-------------------------------------------------------------------------------
nmcli    Network Manager CLI, Control of network
-------------------------------------------------------------------------------
General Networking

Note: you can use the short commands, like "con" instead of "connection"

  nmcli connection show --active     # is it connected and how
  nmcli connection show enp1s0       # all info about this interface

  # set interface to DHCP
  nmcli connection modify enp1s0 \
           connection.autoconnect yes \
           ipv4.method auto

  # set interface to a static address
  nmcli connection modify enp1s0 \
           connection.autoconnect yes \
           ipv4.method manual \
           ipv4.address "10.250.130.156/24" \
           ipv4.dns "132.234.241.1,132.234.241.10" \
           ipv4.gateway "10.250.130.209" \
           ipv4.dns-search "example.com"

  # restart network after changes (one command line!)
  nmcli con down enp1s0 ; nmcli con up enp1s0

-------------------------------------------------------------------------------
Wireless Networking

  nmcli radio wifi                   # Get Wifi status
  nmcli radio wifi {on|off}          # Turn wifi on or off
  nmcli device wifi list             # List available access points (AP)
  nmcli device wifi rescan           # Refresh previous list
  nmcli device wifi connect {SSID}   # Connect to an open AP
  nmcli device wifi connect {SSID} password {password}
                                     # connect to a password protected AP

Password is stored in the connection profile as
    [wifi-security]
    psk=PASSWORD

-------------------------------------------------------------------------------
WiFi certificates via nmcli

  nmcli connection add type 802-11-wireless \
           con-name "Cert Secured WiFi" \
           ifname wlp3s0 \
           ipv4.method auto \
           802-1x.eap tls \
           802-1x.identity {username}@example.com \
           802-1x.ca-cert $HOME/.ssl/63527b867df7538020500e125f5c836.cer \
           802-1x.client-cert $HOME/.ssl/gu_wifi_cert.p12 \
           802-1x.private-key $HOME/.ssl/gu_wifi_cert.p12 \
           802-11-wireless.ssid 'Corporate Example Domain' \
           802-11-wireless.mode infrastructure \
           802-11-wireless-security.key-mgmt wpa-eap \
           802-1x.domain-suffix-match wireless.example.com \
           802-1x.private-key-password XXXXXXXXXXX \
           autoconnect true

  nmcli connection show              # show the connection

  nmcli connection up "Cert Secured WiFi" --ask
    Passwords or encryption keys are required...
    Identity (802-1x.identity): {username}@example.com
    Passwords or encryption keys are required...
    Private key password (802-1x.private-key-password): ••••••••••••
    Connection successfully activated...

Using the NM GUI...

  Go to wifi.example.com
    * select "unknown" as the device, so you actually get the certificate!
    * Download the "p12" private key, encrypted with a Password (remember it)
    * Download Quovadis Root CA Certificate

  In Network Manager (under "Wifi Security" if Editing)
    * Connect to "Secure Wifi"
    * In WiFi Settings:
        Identity:          {username}@example.com
        Domain:            wireless.example.com
        CA certificate:    {set the Quovadis Root CA file}
        User certificate:  {set the 'p12' certificate file}
        User key password: {Set the cert password used when downloading}

  You should now be able to connect to the wifi network, and use it.

-------------------------------------------------------------------------------
VPN Connections

{Connection} can be ...
    {Connection_Name}
    uuid {connection_uuid}

Commands...

  nmcli connection | grep -i vpn         # is it connected
  nmcli connection up {Connection}       # set up VPN
  nmcli connection down {Connection}     # take down a VPN

  nmcli connection up {Connection} passwd-file /my/vpn/password

  nmcli connection modify {Connection} vpn.secrets "password=VPNPASS"

May fail with
    "Error: Connection activation failed: no valid VPN secrets."

If that happens to you, it's likely that the VPN password is stored in your
user's gnome-keyring, which will make it inaccessible to the root user.

---

For most connection types, the default handling is that NM stores passwords
itself. However, for certain connections, e.g. VPN, the passwords are
regarded as personal and thus they are stored by default in clients (e.g.
the gnome keyring).

So, if you have configured a my-openvpn connection for a user, but activate
it under root, the password in the user's keyring is not accessible.

Setting 'password-flags=2' gets it to always ask the user for the password.

You can set password-flags in [vpn] to 0 and add your password to
[vpn-secrets] to let NM manage the password and thus be able to activate
the connection by any user:

    [vpn]
    ....
    password-flags=0

    [vpn-secrets]
    password=your_password

OR

    [vpn-secrets]
    passwd-file=some_file

where the file contains
    vpn.secrets.password:PASSWORD
or
    vpn.secrets.cert-pass:PASSWORD

You can modify that file using...

  nmcli con modify "myvpn" vpn.secrets "password=myverysecretpassword"

See also
  http://markmail.org/message/bamybmq5shyk6eje

For Specifics on using l2tp VPN see
  https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues

-------------------------------------------------------------------------------
Link Aggregation Control (Bond Interfaces)

  nmcli connection add type bond \
           ifname portchannel0 \
           bond.options "mode=balance-rr,miimon=100"
    Connection 'bond-portchannel0' (???-uuid-???) successfully added.

  nmcli connection add type ethernet \
           ifname enp1s0 \
           master portchannel0
    Connection 'bond-slave-enp1s0' (???-uuid-???) successfully added.

  nmcli connection add type ethernet \
           ifname enp7s0 \
           master portchannel0
    Connection 'bond-slave-enp7s0' (???-uuid-???) successfully added.

  nmcli connection up bond-slave-enp1s0
  nmcli connection up bond-slave-enp7s0

When you activate the first slave interface, the master bond connection
also starts.

-------------------------------------------------------------------------------
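
Auditing stored secrets (added example, not part of the original notes)

The Wireless and VPN sections above describe secrets that end up in the
connection profile itself ([wifi-security] psk=, [vpn-secrets] password= with
password-flags=0). This shell audit lists such profiles. The function names,
the *.nmconnection file pattern and the sample profile are assumptions made
for the example.

```shell
#!/bin/sh
# Added example (not from the original notes): flag NetworkManager keyfile
# profiles that hold secrets in the file itself.

# audit_keyfile FILE: print one "FILE: finding" line per stored secret.
audit_keyfile() {
    awk -v f="$1" '
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            key = $0; sub(/[ \t]*=.*/, "", key)
            if (sec == "wifi-security" && key == "psk")
                print f ": wifi psk stored in file"
            else if (sec == "vpn-secrets")
                print f ": vpn secret " key " stored in file"
            else if (sec == "802-1x" && key ~ /password$/)
                print f ": 802-1x " key " stored in file"
        }' "$1"
    # A profile that holds secrets should be readable by its owner only.
    if [ -n "$(find "$1" -prune ! -perm 600)" ]; then
        echo "$1: permissions are not 600"
    fi
}

# audit_dir DIR: audit every *.nmconnection file in DIR (assumed pattern).
audit_dir() {
    for p in "$1"/*.nmconnection; do
        [ -f "$p" ] && audit_keyfile "$p"
    done
    return 0
}

# Constructed sample profile in a temp dir, so the demo runs on any machine.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/myvpn.nmconnection" <<'EOF'
[connection]
id=myvpn
type=vpn

[vpn]
password-flags=0

[vpn-secrets]
password=your_password
EOF
chmod 644 "$demo_dir/myvpn.nmconnection"
audit_dir "$demo_dir"
```

On a real host, run audit_dir as root against the directory that holds the
system connection profiles.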