How to activate VPN or other network interface from command line

[lovecraft1024]

Hi,

In my workflow, it would be much more convenient if I could connect to my company VPN from the command line, rather than through the network manager GUI in the task bar. Is there a way to do this?

I remember there was a way to do this with regular network interfaces like Ethernet, using some scripts under `/etc`, or commands like `ifup` and `ifdown`. Is there something similar for VPNs?

Thanks,

Charles

[rene]

ifup et al are old/obsolete. You can in a terminal list the NetworkManager-configured connections with nmcli con, then use

Code: Select all

nmcli con up "the connection name as displayed by first step"

(i.e., within double quotes if the connection name contains spaces; does not matter otherwise) to connect and nmcli con down <same> to disconnect.

[lovecraft1024]

Excellent! You made my day.

There are a few additional things to make it frictionless, though. First, I need to use sudo because of this:

Code: Select all

polkit-agent-helper-1: pam_authenticate failed: Authentication failure
Error: Connection activation failed: Not authorized to control networking.

Is there a group I can add myself to? I've tried netdev and nm-openvpn, but those weren't the right ones.

The other thing is I need to specify the VPN password. The simple way is like this:

Code: Select all

$ sudo nmcli --ask con up "My Exciting VPN"
A password is required to connect to 'My Exciting VPN'.
Password (vpn.secrets.password): 
VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/22)

Entering the password gets me connected, and also I now know the name of the password property: vpn.secrets.password. So, I created a file with just this in it: `vpn.secrets.password:<password>` and now I can do this:

Code: Select all

$ sudo nmcli con up "My Exciting VPN" passwd-file ~/.ssh/vpn-pass 
VPN connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/23)

So, I hope this helps someone else, too, but it would be really nice to not need sudo.

Thanks!

Charles

[Termy]

To expand on the ifconfig(8) thing: it was deprecated in favor of ip(8). You might also want to know that netstat(8) was deprecated in favor of ss(8). You can take down and put up an interface with: ip link set IFACE [up|down] All that is of course in the man page, though. You can still install ifconfig(8) with the 'net-tools' package, but I think it'd be far better to learn to adapt, plus it doesn't seem to include the `if*` wrappers (IE: `ifup`). Although, it seems like you can get them separately, with the 'ifupdown' package. There's also 'ifupdown-extra' for even more related tools.

I have no idea about Network Manager, as I've never used it (I just use dhclient(8) for my Internet), but hopefully that info was somewhat helpful.

[rene]

So, I hope this helps someone else, too, but it would be really nice to not need sudo.

You in fact shouldn't need to -- admittedly maybe depending on how the VPN and/or the rest of your system is configured. First, if it's a VPN configured via the to NetworkManager built-in .opvn support the username/password is provided in the connection's settings, VPN tab, and when I as an admin user do the nmcli up thing for a so configured free-tier ProtonVPN connection I'm asked for nothing; it immediately connects. The sudo thing as such I can not place; the fact that you can even use sudo after all means you're an administrative user as well.

As to the password; I expect your VPN-setup is not as per that .opvn route and that you login automatically? I.e, that the system default keyring does not get unlocked automatically? That's in any case where NetworkManager tends to store passwords -- although I would suppose that the graphical route would in that case ask for the keyring password as well, so a difference I would again not be able to place. If however the keyring issue is the issue here you'd need/want to not login automatically or fudge around unlocking the keyring manually on login anyway.

In any case then; can not reproduce either of your two issues with the ProtonVPN connection I've set up, and although I expect that the second may then be a matter of you logging in to your desktop automatically, i.e., the keyring not getting unlocked -- and/or the second being a result of the first, but I've no idea what causes first for you.

[lovecraft1024]

Thanks for the tips. Although I know my way around a Linux machine pretty well, VPNs have been a black art for me. I strictly followed my IT department's installation and setup procedure. That involved these packages:

Code: Select all

sudo apt-get install network-manager-l2tp-gnome network-manager-strongswan
libstrongswanstandard-plugins libstrongswan-extra-plugins

I then configured a VPN connection using the Network Manager to add a L2TP connection.

I have no idea whether that has anything to do with .opvn, but I'm guessing "no". At any rate, using sudo isn't such a huge hassle, and I can stack commands after it (like "sshfs vpn-host:<something...>"). I'm just very happy to be able to do this from the command line, and also to have learned about nmcli.

[rene]

Indeed that's not OpenVPN, nor PPTP, which do both have that username/password thing integrated onto the VPN tab directly. This thread did make me wonder why NetworkManager support for those two types does not use the keyring to store the password by the way, but oh well, don't care much for for VPN details (either). If you're happy then I am