516ed0a7b1d 100644
+--- a/libnm-core/nm-setting.c
++++ b/libnm-core/nm-setting.c
+@@ -712,7 +712,14 @@ property_to_dbus (const NMSettInfoSetting *sett_info,
+ 		if (NM_FLAGS_HAS (property->param_spec->flags, NM_SETTING_PARAM_SECRET)) {
+ 			if (NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_NO_SECRETS))
+ 				return NULL;
+-			if (NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED)) {
++
++			/* Check agent secrets. Secrets in the vpn.secrets property are special as
++			 * the flag for each of them is specified as a separate key in the
++			 * vpn.data property. They are handled separately in the to_dbus_fcn()
++			 * of VPN setting. */
++			if (   NM_FLAGS_HAS (flags, NM_CONNECTION_SERIALIZE_WITH_SECRETS_AGENT_OWNED)
++			    && !nm_streq (nm_setting_get_name (setting), NM_SETTING_VPN_SETTING_NAME)
++			    && !nm_streq (property->name, NM_SETTING_VPN_SECRETS)) {
+ 				NMSettingSecretFlags f;
+ 
+ 				/* see also _nm_connection_serialize_secrets() */
diff -Nru network-manager-1.20.4/debian/patches/series network-manager-1.20.4/debian/patches/series
--- network-manager-1.20.4/debian/patches/series	2019-12-04 18:17:37.000000000 +0100
+++ network-manager-1.20.4/debian/patches/series	2019-12-06 15:20:19.000000000 +0100
@@ -7,4 +7,4 @@
 Update-dnsmasq-parameters.patch
 Disable-core-with-expect.patch
 libnm-Check-self-still-NMManager-or-not.patch
-
+fix_updating_agent_vpn_secrets.patch