To access my internal network & self-hosted services while I'm out of the house, I connect to an OpenVPN server running on my firewall.

I recently upgraded to Fedora 36 and discovered (the hard way) that the VPN was broken and I couldn't re-import it. Turns out there are multiple bugs in the process that prevent the GUI from "just working" the way it's supposed to.

So, I read through the various bug reports so you don't have to. Here's how to import your OpenVPN connection file into Fedora 36.

My god was this ever a massive pain in the ass.

This assumes you have a .ovpn file, a .key file and a .p12 file with your certificates. My VPN is using a "Password with Certificates" login system.

On Fedora 36+ we need to re-enable legacy crypto providers in OpenSSL. To do this, modify /etc/ssl/openssl.cnf and uncomment the lines:

[openssl_init]
providers = provider_sect
ssl_conf = ssl_module

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

Next, because of a bug with OpenVPN, we need to extract the CA certificate from our .p12 into a separate file, since OpenVPN doesn't (currently) support reading it:

openssl pkcs12 -in my_certs.p12 -cacerts -nokeys -out my_ca.crt

Then, edit your .ovpn file to add the line:

ca my_ca.crt

Because of a bug in the NetworkManager GUI, we have to import the .ovpn configuration by hand.

sudo nmcli connection import type openvpn file my_config.ovpn

In the VPN GUI, edit the VPN and set your username and (optionally) the passwords. You may encounter a bug where the "Add" button is greyed out. This is because it wants you to enter both the "Password" and "User key password" fields, but will not let you edit the "User key password" field. Currently, the only workaround is to click the little icon on the "User key password" field and click "Ask every time."

Yes, this is really annoying.

Oh, and on SELinux systems, you also need to update the security context of the certificate files to allow NetworkManager to access them. Most systems ship with a home_cert_t type that does the trick:

chcon -t home_cert_t vpn_millslan_net_glmdev.p12
chcon -t home_cert_t vpn_millslan_net_glmdev-tls.key
chcon -t home_cert_t ca.crt

Now, at long last, the VPN should activate.