---
title: Importing an OpenVPN Profile on Fedora 36
slug: Importing-OpenVPN-Profile-on-Fedora-36
date: 2022-07-12 00:01:00
tags:
- linux
- networking
---

To access my internal network & self-hosted services while I'm out of the house, I connect to an OpenVPN server running on my firewall. I recently upgraded to Fedora 36 and discovered (the hard way) that the VPN was _broken_ and I couldn't re-import it.

Turns out there are **multiple** bugs in the process that prevent the GUI from "just working" the way it's supposed to. So, I read through the various bug reports so you don't have to. Here's how to import your OpenVPN connection file into Fedora 36. My god was this ever a massive pain in the ass.

This assumes you have a `.ovpn` file, a `.key` file and a `.p12` file with your certificates. My VPN is using a "Password with Certificates" login system.

On Fedora 36+ we need to re-enable legacy crypto providers in OpenSSL. To do this, modify `/etc/ssl/openssl.cnf` and uncomment the lines:

```txt
[openssl_init]
providers = provider_sect
ssl_conf = ssl_module

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1
```

Next, because of a bug with OpenVPN, we need to extract the CA certificate from our `.p12` into a separate file, since OpenVPN doesn't (currently) support reading it:

```shell
openssl pkcs12 -in my_certs.p12 -cacerts -nokeys -out my_ca.crt
```

Then, edit your `.ovpn` file to add the line:

```txt
ca my_ca.crt
```

Because of a bug in the NetworkManager GUI, we have to import the `.ovpn` configuration by hand.

```shell
sudo nmcli connection import type openvpn file my_config.ovpn
```

In the VPN GUI, edit the VPN and set your username and (optionally) the passwords.

You may encounter a bug where the "Add" button is greyed out. This is because it wants you to enter _both_ the "Password" and "User key password" fields, but will not let you edit the "User key password" field.

Currently, the only workaround is to click the little icon on the "User key password" field and click "Ask every time." Yes, this is really annoying.

Oh, and on SELinux systems, you also need to update the security context of the certificate files to allow NetworkManager to access them. Most systems ship with a `home_cert_t` type that does the trick:

```shell
chcon -t home_cert_t vpn_millslan_net_glmdev.p12
chcon -t home_cert_t vpn_millslan_net_glmdev-tls.key
chcon -t home_cert_t ca.crt
```

Now, at long last, the VPN should activate.
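
A pre-flight check for the steps above, as an added example rather than code from the original post: it adds the `ca` line only when the profile loads a `.p12` without naming a CA, then lists every file the profile references, which are the files that need the `home_cert_t` label. The function names, the script name and the choice to resolve relative paths against the profile's directory are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.

# Succeed (exit 0) when the profile loads a PKCS#12 bundle but names no CA
# certificate: the situation the post fixes by adding a "ca" line.
ovpn_needs_ca() (
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        $1 == "pkcs12" { p12 = 1 }
        $1 == "ca" || $1 == "<ca>" { ca = 1 }       # CA given as file or inline
        END { exit !(p12 && !ca) }
    ' "$1"
)

# Append "ca <file>" only when it is needed, so re-running is harmless.
ovpn_ensure_ca() (
    profile=$1 ca_file=$2
    if ovpn_needs_ca "$profile"; then
        # Start on a fresh line if the profile lacks a trailing newline.
        if [ -n "$(tail -c 1 "$profile")" ]; then echo >> "$profile"; fi
        printf 'ca %s\n' "$ca_file" >> "$profile"
    fi
)

# Print every file the profile references, one per line. Relative paths are
# resolved against the profile's directory (an assumption of this example).
# Inline <tag>...</tag> blocks are skipped; paths with spaces are not handled.
ovpn_referenced_files() (
    dir=$(cd "$(dirname "$1")" && pwd)
    awk -v dir="$dir" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*<\//  { inline = 0; next }          # end of an inline block
        /^[ \t]*</    { inline = 1; next }          # start of an inline block
        inline        { next }
        $1 ~ /^(ca|cert|key|pkcs12|tls-auth|tls-crypt)$/ && NF >= 2 {
            path = $2
            gsub(/^"|"$/, "", path)                 # drop surrounding quotes
            if (path !~ /^\//) path = dir "/" path
            print path
        }
    ' "$1"
)

# Usage: sh check_ovpn.sh my_config.ovpn my_ca.crt
if [ $# -eq 2 ]; then
    ovpn_ensure_ca "$1" "$2"
    ovpn_referenced_files "$1" | while IFS= read -r f; do
        if [ -e "$f" ]; then echo "relabel: $f"; else echo "MISSING: $f"; fi
    done
fi
```

Run it before the `nmcli` import; any path reported as `MISSING` has to be fixed first, and each `relabel` path is one to pass to `chcon -t home_cert_t`.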