Wireguard+NetworkManager not working with .nmconnection file

I’m currently trying to automate a VPN qube with salt, using the native wireguard/network-manager setup. I’m basically using salt to copy/paste the .nmconnection file from /rw/config/NM-system-connections/vpn.nmconnection, but it doesn’t recognize it. I know everything else is done right because I did it manually on the original machine, and the connection is up.

The file looks like this:

[connection]
id=vpn # same as filename
# I removed the UUID
type=wireguard
interface-name=vpn # same as id

[wireguard]
private-key=# I double-checked that this was correct

[wireguard-peer.keystring] # I also double-checked this key
endpoint=#ip-address:port
allowed-ips=0.0.0.0/0;

[ipv4]
address1=10.2.0.2/32
dns=10.2.0.1;
dns-search=~;
method=manual

[ipv6]
addr-gen-mode=default
method=disabled

I’ve done some looking in docs and manuals and can find no reference to how to do this by just creating the file(s).

Is NetworkManager actually running in the target VM?

It is. nm-applet is also running, and I cannot see the option to even connect to the vpn profile.

NetworkManager Wireguard Plugin installed?
Wireguard Tools installed?
Network config files with proper owner and perms?

I have them running off the exact same templates, and have the files owned by root with 0600 (rw-------) permissions.

Is it visible in nmcli c?

No sir. It’s like it’s ignoring them. But this gave me an idea. I’m going to test if it will recognize a wifi file.

Okay, so I tested on the original machine. I tested adding a wifi file (didn’t recognize) as well as a different VPN profile (both .nmconnection files taken from a working qube and correctly restored).

Neither worked, and now I’m lost as to what’s happening. Why wouldn’t a working qube recognize the profile?

Restarted NetworkManager service after changing files?

The ini file having every key=value under a [Section], no standalones at the top?
uuid=someuuid present? (Shouldn't matter and normally be autogenerated on first load)

The path up to /rw/config/NM-system-connections usually has root:root drwxr-xr-x and the .nmconnection files have -rw-------
Is it in a Fedora VM?
In newer templates they have selinux active.
The files are tagged as system_u:object_r:NetworkManager_etc_rw_t:s0
You can use restorecon -F <path> to put the default label for that location onto files.
(stat shows you the current tag, setfattr under the namespace security.selinux can change them)

Is the setting in qvm-prefs turned on so that it provides network to other VMs?

Can you start wireguard manually?
Is the interface name too long? There is some length and character restriction.

What does systemctl status NetworkManager say?
What does the log in journalctl -u NetworkManager -b say?

So I tried the new files on the original VM. This has the files manually loaded via nmcli import (or whatever it was) with the wireguard .conf file and works, so everything should be fine.

As a side note, I did forget to restart the VM when I added the new files. Now the WiFi and VPN show on nmcli c. The problem is somewhere in my system, so I’ll just have to track it down. I’ll report once I’ve found it; thanks for your help!

It was literally just the UUID. Thanks.

However, it can’t be just any uuid. It didn’t work with the fake one I put.

Do you know why it won’t just accept anything and what the rules are?

There are a bunch of uuid kinds, each with valid ranges. I don't know which kind it uses but it will be written somewhere. At least in the code lol.
If you just do something like 00000-0000-000-00000001 it will not be valid in all kinds. But a deterministic unfancy value inside the range should work.
The field also accepts the values of “new”, “generate”.
( nmcli c edit connectionname, then describe connection.uuid)

Extra context:

Thanks. The problem I had was that you have to run # nmcli c reload in order for it to generate a new UUID.
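
The checks raised in this thread (root ownership, 0600 mode, every key under a section, a well-formed uuid, interface-name length) collected into a small linter, as an added example that is not code from any poster or from NetworkManager. The canonical-UUID rule and the names lint_keyfile and SAMPLE are assumptions of this example, and the sample profile is constructed.

```python
import configparser
import re

# Assumption: this linter requires the canonical 8-4-4-4-12 hex form;
# NetworkManager's own UUID validation is not reproduced here.
UUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
IFNAME_MAX = 15  # Linux IFNAMSIZ is 16 bytes including the trailing NUL

# Constructed sample profile: key material and endpoint are placeholders.
SAMPLE = """[connection]
id=vpn
uuid=123e4567-e89b-42d3-a456-426614174000
type=wireguard
interface-name=vpn

[wireguard]
private-key=CONSTRUCTED_PRIVATE_KEY_PLACEHOLDER

[wireguard-peer.CONSTRUCTED_PEER_KEY_PLACEHOLDER]
endpoint=192.0.2.1:51820
allowed-ips=0.0.0.0/0;
"""


def lint_keyfile(text, mode, uid):
    """Return findings for one profile; mode/uid come from os.stat()."""
    findings = []
    if uid != 0:
        findings.append("owner is not root")
    if mode & 0o077:
        findings.append("group/other permission bits set (want 0600)")
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    try:
        cp.read_string(text)
    except configparser.MissingSectionHeaderError:
        return findings + ["key=value line before the first [section]"]
    except configparser.Error as exc:
        return findings + [f"not parseable as a keyfile: {exc}"]
    if not cp.has_section("connection"):
        return findings + ["no [connection] section"]
    conn = cp["connection"]
    value = conn.get("uuid")
    if value is None:
        findings.append("uuid missing")
    elif not UUID_RE.match(value):
        findings.append("uuid is not in canonical 8-4-4-4-12 hex form")
    # Inline "# comment" text stays part of the value and is caught here.
    ifname = conn.get("interface-name", "")
    if len(ifname.encode()) > IFNAME_MAX or re.search(r"[\s/]", ifname):
        findings.append("interface-name too long or has invalid characters")
    return findings
```

For a file on disk, pass st_mode and st_uid from os.stat(path) together with the file's text.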