Failing to connect to vpn on boot-up

i’m trying to get the “connect automatically” option in NetworkManager working for a WG peer - this has never worked and i suspect it may be because the password is not accessible by root on boot/reboot

ArchWiki - Automatic connect to VPN on boot is not working

The problem occurs when the system (i.e. NetworkManager running as the root user) tries to establish a VPN connection, but the password is not accessible because it is stored in the GNOME Keyring of a particular user.

(KDE in my case, but i suspect the issue is the same)

if i reboot, i have no internet connection, but if i disconnect and then re-connect the WG peer, all is fine

ok, so then i …

ArchWiki - Use dispatcher to connect to a VPN after a network connection is established

… and added the following to /etc/NetworkManager/system-connections/myWgVpnConfig

[vpn]
password-flags=0

[vpn-secrets]
password=your_password

on reboot the VPN connection is AWOL (not listed in NM GUI)

what am i screwing up?

ps: if i auto-connect on boot with wg-quick@..., that works fine, but i’d rather avoid the systemd method

If you used

/etc/NetworkManager/dispatcher.d/vpn-up

#!/bin/sh
VPN_NAME="name of VPN connection defined in NetworkManager"
ESSID="Wi-Fi network ESSID (not connection name)"

interface=$1 status=$2
case $status in
  up|vpn-down)
    if iwgetid | grep -qs ":\"$ESSID\""; then
      nmcli connection up id "$VPN_NAME"
    fi
    ;;
  down)
    if iwgetid | grep -qs ":\"$ESSID\""; then
      if nmcli connection show --active | grep "$VPN_NAME"; then
        nmcli connection down id "$VPN_NAME"
      fi
    fi
    ;;
esac

Try replacing it with

/etc/NetworkManager/dispatcher.d/vpn-up

#!/bin/sh

VPN_NAME="your vpn name"
ESSID="your essid"

interface=$1 status=$2
case $status in
  up|vpn-down)
    if iwgetid | grep -qs ":\"$ESSID\""; then
      # Bring the VPN up only if it is not already active
      if ! nmcli connection show --active | grep -qs "$VPN_NAME"; then
        nmcli connection up id "$VPN_NAME"
      fi
    fi
    ;;
esac

Obviously you must replace the values for ESSID and VPN_NAME with the correct values.

Also note that all versions of those scripts rely on iwgetid provided by the wireless_tools package.

i didn’t use any script - all i did was add a few lines to the config in /etc/NetworkManager/system-connections/ as per the Arch wiki

Sorry for the misunderstanding.

But the linked section includes a script

It then goes on to describe ways of making sure the script has access to your secrets via

So if you have literally only created that config file then please review the linked instructions.

the confusion was due to me being as brief as i could in the description of the problem - i should have included the relevant quote from…

Automatic connect to VPN on boot is not working

emphasis added…

A solution is to keep the password to your VPN in plaintext, as described in step (2.) of #Use dispatcher to connect to a VPN after a network connection is established.

… which leads to this…

2: Alternatively, change the password-flags and put the password directly in the configuration file adding the section vpn-secrets:

[vpn]
....
password-flags=0

[vpn-secrets]
password=your_password

but when i do that the connection profile doesn’t appear in NM, i assume because there’s a problem reading the config

first of all, it seems that the [vpn] section is supposed to be there by default, but it isn’t, so i added it (minus the … of course)

Ah, that first link does state

So if you have done that (set the ‘auto-connect VPN’ option in networkmanager GUI) along with the necessary changes to /etc/NetworkManager/system-connections/name of your VPN connection then I am not sure.

The wiki states the script method should not be necessary … but if this approach continues to fail you may consider using the previous method with the script. Worth a try, right?

i try to keep things as simple as possible - if i cannot get it working without using a script, i’ll go back to wg-quick

these scripts and important changes to files get forgotten about and seem to have a way of biting me in the ass at some future point … nevertheless, thanks for the trying 🙂
appreciated
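
An added example, not code from this thread or the ArchWiki: a shell check of a keyfile in /etc/NetworkManager/system-connections/ for root-only ownership and permissions (NetworkManager ignores keyfiles that fail this, and a plaintext secret needs it anyway) and for `[vpn]`/`[vpn-secrets]` sections in a `type=wireguard` profile, whose key is stored in `[wireguard]` as `private-key` with `private-key-flags`. It assumes GNU `stat`; `kf_get`, `audit_keyfile` and `write_sample` are hypothetical helper names, and the sample profile is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit one NetworkManager keyfile.

# kf_get FILE SECTION KEY -> prints the value of KEY in [SECTION], if any.
kf_get() {
  awk -v s="[$2]" -v k="$3" '
    /^\[/ { in_s = ($0 == s); next }
    in_s && index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }
  ' "$1"
}

# audit_keyfile FILE -> prints findings, returns 1 if anything was flagged.
audit_keyfile() {
  f=$1; rc=0
  # The keyfile plugin only loads profiles owned by root with no
  # group/other permission bits, which also protects plaintext secrets.
  set -- $(stat -c '%a %u' "$f")   # GNU stat: octal mode, owner uid
  [ $(( 0$1 & 077 )) -eq 0 ] || { echo "PERM: mode $1 is open to group/other"; rc=1; }
  [ "$2" -eq 0 ] || { echo "OWNER: uid $2 is not root"; rc=1; }

  type=$(kf_get "$f" connection type)
  echo "TYPE: ${type:-unset}"
  if [ "$type" = wireguard ]; then
    # Native WireGuard profiles keep their secret in [wireguard];
    # [vpn] and [vpn-secrets] belong to type=vpn plugin profiles.
    for s in vpn vpn-secrets; do
      if grep -qxF "[$s]" "$f"; then
        echo "MISMATCH: [$s] section in a type=wireguard profile"; rc=1
      fi
    done
    [ -n "$(kf_get "$f" wireguard private-key)" ] ||
      { echo "SECRET: no private-key stored in [wireguard]"; rc=1; }
    flags=$(kf_get "$f" wireguard private-key-flags)
    [ "${flags:-0}" -eq 0 ] ||
      { echo "SECRET: private-key-flags=$flags, key is not system-owned"; rc=1; }
  fi
  return $rc
}

# write_sample FILE: constructed profile mirroring the edit described above.
write_sample() {
  ( umask 077; printf '%s\n' '[connection]' 'id=myWgVpnConfig' 'type=wireguard' \
      '' '[wireguard]' 'private-key=CONSTRUCTED_PLACEHOLDER_KEY' \
      '' '[vpn]' 'password-flags=0' '' '[vpn-secrets]' 'password=your_password' >"$1" )
}

if [ $# -gt 0 ]; then audit_keyfile "$1"; fi
```

Run it as root with the profile path as its only argument; a `MISMATCH` line means the profile mixes VPN-plugin sections into a native WireGuard profile.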