NetworkManager

NetworkManager is a program for providing detection and configuration for systems to automatically connect to networks. NetworkManager's functionality can be useful for both wireless and wired networks. For wireless networks, NetworkManager prefers known wireless networks and has the ability to switch to the most reliable network. NetworkManager-aware applications can switch from online and offline mode. NetworkManager also prefers wired connections over wireless ones, has support for modem connections and certain types of VPN. NetworkManager was originally developed by Red Hat and now is hosted by the GNOME project.

Installation

NetworkManager can be installed with the package networkmanager, which contains a daemon, a command line interface (nmcli) and a curses‐based interface (nmtui).

Enable NetworkManager

After installation, you should start/enable NetworkManager.service. Once the NetworkManager daemon is started, it will automatically connect to any available "system connections" that have already been configured. Any "user connections" or unconfigured connections will need nmcli or an applet to configure and connect.

Additional interfaces

• nm-connection-editor for a graphical user interface,
• network-manager-applet for a system tray applet (nm-applet).

Mobile broadband support

NetworkManager uses ModemManager for mobile broadband connection support.

Install modemmanager and usb_modeswitch. Afterwards enable and start ModemManager.service.

It may be necessary to restart NetworkManager.service for it to detect ModemManager. After you restart it, re-plug the modem again and it should be recognized.

Add connections from a front-end (e.g. nm-connection-editor) and select mobile broadband as the connection type. After selecting your ISP and billing plan, APN and other settings should be filled in automatically using information from mobile-broadband-provider-info.

PPPoE / DSL support

Install rp-pppoe package for PPPoE / DSL connection support. To actually add PPPoE connection, use nm-connection-editor and add new DSL/PPPoE connection.

VPN support

NetworkManager since version 1.16 has native support for WireGuard, all it needs is the wireguard kernel module. Read the WireGuard in NetworkManager blog post for details.

Support for other VPN types is based on a plug-in system. They are provided in the following packages:

• networkmanager-openconnect for OpenConnect
• networkmanager-openvpn for OpenVPN
• networkmanager-pptp for PPTP Client
• networkmanager-strongswan for strongSwan
• networkmanager-vpnc
• networkmanager-fortisslvpn^AUR
• networkmanager-iodine-git^AUR
• networkmanager-libreswan^AUR
• networkmanager-l2tp
• networkmanager-ssh-git^AUR
• network-manager-sstp

Usage

NetworkManager comes with nmcli(1) and nmtui(1).

nmcli examples

List nearby Wi-Fi networks:

$ nmcli device wifi list

Connect to a Wi-Fi network:

$ nmcli device wifi connect SSID_or_BSSID password password

Connect to a hidden Wi-Fi network:

$ nmcli device wifi connect SSID_or_BSSID password password hidden yes

Connect to a Wi-Fi on the wlan1 interface:

$ nmcli device wifi connect SSID_or_BSSID password password ifname wlan1 profile_name

Disconnect an interface:

$ nmcli device disconnect ifname eth0

Get a list of connections with their names, UUIDs, types and backing devices:

$ nmcli connection show

Activate a connection (i.e. connect to a network with an existing profile):

$ nmcli connection up name_or_uuid

Delete a connection:

$ nmcli connection delete name_or_uuid

See a list of network devices and their state:

$ nmcli device

Turn off Wi-Fi:

$ nmcli radio wifi off

Edit a connection

For a comprehensive list of settings, see nm-settings(5).

Firstly, you need to get a list of connections:

$ nmcli connection

NAME                UUID                                  TYPE      DEVICE
Wired connection 2  e7054040-a421-3bef-965d-bb7d60b7cecf  ethernet  enp5s0
Wired connection 1  997f2782-f0fc-301d-bfba-15421a2735d8  ethernet  enp0s25
MY-HOME-WIFI-5G     92a0f7b3-2eba-49ab-a899-24d83978f308  wifi       --

Here you can use the first column as connection-id used later. In this example, we pick Wired connection 2 as a connection-id.

You have three methods to configure a connection Wired connection 2 after it has been created:

nmcli interactive editor

nmcli connection edit 'Wired connection 2'.
Usage is well documented from the editor.

nmcli command line interface

nmcli connection modify 'Wired connection 2' setting.property value. See nmcli(1) for usage. For example, you can change its IPv4 route metric to 200 using nmcli connection modify 'Wired connection 2' ipv4.route-metric 200 command.

To remove a setting, pass an empty field ("") to it like this:

nmcli connection modify 'Wired connection 2' setting.property ""

Connection file

In /etc/NetworkManager/system-connections/, modify the corresponding Wired connection 2.nmconnection file .
Do not forget to reload the configuration file with nmcli connection reload.

Front-ends

To provide integration with a desktop environment, most users will want to install an applet. This not only provides easy access to network selection and configuration, but also provides the agent necessary for securely storing secrets. Various desktop environments have their own applet; otherwise, you can use #nm-applet.

GNOME

GNOME has a built-in tool, accessible from the Network settings.

KDE Plasma

Install the plasma-nm package. After that, add it to the KDE taskbar via the Panel options > Add widgets > Networks menu.

nm-applet

network-manager-applet is a GTK 3 front-end which works under Xorg environments with a systray.

To store connection secrets install and configure an application which implements the Secret Service D-Bus API such as GNOME/Keyring, KDE Wallet, or KeePassXC.

Be aware that after enabling the tick-box option Make available to other users for a connection, NetworkManager stores the password in plain-text, though the respective file is accessible only to root (or other users via nm-applet). See #Encrypted Wi-Fi passwords.

In order to run nm-applet without a systray, you can use trayer or stalonetray. For example, you can add a script like this one in your path:

nmgui

#!/bin/sh
nm-applet    2>&1 > /dev/null &
stalonetray  2>&1 > /dev/null
killall nm-applet

When you close the stalonetray window, it closes nm-applet too, so no extra memory is used once you are done with network settings.

The applet can show notifications for events such as connecting to or disconnecting from a WiFi network. For these notifications to display, ensure that you have a notification server installed - see Desktop notifications. If you use the applet without a notification server, you might see some messages in stdout/stderr, and the applet might hang. See [2].

In order to run nm-applet with such notifications disabled, start the applet with the following command:

$ nm-applet --no-agent

Exec=nm-applet --no-agent

Appindicator

As of version 1.18.0 Appindicator support is available in the official network-manager-applet package. To use nm-applet in an Appindicator environment start the applet with the following command:

$ nm-applet --indicator

networkmanager-dmenu

Alternatively there is networkmanager-dmenu-git^AUR which is a small script to manage NetworkManager connections with dmenu or rofi instead of nm-applet. It provides all essential features such as connection to existing NetworkManager wifi or wired connections, connect to new wifi connections, requests passphrase if required, connect to existing VPN connections, enable/disable networking, launch nm-connection-editor GUI, connect to Bluetooth networks.

switchboard

Pantheon's switchboard offers a desktop environment-agnostic way to configure NetworkManager when combined with switchboard-plug-network and nm-connection-editor. It can be ran with the following command:

$ io.elementary.settings

Configuration

NetworkManager will require some additional steps to be able run properly. Make sure you have configured /etc/hosts as described in Network configuration#Set the hostname section.

NetworkManager has a global configuration file at /etc/NetworkManager/NetworkManager.conf. Additional configuration files can be placed in /etc/NetworkManager/conf.d/. Usually no configuration needs to be done to the global defaults.

After editing a configuration file, the changes can be applied by running:

# nmcli general reload

NetworkManager-wait-online

Enabling NetworkManager.service also enables NetworkManager-wait-online.service, which is a oneshot system service that waits for the network to be configured. The latter has WantedBy=network-online.target, so it will finish only when network-online.target itself is enabled or pulled in by some other unit. See also systemd#Running services after the network is up.

By default, NetworkManager-wait-online.service waits for NetworkManager startup to complete, rather than waiting for network connectivity specifically (see nm-online(1)). If NetworkManager-wait-online.service finishes before the network is really up, resulting in failed services on boot, extend the unit to remove the -s from the ExecStart line:

[Service]
ExecStart=
ExecStart=/usr/bin/nm-online -q

Be aware that this can cause other issues.

In some cases, the service will still fail to start successfully on boot due to the timeout setting being too short. Edit the service to change NM_ONLINE_TIMEOUT from 60 to a higher value.

Set up PolicyKit permissions

By default, all users in active local sessions are allowed to change most network settings without a password. See General troubleshooting#Session permissions to check your session type. In most cases, everything should work out of the box.

Some actions (such as changing the system hostname) require an administrator password. In this case, you need to add yourself to the wheel group and run a Polkit authentication agent which will prompt for your password.

For remote sessions (e.g. headless VNC), you have several options for obtaining the necessary privileges to use NetworkManager:

1. Add yourself to the wheel group. You will have to enter your password for every action. Note that your user account may be granted other permissions as well, such as the ability to use sudo without entering the root password.
2. Add yourself to the network group and create /etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules with the following content:

   polkit.addRule(function(action, subject) {
     if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) {
       return polkit.Result.YES;
     }
   });
   

   All users in the network group will be able to add and remove networks without a password (which means you do not have to run a Polkit authentication agent, so this option will also work in SSH sessions).

Proxy settings

NetworkManager does support some proxy settings. While they can not be directly modified using nmtui, nm-applet and nmcli support those. See the proxy settings in nm-settings-nmcli(5).

Additionally, custom proxy commands can always be run using dispatcher scripts, see #Dispatcher examples.

See also Proxy settings.

Checking connectivity

NetworkManager can try to reach a webserver after connecting to a network in order to determine if it is e.g behind a captive portal. The default host (configured in /usr/lib/NetworkManager/conf.d/20-connectivity.conf) is ping.archlinux.org (a CNAME alias of redirect.archlinux.org). To use a different webserver or to disable connectivity checking, create /etc/NetworkManager/conf.d/20-connectivity.conf, see NetworkManager.conf(5) § CONNECTIVITY SECTION. Below is an example of using GNOME servers (it does not require the use of GNOME):

/etc/NetworkManager/conf.d/20-connectivity.conf

[connectivity]
uri=http://nmcheck.gnome.org/check_network_status.txt

To disable NetworkManager's connectivity check, use the following configuration. This can be useful when connected to a VPN that blocks connectivity checks.

/etc/NetworkManager/conf.d/20-connectivity.conf

[connectivity]
enabled=false

Captive portals

For those behind a captive portal, the desktop manager may automatically open a window asking for credentials. If your desktop does not, you can use capnet-assist package (however, it currently it has a broken NetworkManager dispatcher script). Alternatively, you can create a NetworkManager dispatcher script with the following content:

/etc/NetworkManager/dispatcher.d/90-open_captive_portal

#!/bin/sh -e
# Script to dispatch NetworkManager events
#
# Runs shows a login webpage on walled garden networks.
# See NetworkManager(8) for further documentation of the dispatcher events.

PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

if [ -x "/usr/bin/logger" ]; then
    logger="/usr/bin/logger -s -t captive-portal"
else
    logger=":"
fi

wait_for_process() {
    PNAME=$1
    while [ -z "$(/usr/bin/pgrep $PNAME)" ]; do
        sleep 3;
    done
}

#launch the browser, but on boot we need to wait that nm-applet starts
start_browser() {
    local user="$1"
    local display="$2"

    export DISPLAY="$display"
    wait_for_process nm-applet

    export XAUTHORITY="/home/$user/.Xauthority"

    $logger "Running browser as '$user' with display '$display' to login in captive portal"
    sudo -u "$user" --preserve-env=DISPLAY,XAUTHORITY -H xdg-open http://capnet.elementary.io 2>&1 > /dev/null
}

# Run the right scripts
case "$2" in
    connectivity-change)
    $logger -p user.debug "dispatcher script triggered on connectivity change: $CONNECTIVITY_STATE"
    if [ "$CONNECTIVITY_STATE" = "PORTAL" ]; then
        # Match last column of who's output with ' :[at least one digit] '
        who | awk '$NF ~ /\(:[0-9]+\)/ { print $1 " " substr($NF, 2, length($NF)-2) };' | \
        while read user display; do
            start_browser $user $display || $logger -p user.err "Failed for user: '$user' display: '$display'"
        done
    fi
    ;;
    *)
    # In a down phase
    exit 0
    ;;
esac

Make the script executable. But that script assumes you use X and simply opens http page. It might not work for everyone.

You will need to restart NetworkManager.service or reboot for this to start working. Once you do, the dispatcher script should open a login window once it detects you are behind a captive portal.

Simple solution is captive-portal-sh - shell script that obtains captive portal URL and opens it in your default browser (for Wayland users only).

Another solution is captive-browser-git^AUR based on Google Chrome.

DHCP client

By default NetworkManager uses its internal DHCP client. The internal DHCPv4 plugin is based on the nettools' n-dhcp4 library, while the internal DHCPv6 plugin is made from code based on systemd-networkd.

To use a different DHCP client install one of the alternatives:

• dhclient - dhclient.
• dhcpcd - dhcpcd.

To change the DHCP client backend, set the option main.dhcp=dhcp_client_name with a configuration file in /etc/NetworkManager/conf.d/. E.g.:

/etc/NetworkManager/conf.d/dhcp-client.conf

[main]
dhcp=dhclient

DNS management

NetworkManager's DNS management is described in the GNOME project's wiki page—Projects/NetworkManager/DNS.

DNS caching and conditional forwarding

NetworkManager has a plugin to enable DNS caching and conditional forwarding (previously called "split DNS" in NetworkManager's documentation) using dnsmasq or systemd-resolved. The advantages of this setup is that DNS lookups will be cached, shortening resolve times, and DNS lookups of VPN hosts will be routed to the relevant VPN's DNS servers. This is especially useful if you are connected to more than one VPN.

dnsmasq

Make sure dnsmasq has been installed. Then set main.dns=dnsmasq with a configuration file in /etc/NetworkManager/conf.d/:

/etc/NetworkManager/conf.d/dns.conf

[main]
dns=dnsmasq

Now run nmcli general reload as root. NetworkManager will automatically start dnsmasq and add 127.0.0.1 to /etc/resolv.conf. The original DNS servers can be found in /run/NetworkManager/no-stub-resolv.conf. You can verify dnsmasq is being used by doing the same DNS lookup twice with drill example.com and verifying the server and query times.

Custom dnsmasq configuration

Custom configurations can be created for dnsmasq by creating configuration files in /etc/NetworkManager/dnsmasq.d/. For example, to change the size of the DNS cache (which is stored in RAM):

/etc/NetworkManager/dnsmasq.d/cache.conf

cache-size=1000

You can check the configuration file syntax with:

$ dnsmasq --test --conf-file=/dev/null --conf-dir=/etc/NetworkManager/dnsmasq.d

See dnsmasq(8) for all available options.

IPv6

Enabling dnsmasq in NetworkManager may break IPv6-only DNS lookups (i.e. drill -6 [hostname]) which would otherwise work. In order to resolve this, creating the following file will configure dnsmasq to also listen to the IPv6 loopback:

/etc/NetworkManager/dnsmasq.d/ipv6-listen.conf

listen-address=::1

In addition, dnsmasq also does not prioritize upstream IPv6 DNS. Unfortunately NetworkManager does not do this (Ubuntu Bug). A workaround would be to disable IPv4 DNS in the NetworkManager config, assuming one exists.

DNSSEC

The dnsmasq instance started by NetworkManager by default will not validate DNSSEC since it is started with the --proxy-dnssec option. It will trust whatever DNSSEC information it gets from the upstream DNS server.

For dnsmasq to properly validate DNSSEC, thus breaking DNS resolution with name servers that do not support it, create the following configuration file:

/etc/NetworkManager/dnsmasq.d/dnssec.conf

conf-file=/usr/share/dnsmasq/trust-anchors.conf
dnssec

systemd-resolved

NetworkManager can use systemd-resolved as a DNS resolver and cache. Make sure that systemd-resolved is properly configured and that systemd-resolved.service is started before using it.

systemd-resolved will be used automatically if /etc/resolv.conf is a symlink to /run/systemd/resolve/stub-resolv.conf, /run/systemd/resolve/resolv.conf or /usr/lib/systemd/resolv.conf.

You can enable it explicitly by setting main.dns=systemd-resolved with a configuration file in /etc/NetworkManager/conf.d/:

/etc/NetworkManager/conf.d/dns.conf

[main]
dns=systemd-resolved

DNS resolver with an openresolv subscriber

If openresolv has a subscriber for your local DNS resolver, set up the subscriber and configure NetworkManager to use openresolv.

Because NetworkManager advertises a single "interface" to resolvconf, it is not possible to implement conditional forwarding between two NetworkManager connections. See NetworkManager issue 153.

This can be partially mitigated if you set private_interfaces="*" in /etc/resolvconf.conf[6]. Any queries for domains that are not in search domain list will not get forwarded. They will be handled according to the local resolver's configuration, for example, forwarded to another DNS server or resolved recursively from the DNS root.

Custom DNS servers

Setting custom global DNS servers

To set DNS servers for all connections, specify them in NetworkManager.conf(5) using the syntax servers=serveripaddress1,serveripaddress2,serveripaddress3 in a section named [global-dns-domain-*]. For example:

/etc/NetworkManager/conf.d/dns-servers.conf

[global-dns-domain-*]
servers=::1,127.0.0.1

Setting custom DNS servers in a connection

Setting custom DNS servers in a connection (GUI)

Setup will depend on the type of front-end used; the process usually involves right-clicking on the applet, editing (or creating) a profile, and then choosing DHCP type as Automatic (specify addresses). The DNS addresses will need to be entered and are usually in this form: 127.0.0.1, DNS-server-one, ....

Setting custom DNS servers in a connection (nmcli / connection file)

To setup DNS Servers per connection, you can use the dns field (and the associated dns-search and dns-options) in the connection settings.

If method is set to auto (when you use DHCP), you need to set ignore-auto-dns to yes.

/etc/resolv.conf

NetworkManager's /etc/resolv.conf management mode is configured with the main.rc-manager setting. networkmanager sets it to symlink as opposed to the upstream default auto. The setting and its values are documented in the NetworkManager.conf(5) man page.

NetworkManager also offers hooks via so called dispatcher scripts that can be used to alter the /etc/resolv.conf after network changes. See #Network services with NetworkManager dispatcher and NetworkManager(8) for more information.

Unmanaged /etc/resolv.conf

To stop NetworkManager from touching /etc/resolv.conf, set main.dns=none with a configuration file in /etc/NetworkManager/conf.d/:

/etc/NetworkManager/conf.d/dns.conf

[main]
dns=none

After that /etc/resolv.conf might be a broken symlink that you will need to remove. Then, just create a new /etc/resolv.conf file.

Use openresolv

To configure NetworkManager to use openresolv, set main.rc-manager=resolvconf with a configuration file in /etc/NetworkManager/conf.d/:

/etc/NetworkManager/conf.d/rc-manager.conf

[main]
rc-manager=resolvconf

Firewall

You can assign a firewalld zone based on your current connection. For example a restrictive firewall when at work, and a less restrictive one when at home.

This can also be done with NetworkManager dispatcher.

Network services with NetworkManager dispatcher

There are quite a few network services that you will not want running until NetworkManager brings up an interface. NetworkManager has the ability to start services when you connect to a network and stop them when you disconnect (e.g. when using NFS, SMB and NTPd).

To activate the feature you need to enable and start the NetworkManager-dispatcher.service.

Once the service is active, scripts can be added to the /etc/NetworkManager/dispatcher.d directory.

Scripts must be owned by root, otherwise the dispatcher will not execute them. For added security, set group ownership to root as well:

# chown root:root /etc/NetworkManager/dispatcher.d/10-script.sh

Make sure the file is executable.

The scripts will be run in alphabetical order at connection time, and in reverse alphabetical order at disconnect time. To ensure what order they come up in, it is common to use numerical characters prior to the name of the script (e.g. 10-portmap or 30-netfs (which ensures that the portmapper is up before NFS mounts are attempted).

Scripts will receive the following arguments:

• Interface name: e.g. eth0
• Action: up, down, vpn-up, vpn-down, ... (see NetworkManager-dispatcher(8) for the complete list)

Avoiding the dispatcher timeout

If the above is working, then this section is not relevant. However, there is a general problem related to running dispatcher scripts which take longer to be executed. Initially an internal timeout of three seconds only was used. If the called script did not complete in time, it was killed. Later the timeout was extended to about 20 seconds (see the Bugtracker for more information). If the timeout still creates the problem, a work around may be to use a drop-in file for the NetworkManager-dispatcher.service to remain active after exit:

/etc/systemd/system/NetworkManager-dispatcher.service.d/remain_after_exit.conf

[Service]
RemainAfterExit=yes

Now start and enable the modified NetworkManager-dispatcher service.

Dispatcher examples

Automatically set the timezone

Install tzupdate^AUR and create an executable script:

/etc/NetworkManager/dispatcher.d/update-timezone.sh

#! /bin/bash
# Automatically set time zone when connected to the network
iface=$1
action=$2

if [[ $iface != lo && $action == up ]]; then
    tz=$(tzupdate -s 1 -p 2>/dev/null)
    if [[ -n $tz && -r /usr/share/zoneinfo/$tz ]]; then
	timedatectl set-timezone $tz
    fi
fi

Change the condition $iface != lo to match a specific interface if desired.

Mount remote directory with sshfs

As the script is run in a very restrictive environment, you have to export SSH_AUTH_SOCK in order to connect to your SSH agent. There are different ways to accomplish this, see this message for more information. The example below works with GNOME Keyring, and will ask you for the password if not unlocked already. In case NetworkManager connects automatically on login, it is likely gnome-keyring has not yet started and the export will fail (hence the sleep). The UUID to match can be found with the command nmcli connection status or nmcli connection list.

#!/bin/sh
USER='username'
REMOTE='user@host:/remote/path'
LOCAL='/local/path'

interface=$1 status=$2
if [ "$CONNECTION_UUID" = "uuid" ]; then
  case $status in
    up)
      # sleep 10
      SSH_AUTH_SOCK=$(find /tmp -maxdepth 1 -type s -user "$USER" -name 'ssh')
      export SSH_AUTH_SOCK
      su "$USER" -c "sshfs $REMOTE $LOCAL"
      ;;
    down)
      fusermount -u "$LOCAL"
      ;;
  esac
fi

Mounting of SMB shares

Some SMB shares are only available on certain networks or locations (e.g. at home). You can use the dispatcher to only mount SMB shares that are present at your current location.

The following script will check if we connected to a specific network and mount shares accordingly:

/etc/NetworkManager/dispatcher.d/30-mount-smb.sh

#!/bin/sh

# Find the connection UUID with "nmcli connection show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
if [ "$2" = "up" ]; then
  if [ "$CONNECTION_UUID" = "uuid" ]; then
    mount /your/mount/point & 
    # add more shares as needed
  fi
fi

The following script will unmount all SMB shares before a software initiated disconnect from a specific network:

/etc/NetworkManager/dispatcher.d/pre-down.d/30-umount-smb.sh

#!/bin/sh

if [ "$CONNECTION_UUID" = "uuid" ]; then
  umount -a -l -t cifs
fi

The following script will attempt to unmount all SMB shares following an unexpected disconnect from a specific network:

/etc/NetworkManager/dispatcher.d/40-umount-smb.sh

#!/bin/sh

if [ "$CONNECTION_UUID" = "uuid" ]; then
  if [ "$2" = "down" ]; then
    umount -a -l -t cifs
  fi
fi

An alternative is to use the script as seen in NFS#Using a NetworkManager dispatcher:

/etc/NetworkManager/dispatcher.d/30-smb.sh

#!/bin/sh

# Find the connection UUID with "nmcli con show" in terminal.
# All NetworkManager connection types are supported: wireless, VPN, wired...
WANTED_CON_UUID="CHANGE-ME-NOW-9c7eff15-010a-4b1c-a786-9b4efa218ba9"

if [ "$CONNECTION_UUID" = "$WANTED_CON_UUID" ]; then
    
    # Script parameter $1: network interface name, not used
    # Script parameter $2: dispatched event
    
    case "$2" in
        "up")
            mount -a -t cifs
            ;;
        "down"|"pre-down"|"vpn-pre-down")
            umount -l -a -t cifs >/dev/null
            ;;
    esac
fi

Create a symlink inside /etc/NetworkManager/dispatcher.d/pre-down/ to catch the pre-down events:

# ln -s ../30-smb.sh /etc/NetworkManager/dispatcher.d/pre-down.d/30-smb.sh

Mounting of NFS shares

See NFS#Using a NetworkManager dispatcher.

Use dispatcher to automatically toggle wireless depending on LAN cable being plugged in

The idea is to only turn Wi-Fi on when the LAN cable is unplugged (for example when detaching from a laptop dock), and for Wi-Fi to be automatically disabled, once a LAN cable is plugged in again.

Create the following dispatcher script[7], replacing LAN_interface with yours.

Note that there is a fail-safe for the case when the LAN interface was connected when the computer was last on, and then disconnected while the computer was off. That would mean the radio would still be off when the computer is turned back on, and with a disconnected LAN interface, you would have no network.

/etc/NetworkManager/dispatcher.d/wlan_auto_toggle.sh

#!/bin/sh

if [ "$1" = "LAN_interface" ]; then
    case "$2" in
        up)
            nmcli radio wifi off
            ;;
        down)
            nmcli radio wifi on
            ;;
    esac
elif [ "$(nmcli -g GENERAL.STATE device show LAN_interface)" = "20 (unavailable)" ]; then
    nmcli radio wifi on
fi

Use dispatcher to connect to a VPN after a network connection is established

In this example we want to connect automatically to a previously defined VPN connection after connecting to a specific Wi-Fi network. First thing to do is to create the dispatcher script that defines what to do after we are connected to the network.

/etc/NetworkManager/dispatcher.d/vpn-up

#!/bin/sh
VPN_NAME="name of VPN connection defined in NetworkManager"
ESSID="Wi-Fi network ESSID (not connection name)"

interface=$1 status=$2
case $status in
  up|vpn-down)
    if iwgetid | grep -qs ":\"$ESSID\""; then
      nmcli connection up id "$VPN_NAME"
    fi
    ;;
  down)
    if iwgetid | grep -qs ":\"$ESSID\""; then
      if nmcli connection show --active | grep "$VPN_NAME"; then
        nmcli connection down id "$VPN_NAME"
      fi
    fi
    ;;
esac

If you would like to attempt to automatically connect to VPN for all Wi-Fi networks, you can use the following definition of the ESSID: ESSID=$(iwgetid -r). Remember to set the script's permissions accordingly.

Trying to connect with the above script may still fail with NetworkManager-dispatcher.service complaining about 'no valid VPN secrets', because of the way VPN secrets are stored. Fortunately, there are different options to give the above script access to your VPN password.

1: One of them requires editing the VPN connection configuration file to make NetworkManager store the secrets by itself rather than inside a keyring that will be inaccessible for root: open up /etc/NetworkManager/system-connections/name of your VPN connection and change the password-flags and secret-flags from 1 to 0.

If that alone does not work, you may have to create a passwd-file in a safe location with the same permissions and ownership as the dispatcher script, containing the following:

/path/to/passwd-file

vpn.secrets.password:YOUR_PASSWORD

The script must be changed accordingly, so that it gets the password from the file:

/etc/NetworkManager/dispatcher.d/vpn-up

#!/bin/sh
VPN_NAME="name of VPN connection defined in NetworkManager"
ESSID="Wi-Fi network ESSID (not connection name)"

interface=$1 status=$2
case $status in
  up|vpn-down)
    if iwgetid | grep -qs ":\"$ESSID\""; then
      nmcli connection up id "$VPN_NAME" passwd-file /path/to/passwd-file
    fi
    ;;
  down)
    if iwgetid | grep -qs ":\"$ESSID\""; then
      if nmcli connection show --active | grep "$VPN_NAME"; then
        nmcli connection down id "$VPN_NAME"
      fi
    fi
    ;;
esac

2: Alternatively, change the password-flags and put the password directly in the configuration file adding the section vpn-secrets:

 [vpn]
 ....
 password-flags=0
 
 [vpn-secrets]
 password=your_password

Use dispatcher to disable IPv6 on VPN provider connections

Many commercial VPN providers support only IPv4. That means all IPv6 traffic bypasses the VPN and renders it virtually useless. To avoid this, dispatcher can be used to disable all IPv6 traffic for the time a VPN connection is up.

/etc/NetworkManager/dispatcher.d/10-vpn-ipv6

#!/bin/sh

case "$2" in
	vpn-up)
		echo 1 > /proc/sys/net/ipv6/conf/all/disable_ipv6
		;;
	vpn-down)
		echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
		;;
esac

As an alternative, dispatcher can be used to temporarily set the IPv6 mode of the device used by the VPN connection to link-local. This will avoid NetworkManager log spam about IPv6 being disabled. This script will not work if multiple devices or connections provide IPv6 connectivity, but could be adapted to iterate over multiple devices. Note that any change to the connection (using nmcli(1) or a desktop environment) will reapply the entire connection to the device and re-enable IPv6 (if it is enabled in the connection).

/etc/NetworkManager/dispatcher.d/10-vpn-ipv6

#!/bin/sh

case "$2" in
	vpn-up)
		nmcli device modify "${DEVICE_IFACE}" ipv6.method link-local
		;;
	vpn-down)
		nmcli device reapply "${DEVICE_IFACE}"
		;;
esac

OpenNTPD

See OpenNTPD#Using NetworkManager dispatcher.

Dynamically set NTP servers received via DHCP with systemd-timesyncd

When roaming between different networks (e.g. a company's LAN, WiFi at home, various other WiFi now and then) you might want to set the NTP server(s) used by timesyncd to those provided by DHCP. However, NetworkManager itself is not capable to communicate with systemd-timesyncd to set the NTP server(s).

The dispatcher can work around it.

Create the overlay directory for your systemd-timesyncd configuration /etc/systemd/timesyncd.conf.d if it does not already exist. Inside /etc/NetworkManager/dispatcher.d, put the following:

/etc/NetworkManager/dispatcher.d/10-update-timesyncd

#!/bin/sh

[ -z "$CONNECTION_UUID" ] && exit 0
INTERFACE="$1"
ACTION="$2"

case $ACTION in
up | dhcp4-change | dhcp6-change)
	[ -n "$DHCP4_NTP_SERVERS" ] || exit 0
	mkdir -p /etc/systemd/timesyncd.conf.d
	cat <<-THE_END >"/etc/systemd/timesyncd.conf.d/${CONNECTION_UUID}.conf"
		[Time]
		NTP=$DHCP4_NTP_SERVERS
	THE_END
	systemctl restart systemd-timesyncd.service
	;;
down)
	rm -f "/etc/systemd/timesyncd.conf.d/${CONNECTION_UUID}.conf"
	systemctl restart systemd-timesyncd.service
	;;
esac

Every time NetworkManager sets up a new network connection (ACTION=up) or gets some update for an existing connection (ACTION=dhcp4-change or ACTION=dhcp6-change) and the provided connection data contains information about NTP server(s) (DHCP4_NTP_SERVERS), a connection specific overlay configuration file is written to /etc/systemd/timesyncd.conf.d, containing the provided NTP server(s). Whenever a connection is taken down (ACTION=down) the connection specific overlay file is removed. After each change to the configuration of systemd-timesyncd, this service is restarted to pick up the updated configuration. The use of connection specific configuration files is intentional so that when two or more connections are managed by NetworkManager in parallel the different NTP server names in the configuration are not overwritten as up, dhcp4-change, dhcp6-change and down actions might come in in an arbitrary order.

Testing

NetworkManager applets are designed to load upon login so no further configuration should be necessary for most users. If you have already disabled your previous network settings and disconnected from your network, you can now test if NetworkManager will work. The first step is to start NetworkManager.service.

Some applets will provide you with a .desktop file so that the NetworkManager applet can be loaded through the application menu. If it does not, you are going to either have to discover the command to use or logout and login again to start the applet. Once the applet is started, it will likely begin polling network connections with for auto-configuration with a DHCP server.

To start the GNOME applet in non-xdg-compliant window managers like awesome:

nm-applet --sm-disable &

For static IP addresses, you will have to configure NetworkManager to understand them. The process usually involves right-clicking the applet and selecting something like 'Edit Connections'.

Tips and tricks

Encrypted Wi-Fi passwords

By default, NetworkManager stores passwords in clear text in the connection files at /etc/NetworkManager/system-connections/. To print the stored passwords, use the following command:

# grep -r '^psk=' /etc/NetworkManager/system-connections/

The passwords are accessible to the root user in the filesystem and to users with access to settings via the GUI (e.g. nm-applet).

It is preferable to save the passwords in encrypted form in a keyring instead of clear text. The downside to this is that the connections have to be set up for each user.

In order to read and write to the keyring, there must be a secret agent available. This can be one of:

• nmcli with the --ask option
• One of the graphical interfaces from #Front-ends

If you make neither of these available, then authentication will fail with the error no secrets: No agents were available for this request.

Using GNOME Keyring

The keyring daemon has to be started and the keyring needs to be unlocked for the following to work.

Furthermore, NetworkManager needs to be configured not to store the password for all users. Using GNOME's network-manager-applet, run nm-connection-editor from a terminal, select a network connection, click Edit, select the Wi-Fi Security tab and click on the right icon of password and check Store the password only for this user.

Using KDE Wallet

Using KDE's plasma-nm, click the applet, click on the top right Settings icon, click on a network connection, in the General configuration tab, untick All users may connect to this network. If the option is ticked, the passwords will still be stored in clear text, even if a keyring daemon is running.

If the option was selected previously and you un-tick it, you may have to use the reset option first to make the password disappear from the file. Alternatively, delete the connection first and set it up again.

Sharing internet connection over Wi-Fi

You can share your internet connection (e.g. 3G or wired) with a few clicks. Please note that a firewall may interfere with internet sharing.

You will need a Wi-Fi card which supports AP mode, see Software access point#Wi-Fi device must support AP mode for details.

Install the dnsmasq package to be able to actually share the connection. Note that NetworkManager starts its own instance of dnsmasq, independent of dnsmasq.service, as a DHCP server. See #dnsmasq for the caveats.

Create the shared connection:

• Click on applet and choose Create new wireless network.
• Follow wizard (choose WPA2 or higher, be sure to use at least 8 character long password, lower lengths will fail).
  • Choose either Hotspot or Ad-hoc as Wi-Fi mode.

The connection will be saved and remain stored for the next time you need it.

Sharing internet connection over Ethernet

Scenario: your device has internet connection over Wi-Fi and you want to share the internet connection to other devices over Ethernet.

Requirements:

• Install the dnsmasq and nm-connection-editor packages to be able to actually share the connection. Note that NetworkManager starts its own instance of dnsmasq, independent of dnsmasq.service, as a DHCP server. See #dnsmasq for the caveats.
• Your internet connected device and the other devices are connected over a suitable Ethernet cable (this usually means a cross over cable or a switch in between).
• Internet sharing is not blocked by a firewall.

Steps:

• Run nm-connection-editor from terminal.
• Add a new Ethernet connection.
• Give it some sensible name. For example "Shared Internet"
• Go to "IPv4 Settings".
• For "Method:" select "Shared to other computers".
• Save

Now you should have a new option "Shared Internet" under the Wired connections in NetworkManager.

Checking if networking is up inside a cron job or script

Some cron jobs require networking to be up to succeed. You may wish to avoid running these jobs when the network is down. To accomplish this, add an if test for networking that queries NetworkManager's nm-tool and checks the state of networking. The test shown here succeeds if any interface is up, and fails if they are all down. This is convenient for laptops that might be hardwired, might be on wireless, or might be off the network.

if [ $(nm-tool|grep State|cut -f2 -d' ') == "connected" ]; then
    #Whatever you want to do if the network is online
else
    #Whatever you want to do if the network is offline - note, this and the else above are optional
fi

This is useful for a cron.hourly script that runs fpupdate for the F-Prot virus scanner signature update, as an example. Another way it might be useful, with a little modification, is to differentiate between networks using various parts of the output from nm-tool; for example, since the active wireless network is denoted with an asterisk, you could grep for the network name and then grep for a literal asterisk.

Connect to network with secret on boot

By default, NetworkManager will not connect to networks requiring a secret automatically on boot. This is because it locks such connections to the user who makes it by default, only connecting after they have logged in. To change this, do the following:

1. Right click on the nm-applet icon in your panel and select Edit Connections and open the Wireless tab
2. Select the connection you want to work with and click the Edit button
3. Check the boxes “Connect Automatically” and “Available to all users”
4. Additionally, ensure that under "Wi-Fi Security", "Store password for all users (not encrypted)" is selected

Log out and log back in to complete.

OpenConnect with password in KWallet

While you may type both values at connection time, plasma-nm 0.9.3.2-1 and above are capable of retrieving OpenConnect username and password directly from KWallet.

Open "KDE Wallet Manager" and look up your OpenConnect VPN connection under "Network Management|Maps". Click "Show values" and enter your credentials in key "VpnSecrets" in this form (replace username and password accordingly):

form:main:username%SEP%username%SEP%form:main:password%SEP%password

Next time you connect, username and password should appear in the "VPN secrets" dialog box.

Ignore specific devices

Sometimes it may be desired that NetworkManager ignores specific devices and does not try to configure addresses and routes for them. You can quickly and easily ignore devices by MAC or interface-name by using the following in /etc/NetworkManager/conf.d/unmanaged.conf:

[keyfile]
unmanaged-devices=mac:00:22:68:1c:59:b1;mac:00:1E:65:30:D1:C4;interface-name:eth0

After editing the file, run nmcli general reload as root. Afterwards you should be able to configure interfaces without NetworkManager altering what you have set.

Configuring MAC address randomization

MAC randomization can be used for increased privacy by not disclosing your real MAC address to the network.

NetworkManager supports two types MAC Address Randomization: randomization during scanning, and for network connections. Both modes can be configured by modifying /etc/NetworkManager/NetworkManager.conf or by creating a separate configuration file in /etc/NetworkManager/conf.d/ which is recommended since the aforementioned configuration file may be overwritten by NetworkManager.

Randomization during Wi-Fi scanning is enabled by default, but it may be disabled by adding the following lines to /etc/NetworkManager/NetworkManager.conf or a dedicated configuration file under /etc/NetworkManager/conf.d:

/etc/NetworkManager/conf.d/wifi_rand_mac.conf

[device]
wifi.scan-rand-mac-address=no

MAC randomization for network connections can be set to different modes for both wireless and ethernet interfaces. See the GNOME blog post for more details on the different modes.

In terms of MAC randomization the most important modes are stable and random. stable generates a random MAC address when you connect to a new network and associates the two permanently. This means that you will use the same MAC address every time you connect to that network. In contrast, random will generate a new MAC address every time you connect to a network, new or previously known. You can configure the MAC randomization by adding the desired configuration under /etc/NetworkManager/conf.d:

/etc/NetworkManager/conf.d/wifi_rand_mac.conf

[device-mac-randomization]
# "yes" is already the default for scanning
wifi.scan-rand-mac-address=yes
 
[connection-mac-randomization]
# Randomize MAC for every ethernet connection
ethernet.cloned-mac-address=random
# Generate a random MAC for each WiFi and associate the two permanently.
wifi.cloned-mac-address=stable

See the following GNOME blog post for more details.

Enable IPv6 Privacy Extensions

See IPv6#NetworkManager.

Configure a unique DUID per connection

The DHCPv6 Unique Identifier (DUID) is a value used by the DHCPv6 client to identify itself to DHCPv6 servers. NetworkManager supports 3 types of DUID:

• DUID-UUID (RFC 6355): generated from an Universally Unique IDentifier (UUID).
• DUID-LL (RFC 3315): generated from the Link-Layer address (aka MAC address).
• DUID-LLT (RFC 3315): generated from the Link-Layer address plus a timestamp.

If the internal NetworkManager's DHCP client is in use (the default) it will identify itself with a global and permanent DUID-UUID generated from the machine-id (/etc/machine-id). This means that all connections share the same UUID, which may be a privacy breach.

Fortunately, NetworkManager is able to provide unique DUIDs per connection, derived from the connection's stable-id and a per-host unique key. You can enable that by adding the following configuration under /etc/NetworkManager/conf.d:

/etc/NetworkManager/conf.d/duid.conf

[connection]
ipv6.dhcp-duid=stable-uuid

The stable-ll and stable-llt values are also supported. For further information read the description for dhcp-duid in nm-settings(5) § ipv6 setting.

Working with wired connections

By default, NetworkManager generates a connection profile for each wired ethernet connection it finds. At the point when generating the connection, it does not know whether there will be more Ethernet adapters available. Hence, it calls the first wired connection "Wired connection 1". You can avoid generating this connection, by configuring no-auto-default (see NetworkManager.conf(5)), or by simply deleting it. Then NetworkManager will remember not to generate a connection for this interface again.

You can also edit the connection (and persist it to disk) or delete it. NetworkManager will not re-generate a new connection. Then you can change the name to whatever you want. You can use something like nm-connection-editor for this task.

Using iwd as the Wi-Fi backend

To enable the experimental iwd backend, first install iwd and then create the following configuration file:

/etc/NetworkManager/conf.d/wifi_backend.conf

[device]
wifi.backend=iwd

Alternatively, you can install networkmanager-iwd^AUR, a modified package configured to build NetworkManager working exclusively with iwd, with the main difference being that iwd is required and wpa_supplicant can be uninstalled after building.

Running in a network namespace

If you would like to run NetworkManager inside a network namespace (e.g., to manage a specific device which should be used by selected applications), bring the device down before moving it to the namespace:

$ ip link set dev MY_DEVICE down
$ ip link set dev MY_DEVICE netns MY_NAMESPACE
$ ip netns exec MY_NAMESPACE NetworkManager
...
$ ip netns exec MY_NAMESPACE killall NetworkManager

otherwise NetworkManager will later fail to establish the connection with a device is strictly unmanaged error.

Automatically connect to VPN

NetworkManager can be set to automatically connect to a VPN when connecting to the internet, on a per network basis. The VPN connection itself can be added in GNOME's NetworkManager front-end, but to make it automatically use the VPN nmcli must be used. Other front-ends might not have this limitation.

First, make sure to make the VPN connection available to all users. In the GNOME this is a matter of checking a box under the details tab. Under the Identity tab, in the password field, click the icon on the right side in the field, and set it to Store the password for all users.

Then find the UUID of the VPN connection, and add that to connection.secondaries of the Internet connection:

# UUID=$(nmcli --get-values connection.uuid connection show name-of-VPN-connection)
# nmcli connection modify name-of-Internet-connection connection.secondaries "$UUID"

Now when NetworkManager is restarted and you connect to the Internet connection you have configured, you should automatically get connected to the VPN.

Troubleshooting

No prompt for password of secured Wi-Fi networks

When trying to connect to a secured Wi-Fi network, no prompt for a password is shown and no connection is established. This happens when no keyring package is installed. An easy solution is to install gnome-keyring. If you want the passwords to be stored in encrypted form, follow GNOME Keyring to set up the gnome-keyring-daemon.

Network management disabled

When NetworkManager shuts down but the pid (state) file is not removed, you will see a Network management disabled message. If this happens, remove the file manually:

# rm /var/lib/NetworkManager/NetworkManager.state

Problems with internal DHCP client

If you have problems with getting an IP address using the internal DHCP client, consider using another DHCP client, see #DHCP client for instructions. This workaround might solve problems in big wireless networks like eduroam.

DHCP problems with dhclient

If you have problems with getting an IP address via DHCP, try to add the following to your /etc/dhclient.conf:

 interface "eth0" {
   send dhcp-client-identifier 01:aa:bb:cc:dd:ee:ff;
 }

Where aa:bb:cc:dd:ee:ff is the MAC address of this NIC. The MAC address can be found using the ip link show interface command from the iproute2 package.

3G modem not detected

See Mobile broadband modem#NetworkManager.

Switching off WLAN on laptops

Sometimes NetworkManager will not work when you disable your Wi-Fi adapter with a switch on your laptop and try to enable it again afterwards. This is often a problem with rfkill. To check if the driver notifies rfkill about the wireless adapter's status, use:

$ watch -n1 rfkill list all

If one identifier stays blocked after you switch on the adapter you could try to manually unblock it with (where X is the number of the identifier provided by the above output):

# rfkill event unblock X

Static IP address settings revert to DHCP

Due to an unresolved bug, when changing default connections to a static IP address, nm-applet may not properly store the configuration change, and will revert to automatic DHCP.

To work around this issue you have to edit the default connection (e.g. "Auto eth0") in nm-applet, change the connection name (e.g. "my eth0"), uncheck the "Available to all users" checkbox, change your static IP address settings as desired, and click Apply. This will save a new connection with the given name.

Next, you will want to make the default connection not connect automatically. To do so, run nm-connection-editor (not as root). In the connection editor, edit the default connection (e.g. "Auto eth0") and uncheck "Connect automatically". Click Apply and close the connection editor.

Cannot edit connections as normal user

See #Set up PolicyKit permissions.

Forget hidden wireless network

Since hidden networks are not displayed in the selection list of the Wireless view, they cannot be forgotten (removed) with the GUI. You can delete one with the following command:

# rm /etc/NetworkManager/system-connections/SSID

This also works for any other connection.

VPN not working in GNOME

When setting up OpenConnect or vpnc connections in NetworkManager while using GNOME, you will sometimes never see the dialog box pop up and the following error appears in /var/log/errors.log:

localhost NetworkManager[399]: <error> [1361719690.10506] [nm-vpn-connection.c:1405] get_secrets_cb(): Failed to request VPN secrets #3: (6) No agents were available for this request.

This is caused by the GNOME NetworkManager Applet expecting dialog scripts to be at /usr/lib/gnome-shell, when NetworkManager's packages put them in /usr/lib/networkmanager. As a "temporary" fix (this bug has been around for a while now), make the following symlink(s):

• For OpenConnect: ln -s /usr/lib/networkmanager/nm-openconnect-auth-dialog /usr/lib/gnome-shell/
• For VPNC (i.e. Cisco VPN): ln -s /usr/lib/networkmanager/nm-vpnc-auth-dialog /usr/lib/gnome-shell/

This may need to be done for any other NetworkManager VPN plugins as well, but these are the two most common.

Unable to connect to visible European wireless networks

WLAN chips are shipped with a default regulatory domain. If your access point does not operate within these limitations, you will not be able to connect to the network. Fixing this is easy:

1. Install wireless-regdb.
2. Uncomment the correct country code in /etc/conf.d/wireless-regdom.
3. Reboot the system, because the setting is only read on boot.

Automatic connect to VPN on boot is not working

The problem occurs when the system (i.e. NetworkManager running as the root user) tries to establish a VPN connection, but the password is not accessible because it is stored in the GNOME Keyring of a particular user.

A solution is to keep the password to your VPN in plaintext, as described in step (2.) of #Use dispatcher to connect to a VPN after a network connection is established.

You do not need to use the dispatcher described in step (1.) to auto-connect anymore, if you use the new "auto-connect VPN" option from the nm-applet GUI.

Systemd Bottleneck

Over time the log files (/var/log/journal) can become very large. This can have a big impact on boot performance when using NetworkManager, see: Systemd#Boot time increasing over time.

Regular network disconnects, latency and lost packets (WiFi)

NetworkManager does a scan every 2 minutes.

Some WiFi drivers have issues when scanning for base stations whilst connected/associated. Symptoms include VPN disconnects/reconnects and lost packets, web pages failing to load and then refresh fine.

Running journalctl -f as root will indicate that this is taking place, messages like the following will be contained in the logs at regular intervals.

NetworkManager[410]: <info>  (wlp3s0): roamed from BSSID 00:14:48:11:20:CF (my-wifi-name) to (none) ((none))

If roaming is not important, the periodic scanning behavior can be disabled by locking the BSSID of the access point in the WiFi connection profile.

Unable to turn on Wi-Fi with Lenovo laptop (IdeaPad, Legion, etc.)

There is an issue with the ideapad_laptop module on some Lenovo models due to the Wi-Fi driver incorrectly reporting a soft block. The card can still be manipulated with netctl, but managers like NetworkManager break. You can verify that this is the problem by checking the output of rfkill list after toggling your hardware switch and seeing that the soft block persists.

Unloading the ideapad_laptop module should fix this. (warning: this may disable the laptop keyboard and touchpad also!).

Turn off hostname sending

NetworkManager by default sends the hostname to the DHCP server. Hostname sending can only be disabled per connection not globally (Issue #584).

To disable sending your hostname to the DHCP server for a specific connection, add the following to your network connection file:

/etc/NetworkManager/system-connections/your_connection_file

...
[ipv4]
dhcp-send-hostname=false
...
[ipv6]
dhcp-send-hostname=false
...

nm-applet disappears in i3wm

If you use the xfce4-notifyd.service for notifications you must edit the unit and add the following:

/etc/systemd/user/xfce4-notifyd.service.d/display_env.conf

[Service]
Environment="DISPLAY=:0.0"

After reloading the daemons restart xfce4-notifyd.service. Exit i3 and start it back up again and the applet should show on the tray.

Unit dbus-org.freedesktop.resolve1.service not found

If systemd-resolved.service is not started, NetworkManager will try to start it using D-Bus and fail:

dbus-daemon[991]: [system] Activating via systemd: service name='org.freedesktop.resolve1' unit='dbus-org.freedesktop.resolve1.service' requested by ':1.23' (uid=0 pid=1012 comm="/usr/bin/NetworkManager --no-daemon ")
dbus-daemon[991]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.resolve1.service': Unit dbus-org.freedesktop.resolve1.service not found.
dbus-daemon[991]: [system] Activating via systemd: service name='org.freedesktop.resolve1' unit='dbus-org.freedesktop.resolve1.service' requested by ':1.23' (uid=0 pid=1012 comm="/usr/bin/NetworkManager --no-daemon ")

This is because NetworkManager will try to send DNS information to systemd-resolved regardless of the main.dns= setting in NetworkManager.conf(5).[10]

This can be disabled with a configuration file in /etc/NetworkManager/conf.d/:

/etc/NetworkManager/conf.d/no-systemd-resolved.conf

[main]
systemd-resolved=false

See FS#62138.

Secrets were required, but not provided

If you received the following error when attempting to connect to a network:

$ nmcli device wifi connect SSID password password

Error: Connection activation failed: (7) Secrets were required, but not provided

This error can have numerous causes and you should read the journal (filter it with -u NetworkManager). For example, if NetworkManager took too long to establish connection, it will believe that the password is incorrect:

NetworkManager[1372]: <warn>  [1643991888.3808] device (wlan0): Activation: (wifi) association took too long
NetworkManager[1372]: <info>  [1643991888.3809] device (wlan0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
NetworkManager[1372]: <warn>  [1643991888.3838] device (wlan0): Activation: (wifi) asking for new secrets

You can try deleting the connection profile and creating a new one:

$ nmcli connection delete SSID
$ nmcli device wifi connect SSID password password

You can also try disabling MAC address randomization:

/etc/NetworkManager/conf.d/wifi_rand_mac.conf

[device]
wifi.scan-rand-mac-address=no

WPA Enterprise connection with iwd

If you try to connect to an WPA Enterprise network like 'eduroam' with NetworkManager with the iwd backend then you will get the following error from NetworkManager:

 Connection 'eduroam' is not avialable on device wlan0 because profile is not compatible with device (802.1x connections must have IWD provisioning files)

This is because NetworkManager can not configure a WPA Enterprise network. Therefore you have to configure it using an iwd configuration file /var/lib/iwd/essid.8021x like described in iwd#WPA Enterprise.

Failed to request VPN secrets

If you get this error:

Failed to request VPN secrets #1: No agents were available for this request.

It is either because the password is empty or you have to set up PolicyKit permissions.

OpenVPN connections fail with OpenSSL "ca md too weak" error

Since openssl was updated to version 3, certificates generated with legacy cryptographic algorithms are rejected by default. Attempting to use networkmanager-openvpn with such a setup can result in the following error in the logs:

nm-openvpn[14359]: OpenSSL: error:0A00018E:SSL routines::ca md too weak
nm-openvpn[14359]: Cannot load certificate file /home/archie/.local/share/networkmanagement/certificates/my_issued_cert.crt
nm-openvpn[14359]: Exiting due to fatal error

The correct approach is to have the OpenVPN server administrator generate and re-issue more secure certificates. However, as an immediate work-around, OpenVPN requires tls-cipher "DEFAULT:@SECLEVEL=0". This may not be possible through the plugin GUI, but it is possible with nmcli. Separately, you will also need to enable the legacy provider in OpenSSL.

Firstly, obtain the name of the VPN connection with the issue, from the output of the following:

$ nmcli connection show

Assuming the connection name is vpn.example.com, use nmcli like so:

$ nmcli connection modify vpn.example.com +vpn.data tls-cipher=DEFAULT:@SECLEVEL=0

The change should instantly be reflected in /etc/NetworkManager/system-connections/vpn.example.com.nmconnection.

As for OpenSSL, edit /etc/ssl/openssl.cnf as described on the OpenSSL wiki.

Specifically, at the end of the [provider_sect] section add legacy = legacy_sect. Under [default_sect] uncomment activate = 1. Lastly, add a new section [legacy_sect] that also contains the line activate = 1. Excluding most other preexisting configuration sections, the end result will look something like:

/etc/ssl/openssl.cnf

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

Finally, restart the NetworkManager.service to have the new OpenSSL configuration take effect.

WPA Enterprise connections fail to authenticate with OpenSSL "unsupported protocol" error

Since openssl was updated to version 3, "SSL 3, TLS 1.0, TLS 1.1, and DTLS 1.0 only work at security level 0" by default. Attempting to authenticate to a WiFi only supporting lower standards result in the following error in the logs:

wpa_supplicant[3320]: SSL: SSL3 alert: write (local SSL3 detected an error):fatal:protocol version
wpa_supplicant[3320]: OpenSSL: openssl_handshake - SSL_connect error:0A000102:SSL routines::unsupported protocol
wpa_supplicant[3320]: wlp3s0: CTRL-EVENT-EAP-FAILURE EAP authentication failed

The correct approach is to have the WiFi administrator support TLS 1.3 and optionally dropping support for low security standard including TLS 1.0/1.1, DTLS 1.0, SSL 1-3. However, as an immediate work-around, there are multiple ways to allow TLS 1.0 by default. One way would be to manually patch or revert the breaking change in OpenSSL ([11]). As this also lowers security for all other programs using OpenSSL level 1, it is not recommended. Instead, one can directly set the level used by wpa_supplicant, like described in BBS#286417. To only change the affected connection, it is possible to set phase1-auth-flags=32 in the [802-1x] section of the connection. This may not be possible through GUIs, but it is possible with nmcli.

Firstly, obtain the name of the WiFi connection with the issue, from the output of the following:

$ nmcli connection show

Assuming the connection name is Example WiFi, use nmcli like so:

$ nmcli connection modify Example\ WiFi 802-1x.phase1-auth-flags 32

The change should instantly be reflected in /etc/NetworkManager/system-connections/Example\ WiFi.nmconnection.

Finally, restart the NetworkManager.service to have the new OpenSSL configuration take effect.

See also

• NetworkManager for Administrators Part 1
• Wikipedia:NetworkManager
• NetworkManager official website