Automating OpenVPN Connections via CLI in Ubuntu 12: Secure Startup Tunnel Setup

For Linux users who manage VPN connections through NetworkManager's GUI, switching to command-line control makes the tunnel scriptable and lets it come up without anyone logged in to a desktop session. The typical manual workflow is:

1. Boot the system
2. Log in and connect through the GUI: NetworkManager tray icon → VPN Connections → select the VPN
3. Only then does traffic flow through the tunnel

Ubuntu's nmcli (the NetworkManager command-line client) gives you the same control from a shell. The syntax below is the one shipped with Ubuntu 12.04 (nmcli 0.9.x); later releases replaced "nmcli con list" with "nmcli con show", while "nmcli con up id ..." works in both:

# List available VPN connections
nmcli con list | grep vpn

# Connect to specific VPN
nmcli con up id "Your_VPN_Name"

Two conditions must hold for this to work without a desktop session: the connection must be marked "Available to all users" (so it lives under /etc/NetworkManager/system-connections/ rather than in a user profile), and its password must be saved for all users rather than in the user's keyring, because at boot there is no keyring agent to hand the secret to NetworkManager.

Create a systemd service unit so the VPN comes up on boot. Note that Ubuntu 12.04 and 12.10 boot with Upstart, not systemd, so this unit applies to Ubuntu 15.04 and later; on 12.x an Upstart job or an rc.local entry plays the same role. Order the unit after NetworkManager itself, which nmcli talks to over D-Bus, not merely after network.target:

[Unit]
Description=Auto-connect VPN
# nmcli needs a running NetworkManager and a usable uplink
After=NetworkManager.service network-online.target
Wants=network-online.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/bin/nmcli con up id "Your_VPN_Name"

[Install]
WantedBy=multi-user.target

Save as /etc/systemd/system/auto-vpn.service, then:

sudo systemctl enable auto-vpn.service
sudo systemctl start auto-vpn.service

Implement kill-switch functionality with iptables. The rules must permit the OpenVPN handshake itself on the physical interface; a chain that only allows loopback and tun0 blocks the very packets that create tun0, so the tunnel never comes up and the host is simply offline. Use the server's IP address (from the "remote" line of the .ovpn) rather than a hostname, since DNS is blocked before the tunnel is up. Replace the placeholder values at the top:

#!/bin/bash
# Placeholders: 203.0.113.10 is a documentation address, not a real server
VPN_SERVER=203.0.113.10
VPN_PORT=1194
VPN_PROTO=udp
WAN_IF=eth0

# Flush existing rules
iptables -F
iptables -X

# Allow loopback
iptables -A OUTPUT -o lo -j ACCEPT

# Allow replies to connections already permitted
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow DHCP so the physical interface can obtain an address
iptables -A OUTPUT -o "$WAN_IF" -p udp --dport 67:68 -j ACCEPT

# Allow the OpenVPN handshake to the configured server only
iptables -A OUTPUT -o "$WAN_IF" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT

# Allow everything through the tunnel
iptables -A OUTPUT -o tun0 -j ACCEPT

# Block all other outgoing traffic
iptables -A OUTPUT -j DROP

# Save the rules; this file is not loaded automatically at boot,
# so restore it with iptables-restore from a boot hook or iptables-persistent
iptables-save > /etc/iptables.rules
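The static script above hard-codes one server. The following added example (not part of the original page) generates the same rule set from the "remote" lines of an OpenVPN client config, so every configured server and port gets its handshake rule and a hostname (which the kill switch could not resolve) is refused up front. It prints the iptables commands for review instead of executing them; the sample config is constructed inline, and the interface name eth0 is an assumption.

```bash
#!/bin/bash
# Added example: derive kill-switch rules from an OpenVPN client config.
# Output is a list of iptables commands; review it, then pipe it to "sudo sh".
set -eu

# Map OpenVPN protocol names (udp, udp4, tcp-client, tcp6 ...) to iptables ones.
norm_proto() {
    case "$1" in
        tcp*) echo tcp ;;
        *)    echo udp ;;
    esac
}

# gen_killswitch_rules <ovpn file> <physical interface>
gen_killswitch_rules() {
    local cfg="$1" wan="$2" proto port key host rport rproto

    # Global "proto"/"port" lines set the defaults; OpenVPN's own defaults otherwise.
    proto=$(norm_proto "$(awk '$1=="proto"{p=$2} END{print (p?p:"udp")}' "$cfg")")
    port=$(awk '$1=="port"{p=$2} END{print (p?p:1194)}' "$cfg")

    echo "iptables -F OUTPUT"
    echo "iptables -A OUTPUT -o lo -j ACCEPT"
    echo "iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A OUTPUT -o $wan -p udp --dport 67:68 -j ACCEPT"   # DHCP

    # One ACCEPT per "remote <host> [port] [proto]" line.
    while read -r key host rport rproto; do
        [ "$key" = "remote" ] || continue
        # A hostname would need DNS, which the kill switch blocks: insist on an IPv4 literal.
        case "$host" in
            *[!0-9.]*)
                echo "error: remote '$host' is not an IPv4 address; put the IP in the config" >&2
                return 1 ;;
        esac
        echo "iptables -A OUTPUT -o $wan -p $(norm_proto "${rproto:-$proto}") -d $host --dport ${rport:-$port} -j ACCEPT"
    done < "$cfg"

    echo "iptables -A OUTPUT -o tun0 -j ACCEPT"
    echo "iptables -A OUTPUT -j DROP"
}

# Constructed sample config (203.0.113.0/24 is a documentation range, not a real VPN).
sample_config() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
client
dev tun
proto udp
remote 203.0.113.10 1194
remote 203.0.113.11 443 tcp
ca /etc/openvpn/client/ca.crt
EOF
    echo "$f"
}

# Demo run against the constructed config.
cfg=$(sample_config)
gen_killswitch_rules "$cfg" eth0
```

Pipe the output through "sudo sh" only after reading it; the rules are additive to whatever is already in OUTPUT apart from the initial flush of that chain.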

Check connection status (the first command is the modern nmcli form; on Ubuntu 12.04 use "nmcli con status", and journalctl exists only on systemd releases):

nmcli con show --active
journalctl -u auto-vpn.service -b

For certificate-based authentication, make the ca, cert and key paths in your .ovpn file absolute: a daemon started at boot does not run from the directory that holds the config, so relative paths fail to resolve.

For more control, bypass Network Manager:

sudo openvpn --config /etc/openvpn/client.conf --daemon

Store credentials in a file that only root can read; the password is in cleartext, so the file permissions are the whole protection:

# /etc/openvpn/auth.txt
username
password

Reference it in your config with auth-user-pass /etc/openvpn/auth.txt and set the file to mode 600 owned by root (chmod 600 /etc/openvpn/auth.txt); OpenVPN warns when an auth file is group- or world-readable.


When working with VPNs on Linux, the GUI front-ends to NetworkManager are convenient but offer nothing to automate. Many developers need CLI-based solutions for:

  • Headless server setups
  • Startup automation
  • Scriptable VPN management
First, check which OpenVPN configurations NetworkManager has stored (the directory is readable only by root):

sudo ls /etc/NetworkManager/system-connections/

These keyfiles hold your VPN settings; recent NetworkManager versions give them a .nmconnection extension, while older ones, including the version on Ubuntu 12, store the same format without an extension. We'll convert them to standard OpenVPN config files.

For each VPN connection, export the configuration (this subcommand needs a 1.x nmcli; on Ubuntu 12's nmcli 0.9.x you rebuild the .ovpn by hand from the keyfile):

nmcli connection export SomeVPN /etc/openvpn/client/somevpn.ovpn

The export does not carry secrets that were stored in a user keyring, so you may need to edit the resulting .ovpn file to add the authentication details.

Create a systemd service to launch at startup. The openvpn package already ships an openvpn-client@.service template that expects the config at /etc/openvpn/client/<name>.conf and is enabled as openvpn-client@<name>; the hand-written unit below is the equivalent for a config kept under its .ovpn name, ordered after the uplink is up and run from the config directory so relative certificate paths resolve:

[Unit]
Description=OpenVPN connection to SomeVPN
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
WorkingDirectory=/etc/openvpn/client
ExecStart=/usr/sbin/openvpn --config /etc/openvpn/client/somevpn.ovpn
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target

Save it as /etc/systemd/system/openvpn-somevpn.service, then enable and start the service:

sudo systemctl enable openvpn-somevpn.service
sudo systemctl start openvpn-somevpn.service

A lighter-weight kill switch than the script above is a single owner-match rule: non-root processes may only send through tun0, while root (which is what openvpn runs as) may still reach the server on the physical interface. Insert a loopback exception first, or local services stop working for unprivileged users. The trade-off is that anything running as root bypasses the switch entirely:

sudo iptables -I OUTPUT -o lo -j ACCEPT
sudo iptables -A OUTPUT ! -o tun0 -m owner ! --uid-owner root -j DROP

Make these rules persistent:

sudo apt-get install iptables-persistent
sudo netfilter-persistent save

Check your VPN status with the commands below; the address reported by the second one should belong to the VPN provider, not your ISP. With the redirect-gateway option OpenVPN does not replace the default route but adds 0.0.0.0/1 and 128.0.0.0/1 via tun0 on top of it, so "ip route" is the authoritative check:

ip addr show tun0
ip route
curl ifconfig.me
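The route-table check described above, as an added example that is not part of the original page: it reads the output of "ip route show" and reports success only when the two half-routes OpenVPN installs (0.0.0.0/1 and 128.0.0.0/1), or the default route itself, point at the tunnel interface. The route tables are constructed samples; the interface name tun0 and the 10.8.0.0/24 tunnel subnet are assumptions.

```bash
#!/bin/bash
# Added example: decide from the routing table whether the VPN carries all traffic.
set -eu

# vpn_routes_ok <tun interface>   (routing table on stdin, "ip route show" format)
# Returns 0 when the default route, or both 0.0.0.0/1 and 128.0.0.0/1, go via the tunnel.
vpn_routes_ok() {
    local tun="$1" half1=0 half2=0 def=0 dst rest
    while read -r dst rest; do
        # Only consider routes whose outgoing device is the tunnel.
        case " $rest " in *" dev $tun "*) ;; *) continue ;; esac
        case "$dst" in
            0.0.0.0/1)   half1=1 ;;
            128.0.0.0/1) half2=1 ;;
            default)     def=1 ;;
        esac
    done
    [ "$def" = 1 ] || { [ "$half1" = 1 ] && [ "$half2" = 1 ]; }
}

# Live check on a real host (needs iproute2); exit status 1 means traffic leaks past the VPN.
vpn_check_live() {
    ip route show | vpn_routes_ok "${1:-tun0}"
}

# Constructed routing table with the tunnel up and redirect-gateway in effect.
sample_routes_vpn() {
    cat <<'EOF'
default via 192.168.1.1 dev eth0 proto dhcp metric 100
0.0.0.0/1 via 10.8.0.5 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.5 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
203.0.113.10 via 192.168.1.1 dev eth0
EOF
}

# Constructed routing table with tun0 present but no redirect-gateway (split tunnel / leak).
sample_routes_leak() {
    cat <<'EOF'
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.20
EOF
}

# Demo against the constructed tables.
if sample_routes_vpn | vpn_routes_ok tun0; then
    echo "sample 1: all traffic routed via tun0"
else
    echo "sample 1: traffic NOT routed via tun0"
fi
if sample_routes_leak | vpn_routes_ok tun0; then
    echo "sample 2: all traffic routed via tun0"
else
    echo "sample 2: traffic NOT routed via tun0"
fi
```

Call vpn_check_live from a cron job or the service's post-start hook to alert when the tunnel is up but the routes are not; the interface being present is not the same as the traffic using it.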

For debugging, monitor OpenVPN logs:

journalctl -u openvpn-somevpn.service -f

If you prefer keeping NetworkManager integration:

nmcli connection up SomeVPN

Add this to your startup scripts or create a cron job with @reboot. A bare @reboot entry races NetworkManager's own startup, so wait for it first (nm-online blocks until NetworkManager reports connectivity) or use a systemd unit ordered after NetworkManager.service, as in the first part of this page.

For password-protected VPNs, create an auth file (username on the first line, password on the second):

/etc/openvpn/client/auth.txt
username
password

Then add this to your .ovpn config:

auth-user-pass /etc/openvpn/client/auth.txt

The password sits in cleartext, so make the file root-owned with mode 600; OpenVPN logs a warning when the auth file is readable by group or others, and a world-readable file hands the credential to every local account.
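Both auth-file passages on this page (/etc/openvpn/auth.txt above and /etc/openvpn/client/auth.txt here) rely on file permissions alone. The following added example, not part of the original page, writes the file under a restrictive umask, tightens the mode explicitly in case the file already existed, and provides a check that refuses a file readable by anyone but its owner, which is the condition OpenVPN itself warns about. The path, user name and password in the demo are constructed placeholders written to a temporary directory.

```bash
#!/bin/bash
# Added example: create an OpenVPN auth-user-pass file safely and verify its mode.
set -eu

# auth_file_secure <path>: 0 if the file is mode 600 or 400, 1 otherwise.
# Parses "ls -ld" rather than stat so it works on both GNU and BSD userlands.
auth_file_secure() {
    local perm
    perm=$(ls -ld "$1" | cut -c1-10)
    case "$perm" in
        -r[w-]-------) return 0 ;;
        *)
            echo "refusing: $1 has mode $perm (want -rw-------)" >&2
            return 1 ;;
    esac
}

# install_auth_file <path> <username> <password>
# Writes the two-line file OpenVPN expects and leaves it readable by the owner only.
install_auth_file() {
    local path="$1" user="$2" pass="$3"
    # umask 077 makes the file 600 at creation, so there is no window with loose permissions
    ( umask 077; printf '%s\n%s\n' "$user" "$pass" > "$path" )
    # If the file pre-existed, the umask did not apply: force the mode explicitly
    chmod 600 "$path"
    # OpenVPN runs as root at startup; only root can chown, so do it only when root
    if [ "$(id -u)" -eq 0 ]; then
        chown root:root "$path"
    fi
    auth_file_secure "$path"
}

# Demo with constructed placeholders in a temporary directory.
demo_dir=$(mktemp -d)
install_auth_file "$demo_dir/auth.txt" vpnuser 'example-password'
echo "wrote $demo_dir/auth.txt with mode $(ls -ld "$demo_dir/auth.txt" | cut -c1-10)"
```

Run the install function as root for the real path and point auth-user-pass at it; run auth_file_secure from the same boot hook that starts the tunnel so a permissions regression aborts the start instead of silently exposing the credential.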