Need help setting up NetworkManager as a VPN client, please

I'm trying to set up NetworkManager as a declarative VPN client (like the native VPN network settings on a device): IPsec, L2TP, OpenVPN and WireGuard.

I know WireGuard is supported by default, especially in the TUI.

Adding networking.networkmanager.plugins adds those options to the GUI (nm-applet/nm-connection-editor) when adding a connection.

I tried IPsec (username, password, pre-shared key), L2TP (username, password) and OpenVPN (import .ovpn config), connecting through nmcli (nmcli connection up vpnname), nmtui (activate a connection) and nm-applet (right-click the system tray icon, VPN Connections, turn on the VPN connection).

All fail.

I tried multiple VPNs on VPNGate (my go-to VPN source; it works on my other devices through the native networking settings), but to no avail.

I am setting it up in a module to be reused by my other NixOS hosts, like here.

{ pkgs, ... }:
{
  networking.firewall.checkReversePath = "loose";
    
  networking.networkmanager = {
    enable = true;
    plugins = with pkgs; [
      networkmanager-fortisslvpn
      networkmanager-l2tp
      networkmanager-openvpn
      networkmanager_strongswan
    ];
  };
    
  programs = {
    nm-applet = {
      enable = true;
    };
    openvpn3 = {
      enable = true;
    };
  };
    
  services = {
    mullvad-vpn = {
      enable = true;
    };
    softether = {
      enable = true;
    };
    strongswan = {
      enable = true;
    };
    tailscale = {
      enable = true;
    };
    wg-netmanager = {
      enable = true;
    };
    xl2tpd = {
      enable = true;
    };
  };
}

Logs from nmcli:

❯ nmcli connection up vpngate_vpn973081969.opengw.net_udp_1931
Error: Connection activation failed: The connection attempt timed out
Hint: use 'journalctl -xe NM_CONNECTION=47745bf3-bbbe-4452-8b2a-714382e04a4d + NM_DEVICE=enp88s0' to get more details.
NetworkManager[2277]: <warn>  [1754281183.4190] vpn[0x1ee22830,47745bf3-bbbe-4452-8b2a-714382e04a4d,"vpngate_vpn973081969.opengw.net_udp_1931"]: connect timeout exceeded

When using OpenVPN outside of NetworkManager:

❯ openvpn3 session-start --config vpngate_vpn973081969.opengw.net_udp_1931.ovpn
Using pre-loaded configuration profile 'vpngate_vpn973081969.opengw.net_udp_1931.ovpn'
openvpn3/session-start: ** ERROR ** Could not start new VPN session: New tunnel did not respond

Fix:

L2TP/IPsec tunnel

Got an L2TP → IPsec tunnel working; unfortunately I haven't got direct L2TP working, but IPsec is fine for me for now.

An empty strongswan.conf file has to be in /etc.

networkmanager-l2tp works with strongswan and not strongswan-swanctl, even with the empty strongswan.conf file.

{ pkgs, ... }:
{
  # Relax the kernel reverse-path filter; strict rpfilter drops tunnel
  # traffic whose reply route differs from the route it arrived on.
  networking.firewall.checkReversePath = "loose";

  networking.networkmanager = {
    enable = true;
    # VPN plugins; these add the corresponding connection types to
    # nmcli/nmtui and to the GUI editors.
    plugins = with pkgs; [
      networkmanager-fortisslvpn
      networkmanager-l2tp
      networkmanager-openvpn
    ];
  };

  programs = {
    nm-applet = {
      enable = true;
    };
  };

  services = {
    # networkmanager-l2tp needs the classic strongswan service, not
    # strongswan-swanctl.
    strongswan = {
      enable = true;
    };
  };

  # networkmanager-l2tp expects /etc/strongswan.conf to exist; an empty
  # file is enough.
  environment.etc."strongswan.conf" = {
    text = '''';
  };

}

Related issues

OpenVPN

OpenVPN worked from the very beginning; it's just that the servers, or the server I chose from VPNGate, use the AES-128-CBC cipher.

In my logs I get:

OPTIONS ERROR: failed to negotiate cipher with server.  Add the server's cipher ('AES-128-CBC') to --data-ciphers (currently 'AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305') if you want to connect to this server.

Unfortunately it is a pain in the ass to change it. I could have just added it to the client .ovpn configuration, like data-ciphers AES-128-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305, but to no avail.

I edited the connection in /etc/NetworkManager/system-connections/<connection-name> and added the data-ciphers line to it:

[vpn]
cipher=AES-128-CBC
data-ciphers=AES-128-CBC:AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305

Then reload the connections with sudo nmcli connection reload and start the connection.

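As an added example, not code from the original post, the keyfile edit described above as a small POSIX shell helper so it can be repeated for every imported VPNGate profile. It assumes the keyfile has a [vpn] section laid out as in the post and that nmcli is available for the reload step; the keyfile path and the legacy cipher name are passed in by the caller. Two points worth noting: NetworkManager ignores keyfiles that are not mode 0600 and owned by root, so the helper writes back through the existing file instead of replacing it, and AES-128-CBC is a non-AEAD cipher that OpenVPN dropped from its defaults on purpose, so the helper keeps the AEAD defaults in data-ciphers and adds the legacy cipher only as an extra acceptable option, with cipher= set to it as the fallback for a server that does not negotiate.

```shell
#!/bin/sh
# Added example (not from the original post). Makes the [vpn] keyfile edit
# repeatable. Assumes a keyfile with a [vpn] section as shown in the post and
# nmcli on PATH for the reload step.
set -eu

# Insert cipher= and data-ciphers= directly under [vpn], replacing any
# existing values in that section only. Other sections are left untouched.
# Writing through cat keeps the file's inode and therefore its 0600 root:root
# mode, which NetworkManager requires before it will load a keyfile.
add_vpn_ciphers() {
    keyfile=$1
    legacy=$2    # cipher named in the OPTIONS ERROR log line, e.g. AES-128-CBC
    aead='AES-256-GCM:AES-128-GCM:CHACHA20-POLY1305'   # OpenVPN's default data-ciphers

    grep -q '^\[vpn\]$' "$keyfile" || {
        echo "no [vpn] section in $keyfile" >&2
        return 1
    }

    tmp=$(mktemp)
    awk -v legacy="$legacy" -v dc="$aead:$legacy" '
        /^\[vpn\]$/ { print; print "cipher=" legacy; print "data-ciphers=" dc; invpn = 1; next }
        /^\[/       { invpn = 0 }                        # any other section header
        invpn && /^(cipher|data-ciphers)=/ { next }     # drop stale values in [vpn]
        { print }
    ' "$keyfile" > "$tmp"
    cat "$tmp" > "$keyfile"
    rm -f "$tmp"
}

# Same two commands as in the post: re-read keyfiles, then bring the VPN up.
reload_and_connect() {
    nmcli connection reload
    nmcli connection up "$1"
}
```

Usage: `add_vpn_ciphers /etc/NetworkManager/system-connections/<connection-name> AES-128-CBC` as root, then `reload_and_connect <connection-name>`. Check `journalctl -u NetworkManager` afterwards: if the OPTIONS ERROR line is gone but the tunnel still times out, the cipher was not the only problem.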