How to Safely Replace an OpenVPN 3 Configuration on Linux

When you are using the OpenVPN 3 Linux client and need to replace an existing VPN profile (.ovpn file) with a new one, it helps to follow a clean, logical procedure. Doing this in the right order avoids issues like stale sessions, duplicate configurations, or confusing errors.

In this post, we will walk through:

• How to check which configuration is currently in use
• How to disconnect the active session
• How to remove the old configuration
• How to import a new .ovpn profile
• How to start a new session with the new configuration

The commands below use the standard openvpn3 CLI tools, and each step includes an explanation so you understand what is happening behind the scenes.

---

1. Check Your Current OpenVPN 3 Configuration

First, you need to know which configuration is currently active. OpenVPN 3 for Linux maintains its own internal configuration store and session tracking, so the profile name inside OpenVPN 3 can matter more than the raw filename.

openvpn3 sessions-list

What this command does:

• Lists all active VPN sessions managed by the OpenVPN 3 service.
• For each session, you typically see:
  • The configuration name (this is the key piece you need).
  • The session path (a D-Bus object path, mostly useful for debugging).
  • The connection status (e.g., connected, connecting, etc.).

Make a note of the config name for the session you want to replace. It might look like anna, work-vpn, or some other label you specified when you first imported the profile.

---

2. Disconnect the Current Session

Before touching the configuration itself, you should disconnect the session that uses it. Removing a configuration that is still in use can cause inconsistent states or leave behind network changes.

openvpn3 session-manage --config "CONFIG_NAME" --disconnect

Replace "CONFIG_NAME" with the actual name you found from openvpn3 sessions-list.

What this command does:

• session-manage allows you to control an existing session.
• --config "CONFIG_NAME" tells OpenVPN 3 which session to act on, using the config name.
• --disconnect sends a graceful disconnect signal to that VPN session.

Internally, this:

• Tears down the VPN tunnel.
• Releases the virtual network interface (commonly a tun device such as tun0).
• Cleans up routes and DNS settings applied by the VPN client.

After a brief moment, you can verify the session is gone or disconnected:

openvpn3 sessions-list

---

3. Remove the Old Configuration

Once the session is disconnected, it is safe to remove the old configuration from the OpenVPN 3 configuration store.

openvpn3 config-remove --config "CONFIG_NAME" --force

What this command does:

• config-remove deletes a stored configuration definition from the OpenVPN 3 service.
• --config "CONFIG_NAME" specifies which config to remove.
• --force ensures removal even if there are warnings (for example, if the service thinks it might still be in use).

After this:

• The configuration no longer appears in openvpn3 configs-list.
• You will not be able to start a session using this config name until you import a profile again.

Conceptually, this step is “unregistering” the old .ovpn file from the OpenVPN 3 system.

---

4. Import the New .ovpn Profile

Now that the old configuration is removed, you can import the new profile. This is where you tell OpenVPN 3 to read your new .ovpn file and store it under a chosen name.

openvpn3 config-import --config "$OVPN_FILE" --name "NEW CONFIG_NAME" --persistent

Where:

• $OVPN_FILE is the path to your new .ovpn file (for example, ~/vpn/anna-new.ovpn).
• "NEW CONFIG_NAME" is the label used inside OpenVPN 3 for this profile.

What this command does:

• config-import reads and parses the .ovpn file.
• --config "$OVPN_FILE" indicates which file to import.
• --name "NEW CONFIG_NAME" sets the human-readable name for this configuration.
• --persistent ensures the configuration is stored across reboots, not just for the current session.

You can reuse the same config name as before (for example, both old and new configurations are called "anna"), or choose a completely new name if you prefer to keep them distinct. If you want your workflow to stay simple and consistent, reusing the old name is often convenient.

To confirm that the new configuration was stored:

openvpn3 configs-list

You should see your "NEW CONFIG_NAME" listed in the output.

---

5. Start a New VPN Session Using the New Profile

With the new configuration imported, you can now establish a new VPN session.

For example, if your chosen config name is "anna":

openvpn3 session-start --config "anna"

What this command does:

• session-start tells OpenVPN 3 to create a new session based on a stored configuration.
• --config "anna" selects which configuration to use.

Internally, OpenVPN 3 will:

• Load and validate the stored configuration.
• Establish a secure tunnel to the VPN server.
• Set up the virtual network interface.
• Apply routing and DNS settings as specified by the profile.

You can verify the active session with:

openvpn3 sessions-list

If everything is configured correctly and the server is reachable, you should now see an active session associated with the new configuration.

---

Putting It All Together

Here is the complete sequence as a practical example. Assume:

• Old config name: "anna"
• New profile path: ~/vpn/anna-new.ovpn
• New config name: "anna" (reusing the same name)

# 1. Check current sessions and note the config name
openvpn3 sessions-list

# 2. Disconnect the running session (if any)
openvpn3 session-manage --config "anna" --disconnect

# 3. Remove the old configuration
openvpn3 config-remove --config "anna" --force

# 4. Import the new .ovpn profile
openvpn3 config-import --config ~/vpn/anna-new.ovpn --name "anna" --persistent

# 5. Start a new session with the updated configuration
openvpn3 session-start --config "anna"

---

Why This Order Matters

The sequence is important for consistency and stability:

1. Disconnect first
   This avoids conflicts between an active VPN tunnel and changes to its configuration. It also ensures that network routes and DNS settings managed by the VPN are cleaned up before you remove the configuration.
2. Remove the old config second
   Removing the old configuration after the session is closed prevents confusion from overlapping or duplicate profiles with similar names.
3. Import and then start the session
   By importing the new profile and then starting a session from it, you ensure that any new parameters (servers, certificates, routes, etc.) are reliably in effect.

By following this order, you keep your OpenVPN 3 environment predictable and easier to debug. If you encounter issues later, you will know exactly which configuration is active and which steps you performed.