NetworkManager VPN Plugin: Wireguard
Go to file
Max f2689562b6
Merge pull request #11 from Druco/hotfix/ip6_crash
Fix crash if IP6 address is specified.
2018-07-01 19:01:44 +02:00
appdata Start transition to nm-wireguard naming 2018-02-12 15:35:47 +01:00
auth-dialog Remove previously added debug stuff 2018-02-12 22:04:41 +01:00
examples/dbus Add DBUS communication in, update README and add changes to sources 2017-12-20 13:00:13 +01:00
m4 Copy openvpn project as base 2017-11-06 13:02:05 +01:00
po Remove languages, as they have been left over from a different project 2018-02-13 02:25:07 +01:00
properties Use scrolled UI in nm-connection-editor for small screens 2018-04-30 23:41:00 +02:00
shared Fix naming of created interface 2018-04-05 19:32:34 +02:00
src Fix crash if IP6 address is specified. 2018-06-30 16:55:47 -07:00
.gitignore Continue transition 2018-02-12 16:06:08 +01:00
AUTHORS Update AUTHORS 2018-02-13 02:25:43 +01:00
COPYING Copy openvpn project as base 2017-11-06 13:02:05 +01:00 Add WireGuard embeddable library to project 2018-03-08 21:22:03 +01:00 Fix WireGuard spelling in README 2018-02-13 13:39:49 +01:00 Start transition to nm-wireguard naming 2018-02-12 15:35:47 +01:00 Remove files that do not fit anymore 2018-02-13 02:36:24 +01:00 Add Convenience script to extract required include paths for VS Code from the generated Makefile 2017-11-06 13:11:07 +01:00
linker-script-binary.ver Copy openvpn project as base 2017-11-06 13:02:05 +01:00
network-manager-wireguard.doap Start transition to nm-wireguard naming 2018-02-12 15:35:47 +01:00
nm-wireguard-service.conf Deny permission to use d-bus name wireguard per default 2018-02-12 18:49:55 +01:00 Fix references to wrong shared objects in 2018-02-12 22:19:25 +01:00

Network-Manager VPN Plugin for WireGuard

This project is a VPN Plugin for NetworkManager that handles client-side WireGuard connections.
It is based on the OpenVPN Plugin and was started as a Bachelor's Thesis at SBA Research.



For compilation, the project uses autoconf and related things.

  • ./
  • make


In order to get the plugin running, its sources have to be compiled and the result has to be installed. This can be done by following these steps:

  • Compile the project
  • sudo make sysconfdir=/etc libdir=/usr/lib install (don't worry; for uninstalling, there is the target uninstall)


Once the installation is completed, the Plugin can be used per NetworkManager (usually graphically via the applet).

When a new WireGuard connection is created and configured via the NetworkManager GUI (can also be called via nm-connection-editor), it is the Connection Editor Plugin which is executed. When the connection is activated, it is the service plugin that is being called.

A very basic testing suite is provided in the form of the Python script examples/dbus/, which looks up the Plugin via name on D-BUS and sends it a Connect() instruction. More or less the same thing (and more) can however be achieved by just using NetworkManager after installing the package, so there should not be a need for this - except for the fact that the script is easily modifiable.

Viewing Logs

The logs that are created by NetworkManager can be viewed with journalctl -u NetworkManager (at least on Arch Linux). For following new input, journalctl also supports the follow flag, much like tail (-f).



Over the course of the project, I created some files that are not required for the project itself, but rather for its development.
Here is a brief overview over some of them:

  • Searches the input for -I flags (useful for extracting the include dirs from a Makefile)
  • examples/dbus/ A small script that tests the availability of the Plugin and its responsiveness to D-BUS messages


D-BUS Allowance

D-BUS does not allow just anybody to own any D-BUS service name they like. Thus, it may be necessary to tell D-BUS that it is not forbidden to use the name org.freedesktop.NetworkManager.wireguard.
This can be achieved by placing an appropriate file (like nm-wireguard-service.conf) inside the directory /etc/dbus-1/system.d or similar.

The following is an example for the content of such a file:

<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"

	<policy context="default">
		<allow own_prefix="org.freedesktop.NetworkManager.wireguard"/>
		<allow send_destination="org.freedesktop.NetworkManager.wireguard"/>
		<deny own_prefix="org.freedesktop.NetworkManager.openvpn"/>
		<deny send_destination="org.freedesktop.NetworkManager.openvpn"/>

NetworkManager Plugin Configuration

NetworkManager has to be told where the plugins live in order to be able to call them. This is done via files, which usually reside in /etc/NetworkManager/VPN or /usr/lib/NetworkManager/VPN (e.g. /usr/lib/NetworkManager/VPN/

An example for the content of these files would be:

# This file is obsoleted by a file in /usr/local/lib/NetworkManager/VPN

[VPN Connection]




Service (the Plugin itself)

The service is responsible for setting up a VPN connection with the supplied parameters. For this, it has to implement a D-BUS interface and listen to incoming requests, which will be sent by NetworkManager in due time (i.e. when the user tells NM to set up the appropriate VPN connection).
If the binary service is not running at the time when NM wants to set up the connection, it will try to start the binary ad hoc.

In principle, this piece of software can be written in any language, but in order to make the implementation sane, there should at least exist convenient D-BUS bindings for the language. Further, there are parts of the code already implemented in C, which might make it more convenient to just stick to that.


The auth-dialog is responsible for figuring out missing bits of required sensitive information (such as passwords).

It reads the required secrets (and bits of data) for the VPN connection from STDIN in a key/value pair format (see below), until the string "DONE" occurs.
If there are still secrets (i.e. passwords) that are required but not supplied (which passwords are required can be determined by looking at the supplied hints flags), the auth-dialog will check if the keyring contains those secrets.
If there are still secrets missing (and user interaction is allowed per flag), a GTK dialog will be built up in order to prompt the user for passwords.

After all is said and done, the binary writes the found secrets to STDOUT (in a line-based format, as seen below) and waits for "QUIT" to be read from STDIN before exiting.

The behaviour of the binary can be modified by passing various options:

  • -u UUID: The UUID of the VPN connection, used for looking up secrets from the keyring
  • -n NAME: The name of the VPN connection, shown on the popup dialog
  • -s SERVICE: Specifies the name of the VPN service, e.g. org.freedesktop.NetworkManager.openvpn (used to check for compatibility)
  • -i: Allow interaction with the user (i.e. allow a GUI dialog to be created)
  • --external-ui-mode: Give a textual description of the dialog instead of creating a GTK dialog
  • -r: Force the creation of a dialog, even if all passwords were already found
  • -t HINT: Give hints about what passwords are required

Example input:


Example output:


Connection Editor Plugin

The Connection Editor Plugin is responsible for providing a GUI inside NetworkManager where all relevant properties for a VPN connection can be specified. If you don't know what I'm talking about, just think about the GUI where you entered the information needed to connect to your local Wifi. That's probably pretty similar.

The Editor Plugin is also responsible for providing means of importing and exporting VPN connections from and to external files in a custom format.

NetworkManager integrates the VPN editors by looking up shared objects in the above mentioned configuration file and accessing them at run-time.
This means however that the editor plugin GUI has to be provided by a shared object, which means that the editor cannot be written in just any language.

Storage of the Connections

Saved connections are stored in /etc/NetworkManager/system-connections, with owner root:root and access permissions 0700.
This guarantees that nobody can have a look at the saved system-wide connections (and their stored secrets) that isn't supposed to.

An example of such a system-connection file would be (one can see that the user-input data is stored as key-value pairs with internally used keys in the vpn section):







NM VPN Plugin:

Settings VPN (sent via DBus on Connect(a{sa{sv}}) method):