Ed Greshko writes:
On 2020-07-23 09:45, Ed Greshko wrote:
On 2020-07-23 09:20, Sam Varshavchik wrote:
I'm trying to save an OpenVPN password via nmcli, in Fedora 32. I believe
I should be executing:
nmcli connection modify CONNECTIONNAME vpn.secrets "password=[PASSWORD]"
So I execute this as root, and this initially produces very promising
noises in /var/log/messages:
Jul 22 20:41:35 jack NetworkManager[1525]: <info> [1595464895.3350]
audit: op="connection-update" uuid="UUID" name="CONNECTIONNAME" args="vpn.secrets" pid=67812 uid=0 result="success"
However, the password appears to disappear into a black hole:
nmcli --show-secrets connection CONNECTIONNAME | grep secrets
vpn.secrets: --
And nmcli connection up fails because there's no password.
The VPN connection's configuration was imported from the VPN provider's
supplied ovpn file, via "nmcli connection import".
Some searching around found some hits suggesting that my
/etc/NetworkManager/system-connections/CONNECTIONNAME should have a [vpn-secrets] section, but mine does not. If I add it, run "nmcli connection reload", "nmcli connection modify", that just removes the [vpn-secrets] section.
What would be the right way to do this?
When you do....
nmcli connection show CONNECTNAME
What is the value of
802-11-wireless-security.psk-flags?
Also, what is the value of...
802-11-wireless-security.key-mgmt
None of them are set.
This is on an edge server with two Ethernet connections. A default route to the Internet, and a /24 route to the LAN. No wireless here.
The password in question is the VPN provider's password.
Here are all the properties. I masked a few bits in the vpn.data setting. With --show-secrets, vpn-secrets is always just a --. I can
nmcli connection modify CONNECTIONNAME vpn.secrets anything=whatever
And this gets parroted back to me by --show-secrets. But password=whatever is stubbornly ignored, not saved, and not used. If I manually hack it into the /etc/NetworkManager/system-connections/CONNECTIONNAME.nmconnection, and nmcli connection reload it, it gets stubbornly ignored. I cannot find any way to start the VPN other than with the --ask option, and prompt for the password, every time.
connection.id: CONNECTIONNAME
connection.uuid: d5a4c828-ba14-46bb-866b-9d1b66a50668
connection.stable-id: --
connection.type: vpn
connection.interface-name: --
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.multi-connect: 0 (default)
connection.auth-retries: -1
connection.timestamp: 1595467636
connection.read-only: no
connection.permissions: --
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
connection.wait-device-timeout: -1
ipv4.method: auto
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.addresses: --
ipv4.gateway: --
ipv4.routes: --
ipv4.route-metric: -1
ipv4.route-table: 0 (unspec)
ipv4.routing-rules: --
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: yes
ipv4.dhcp-client-id: --
ipv4.dhcp-iaid: --
ipv4.dhcp-timeout: 0 (default)
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.dhcp-hostname-flags: 0x0 (none)
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.dad-timeout: -1 (default)
ipv6.method: auto
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
ipv6.addresses: --
ipv6.gateway: --
ipv6.routes: --
ipv6.route-metric: -1
ipv6.route-table: 0 (unspec)
ipv6.routing-rules: --
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: yes
ipv6.ip6-privacy: -1 (unknown)
ipv6.addr-gen-mode: stable-privacy
ipv6.ra-timeout: 0 (default)
ipv6.dhcp-duid: --
ipv6.dhcp-iaid: --
ipv6.dhcp-timeout: 0 (default)
ipv6.dhcp-send-hostname: yes
ipv6.dhcp-hostname: --
ipv6.dhcp-hostname-flags: 0x0 (none)
ipv6.token: --
vpn.service-type: org.freedesktop.NetworkManager.openvpn
vpn.user-name: MYUSERNAME
vpn.data: auth = SHA512, ca = PEMFILEPATH, cipher = AES-256-CBC, comp-lzo = no-by-default, connection-type = password, dev = tun, mssfix = 1450, password-flags = 1, ping = 15, ping-restart = 0, remote = OP_ADDRESS, remote-cert-tls = server, remote-random = yes, reneg-seconds = 0, ta = /root/.cert/PEMFILE, ta-dir = 1, tunnel-mtu = 1500
vpn.secrets: <hidden>
vpn.persistent: no
vpn.timeout: 0
proxy.method: none
proxy.browser-only: no
proxy.pac-url: --
proxy.pac-script: --
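
Added example, not part of the thread or of NetworkManager's own code: the vpn.data value in the dump above carries password-flags = 1, and in NetworkManager a secret flagged 1 is agent-owned, meaning the daemon expects a secret agent to supply it and does not keep it in the system connection. The script decodes the flag bits from a vpn.data string; the function names and SAMPLE_VPN_DATA (a trimmed copy of the value above) are assumptions made for the example.

```shell
#!/bin/sh
# Added example: decode NetworkManager secret flags in a vpn.data value.
# Bits (NMSettingSecretFlags): 0 none, 1 agent-owned, 2 not-saved, 4 not-required.

# Constructed sample: a trimmed copy of the vpn.data value from the dump above.
SAMPLE_VPN_DATA='auth = SHA512, connection-type = password, dev = tun, password-flags = 1, ping = 15, ping-restart = 0'

# Print the value of key $2 from a "k = v, k = v" string $1 (empty if absent).
vpn_data_get() {
    printf '%s\n' "$1" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        awk -F' *= *' -v k="$2" '$1 == k { print $2; exit }'
}

# Translate a numeric flags value into the names of the bits that are set.
describe_secret_flags() {
    names=""
    if [ $(( $1 & 1 )) -ne 0 ]; then names="$names agent-owned"; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then names="$names not-saved"; fi
    if [ $(( $1 & 4 )) -ne 0 ]; then names="$names not-required"; fi
    if [ -z "$names" ]; then names=" none"; fi
    echo "${names# }"
}

# Succeed only when NetworkManager itself will keep secret $2 (flags 0).
# A missing "<secret>-flags" key is treated as 0 here.
nm_stores_secret() {
    value=$(vpn_data_get "$1" "$2-flags")
    [ "${value:-0}" -eq 0 ]
}

flags=$(vpn_data_get "$SAMPLE_VPN_DATA" password-flags)
echo "password-flags = $flags ($(describe_secret_flags "$flags"))"
if nm_stores_secret "$SAMPLE_VPN_DATA" password; then
    echo "vpn.secrets password=... will be kept in the system connection"
else
    echo "password is left to a secret agent; vpn.secrets will not keep it"
    # Change that is not taken from the thread: clear the flag, then set the secret.
    echo "try: nmcli connection modify CONNECTIONNAME +vpn.data password-flags=0"
fi
```

With the flag at 0 the password is written in clear text into the connection's keyfile under /etc/NetworkManager/system-connections, so that file should stay readable by root only.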