Need Assistance Setting Up VPN with NetworkManager - Insufficient privileges

Hello experts,
I’m currently facing an issue while trying to set up a VPN using NetworkManager on my system. When I check the status of NetworkManager with ‘systemctl status NetworkManager’, I encounter the following error:

NetworkManager: <info>  audit: op="connection-add" pid=5571 uid=1000 result="fail" reason="Insufficient privileges"

In an attempt to resolve this issue, I’ve made some changes to the polkit settings. Specifically, I added the following line to /etc/polkit-default-privs.local:

org.freedesktop.NetworkManager.settings.modify.own yes

This did not help, so I removed it, then tried creating a custom policy in /etc/polkit-1/localauthority/50-local.d/50-networkmanager-custom.pkla with the following content:

[Let foo modify system settings for network]
Identity=unix-user:foo
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=yes
ResultActive=yes

Despite these changes, I am still encountering the “Insufficient privileges” error when trying to add a connection through NetworkManager.

Any assistance or guidance would be greatly appreciated on how to correctly set up VPN connections with NetworkManager.
Thank you in advance!

A hint on posting computer text.

Do not make large stories by telling “When I check the status of NetworkManager with ‘systemctl status NetworkManager’, I encounter the following error:”. Just copy/paste all lines involved: the prompt/command line, ALL output lines, the next prompt line.

It is the easiest and best way to show others what you saw within its context.

Ok, thanks for the response.
For context:
Installed How to use the v3 ProtonVPN Linux CLI

After logging in then attempting to setup fastest connection:

$ protonvpn-cli connect -f
Setting up Proton VPN.

An unknown error has occured. Please ensure that you have internet connectivity.
If the issue persists, please contact support.

Tumbleweed is not Leap, location of this file changed. Read comments in /usr/etc/polkit-default-privs/local.template for explanation how to create local overrides. In any case, you need to run additional command for the changes to become effective. Just editing this file is not enough. Which is also explained in the comments.

Do not use Ubuntu documentation for openSUSE. Ubuntu is using “frozen” version of polkit. openSUSE follows upstream and switched to JavaScript based rules. Read man 8 polkit, it contains multiple examples how to create your custom rules.

Thanks for pointing me in the right direction.
I’ve added a rule to /usr/share/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules
Containing:

polkit.addRule(function(action, subject) {
        if ((action.id == "org.freedesktop.NetworkManager.settings.modify.own") &&
            subject.user == "foo") {
                return polkit.Result.YES;
        }
});

Then ran /sbin/set_polkit_default_privs as described in local.template file + restart NetworkManager. Unfortunately, error persists.

Modification of own connections is allowed by default. Are you sure that is what your application does? I suspect it tries to add system connection.

You need to run this command only after you created/modified /etc/polkit-default-privs/local. The rules should be effective immediately. You could try restarting polkit, but I am pretty sure the action is different.

You could start with allowing everything that begins with org.freedesktop.NetworkManager. and see if it helps.

replaced

action.id == "org.freedesktop.NetworkManager.settings.modify.own"

with

action.id == "org.freedesktop.NetworkManager.")

Then restarted both polkit and NetworkManager, still the same error:

audit: op="connection-add" pid=18443 uid=1000 result="fail" reason="Insufficient privileges"

“Begins with” is not “is equal to”. Manual page has example of checking for it.

if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0) {
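An added example, not part of any post in this thread: the three rule conditions tried above, plus a narrower allow-list, evaluated against a constructed set of NetworkManager action ids. It runs under Node with a mock `polkit` object and is not a file for rules.d; `decide`, `outcomes` and the `NEEDED` list are hypothetical, and `settings.modify.system` is only the action the reply above suspects.

```javascript
// Stand-in for the object polkitd exposes to rules.d files (mock, constructed here).
const polkit = { Result: { YES: "yes", NO: "no" } };
const NM = "org.freedesktop.NetworkManager.";

// Rule 1, as first posted: exact match on a single action id.
const exactOwn = function (action, subject) {
  if (action.id == NM + "settings.modify.own" && subject.user == "foo")
    return polkit.Result.YES;
};

// Rule 2, the second attempt: "==" against the bare prefix equals no real action id.
const equalsPrefix = function (action, subject) {
  if (action.id == NM && subject.user == "foo") return polkit.Result.YES;
};

// Rule 3, the man-page idiom quoted above: prefix test with indexOf.
const beginsWith = function (action, subject) {
  if (action.id.indexOf(NM) == 0 && subject.user == "foo")
    return polkit.Result.YES;
};

// Narrower alternative: list only the actions the client is found to need.
// ASSUMPTION: settings.modify.system is a guess based on the reply above.
const NEEDED = [NM + "settings.modify.own", NM + "settings.modify.system"];
const allowList = function (action, subject) {
  if (NEEDED.indexOf(action.id) >= 0 && subject.user == "foo")
    return polkit.Result.YES;
};

// A rule that returns nothing leaves the action's packaged default in force.
function decide(rule, actionId, user) {
  return rule({ id: actionId }, { user: user }) || "default";
}

// Constructed sample: four NetworkManager action ids.
const ACTIONS = ["settings.modify.own", "settings.modify.system",
                 "settings.modify.hostname", "enable-disable-network"]
  .map(function (a) { return NM + a; });

// Outcome of one rule for every sample action, as a comma-separated string.
function outcomes(rule, user) {
  return ACTIONS.map(function (id) { return decide(rule, id, user); }).join(",");
}

const rules = { exactOwn, equalsPrefix, beginsWith, allowList };
for (const name of Object.keys(rules))
  console.log(name.padEnd(13), outcomes(rules[name], "foo"));
```

The prefix rule answers yes for every NetworkManager action for that user, including ones unrelated to adding a connection. Temporarily adding `polkit.log("action=" + action);` to a real rule, as shown in the polkit manual page, reveals which action id is actually requested so the rule can be narrowed to it.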

Thanks very much! This gets me further!
I now get following output from NetworkManager:

NetworkManager[15955]: <info>  [1698149012.9175] manager: (ipv6leakintrf0): new Dummy device (/org/freedesktop/NetworkManager/Devices/6)
NetworkManager[15955]: <info>  [1698149012.9181] device (ipv6leakintrf0): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
NetworkManager[15955]: <info>  [1698149012.9187] audit: op="connection-add" uuid="xxx" name="pvpn-ipv6leak-protection" pid=23582 uid=1000 result="success"
NetworkManager[15955]: <info>  [1698149012.9189] device (ipv6leakintrf0): state change: unavailable -> disconnected (reason 'none', sys-iface-state: 'managed')
NetworkManager[15955]: <info>  [1698149012.9192] policy: auto-activating connection 'pvpn-ipv6leak-protection' (xxx)
NetworkManager[15955]: <info>  [1698149012.9194] device (ipv6leakintrf0): Activation: starting connection 'pvpn-ipv6leak-protection' (xxx)
NetworkManager[15955]: <info>  [1698149012.9194] device (ipv6leakintrf0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
NetworkManager[15955]: <info>  [1698149012.9195] device (ipv6leakintrf0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
NetworkManager[15955]: <info>  [1698149012.9290] audit: op="connection-add" uuid="xxx" name="Proton VPN NL#339" pid=23540 uid=1000 result="success"
NetworkManager[15955]: <info>  [1698149012.9335] vpn[0x55e4f7846be0,xxx,"Proton VPN NL#339"]: starting openvpn
NetworkManager[15955]: <info>  [1698149012.9337] audit: op="connection-activate" uuid="xxx" name="Proton VPN NL#339" pid=23540 uid=1000 result="success"
NetworkManager[15955]: <info>  [1698149012.9401] device (ipv6leakintrf0): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
NetworkManager[15955]: <info>  [1698149012.9405] policy: set 'pvpn-ipv6leak-protection' (ipv6leakintrf0) as default for IPv6 routing and DNS
NetworkManager[15955]: <info>  [1698149012.9490] device (ipv6leakintrf0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'managed')
NetworkManager[15955]: <warn>  [1698149012.9526] vpn[0x55e4f7846be0,xxx,"Proton VPN NL#339"]: secrets: failed to request VPN secrets #3: No agents were available for this request.
NetworkManager[15955]: <info>  [1698149013.0024] device (ipv6leakintrf0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'managed')
NetworkManager[15955]: <info>  [1698149013.0027] device (ipv6leakintrf0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'managed')
NetworkManager[15955]: <info>  [1698149013.0041] device (ipv6leakintrf0): Activation: successful, device activated.

I ditched the client several years ago. Didn’t work so well for me on openSUSE. I use vpn by downloading the vpn definitions from protonvpn.

If you want to try:

  1. Go to Proton VPN
  2. Choose gnu/linux
  3. Choose udp/tcp (in short, if you’re going to stream content and your computer is a bit weak use udp, otherwise use tcp)
  4. Choose one of three versions of definitions (random in a country, specific in a country, specialized secure vpn). If you don’t care try random.
  5. Download the file

On KDE:

  1. Right click on network symbol in tray and choose last one (think it’s Edit in English)
  2. At the bottom, click on + sign
  3. At the bottom, again, add new connection
  4. Choose your downloaded vpn file, similar to this: ~/Downloads/uk.protonvpn.net.udp.ovpn
  5. Close the window and left click on network symbol
  6. Choose “connect” to your new vpn connection

Bit fast there. Couldn’t edit my post after 15 minutes so here are my changes.

  1. At the bottom click import vpn connection

Thanks for the tips, unfortunately I am using Sway, so don’t have direct access to KDE vpn features.

I just tested this and it worked fine

nmcli connection import type openvpn file ~/Downloads/uk.protonvpn.net.udp.ovpn

change the uk.protonvpn.net.udp.ovpn to your downloaded file.

Hi @aggplanta,
Thanks for the tips!
Having a glance through man 5 nm-settings I could not figure out how to store password with vpn.secrets

I ended up opting out of openvpn, going for wireguard instead.