by Paul Arnote (parnote)
Why A VPN?
The number of people using Virtual Private Networks (VPNs) for their online activities is definitely on the upswing. Growing fears born of increased governmental oversight and overreach, along with the constantly increasing threat from the unfettered collection of personally identifiable private data by both governments and corporations, have made VPNs a very attractive option for those who value their privacy, and for those who want to perform their online activities with a good bit more anonymity.
Of course, once you log into a site, everything you do is recorded by that site, so a VPN won’t protect you from data collection about your activities on that site. It also (most likely) won’t protect you from the “Facebook Pixel.” That monstrosity is on a vast majority of websites (but NOT on the magazine website!), collecting information from all visitors, regardless of whether they are Facebook users. But a VPN will help protect you from having your activities recorded as you bounce from website to website.
One of the entities tracking you is your ISP. Your ISP tracks your usage of your internet account to ensure you're not doing anything “illegal” (I put that in quotes because what's considered illegal can vary by your location), and to serve up targeted ads based on what they perceive your interests are. Of course, those “interests” are based on what sites you visit and what you do while you're there. Yes, it's called “metadata,” and one or two pieces by themselves don't really reveal much about you. But, in aggregate with a huge number of pieces of metadata, it is quite revealing about what your interests are, who you are, your age, your income, whether you're married or single, if you have kids, what you like to eat, what your hobbies are, and a whole host of other data that really is no one else's business. Think of metadata as the pieces to a 10,000-piece jigsaw puzzle. One or two pieces by themselves don't reveal much. But, a literal ton of pieces of metadata all put together (like that jigsaw puzzle) reveals far more about you than you can possibly imagine or realize.
Fortunately, by using a VPN, the connection between your computer and your VPN provider’s server(s) is encrypted, so your ISP cannot see what you’re doing. All they see is traffic. Just be certain that you don’t have a DNS leak that’s surreptitiously leaking your activities to your ISP. You can check for DNS leaks by heading over to one of two sites. The first site is IPLeak.net. There, it will display the IP address of the server you’re connected to, and the IP address of the DNS server you’re connected to. The second site is DNSLeakTest.com. That second site checks ONLY the IP address of the DNS server that you are connected to.
On either site, if you see the IP address of your ISP displayed under the DNS section of the page, you’re leaking data via your DNS server settings. A DNS leak will provide all the information your ISP needs to track your travels across the web, even if you use a VPN. Fortunately, that’s easy enough to change. When setting up NetworkManager, you can specify an alternate DNS service provider. I use CloudFlare’s free DNS servers (1.1.1.1 and 1.0.0.1), rather than Google’s (8.8.8.8 and 8.8.4.4). Google already knows too much about me, so I don’t need to “spoon-feed” my DNS information to them, as well.
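The two checks described above can be done from a terminal as well. The script below is an added example, not part of the original article: it applies the Cloudflare resolvers to a NetworkManager connection and tells NetworkManager to ignore the DNS servers the ISP hands out over DHCP (the nmcli properties ipv4.dns, ipv4.ignore-auto-dns and ipv6.ignore-auto-dns are real; the connection name is whatever yours is called), and it checks a resolv.conf-style text for any nameserver that is not one of the chosen resolvers. The two sample resolv.conf texts are constructed for the demonstration.

```shell
#!/bin/sh
# Resolvers we want in use (Cloudflare, as in the article).
WANTED_DNS="1.1.1.1 1.0.0.1"

# Point a NetworkManager connection at WANTED_DNS and stop it from also
# using the resolvers pushed by the ISP's DHCP (that is the usual leak).
# Only runs when invoked as:  ./dns-check.sh --apply <connection-name>
apply_dns() {
    conn="$1"
    nmcli connection modify "$conn" ipv4.dns "$WANTED_DNS" \
        ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes
    nmcli connection up "$conn"
}

# Given resolv.conf text, return 0 if every 'nameserver' line is one of
# WANTED_DNS; otherwise print the unexpected resolver(s) and return 1.
check_resolvers() {
    text="$1"
    bad=""
    for ns in $(printf '%s\n' "$text" | awk '$1=="nameserver"{print $2}'); do
        found=0
        for w in $WANTED_DNS; do
            [ "$ns" = "$w" ] && found=1
        done
        [ "$found" -eq 0 ] && bad="$bad $ns"
    done
    if [ -n "$bad" ]; then
        printf 'unexpected resolver(s):%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed samples: a leaking setup (router/ISP resolver still listed)
# and a clean one.
SAMPLE_LEAK="nameserver 192.168.1.1
nameserver 1.1.1.1"
SAMPLE_OK="nameserver 1.1.1.1
nameserver 1.0.0.1"

case "${1:-}" in
    --apply) apply_dns "${2:?connection name required}" ;;
    --check) check_resolvers "$(cat /etc/resolv.conf)" ;;
    *)  check_resolvers "$SAMPLE_OK"   && echo "SAMPLE_OK: only the chosen resolvers are in use"
        check_resolvers "$SAMPLE_LEAK" || echo "SAMPLE_LEAK: this would leak DNS to the ISP" ;;
esac
```

Run it with --check after connecting to the VPN to see what is actually in /etc/resolv.conf. On a system that runs a local stub resolver (127.0.0.53 with systemd-resolved, for instance) the file only shows the stub, and the upstream servers have to be read from that resolver's own status instead.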
Like I mentioned last month in my Firefox TOU article, I’m not really all that “conspiracy minded.” However, I do expect some modicum of privacy in my online travels. I don’t figure it’s anyone else’s concern what I’m doing, where I’m going, to whom I’m talking, or anything else. It’s kind of like a snail-mail letter. When I send a letter via snail-mail to another person, I have a reasonable expectation that the contents of that letter remain private between me and its intended recipient. My online activities should be no different.
I also am not of the mind, “I’ve done nothing wrong, so I have nothing to hide.” It simply isn’t anyone else’s business what I do online. It’s called privacy. How privacy online is treated so differently than that snail-mail letter is eternally baffling to me. The former is just a more modern version of the latter, yet the latter has far greater protections. Things that make your mind go “POOF!”
Also keep in mind that some sites don’t like you connecting to them over a VPN. They are hellbent on preventing your use of a VPN on their site for a variety of reasons. In that case, you have three options. First, you can avoid that site altogether, which may not always be practical or possible. Second, you can try a different VPN server. One server may be “blocked,” while another of the VPN servers from your VPN provider will work. Your third choice is to temporarily turn off your VPN while connecting to that site, and then resume/restart your VPN connection once you’ve completed your tasks on that particular site.
VPNs & NetworkManager
Until NetworkManager showed up for PCLinuxOS users, the choices for managing your online connection were either net_applet or wicd. And, when it came to setting up a VPN, I think there were only two people on the entire planet who could successfully set up a VPN connection using the tool in PCC. Seriously! I wasn’t one of them, by the way. So, I came up with an alternate way to access my VPN under net_applet. Thankfully, with the arrival of NetworkManager, that “old” script is no longer needed, nor relevant any longer.
NetworkManager not only made it far, far easier to set up your online connection, but it also made setting up your VPN way, way, way easier. And, that’s really what this article is all about.
Back in September 2023, something went awry with an update to NetworkManager. For some reason that I’ve since forgotten, users couldn’t edit their connections in NetworkManager. The dialog where the NetworkManager connections were edited was crashing. Fortunately, that situation didn’t last too long, as a subsequent update “righted the ship,” so to speak. But, in discussing the issue in the forum, greater minds than mine came up with a solution for importing ALL of the servers for your VPN.
To be perfectly honest, I was planning on writing this script up for the magazine way back then, but I forgot about it … until I messed up the install on my “travel” laptop (which I talked about in the March 2025 issue), and went to reinstall everything after replacing the SSD in that laptop. Of course, I wanted access to my VPN from my travel laptop, so that meant revisiting the script(s) that came out of that forum discussion.
And, until this script came along to import all of the available VPN servers for your given VPN (my VPN provider is Private Internet Access, a.k.a. PIA), I had never had more than six of the 99 available PIA servers across the world set up for my own use. I had set each one up manually … by hand. But, the script made all 99 VPN servers accessible to me for the first time!
Before you can proceed, however, you will need to download the OpenVPN files from your VPN provider. I tend to use OpenVPN files that are labeled as having “strong” encryption. Hey, I don’t want to make it easy for anyone to be able to spy on my online activities. Just unpack the archive file containing your OpenVPN files into a directory of your choosing. For the purposes of this script, you can unpack them into their own directory in your Downloads directory. However, to ensure that any user on my computer has access to the VPN (even though I am the only “defined” user on any of my computers), I tend to copy those files to /etc/openvpn. You are free to unpack them there, as well, if you choose. But, for the purposes of running the script, having them unpacked into their own directory in your Downloads directory will work just fine.
Below is the script that sixte came up with in the forum. Do ensure that you make the script (and any of the ones that follow) executable after you type it in and save it, and before you try to run it.
#!/bin/bash
# Replace the placeholders with your VPN account's username and password
USERNAME="xxxxxxxxxxxxxxxx"
PASS="yyyyyyyyyyyyyyyyyy"
# Import every .ovpn file in the current directory, then attach the credentials
for f in *.ovpn
do
    name=$(basename -s .ovpn "$f")
    nmcli connection import type openvpn file "$f"
    nmcli connection modify "${name}" +vpn.data connection-type=password-tls
    nmcli connection modify "${name}" +vpn.data username="${USERNAME}"
    nmcli connection modify "${name}" +vpn.data password-flags="0"
    nmcli connection modify "${name}" +vpn.secrets password="${PASS}"
done
Open a terminal session, and change directories until you’re in the directory where you’ve stored your OpenVPN files. You will need to replace the “xxxxxxxxxxxxxxxx” with the username for your VPN, and “yyyyyyyyyyyyyyyyyy” with the password for your VPN account.
In less than one minute, every OpenVPN server for your VPN will be imported and set up for your use in NetworkManager. On my computers, I call this script vpn-import.sh.
So, yes, in this version of the script, your username and password are “hard coded” into the script. If you’re the only user on your computer, that might not be all that much of a security concern.
So, tbs came up with another version of the script (below).
#!/bin/bash
#
read -p "User name: " vname
read -s -p "Password : " vpass; echo   # -s keeps the password off the screen
vpndir="<path-to-.ovpn-files>"         # replace with the directory holding your .ovpn files
cd "$vpndir" || exit 1
for vpnfile in *.ovpn; do
    nmcli connection import type openvpn file "$vpnfile"
    vpnname=$(basename -s .ovpn "$vpnfile")
    nmcli connection modify "${vpnname}" +vpn.data connection-type=password-tls
    nmcli connection modify "${vpnname}" +vpn.data password-flags="0"
    nmcli connection modify "${vpnname}" +vpn.data username="${vname}"
    nmcli connection modify "${vpnname}" +vpn.secrets password="${vpass}"
done
In his version of the script, the user is prompted to input the username and password. It’s probably the most secure way to provide the username and password. There is no written “record” of those vital credentials. Everything is in the user’s mind. Granted, you only have to enter this information once, when you initially import the OpenVPN files into NetworkManager. But for me, my VPN account’s username is very difficult for me to remember. It’s a cryptic ensemble of letters and numbers that I don’t use often enough to memorize.
So, I remembered something that I used with my old-no-longer-relevant VPN script that I used to connect to my VPN with net_applet. With that, I stored all of my credentials in a simple text file, called login. I kept that file in /etc/openvpn, in the directory with the rest of the OpenVPN files on my computer. The format for those credentials couldn’t possibly be more simple. On the first line is your username. On the second line is your password. That’s it. Two lines. So, literally, the entire file looks something like this:
your_username
your_password
Now, I can’t put this “login” file in /etc/openvpn, due to permission issues. I want and need to run the script as a regular user, and a regular user can’t access the files that belong to the root user. So, I did the next best thing, and stored the file elsewhere in my user’s /home directory. To further “hide” it from prying eyes, I made it a hidden file, by making the first character a period. So, my most recent version of this script points to this hidden file, which I store in my /home directory. No subdirectory. Just in my /home directory. Since it’s “hidden,” no one really notices it. Of course, anyone looking at the script will know exactly where to find the file with my VPN login credentials, but they’re going to have to work a little to access it. In other words, don’t mistake obfuscation and hidden files for “security.”
Here’s my most recent version of that script:
#!/bin/bash
# Your login information is stored in a plain text file
# with your username on the first line, and your
# password on the second line
IFS=$'\n' read -d '' -r -a data < ~/.login
USERNAME="${data[0]}"
PASS="${data[1]}"
for f in *.ovpn
do
    name=$(basename -s .ovpn "$f")
    nmcli connection import type openvpn file "$f"
    nmcli connection modify "${name}" +vpn.data connection-type=password-tls
    nmcli connection modify "${name}" +vpn.data username="${USERNAME}"
    nmcli connection modify "${name}" +vpn.data password-flags="0"
    nmcli connection modify "${name}" +vpn.secrets password="${PASS}"
done
This version of the script reads my login credentials from that singular file in my /home directory, as shown in the first line that starts with IFS. That file is ~/.login. Notice the “period” before the name “login.” That makes the file a hidden file. Now, you can call it whatever name you want and store it wherever you want (within your /home directory), as long as you point the read command to the appropriate file (you could call it “shopping-list” if you want). The read command fills an array with the lines from the .login file, and those lines are read into the string variables USERNAME and PASS, which are then used by the nmcli command.
Really, the ONLY difference between the three scripts is with the login credentials. In sixte’s script, they are hard coded into the script. In tbs’ script, it asks for the user to type them in, one at a time. In mine, the login credentials (username and password) are stored in a separate file, and read from that file. Everything else between the three scripts is exactly the same (from the for-do loop through to the end). If you’re worried about security, then the first version is probably the least secure, the second version most secure, and the third version is somewhere in between. Of course, a user would have to be sitting at your computer for that information to be compromised (unless you accidentally share the script with your login information hard coded with someone else), and in that case, you probably have bigger things to worry about.
Caveats
If you’re unfortunate enough to run this script twice (or more) on the same computer, you could end up with multiple entries among the VPN servers of your VPN provider.
Now, you could go in and manually delete all of those duplicate entries, and while that is doable, it’ll take you some time. But, if you’re interested in going down this path, NetworkManager saves its configuration files for the VPN servers at /etc/NetworkManager/system-connections.
Probably a quicker way is to just empty out that directory by deleting all of its contents, and just starting over with the import script.
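The following is an added example, not one of the forum scripts, that pulls together the two points made above: the credential file of the third script, and the duplicate entries you get from running the import twice. It refuses to read a credential file that is readable by anyone other than its owner, and it skips any .ovpn file whose name is already a NetworkManager connection, so it can be re-run safely. The default path $HOME/.login and the --run switch are assumptions of this example; the nmcli calls are the same ones the article's scripts use, plus nmcli -g NAME connection show to list existing connection names.

```shell
#!/bin/bash
# Credential file layout follows the article's ~/.login: username on line 1,
# password on line 2. The default path is an assumption; override it with
#   CRED_FILE=/some/where ./import-vpn.sh --run /path/to/ovpn/files
CRED_FILE="${CRED_FILE:-$HOME/.login}"

# Refuse to use a credential file that anyone other than its owner can read.
cred_file_ok() {
    local f="$1" mode
    [ -f "$f" ] || { echo "no credential file at $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$f has mode $mode; expected 600 (fix: chmod 600 $f)" >&2; return 1 ;;
    esac
}

# Load line 1 and line 2 of the file into VPN_USER and VPN_PASS.
load_creds() {
    { IFS= read -r VPN_USER; IFS= read -r VPN_PASS; } < "$1"
    [ -n "$VPN_USER" ] && [ -n "$VPN_PASS" ]
}

# Return 0 if NAME is one of the newline-separated connection names in LIST
# (the form printed by: nmcli -g NAME connection show).
connection_exists() {
    local name="$1" list="$2"
    printf '%s\n' "$list" | grep -Fxq -- "$name"
}

# Import every .ovpn file in DIR whose name is not already a connection,
# then attach the credentials exactly as the article's scripts do.
import_ovpn_dir() {
    local dir="$1" existing f name
    existing=$(nmcli -g NAME connection show 2>/dev/null)
    for f in "$dir"/*.ovpn; do
        [ -e "$f" ] || continue                   # no .ovpn files in DIR
        name=$(basename -s .ovpn "$f")
        if connection_exists "$name" "$existing"; then
            echo "skip $name (already defined)"
            continue
        fi
        nmcli connection import type openvpn file "$f" || continue
        nmcli connection modify "$name" +vpn.data connection-type=password-tls
        nmcli connection modify "$name" +vpn.data username="$VPN_USER"
        nmcli connection modify "$name" +vpn.data password-flags=0
        nmcli connection modify "$name" +vpn.secrets password="$VPN_PASS"
        echo "imported $name"
    done
}

main() {
    cred_file_ok "$CRED_FILE" || return 1
    load_creds "$CRED_FILE" || { echo "$CRED_FILE must hold two non-empty lines" >&2; return 1; }
    import_ovpn_dir "${1:-.}"
}

# Only touch NetworkManager when run with --run, so sourcing this file for
# its functions has no side effects.
if [ "${1:-}" = "--run" ]; then
    main "${2:-.}"
fi
```

Run it as ./import-vpn.sh --run ~/Downloads/openvpn-strong (or whatever directory holds your .ovpn files). Because password-flags=0 stores the password in NetworkManager's own connection files under /etc/NetworkManager/system-connections, which are readable only by root, the credential file in your home directory is the weaker copy; hence the chmod 600 check.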
Fortunately, tbs also came up with another script that makes this task much easier. He calls it nm-vpn-delete. Here it is:
#!/bin/bash
# Shut down any active VPN connection (terse output is one NAME:TYPE per line)
nmcli -t -f NAME,TYPE con show --active | while IFS=: read -r name type; do
    [ "$type" = "vpn" ] && nmcli con down "$name"
done
# Delete every defined VPN connection
nmcli -t -f NAME,TYPE con show | while IFS=: read -r name type; do
    [ "$type" = "vpn" ] && nmcli con delete "$name"
done
All you have to do is run this script to clear out the defined VPN connections, and then rerun the first script (whichever of the three versions you decide to use) to set up your VPN servers again.
Summary
Without a doubt, the addition of NetworkManager to PCLinuxOS has made a HUGE improvement to managing network connections. And when it comes to setting up VPN connections, NetworkManager is light years ahead of the “old” method from PCC. Even setting them up manually is infinitely easier than that old method that virtually no one understood how to use. These scripts give you complete control over your VPN connections, and do so easily and very quickly.