Notes - Add OpenVPN and SSTP VPN Connections to NetworkManager in Ubuntu 18.04 Using CLI
This note originates from an effort to find ways to automate OpenVPN and SSTP VPN connections from an Ubuntu 18.04 machine using CLI. For setting VPN connection from GUI, NetworkManager GNOME has nice third-party packages for most VPN protocols. Only follow this note if you want to setup OpenVPN or SSTP VPN connection from CLI.
OpenVPN has a nice CLI tool (i.e.
openvpn). However, connecting to an SSTP
VPN server using CLI (e.g.,
sstpc) could be problematic since it may involve
some manual network setting tasks (e.g., changing the DNS
nameserver of the
local stub resolver in
/etc/resolv.conf, adding and deleting
the routing table). Perhaps, you were redirected to this note from my previous
effort to connect to an SSTP VPN server from
In order to follow steps in this note, you will need to have these packages installed in your Ubuntu 18.04 machine.
sudo apt-get update && sudo apt-get upgrade && sudo add-apt-repository -y ppa:eivnaes/network-manager-sstp && sudo apt-get update && sudo apt-get install -y network-manager && sudo apt-get install -y openvpn sstp-client&& sudo apt-get install -y network-manager-openvpn network-manager-sstp && sudo apt-get install -y network-manager-openvpn-gnome network-manager-sstp-gnome && # This line is only needed if you want a GUI in your NetworkManager. sudo apt-get update
For connecting to an OpenVPN server, you need to have a configuration
.ovpnfile, and sometimes authentication cert as well as login credentials. For connecting to an SSTP server, you need to know information about the server, including login credentials (i.e., username, password), server address (i.e., hostname or IP address), authentication protocol used by the server (e.g., MS-CHAP, etc..). The information is often provided to you by your VPN service provider.
IFF your VPN connection does not cover IPv6, make sure you disable IPv6 (if supported by your ISP). Otherwise, IPv6 leakage may ruin the whole purpose of using VPN. In case you are not sure whether your ISP provides you with an IPv6, you can visit this website: https://whatismyipaddress.com/. If you have an IPv6, it will be shown. Then, you can run these commands to disable IPv6 (if exists), and change
0if you want to re-enable IPv6.
sudo sysctl -w net.ipv6.conf.all.disable_ipv6=1 sudo sysctl -w net.ipv6.conf.default.disable_ipv6=1
1. Adding an OpenVPN VPN connection:
Nowadays, most VPN providers support OpenVPN protocol. Often time, together
with a username and a password, you will be provided with configuration
.ovpn files, a TLS Authentication
.key file, and a
ca.cert file. Thankfully, these files make adding OpenVPN connections to
NetworkManager easier. Once you have all of these files together in the
same directory, we can run the following command, from within that
import an OpenVPN connection. Note that the
<your_openvpn_file_name> will be treated as the
connection.id of your
OpenVPN connection. If you want to systematically manage many connections
later, you may need to change the name of all
.ovpn files in your desired
format before adding them. In my opinion, the name of
.ovpn files (if
provided by a VPN provider) are often well-formatted already (e.g.
Germany-Frankfurt-TCP.ovpn). And here is the command:
nmcli connection import type openvpn file <your_openvpn_file_name>.ovpn
This command will import all parameters needed to initiate the connection,
except for the login credentials (i.e. username and password). Again, you
can always open the NetworkManager GUI to add these credentials, but let me
do it the hard way (i.e. adding them from
nmcli). One may ask why we need
to go the hard way. Lets imagine that we have hundreds of
.ovpn files, and
we want to add them all to NetworkManager,
nmcli is our friend - not the
GUI! In that case, you will just need to get the name of all
put them in the
for clause, and run the command with
for ...; do <the_above_command_>; done.
nmcli connection modify id <your_openvpn_connection_name> \ +vpn.data password-flags=0,username=<your_username> \ +vpn.secrets password=<your_password>
The above command will add the username and password to your VPN configuration.
In case your VPN provider uses user certificate, user private key, and user key password for authentication, you will need to run this command to instead.
nmcli connection modify id <your_openvpn_connection_name> \ +vpn.data cert-pass-flags=0 \ +vpn.secrets cert-pass=<your_cert_password>
You can check it in
/etc/NetworkManager/system-connections/ directory. You
should only add the password IFF you are the only user of the machine. If
you share the machine, you may not want to add the last line. This way, you
will be prompted to input the password every time you want to activate your
connection. If you only need to add a OpenVPN connection, you can skip the
next session, and jump to activating connection.
2. Adding an SSTP VPN connection:
The following command will add an SSTP VPN connection to your machine, managed
by NetworkManager. In order to run this command, you need to replace all
<...> with your own values. (1)
<name_of_interface> can be found using
ifconfig command. (2)
<name_of_the_vpn_connection> can be any string
value, e.g. My-SSTP-VPN. (3)
<vpn_server_address> is given to you by the
VPN service provider. It can be in the form of IP address or hostname. (4)
<password> should also be provided to you by your VPN
1 nmcli connection add \ 2 save yes \ 3 type vpn \ 4 connection.interface-name <name_of_interface> \ 5 connection.id <name_of_the_vpn_connection> \ 6 vpn.data gateway=<vpn_server_address>,ignore-cert-warn=yes,lcp-echo-failure=5,lcp-echo-interval=30,nobsdcomp=yes,nodeflate=yes,password-flags=0,proxy-password-flags=0,refuse-chap=yes,refuse-eap=yes,refuse-pap=yes,user=<username> \ 7 vpn.secrets password=<password> \ 8 vpn.service-type org.freedesktop.NetworkManager.sstp 9
3. SSTP Command explanation:
You may ask how I could form this command. Of course! By reading the man
page, and use
'tab' autocompletion in the CLI environment of Ubuntu. Depend on
the information about your SSTP server, you may need to tweak the parameters
differently. To make it clear, I will briefly explain the purpose of each part
of the command below.
- L1: call the
nmcliof NetworkManager with
savethis connection into
- L3: define the
typeof this connection as
- L4: assign an interface for this connection, you can find the interface name
ifconfigcommand. For clarity, I use
connection.interface-name, but you can use
ifnametoo. Also note that all
connectionin this command can be replace by
connection.idis the name of the VPN connection you want to add. It can be any string value, e.g. My-SSTP-VPN. Note that it has to be unique among connections, if you have more than one connection. Otherwise, NetworkManager will append a long UUID to the end of the string to make it unique.
- L6: here comes the information (data) about the VPN connection. The string
vpn.datacomes in the form of dictionary
gatewayis the address of the VPN server.
ignore-cert-warn=yessince my VPN provider does not provide any certificate to authenticate the server. Which I think VERY BAD for security.
pppd(see man pppd). The values 5 and 30 are standard for most systems. Note that the VPN connection is actually wrapped inside a
pppdprocess. Therefore, your machine needs to have
pppd, which comes built-in in most Ubuntu versions.
nobsdcomp=yesis similar with unchecking the box “Allow BSD data compression”, and
nodeflate=yesis similar with unchecking the box “Allow Deflate data compression” on the GNOME GUI of NetworkManager.
password-flags=0allows you to store the password into the configuration, and won’t ask you input it when activating the connection later. If you share the machine with other people, you many want to set the value to
1, and remove line 7. For more details, see nm-settings man page.
proxy-password-flags=0means no proxy needed for this VPN connection.
refuse-pap=yesforce the authentication to use MSCHAP or MSCHAPv2 method. Having these three parameters is similar with unchecking three boxes: PAP, CHAP, and EAP in “SSTP Advanced Options” on the GNOME GUI of NetworkManager.
user=<username>is provided to you by your VPN provider.
- L7: input your password here. ONLY add this line if you’re the only user of the machine. If you are sharing your machine, you should remove this line.
- L8: define the
Now, if you have more than one SSTP server that you want to add to
for ...; do ...; done loop will do the trick. In my
case, I have some hundreds of servers. Manually adding them from the GUI is
definitely not an ideal way in which a CS guy should do. This is exactly one
of the foremost reasons why I want to explore the
And here is an example of how your command should look like:
1 for i in server_1 server_2 ... server_n; do \ 2 nmcli connection add \ 3 save yes \ 4 type vpn \ 5 connection.interface-name <name_of_interface> \ 6 connection.id $i \ 7 vpn.data gateway=$i,ignore-cert-warn=yes,lcp-echo-failure=5,lcp-echo-interval=30,nobsdcomp=yes,nodeflate=yes,password-flags=0,proxy-password-flags=0,refuse-chap=yes,refuse-eap=yes,refuse-pap=yes,user=<username> \ 8 vpn.secrets password=<password> \ 9 vpn.service-type org.freedesktop.NetworkManager.sstp; \ 10 done
4. Activating a connection (same for both OpenVPN and SSTP VPN):
After executing the above command successfully, you should see a similar output to this one:
Connection '<name_of_the_vpn_connection>' (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx) successfully added.
You can also check the existence of your connection using
This command will show you all connections managed by NetworkManager. Now, we
can start connecting to our VPN server using this command:
nmcli con up id <name_of_the_vpn_connection> # you may need sudo depend on your account privilege.
If the command succeeds activating the VPN connection, you will see an output like this after a couple seconds:
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/<number>)
Similarly, when you want to turn off the VPN connection, replace
down. When you want to remove the connection from NetworkManager, replace
If your machine couldn’t connect to the VPN server after all, you may want to make sure that:
- The SSTP server is online and accessible. Try
'ping'-ing it to check.
- The DNS stub resolver, which can be configured at
/etc/resolv.conf, functions properly. Especially, if your VPN server is configured to be a hostname, there is some chance that your current DNS resolver couldn’t resolve its IP address. In that case, you may need to get the root privilege by
sudo su, then
echo 'nameserver 126.96.36.199' > /etc/resolv.confto force the local stub resolver to use Google’s OpenDNS. You can also replace
188.8.131.52with any OpenDNS servers that work in your network.
NetworkManageris actually managing your machine’s physical interfaces. You may need to change the line
/etc/NetworkManager/NetworkManager.conf. AskUbuntu has some tricks.
- Your machine is “refreshed”. While dealing with computer, it is sometimes weird and magical that things get fixed when we restart/reinstall the software/machine. Crossing my fingers!