NetworkManager: storing secrets for an automatic openvpn connection

Since I have no access to a GUI, I added my openvpn password to the NetworkManager connection with the following command:

$ sudo nmcli con mod CONNAME vpn.secrets "password=MYPASS"

I can confirm that the password is stored by looking at the file named after the connection in /etc/NetworkManager/system-connections/CONNAME.

I want to be able to activate this VPN connection by running

$ sudo nmcli c up CONNAME

However, it still fails:

Warning: password for 'vpn.secrets.cert-pass' not given in 'passwd-file' and nmcli cannot ask without '--ask' option. 
Error: Connection activation failed: No valid secrets

How do I store my password so that I can connect to my VPN without any interaction?

Answer 1

A different password is required.

In your /etc/NetworkManager/system-connections/CONNAME try adding:

[vpn]
...
cert-pass-flags=0

Answer 2

See the "Secret flag types:" section of

man 5 nm-settings 

At the moment it is right at the bottom of the page (press G in the pager) and reads

   Secret flag types:
       Each password or secret property in a setting has an associated flags property that describes how to handle that
       secret. The flags property is a bitfield that contains zero or more of the following values logically OR-ed together.

       •   0x0 (none) - the system is responsible for providing and storing this secret. This may be required so that secrets
           are already available before the user logs in. It also commonly means that the secret will be stored in plain text
           on disk, accessible to root only. For example via the keyfile settings plugin as described in the "PLUGINS"
           section in NetworkManager.conf(5).

       •   0x1 (agent-owned) - a user-session secret agent is responsible for providing and storing this secret; when it is
           required, agents will be asked to provide it.

       •   0x2 (not-saved) - this secret should not be saved but should be requested from the user each time it is required.
           This flag should be used for One-Time-Pad secrets, PIN codes from hardware tokens, or if the user simply does not
           want to save the secret.

       •   0x4 (not-required) - in some situations it cannot be automatically determined that a secret is required or not.
           This flag hints that the secret is not required and should not be requested from the user.

So, to set it for my vpn, I did

vim /etc/NetworkManager/system-connections/myVpnName

and then, under the vpn section:

[vpn]
...
password-flags=0

and the command you listed in the question should already have created the vpn-secrets section:

[vpn-secrets]
password=myvpnpassword

Remember to reload the configuration and test with

# save the file
nmcli connection reload
nmcli connection up myVpnName

To confirm, I tested this with password-flags=1 and got the same error as described in the OP's question.
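As an added check (my own code, not anything from the answers above or from NetworkManager itself), the script below parses a connection keyfile laid out like the one in the answers and reports, for each VPN secret, whether its <name>-flags value in [vpn] is consistent with what is stored in [vpn-secrets]. A secret whose flags are 0x1 (agent-owned) or 0x2 (not-saved) can never be supplied by a non-interactive "nmcli con up", and a secret whose flags are 0 but which has no stored value yields the "No valid secrets" failure from the question. The two keyfiles embedded in it are constructed samples; the script assumes a secret with no <name>-flags key has flags 0, and it only checks what the file declares, not whether the openvpn profile actually needs a given secret (for example cert-pass when the key is encrypted). Because flags=0 means the password sits in this file in plain text, as the man page excerpt says, mode_is_private() also flags any file readable by group or others.

```python
import configparser
import os
import stat

# Constructed sample keyfile (not a real connection file), laid out like the
# /etc/NetworkManager/system-connections/<name> file in the answers:
# password-flags=1 (agent-owned) although the password is stored, and
# cert-pass-flags=0 (system-owned) with no cert-pass value stored.
BROKEN_KEYFILE = """\
[connection]
id=myVpnName
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
password-flags=1
cert-pass-flags=0

[vpn-secrets]
password=myvpnpassword
"""

# The same constructed file after the answers' advice: password-flags=0 so the
# system supplies the stored password; cert-pass marked 0x4 (not-required)
# because this sample profile is assumed to use an unencrypted key.
FIXED_KEYFILE = """\
[connection]
id=myVpnName
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
password-flags=0
cert-pass-flags=4

[vpn-secrets]
password=myvpnpassword
"""

# Bit values from the "Secret flag types" section of nm-settings(5).
AGENT_OWNED = 0x1
NOT_SAVED = 0x2
NOT_REQUIRED = 0x4


def parse_keyfile(text):
    """Parse NetworkManager's INI-style keyfile: keys are case-sensitive,
    '=' is the only delimiter and no %-interpolation is applied to values."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_secret_flags(text):
    """Return {secret_name: status} for every VPN secret the file mentions,
    via a <name>-flags key in [vpn] or a value in [vpn-secrets].
    Assumption: a secret without a <name>-flags key has flags 0."""
    cp = parse_keyfile(text)
    vpn = dict(cp["vpn"]) if cp.has_section("vpn") else {}
    secrets = dict(cp["vpn-secrets"]) if cp.has_section("vpn-secrets") else {}

    flags = {k[:-len("-flags")]: int(v, 0) for k, v in vpn.items() if k.endswith("-flags")}
    for name in secrets:
        flags.setdefault(name, 0)

    status = {}
    for name, bits in flags.items():
        if bits & NOT_SAVED:
            status[name] = "not-saved"        # always prompts; never unattended
        elif bits & AGENT_OWNED:
            status[name] = "agent-owned"      # needs a session agent; nmcli without --ask fails
        elif bits & NOT_REQUIRED:
            status[name] = "not-required"
        elif name in secrets:
            status[name] = "system-stored"    # plain text in this file, usable non-interactively
        else:
            status[name] = "missing-secret"   # flags say the system has it, nothing stored
    return status


def unattended_ready(text):
    """True when every declared secret can be supplied without a user prompt."""
    return all(s in ("system-stored", "not-required") for s in audit_secret_flags(text).values())


def mode_is_private(st_mode):
    """True when no permission bits are granted to group or others, which is
    what a file holding a plain-text secret (flags=0) should look like."""
    return (stat.S_IMODE(st_mode) & 0o077) == 0


def audit_file(path):
    """Audit a real connection file: (secret statuses, file mode is private)."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return audit_secret_flags(text), mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_KEYFILE), ("fixed", FIXED_KEYFILE)):
        print(label, audit_secret_flags(text), "unattended:", unattended_ready(text))
```

On a real system, run audit_file("/etc/NetworkManager/system-connections/CONNAME") as root after editing the file and before "nmcli connection reload"; any secret reported as agent-owned, not-saved or missing-secret is one that an unattended "nmcli c up" will stop on.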

Answer 3

This worked for me:

Change password-flags=1 to password-flags=0 and add [vpn-secrets] password=mypassword

My openvpn password was stored somewhere else, probably a pam file, and the order of execution meant that file was not unlocked in time for the desktop to load.

Otherwise a prompt asking for the openvpn password always popped up when logging into the Gnome session. Switching LAN would connect automatically, but I did not want to keep pressing that button.
