Ed Greshko writes:
On 2020-07-23 09:45, Ed Greshko wrote:
> On 2020-07-23 09:20, Sam Varshavchik wrote:
>> I'm trying to save an OpenVPN password via nmcli, in Fedora 32. I believe I should be executing:
>>
>> nmcli connection modify CONNECTIONNAME vpn.secrets "password=[PASSWORD]"
>>
>> So I execute this as root, and this initially produces very promising noises in /var/log/messages:
>>
>> Jul 22 20:41:35 jack NetworkManager[1525]: <info> [1595464895.3350] audit: op="connection-update" uuid="UUID" name="CONNECTIONNAME" args="vpn.secrets" pid=67812 uid=0 result="success"
>>
>> However, the password appears to disappear into a black hole:
>>
>> nmcli --show-secrets connection CONNECTIONNAME | grep secrets
>> vpn.secrets: --
>>
>> And nmcli connection up fails because there's no password.
>>
>> The VPN connection's configuration was imported from the VPN provider's supplied ovpn file, via "nmcli connection import".
>>
>> Some searching around found some hits suggesting that my /etc/NetworkManager/system-connections/CONNECTIONNAME should have a [vpn-secrets] section, but mine does not. If I add it, run "nmcli connection reload", "nmcli connection modify", that just removes the [vpn-secrets] section.
>>
>> What would be the right way to do this?
> When you do....
>
> nmcli connection show CONNECTNAME
>
> What is the value of
>
> 802-11-wireless-security.psk-flags?
>
Also, what is the value of... 802-11-wireless-security.key-mgmt

None of them are set.

This is on an edge server with two Ethernet connections. A default route to the Internet, and a /24 route to the LAN. No wireless here.

The password in question is the VPN provider's password. Here are all the properties. I masked a few bits in the vpn.data setting. With --show-secrets, vpn-secrets is always just a --. I can

nmcli connection modify CONNECTIONNAME vpn.secrets anything=whatever

And this gets parroted back to me by --show-secrets. But password=whatever is stubbornly ignored, not saved, and not used. If I manually hack it into the /etc/NetworkManager/system-connections/CONNECTIONNAME.nmconnection, and nmcli connection reload it, it gets stubbornly ignored. I cannot find any way to start the VPN other than with the --ask option, and prompt for the password, every time.

connection.id: CONNECTIONNAME
connection.uuid: d5a4c828-ba14-46bb-866b-9d1b66a50668
connection.stable-id: --
connection.type: vpn
connection.interface-name: --
connection.autoconnect: yes
connection.autoconnect-priority: 0
connection.autoconnect-retries: -1 (default)
connection.multi-connect: 0 (default)
connection.auth-retries: -1
connection.timestamp: 1595467636
connection.read-only: no
connection.permissions: --
connection.zone: --
connection.master: --
connection.slave-type: --
connection.autoconnect-slaves: -1 (default)
connection.secondaries: --
connection.gateway-ping-timeout: 0
connection.metered: unknown
connection.lldp: default
connection.mdns: -1 (default)
connection.llmnr: -1 (default)
connection.wait-device-timeout: -1
ipv4.method: auto
ipv4.dns: --
ipv4.dns-search: --
ipv4.dns-options: --
ipv4.dns-priority: 0
ipv4.addresses: --
ipv4.gateway: --
ipv4.routes: --
ipv4.route-metric: -1
ipv4.route-table: 0 (unspec)
ipv4.routing-rules: --
ipv4.ignore-auto-routes: no
ipv4.ignore-auto-dns: yes
ipv4.dhcp-client-id: --
ipv4.dhcp-iaid: --
ipv4.dhcp-timeout: 0 (default)
ipv4.dhcp-send-hostname: yes
ipv4.dhcp-hostname: --
ipv4.dhcp-fqdn: --
ipv4.dhcp-hostname-flags: 0x0 (none)
ipv4.never-default: no
ipv4.may-fail: yes
ipv4.dad-timeout: -1 (default)
ipv6.method: auto
ipv6.dns: --
ipv6.dns-search: --
ipv6.dns-options: --
ipv6.dns-priority: 0
ipv6.addresses: --
ipv6.gateway: --
ipv6.routes: --
ipv6.route-metric: -1
ipv6.route-table: 0 (unspec)
ipv6.routing-rules: --
ipv6.ignore-auto-routes: no
ipv6.ignore-auto-dns: no
ipv6.never-default: no
ipv6.may-fail: yes
ipv6.ip6-privacy: -1 (unknown)
ipv6.addr-gen-mode: stable-privacy
ipv6.ra-timeout: 0 (default)
ipv6.dhcp-duid: --
ipv6.dhcp-iaid: --
ipv6.dhcp-timeout: 0 (default)
ipv6.dhcp-send-hostname: yes
ipv6.dhcp-hostname: --
ipv6.dhcp-hostname-flags: 0x0 (none)
ipv6.token: --
vpn.service-type: org.freedesktop.NetworkManager.openvpn
vpn.user-name: MYUSERNAME
vpn.data: auth = SHA512, ca = PEMFILEPATH, cipher = AES-256-CBC, comp-lzo = no-by-default, connection-type = password, dev = tun, mssfix = 1450, password-flags = 1, ping = 15, ping-restart = 0, remote = OP_ADDRESS, remote-cert-tls = server, remote-random = yes, reneg-seconds = 0, ta = /root/.cert/PEMFILE, ta-dir = 1, tunnel-mtu = 1500
vpn.secrets: <hidden>
vpn.persistent: no
vpn.timeout: 0
proxy.method: none
proxy.browser-only: no
proxy.pac-url: --
proxy.pac-script: --
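
The property dump above contains `password-flags = 1` inside vpn.data. In NetworkManager a `-flags` entry is a bitmask (0 none, 1 agent-owned, 2 not-saved, 4 not-required) that says who holds the secret; the following added example, which is not part of the original message, decodes it from an nmcli-style line. The function names and the shortened sample line are constructed for illustration.

```shell
#!/bin/sh
# Added example: decode the password-flags entry of an nmcli "vpn.data:" line.
# Bit values follow NetworkManager's NMSettingSecretFlags.

# Read nmcli output on stdin and print the password-flags value, if any.
# The [ ,] guard skips other keys such as http-proxy-password-flags.
vpn_password_flags() {
    sed -n 's/^vpn\.data:.*[ ,]password-flags = \([0-9][0-9]*\).*/\1/p'
}

# Translate a secret-flags bitmask into space-separated flag names.
decode_secret_flags() {
    flags=$1
    if [ "$flags" -eq 0 ]; then echo "none"; return 0; fi
    out=""
    if [ $((flags & 1)) -ne 0 ]; then out="$out agent-owned"; fi
    if [ $((flags & 2)) -ne 0 ]; then out="$out not-saved"; fi
    if [ $((flags & 4)) -ne 0 ]; then out="$out not-required"; fi
    echo "${out# }"
}

# Read nmcli output on stdin and say where the VPN password is expected
# to live. A missing password-flags key is treated as 0, the default.
password_storage() {
    flags=$(vpn_password_flags)
    flags=${flags:-0}
    case "$(decode_secret_flags "$flags")" in
        none)          echo "stored by NetworkManager in the connection profile" ;;
        *not-saved*)   echo "never stored; requested on every activation" ;;
        *agent-owned*) echo "held by a secret agent, not by NetworkManager" ;;
        *)             echo "not required" ;;
    esac
}

# Constructed sample: the vpn.data line from the dump above, shortened.
SAMPLE='vpn.data:      connection-type = password, dev = tun, password-flags = 1, ping = 15'

printf '%s\n' "$SAMPLE" | password_storage
```

With flag 1, NetworkManager expects a secret agent to supply the password instead of keeping it in the profile. `nmcli connection modify CONNECTIONNAME +vpn.data password-flags=0` switches storage to the root-only keyfile, where the password is then kept in plaintext.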