Private Tunnel is an OpenVPN-based VPN service provided by OpenVPN Technologies Inc. At some point I signed up for their service and found that while my phone used their Android app without any issues, the NetworkManager part on my laptop was not really cooperating.
Eventually I figured out a workaround.
Update: The workaround can be found in the Private Tunnel Knowledgebase.
Repeat the steps for the <extra-certs>..</extra-certs> section, and put this content at the end of the file usr.crt you have just saved previously.
NetworkManager cannot import the .ovpn files you get from Private Tunnel (everything is inline, and the file uses an <extra-certs> block), no matter how hard you try, so the pieces have to be taken out by hand.
So, open e.g. San Jose.ovpn downloaded from Private Tunnel and you'll see:
setenv USERNAME "firstname.lastname@example.org"
client
dev tun
remote us-ca-sj-001.privatetunnel.com 1194 udp
[...]
remote-cert-tls server
comp-lzo no
auth SHA1
nobind
verb 3
sndbuf 0
rcvbuf 0
socket-flags TCP_NODELAY
<ca>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</cert>
<extra-certs>
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
</extra-certs>
<key>
-----BEGIN RSA PRIVATE KEY-----
[...]
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
[...]
-----END OpenVPN Static key V1-----
</tls-auth>
On Fedora, you'll need to extract the contents of the .ovpn file into one of the pre-defined locations ~/.cert or ~/.pki. SELinux labels those directories home_cert_t and will otherwise prevent NetworkManager from reading the files (a feature, not a bug). Check the label with ls -Zd ~/.cert, and run restorecon -R ~/.cert if you created the directory some other way; keep the private key at mode 600.
Save the contents between <ca></ca> (including the BEGIN/END lines) to ca.pem, <cert></cert> to cert.pem, and do the same for key and tls-auth.
The trick to get Private Tunnel working with NetworkManager is to append the extra-certs data to cert.pem, since there is no way to pass --extra-certs to the OpenVPN command line via NetworkManager; with the extra certificate in cert.pem, OpenVPN still sends the full client chain to the server.
Afterwards, you will need to reference the files created during OpenVPN setup:
After setting the endpoint (remote in the .ovpn file above) and selecting the certificates, click "Advanced..."
Select "Use LZO". The .ovpn says comp-lzo no, which turns compression off but keeps the LZO compression framing enabled, so NetworkManager's LZO option must be on for the tunnel to match the server.
Under Verify Peer, set the remote to Server (this is the remote-cert-tls server line from the .ovpn), set the path to the tls-auth file you created before, and select "1" as the key direction (key-direction 1 in the .ovpn).
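To make the extraction steps above reproducible, here is an added shell example; it is not Private Tunnel's or NetworkManager's own tooling. It splits a constructed .ovpn (placeholder PEM bodies, no real keys) into ca.pem, cert.pem (client cert with the extra-certs appended), key.pem and ta.key under a directory such as ~/.cert/privatetunnel, locks down permissions, relabels for SELinux where restorecon exists, and prints an equivalent nmcli command. The vpn.data key names in that command are my assumption about the nm-openvpn plugin; compare them with nmcli connection show on an existing OpenVPN profile before relying on them.

```shell
#!/bin/bash
# Added example: split a Private Tunnel style .ovpn into the separate files
# NetworkManager wants, appending <extra-certs> to the client cert. The sample
# .ovpn below is constructed; the PEM bodies are placeholders, not real keys.
set -e

# Print the lines between <tag> and </tag> of an .ovpn file (tags excluded).
ovpn_section() {   # usage: ovpn_section FILE TAG
    awk -v begtag="<$2>" -v endtag="</$2>" \
        '$0 == endtag { inside = 0 } inside { print } $0 == begtag { inside = 1 }' "$1"
}

# Extract ca/cert/key/tls-auth into DIR, merging <extra-certs> into cert.pem
# because NetworkManager cannot pass --extra-certs itself. Prints DIR.
split_ovpn() {     # usage: split_ovpn FILE DIR   (DIR should live under ~/.cert on Fedora)
    local ovpn="$1" dir="$2"
    mkdir -p "$dir"
    ovpn_section "$ovpn" ca       > "$dir/ca.pem"
    { ovpn_section "$ovpn" cert; ovpn_section "$ovpn" extra-certs; } > "$dir/cert.pem"
    ovpn_section "$ovpn" key      > "$dir/key.pem"
    ovpn_section "$ovpn" tls-auth > "$dir/ta.key"
    chmod 700 "$dir"; chmod 600 "$dir"/*      # private key and TA key: owner only
    # SELinux: ~/.cert carries the home_cert_t label NetworkManager may read;
    # restorecon reapplies it if the directory was created elsewhere first.
    if command -v restorecon >/dev/null 2>&1; then restorecon -R "$dir" || true; fi
    echo "$dir"
}

# Number of PEM blocks in a file (sanity check: ca.pem and cert.pem get two each).
pem_blocks() { grep -c -- '-----BEGIN ' "$1"; }

# Equivalent nmcli command. Assumption: these are the nm-openvpn vpn.data keys
# (connection-type, remote=host:port:proto, ca, cert, key, ta, ta-dir,
# comp-lzo, remote-cert-tls); verify against an existing profile.
nmcli_command() {  # usage: nmcli_command DIR REMOTE_HOST
    printf 'nmcli connection add type vpn con-name privatetunnel ifname "*" vpn-type openvpn vpn.data "connection-type=tls,remote=%s:1194:udp,ca=%s/ca.pem,cert=%s/cert.pem,key=%s/key.pem,ta=%s/ta.key,ta-dir=1,comp-lzo=yes,remote-cert-tls=server"\n' \
        "$2" "$1" "$1" "$1" "$1"
}

# --- constructed sample input (placeholder bodies, not a real cert or key) ---
SAMPLE_OVPN="$(mktemp)"
cat > "$SAMPLE_OVPN" <<'EOF'
client
dev tun
remote us-ca-sj-001.privatetunnel.com 1194 udp
remote-cert-tls server
comp-lzo no
<ca>
-----BEGIN CERTIFICATE-----
ROOTCA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE
-----END CERTIFICATE-----
</ca>
<cert>
-----BEGIN CERTIFICATE-----
CLIENTCERT
-----END CERTIFICATE-----
</cert>
<extra-certs>
-----BEGIN CERTIFICATE-----
EXTRACERT
-----END CERTIFICATE-----
</extra-certs>
<key>
-----BEGIN RSA PRIVATE KEY-----
CLIENTKEY
-----END RSA PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
-----BEGIN OpenVPN Static key V1-----
0123456789abcdef
-----END OpenVPN Static key V1-----
</tls-auth>
EOF

# Real use: split_ovpn "San Jose.ovpn" "$HOME/.cert/privatetunnel"
OUT_DIR="$(split_ovpn "$SAMPLE_OVPN" "$(mktemp -d)/privatetunnel")"
nmcli_command "$OUT_DIR" us-ca-sj-001.privatetunnel.com
```

After running it against the real file, ls -Zd ~/.cert should show home_cert_t, and pem_blocks on cert.pem should report two blocks (client cert plus the extra certificate).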
Now, Private Tunnel has posted their NetworkManager guide detailing these steps, and they also want you to patch the openvpn script, but according to the OpenVPN Community Wiki this is no longer needed, as the --remote-cert-tls option passed by NetworkManager is the proper one.
Here's the cool part: based on my experience, all the certificates and keys are the same across all Private Tunnel endpoints, so if you want to connect to a different location, you only need to change the endpoint address.
As always, the NetworkManager and OpenVPN logs may help you figure out what's wrong: