Skip to content

pegasusheavy/network-manager-openvpn-sso

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
.github
.github
 
 
data
data
 
 
docs
docs
 
 
plasma-nm-plugin
plasma-nm-plugin
 
 
src
src
 
 
.gitignore
.gitignore
 
 
Cargo.lock
Cargo.lock
 
 
Cargo.toml
Cargo.toml
 
 
LICENSE
LICENSE
 
 
PKGBUILD
PKGBUILD
 
 
README.md
README.md
 
 
install.sh
install.sh
 
 
uninstall.sh
uninstall.sh
 
 

Repository files navigation

NetworkManager OpenVPN SSO Plugin

A NetworkManager VPN plugin that adds OAuth 2.0 / OIDC Single Sign-On (SSO) support for OpenVPN connections.

CI Release License: MIT

Features

  • Browser-based SSO authentication - Opens your default browser for OAuth/OIDC login
  • Automatic OAuth discovery - Discovers authentication URLs from the OpenVPN server
  • Session token caching - Caches session tokens for connection maintenance
  • Desktop notifications - Shows connection status via system notifications
  • Full NetworkManager integration - Works seamlessly with NetworkManager and network applets

Installation

Arch Linux

# From AUR or download from releases
sudo pacman -U networkmanager-openvpn-sso-*.pkg.tar.zst

Debian / Ubuntu

sudo dpkg -i networkmanager-openvpn-sso_*_amd64.deb
sudo apt-get install -f  # Install any missing dependencies

Fedora / RHEL / CentOS

sudo dnf install networkmanager-openvpn-sso-*.x86_64.rpm

Other Linux Distributions

# Download and extract the tarball
tar -xzf nm-openvpn-sso-service-linux-x86_64.tar.gz

# Run the install script
sudo ./install.sh

Usage

Importing an OpenVPN Configuration

  1. Import your .ovpn file using NetworkManager:
nmcli connection import type openvpn file your-vpn-config.ovpn
  1. Modify the connection to use the SSO plugin:
# Get the connection name
nmcli connection show | grep vpn

# Update to use SSO plugin
nmcli connection modify "your-vpn-name" vpn.service-type org.freedesktop.NetworkManager.openvpn-sso
  1. Connect to the VPN:
nmcli connection up "your-vpn-name"

Your default browser will open for SSO authentication. After successful login, the VPN connection will be established automatically.

Using with Network Manager GUI

GNOME

The VPN connection will appear in your system's network settings and can be activated from there. When connecting, your browser will open for authentication.

KDE Plasma

This project includes a native plasma-nm UI plugin that integrates directly with KDE Plasma's network applet. When installed, you can:

  • Create, configure, and manage OpenVPN SSO connections from Plasma's network settings
  • Import .ovpn files directly through the Plasma UI
  • Connect and disconnect from the system tray network applet

The plugin is built automatically during installation if KDE dependencies are available.

If the plugin is not installed, you can still use:

  1. Command line: nmcli connection up "your-vpn-name"
  2. nm-connection-editor: GTK-based GUI that works on KDE
  3. vpn-sso-connect: Helper script with KDialog integration (installed with this package)

Requirements

  • NetworkManager
  • OpenVPN
  • D-Bus
  • A graphical session (for browser-based authentication)

Building from Source

Prerequisites

# Arch Linux
sudo pacman -S rust cargo dbus openssl pkgconf

# For KDE Plasma integration (optional)
sudo pacman -S extra-cmake-modules qt6-base networkmanager-qt kio ki18n kcoreaddons plasma-nm

# Debian/Ubuntu
sudo apt-get install rustc cargo libdbus-1-dev libssl-dev pkg-config

# Fedora
sudo dnf install rust cargo dbus-devel openssl-devel pkg-config

Build

git clone https://github.com/pegasusheavy/network-manager-openvpn-sso.git
cd network-manager-openvpn-sso
cargo build --release

Install

sudo ./install.sh

Uninstall

sudo ./uninstall.sh

Configuration

The plugin stores session tokens in /var/lib/nm-openvpn-sso/ with restricted permissions. These tokens are used for session maintenance but do not persist across new connection attempts (SSO is required for each new connection).

Troubleshooting

Browser doesn't open

Ensure you have a default browser set and that xdg-open or your browser is accessible. The plugin will try multiple methods to open the browser:

  1. xdg-open (skipped on KDE due to KIO limitations)
  2. Direct browser launch (vivaldi, firefox, chromium, google-chrome)

Connection times out

Check the NetworkManager logs for details:

journalctl -u NetworkManager -f

VPN connects but no network access

Verify that the VPN routes are correctly applied:

ip route | grep tun

KDE Plasma shows "missing support" message

This means the plasma-nm UI plugin is not installed. Rebuild with KDE dependencies available:

# Arch Linux
sudo pacman -S extra-cmake-modules qt6-base networkmanager-qt kio ki18n kcoreaddons plasma-nm
sudo ./install.sh

The VPN still works without the plugin—use nmcli or nm-connection-editor to connect.

How It Works

  1. NetworkManager activates the VPN connection
  2. The plugin starts OpenVPN with management interface enabled
  3. OpenVPN connects to the server and receives an SSO authentication URL
  4. The plugin opens your browser to the authentication URL
  5. After successful authentication, the server provides credentials
  6. The plugin completes the VPN connection and configures networking

License

MIT License - see LICENSE for details.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Support

Made with ❤️ by Pegasus Heavy Industries LLC

About

NetworkManager VPN plugin for OpenVPN with OAuth 2.0 / OIDC Single Sign-On support

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 3

v0.3.0 - OAuth SSO with Localhost Callback Latest
Feb 7, 2026
+ 2 releases

Sponsor this project

Packages

 
 
 

Contributors

Languages