Setting openvpn connection declaratively & switching on/off through gnome network manager

Hi,
I have got a .myvpn.ovpn file and a mycertificate.pem certificate which I managed to make work correctly with the following configuration:

environment.etc.openvpn.source = "${pkgs.update-resolv-conf}/libexec/openvpn";
networking.networkmanager.enable = true;
environment.systemPackages = with pkgs; [ openvpn update-resolv-conf ];

I am able to correctly switch the vpn on by typing sudo openvpn my/path/to/myvpn.ovpn followed by username & password.

The question is: is there a way to edit my configuration in such a way that myvpn appears in my gnome network manager, and can be switched on/off via network manager?

Thank you
Davide

There’s nothing wrong with creating files in the format that NetworkManager expects (it’s just ini files). I’m doing that to generate different configurations for when I’m on-site with various customers.

Take a look in /etc/NetworkManager/system-connections.

One thing to keep in mind is that NM needs the permissions to be 0600, so you cannot link them to the store, but instead copy them into place:

{
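  # `connections` is a list of attrsets, each with a `name` and a `source`, defined elsewhere;
  # `lib` comes from the module arguments.
  environment.etc = lib.listToAttrs (map
    (e: lib.nameValuePair "NetworkManager/system-connections/${e.name}.nmconnection" { inherit (e) source; mode = "0600"; })
    connections);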
}

Not tried with VPNs, but no reason it shouldn’t work.

Thank you for your help.

  1. Yes I found the .nmconnection file in the folder you indicated, after manually configuring the vpn on network manager.

  2. Can you please explain a little more? Unfortunately I am no expert at all in nixos language. I guess the line you posted should stay inside my configuration.nix and provide network manager the right permissions. Next thing I guess I need to do is to copy the text of the .nmconfiguration file into another file somewhere into my $HOME. But then, how to tell network manager where to look to find it?

2 Can you please explain a little more? Unfortunately I am no expert at all in nixos language. I guess the line you posted should stay inside my configuration.nix and provide network manager the right permissions.

I have a collection of connections, but if you were just doing one which is easier to get started, something like this should work (you would have to adjust it for whatever a VPN looks like):

{
  environment.etc =
    let
      conn = (pkgs.formats.ini { }).generate "test.nmconnection" {
        connection = {
          id = "some id";
          autoconnect = true;
          autoconnect-priority = 100;
          type = "ethernet";
          uuid = "some-uuid";
        };

        ethernet.auto-negotiate = true;

        ipv4 = {
          may-fail = false;
          method = "auto";
        };

        ipv6 = {
          addr-gen-mode = "stable-privacy";
          method = "auto";
        };
      };

    in
    {
      "NetworkManager/system-connections/${conn.name}" = {
        source = conn;
        mode = "0600";
      };
    };
}

Next thing I guess I need to do is to copy the text of the .nmconfiguration file into another file somewhere into my $HOME. But then, how to tell network manager where to look to find it?

I don’t know where NM looks for definition files other than the directory I mentioned earlier, but yes, you can also make it put the files there. Assuming those are under $HOME, you probably want to do it via home-manager instead (it’s the same principle).
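
The single-connection snippet above adapted to an OpenVPN profile, as an added example that is not code from any poster in this thread. The generated file lands in the world-readable Nix store before it is copied to /etc with mode 0600, so the password is left to the GNOME secret agent instead of being written into it. The server name, username, UUID and certificate location are constructed placeholders, and the plugin is assumed to be pkgs.networkmanager-openvpn.

```nix
{ pkgs, ... }:
let
  # Everything in this attrset is rendered into /nix/store, which any local
  # user can read, so it must not contain the VPN password or a private key.
  conn = (pkgs.formats.ini { }).generate "myvpn.nmconnection" {
    connection = {
      id = "myvpn";
      type = "vpn";
      autoconnect = false;
      # Constructed UUID; generate your own with `uuidgen`.
      uuid = "00000000-0000-4000-8000-000000000001";
    };

    vpn = {
      service-type = "org.freedesktop.NetworkManager.openvpn";
      connection-type = "password";
      # Placeholder; take the value from the `remote` line of myvpn.ovpn.
      remote = "vpn.example.org";
      # Placeholder username.
      username = "your-username";
      # A string, not a Nix path, so the certificate is referenced in place
      # rather than copied into the store. Hypothetical location.
      ca = "/var/lib/myvpn/mycertificate.pem";
      # 1 = agent-owned: the password is kept by the user's secret agent
      # (GNOME prompts for it) and is never written to this file.
      password-flags = 1;
    };

    ipv4.method = "auto";
    ipv6 = {
      addr-gen-mode = "stable-privacy";
      method = "auto";
    };
  };
in
{
  networking.networkmanager.enable = true;
  # OpenVPN support for NetworkManager and the GNOME network settings.
  networking.networkmanager.plugins = [ pkgs.networkmanager-openvpn ];

  # A mode other than "symlink" makes NixOS copy the file into /etc, which
  # gives NetworkManager the root-owned 0600 file it requires.
  environment.etc."NetworkManager/system-connections/${conn.name}" = {
    source = conn;
    mode = "0600";
  };
}
```

After `nixos-rebuild switch`, `nmcli connection show` should list `myvpn`, and the permissions can be checked with `stat -c '%a %U' /etc/NetworkManager/system-connections/myvpn.nmconnection`.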