What changes does NetworkManager make installing an OpenVPN connection from a configuration file?

I’ve set up a vpn using NetworkManager on my system. The method I used was to import an .ovpn configuration file using NetworkManager (the VPN is Private Internet Access - if that makes a difference)

It works flawlessly, I now have a VPN in my connection options, but I noticed that it has added two PEM certificate files under ~/.cert (I’ve checked and they are the correct certificate files associated with the vpn connection).

So my question is hopefully very simple… Apart form the PEM certificates I’ve already spotted, what changes does the settings manager make to my system? I’m asking so that I can fully undo what was done in the case I want to remove the connection.

Moderator edit: Manjaro Settings Manager has nothing to do with networking let alone VPN management. FIFY–for posterity.

If you installed that VPN through the AUR then the PKGBUILD might have been this:

AUR (en) - private-internet-access-vpn

PKGBUILD - aur.git - AUR Package Repositories

in the “install” section you can see where the files are copied to.


possibly also some files in the /etc/NetworkManager directory get changed as you configure and use it

If you used this method to install then all the changes are rolled back when you uninstall it.

Thanks. Maybe I should have done that, but I didn’t.

My actual steps - to be clear were…

  1. Download a zip file from my VPN provider with loads of .ovpn files (one for each server)
  2. Go to Manjaro Settings Manager > Connections > add New Connection (‘+’) > Import VPN connection…
  3. The connection then turns up in my ‘Networks’ lists nmcli show connections shows it as active.

In ~/.config/QOpenVPN I have a .config file


I have nothing at all in etc/openvpn/client

Then you’ll have to look at that script
to find out where it writes to, where it puts some files

or simply use that very same script you used to install
to uninstall the program (there is likely a switch to have it do that)
and hope that it indeed cleans up everything it did when it ran in install mode

I got this:

We don’t know what you got or used. :man_shrugging:

Then there is this:

PIA Support Portal

if that is the provider you refer to

Sorry, I wasn’t perhaps clear. It’s an .ovpn file - just text configuration, it’s not a script so it doesn’t run anything.

It’s as follows (with certificates redacted)

dev tun
proto udp
remote us-newyorkcity.privacy.network 1198
resolv-retry infinite
cipher aes-128-cbc
auth sha1
remote-cert-tls server

verb 1
reneg-sec 0
-----BEGIN X509 CRL-----
-----END X509 CRL-----



Nothing in there that can run anything. It’s seemingly the process of ‘add New Connection’ in the settings manager which has made changes, hence it’s that process that I’m enquiring about.

I assume it uses network-manager?

This, as well as the thread title, should in all cases be ‘network-manager’

To the original question:
No changes. It’s a way to quickly add, start and stop a vpn via network-manager at a low threat level environment; you download the ovpn file (basically the address and login data of your vpn provider, the openvpn pkg handles the secure connection, all without adding any provider software.

Disadvantage in comparison to specific provider software:

  • no protection against dropped vpn connection, not advisable at a high threat level environment
  • no added hardening features like kill switch, pick fastest server etc
  • no auto-updating login certificates (eg proton ovpn files expire after about 6 month and you’ll have to dl the new one and setup a new connection in network-manager)

perhaps this helps:

Private Internet Access - ArchWiki

You have installed openvpn and then used the provider specific configuration data that they supply.
This will likely go into ~/.config - but I don’t know :man_shrugging:

This is similar to the way I used to use another VPN (Mullvad) - except I went to use wireguard instead of OpenVPN.
Download the list of servers (the file that you referenced)
and use the NetworkManager GUI to select the one you want to use.

Now I use their dedicated App - it’s easier.

That’s a little concerning then. As I said in the OP, after clicking on ‘add New Connection (‘+’) > Import VPN connection…’ changes were made.

Two certificates were added to my ~/.cert directory.

I’m not saying this is remotely suspicious, it’s just that changes clearly have been made to my system, I’m just trying to find out if anyone knows what other changes might have been made so that I can undo them if I ever remove the connection.

I get where you’re coming from on this, but actually, one of the things that shocked me was just how easy it was (assuming, of course, I’ve done it right) - just ‘add new connection’ point it to the ovpn, done.

Easier even than installing an AUR package, in fact.

It’s not. When setting up the vpn connection in network-manager you point it to the downloaded ovpn files and it copies them to the .cert folder (where openvpn can access them) in case you later delete the downloads.
Sorry, I should have said ‘no changes apart from that’.

Great. That’s cleared that up. Thanks for your help.

It is indeed easy no matter which way you choose - the dedicated app just makes the process of choosing a server and switching to a different one more transparent.

When you import a VPN connection setting, you point the file chooser to the location of the file that contains the server or the whole list of all severs.

AFAIK you can put that anywhere you like (inside your $HOME) - and you know where you put it, you have to in order to tell NetworkManager what and from where to import.

Delete that list - and nothing will work anymore.

I seem to not be able to understand what you want to know.

You could compare the contents of the /etc/NetworkManager directory or the contents of ~/.config
before and after you made some changes to your configuration - then you’d know.

… or: ask them? :grin: or perhaps the above link to the support portal yields some info about that …

No problem, It’s all been answered now. I just wanted to know what else network-manager did to my system on being pointed to an ovpn file (other than copying the PEM certificates - which I noticed it had done). Turns out, the answer is “nothing else”.

I gather (from my limited knowledge) that the settings manager GUI has essentially just run nmcli connection import type openvpn file {servername}.ovpn, so maybe the question should have been “what changes does nmcli make…”, but I wasn’t (and still am not) sure exactly what command the settings manager GUI ran.

Arch Wiki suggests

GUI configuration

In your desktop environment network settings (or nm-connection-editor). Click the plus sign to add a new connection and choose OpenVPN and manually enter the settings. You also can optionally import #The client configuration profile by selecting Import a saved VPN configuration… and selecting the appropriate file.

…which is pretty much exactly what I did, but the link to ‘client configuration profile’ suggests a client.config file in /etc/openvpn/client/ rather than a {servername}.ovpn which is where I got a bit confused.

Then it seems to suggest an alternative is…

CLI configuration

For importing a configuration:

$ nmcli connection import type openvpn file file.ovpn

… hence my assuming that’s the command the GUI ran.

Reason for posting here rather than asking PIA was that it was clearly network-manager doing the work, not the PIA ovpn file which was just plain text settings rather than code.

Thanks for your help.

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.