Import of saved VPN configuration overwrites existing data
SW: NetworkManager-openvpn-1.8.10_2, NetworkManager-1.22.10_2, Void Linux
NetworkManager CAN under some conditions OVERWRITE your OpenVPN client files in the $HOME/.cert/nm-openvpn directory!
Imagine you have a TM OpenVPN connection profile in Network Manager. Its definition would have lines similar to these:
# egrep '^(ca|cert|key|ta)=' /etc/NetworkManager/system-connections/jbelka.nmconnection
ca=/home/jiri/.cert/nm-openvpn/jbelka-ca.pem
cert=/home/jiri/.cert/nm-openvpn/jbelka-cert.pem
key=/home/jiri/.cert/nm-openvpn/jbelka-key.pem
ta=/home/jiri/.cert/nm-openvpn/jbelka-tls-auth.pem
An import of an OpenVPN '.ovpn' config file extracted the embedded TLS files into $HOME/.cert/nm-openvpn/jbelka-*.pem.
The problem seems to be that if you import another '.ovpn' file with the name e.g. 'jbelka.ovpn', the filename minus the suffix will be taken as the pattern for the new filenames which would contain the embedded TLS data - thus existing files WILL BE OVERWRITTEN!
Original situation:
$ for i in 'md5sum' 'ls -l'; do $i jbelka-{ca,cert,key,tls-auth}.pem; done
67c237f9ee66bb25e2aaa292c8c90735 jbelka-ca.pem
c2cfcc1a7c720865dd29f14ea9a1a675 jbelka-cert.pem
97013c99049ca4429a9979c4ebce2d21 jbelka-key.pem
4f290ea248d3c15d04d99dce71ff2fde jbelka-tls-auth.pem
-rw------- 1 jiri jiri 1005 May 31 16:46 jbelka-ca.pem
-rw------- 1 jiri jiri 1017 May 31 16:46 jbelka-cert.pem
-rw------- 1 jiri jiri 1704 May 31 16:46 jbelka-key.pem
-rw------- 1 jiri jiri 651 May 31 16:46 jbelka-tls-auth.pem
After import of another 'jbelka.ovpn' file:
$ for i in 'md5sum' 'ls -l'; do $i jbelka-{ca,cert,key,tls-auth}.pem; done
9eca11f408b1cf0e177cdcbd5bb53e53 jbelka-ca.pem
9e9754d89da955f9b38a2f25ef5282a3 jbelka-cert.pem
2fb8021168b203e6847b79ed6e877c63 jbelka-key.pem
79b2460daa9b45dce6471a3f0d1f4e2b jbelka-tls-auth.pem
-rw------- 1 jiri jiri 1005 May 31 16:56 jbelka-ca.pem
-rw------- 1 jiri jiri 1017 May 31 16:56 jbelka-cert.pem
-rw------- 1 jiri jiri 1704 May 31 16:56 jbelka-key.pem
-rw------- 1 jiri jiri 651 May 31 16:56 jbelka-tls-auth.pem
Reproduction steps:
- import an 'ovpn' config file with name foobar.ovpn (eg. via ./sacli --user foobar GetUserLogin > foobar.ovpn)
- for i in 'md5sum' 'ls -l'; do $i $HOME/.cert/nm-openvpn/foobar-{ca,cert,key,tls-auth}.pem; done
- import another 'ovpn' config file with name foobar.ovpn (eg. via ./sacli --user joe GetUserLogin > foobar.ovpn)
- for i in 'md5sum' 'ls -l'; do $i $HOME/.cert/nm-openvpn/foobar-{ca,cert,key,tls-auth}.pem; done
After the last step, the files are overwritten.
IMO, the filenames should contain the UUID of the connection to be unique.
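
A pre-import check for the collision described above, as an added example that is not part of the original report or of NetworkManager: it lists the files in the cert directory that importing a given '.ovpn' file would replace. The function name `nm_ovpn_collisions` is hypothetical, and the `<basename>-{ca,cert,key,tls-auth}.pem` naming and the assumption that only inline blocks are extracted are taken from the behaviour reported here.

```shell
#!/bin/sh
# Added example, not NetworkManager code. Lists the files under the
# nm-openvpn cert directory that importing a given .ovpn would replace.
# Assumption (from the report): embedded blocks are written to
# <certdir>/<basename without .ovpn>-{ca,cert,key,tls-auth}.pem.

# nm_ovpn_collisions OVPN_FILE [CERT_DIR]
# Prints one colliding path per line; returns 1 if any exist, 0 otherwise.
nm_ovpn_collisions() {
    ovpn=$1
    certdir=${2:-$HOME/.cert/nm-openvpn}
    base=$(basename "$ovpn" .ovpn)
    found=0
    for tag in ca cert key tls-auth; do
        # Only inline blocks (<ca> ... </ca>) are assumed to be extracted.
        grep -q "^[[:space:]]*<$tag>" "$ovpn" || continue
        target=$certdir/$base-$tag.pem
        if [ -e "$target" ]; then
            printf '%s\n' "$target"
            found=1
        fi
    done
    return "$found"
}
```

If it reports any path, rename the '.ovpn' file (or back up the listed files) before importing.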