1

While using a VPN connection (WireGuard in this case) on a desktop with NetworkManager, when the system gets back online after a hibernation or a suspension, the VPN connection is not restored (note that OpenVPN and other VPN protocols are affected as well).

There is a feature to enable automatic connection but this is meant for a permanent VPN tunnel; the requirement here is to reconnect any active tunnel after a suspension/hibernation.

How can we automate the restoration of an existing VPN connection after sleep or hibernate operation?

0

2 Answers

0

The answer for WireGuard and OpenVPN is different. That is because NetworkManager implements OpenVPN as a NetworkManager VPN plugin, while WireGuard is implemented by the daemon directly (natively).

NetworkManager has two mechanisms to automatically connect a profile. One is the connection.autoconnect setting and the other is connection.secondaries, where a secondary profile gets activated when the primary one is activated. Currently, native types (like WireGuard, Ethernet and Wi-Fi) only support connection.autoconnect, while VPN plugins currently only implement being started as secondaries. The reason for that difference is that it's a missing feature.

When the system goes to sleep, NetworkManager disconnects devices first. When returning from sleep, it starts autoconnecting the suitable profiles and devices.

From the question it's not clear why these two mechanisms wouldn't just work. Did you configure the profiles accordingly, to be autoconnected? What happens on resume? As always, when you want to exactly understand what a daemon does, enable debug logging and check the logs.

You can also write a script to activate a profile, if the automatism that is provided doesn't suit you. But that does not seem necessary (without first understanding why it doesn't work automatically).

2
  • Yes there is indeed an auto connect feature, but it is not meant for reconnecting any active vpn session but to make a connection permanent Commented Jun 23, 2020 at 6:15
  • Is there any update or reference on these explanations? Commented Apr 30, 2023 at 12:27
0

WireGuard is stateless; the VPN connection is meant to be kept after a sleep/hibernate operation. But on the desktop implementation, because NetworkManager gets disconnected from everything on sleep/hibernate, we then lose WireGuard's stateless feature. Here is a custom bash script setup to get this feature back. This setup also works with other VPN systems like OpenVPN. It is explained in a KDE context but can easily be used on another desktop environment:

Restoring VPN connection after sleep/hibernate (if it was used)

Features:

  • Display current ip
  • Warn on wan ip change
  • Reconnect the VPN if it was used before sleep

Setup:

  1. First, under KDE, I use the widget Command output and set up the widget to run "sh Ip.Vpn.Watcher.sh" every 15 sec (this will watch and notify for IP changes, display the current IP and save the currently used network to /tmp/used-conn)
  2. Systemd is configured to run a script after sleep/hibernate: suspend-vpn is added to /usr/lib/systemd/system-sleep/
  3. suspend-vpn triggers Wait.Network.And.Restore.VPN.sh

That's it :)

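**Ip.Vpn.Watcher.sh**

```bash
#!/bin/bash

# Fetch the current WAN IP as plain text (the URL is a placeholder).
wget -q http://internet.adress.that.return.myip.in.text/ip.php -O /tmp/ip --force-clobber

ip=$( cat /tmp/ip )
# /tmp/ip-old does not exist on the first run; treat that as "no previous IP".
wantedip=$( cat /tmp/ip-old 2> /dev/null )

# Quote both sides so the right-hand side is compared literally, not as a pattern.
if [[ "$ip" == "$wantedip" ]]
then
    echo "$ip"
    # Remember the first active connection so it can be restored after resume.
    nmcli --fields name connection show --active | tail -n +2 | head -n 1 > /tmp/used-conn
else
    if [[ -n "$ip" ]]
    then
        echo "$ip"
        zenity --warning --title="VPN Watcher" --width=250 --text="\nWARNING : Wan IP Changed !"
        nmcli --fields name connection show --active | tail -n +2 | head -n 1 > /tmp/used-conn
        cp -f /tmp/ip /tmp/ip-old
    else
        echo "$ip"
        zenity --warning --title="VPN Watcher" --width=250 --text="\nWARNING : Wan Connection Gone !"
        cp -f /tmp/ip /tmp/ip-old
    fi
fi
```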

**suspend-vpn**

```bash
#!/bin/bash

# $1 values ('pre' or 'post')
# $2 values ('suspend', 'hibernate', or 'hybrid-sleep')
# case "$1/$2" in

case "$1" in
    pre)
        # Save connection state
        # Too late for this network is already gone...
        # Implemented via check ip (plasmoid)
        # nmcli --fields name connection show --active | tail -n +2 | head -n 1 > /tmp/used-conn
    ;;
    post)
        # Restore connection
        # Replace "username", the uid in /run/user/2000 and the script path with your own values.
        su username -c "export DISPLAY=:0; export XDG_RUNTIME_DIR='/run/user/2000'; /scripts/location/Wait.Network.And.Restore.VPN.sh &"
    ;;
esac
```
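
**Wait.Network.And.Restore.VPN.sh**

```bash
#!/bin/bash

timer=1
# Read the saved profile name; read trims the padding nmcli's tabular output leaves on the line.
conn=""
[[ -r /tmp/used-conn ]] && read -r conn < /tmp/used-conn

printf "%s" "Waiting For Online State ..."

# Poll once per second until the network answers, giving up when the timer reaches 300.
while ! ping -c 1 -n -w 1 8.8.8.8 &> /dev/null
do
    printf "%c" "."
    sleep 1
    let "timer++"

    if [[ $timer -ge 300 ]] ; then
        printf "\n%s\n"  "Script Timeout"
        exit 1
    fi

done

printf "\n%s\n"  "Network Is Online"

# VPNCONNECTIONAME and VPNCONNECTIONAME2 are placeholders for your VPN profile names.
if [[ $conn == VPNCONNECTIONAME* ]] || [[ $conn == VPNCONNECTIONAME2* ]]
then
    # Need to wait network to be up
    sleep 5
    # Quoted so that a profile name containing spaces stays a single argument.
    nmcli connection up "$conn"
fi
```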
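
A hardened variant of the state handling used by the scripts above, as an added example that is not part of the original answer: the saved profile name lives in the per-user runtime directory rather than the shared /tmp, and is only passed to nmcli after an exact match against an allowlist. The profile names `wg-home` and `office-ovpn`, the state path and all function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the answer's code. ALLOWED_VPNS and the state path are assumptions.
ALLOWED_VPNS="wg-home
office-ovpn"    # hypothetical profile names, one per line

state_file() {
    # Per-user runtime directory (mode 0700) instead of world-writable /tmp.
    printf '%s/vpn-restore/used-conn\n' "${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
}

active_vpn() {
    # First active profile whose type is a VPN; terse mode has no header or padding.
    nmcli -t -f NAME,TYPE connection show --active |
        awk -F: '$2 == "vpn" || $2 == "wireguard" { print $1; exit }'
}

save_conn() {   # save_conn NAME [FILE]
    _sf=${2:-$(state_file)}
    ( umask 077
      mkdir -p "$(dirname "$_sf")" && printf '%s\n' "$1" > "$_sf.tmp" ) &&
        mv -f "$_sf.tmp" "$_sf"    # atomic replace, never a half-written file
}

load_conn() {   # load_conn [FILE]: prints an allow-listed name or returns 1
    _lf=${1:-$(state_file)}
    # Refuse symlinks and files not owned by the calling user.
    [ -f "$_lf" ] && [ ! -L "$_lf" ] && [ -O "$_lf" ] || return 1
    IFS= read -r _name < "$_lf" || [ -n "$_name" ] || return 1
    # Exact whole-line match: no prefix globbing, no extra words.
    printf '%s\n' "$ALLOWED_VPNS" | grep -Fxq -- "$_name" || return 1
    printf '%s\n' "$_name"
}

restore_vpn() { # run from the resume hook once the network is reachable
    _vpn=$(load_conn "$@") || return 0    # nothing valid saved: do nothing
    nmcli connection up id "$_vpn"
}

case "${1:-}" in
    save)    save_conn "$(active_vpn)" ;;
    restore) restore_vpn ;;
esac
```

Called with `save` from the periodic watcher and with `restore` from the resume script, it replaces the reads and writes of /tmp/used-conn; profile names containing a colon are escaped in terse output and are not handled by the awk filter.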
