Ubuntu 22.04: Running a script at login - starting VPN

[Zululander]

I have a script call startVPN.sh that I have put in the .profile file. If I run bash .profile, the script runs but it does not run at login.

How do I fix this so that the VPN starts automatically at login?

Script

#!/bin/bash
nmcli con up id OSG

.profile

# the default umask is set in /etc/profile; for setting the umask
# for ssh logins, install and configure the libpam-umask package.
#umask 022

# if running bash
if [ -n "$BASH_VERSION" ]; then
    # include .bashrc if it exists
    if [ -f "$HOME/.bashrc" ]; then
        . "$HOME/.bashrc"
    fi
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/bin" ] ; then
    PATH="$HOME/bin:$PATH"
fi

# set PATH so it includes user's private bin if it exists
if [ -d "$HOME/.local/bin" ] ; then
    PATH="$HOME/.local/bin:$PATH"
fi
~/startVPN.sh

 

[osprey]

Is the network up when the .profile file is read on boot up?
An alternative way to run the script is with a systemd service in which the code can be configured to run the script when the network is up.

 

[CaffeineAddict]

I have a script call startVPN.sh that I have put in the .profile file. If I run bash .profile, the script runs but it does not run at login.

How do I fix this so that the VPN starts automatically at login?

If you're using KDE desktop then there is an elegant solution:

System settings -> startup and shutdown -> autostart -> add -> add login script

You only need to make sure your script is executable, ex. chmod u+x ./script.sh

 

[Zululander]

Thanks both.

I am using GNOME.

I tried the to run it as a service using: /etc/systemd/system/startVPN-OSG.service

[Unit]
Description=Start OSG VPN
After=NetworManager.service

[Service]
Type=oneshot
ExecStart= /usr/local/bin/startVPN.sh
RemainAfterExit=yes

[Install]
WantedBy=user. Target

But when I try start the service I get

Apr 26 08:16:22 jp-01 startVPN.sh[61546]: You need to authenticate to access the Virtual Private Network “OSG”.
Apr 26 08:16:22 jp-01 startVPN.sh[61546]: Warning: password for 'vpn.secrets.password' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Apr 26 08:16:22 jp-01 startVPN.sh[61546]: Error: Connection activation failed: No valid secrets

I can't work out how to pass the credentials through nmcli. Also is it possible to store the password file encrypted?

 

[CaffeineAddict]

I have a script call startVPN.sh that I have put in the .profile file. If I run bash .profile, the script runs but it does not run at login.

You might want to learn how .profile script works, that is, why it doesn't work for login...

## File read order

- Login shell
  - Invokes `/etc/profile` (For Bourne shell)
  - `/etc/profile` invokes scripts in `/etc/profile.d/` (For Bourne shell)
  - Then invokes users `~/.bash_profile` (For Bash shell)
  - `~/.bash_profile` invokes users `~/.bashrc`
  - `~/.bashrc` invokes `/etc/bashrc`

- Non login shell
  - Invokes `~/.bashrc`
  - Then `~/.bashrc` invokes `/etc/bashrc`
  - `/etc/bashrc` invokes scripts in `/etc/profile.d/`

Therefore you want to append the following code at the end of your ~/.bashrc file:

source /path/to/script/startVPN.sh

And again make sure the script is executable. ex. chmod u+x ./startVPN.sh
To test this works, log out and log in again.

 

[Zululander]

You might want to learn how .profile script works, that is, why it doesn't work for login...

## File read order

- Login shell
  - Invokes `/etc/profile` (For Bourne shell)
  - `/etc/profile` invokes scripts in `/etc/profile.d/` (For Bourne shell)
  - Then invokes users `~/.bash_profile` (For Bash shell)
  - `~/.bash_profile` invokes users `~/.bashrc`
  - `~/.bashrc` invokes `/etc/bashrc`

- Non login shell
  - Invokes `~/.bashrc`
  - Then `~/.bashrc` invokes `/etc/bashrc`
  - `/etc/bashrc` invokes scripts in `/etc/profile.d/`

Therefore you want to append the following code at the end of your ~/.bashrc file:

source /path/to/script/startVPN.sh

And again make sure the script is executable. ex. chmod u+x ./startVPN.sh
To test this works, log out and log in again.

Thanks for this, I think I am getting confused. Initially I was wanting the script to run when the user logged onto the desktop, hence the .profile file. For testing purpose I tried running .profile from the command-line.

I have added source /path/to/script/startVPN.sh to ~/.bashrc but the VPN did not connect.

# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples


# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac


# don't put duplicate lines or lines starting with space in the history.
# See bash(1) for more options
HISTCONTROL=ignoreboth


# append to the history file, don't overwrite it
shopt -s histappend


# for setting history length see HISTSIZE and HISTFILESIZE in bash(1)
HISTSIZE=1000
HISTFILESIZE=2000


# check the window size after each command and, if necessary,
# update the values of LINES and COLUMNS.
shopt -s checkwinsize


# If set, the pattern "**" used in a pathname expansion context will
# match all files and zero or more directories and subdirectories.
#shopt -s globstar


# make less more friendly for non-text input files, see lesspipe(1)
[ -x /usr/bin/lesspipe ] && eval "$(SHELL=/bin/sh lesspipe)"


# set variable identifying the chroot you work in (used in the prompt below)
if [ -z "${debian_chroot:-}" ] && [ -r /etc/debian_chroot ]; then
debian_chroot=$(cat /etc/debian_chroot)
fi


# set a fancy prompt (non-color, unless we know we "want" color)
case "$TERM" in
xterm-color|*-256color) color_prompt=yes;;
esac


# uncomment for a colored prompt, if the terminal has the capability; turned
# off by default to not distract the user: the focus in a terminal window
# should be on the output of commands, not on the prompt
#force_color_prompt=yes


if [ -n "$force_color_prompt" ]; then
if [ -x /usr/bin/tput ] && tput setaf 1 >&/dev/null; then
 # We have color support; assume it's compliant with Ecma-48
 # (ISO/IEC-6429). (Lack of such support is extremely rare, and such
 # a case would tend to support setf rather than setaf.)
color_prompt=yes
else
color_prompt=
fi
fi


if [ "$color_prompt" = yes ]; then
PS1='${debian_chroot:+($debian_chroot)}\[\033[01;32m\]\u@\h\[\033[00m\]:\[\033[01;34m\]\w\[\033[00m\]\$ '
else
PS1='${debian_chroot:+($debian_chroot)}\u@\h:\w\$ '
fi
unset color_prompt force_color_prompt


# If this is an xterm set the title to user@host:dir
case "$TERM" in
xterm*|rxvt*)
PS1="\[\e]0;${debian_chroot:+($debian_chroot)}\u@\h: \w\a\]$PS1"
;;
*)
;;
esac


# enable color support of ls and also add handy aliases
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto'
 #alias dir='dir --color=auto'
 #alias vdir='vdir --color=auto'


alias grep='grep --color=auto'
alias fgrep='fgrep --color=auto'
alias egrep='egrep --color=auto'
fi

# colored GCC warnings and errors
#export GCC_COLORS='error=01;31:warning=01;35:note=01;36:caret=01;32:locus=01:quote=01'


# some more ls aliases
alias ll='ls -alF'
alias la='ls -A'
alias l='ls -CF'


# Add an "alert" alias for long running commands.  Use like so:
#   sleep 10; alert
alias alert='notify-send --urgency=low -i "$([ $? = 0 ] && echo terminal || echo error)" "$(history|tail -n1|sed -e '\''s/^\s*[0-9]\+\s*//;s/[;&|]\s*alert$//'\'')"'


# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.


if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi


# enable programmable completion features (you don't need to enable
# this, if it's already enabled in /etc/bash.bashrc and /etc/profile
# sources /etc/bash.bashrc).
if ! shopt -oq posix; then
if [ -f /usr/share/bash-completion/bash_completion ]; then
. /usr/share/bash-completion/bash_completion
elif [ -f /etc/bash_completion ]; then
. /etc/bash_completion
fi
fi
source /home/admin/startVPN.sh

 

[CaffeineAddict]

I have added source /path/to/script/startVPN.sh to ~/.bashrc but the VPN did not connect.

Does the VPN connect if you execute the script directly in the terminal?
ex. run /home/admin/startVPN.sh

 

[Zululander]

Initially I got

You need to authenticate to access the Virtual Private Network “OSG”.
Warning: password for 'vpn.secrets.password' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: No valid secrets

So for testing purpose I changed the script to

#!/bin/bash
nmcli --ask con up id OSG

This works so it looks like the issue is that I need to save the password somewhere. I have tried passing it but to no avail.

 

[CaffeineAddict]

nmcli --ask con up id OSG

Problem with that is --ask will ask a user for password (a "secret") but since this is a script a user is not prompted therefore no password is given and it fails.

nmcli --ask con up my-vpn-con

This command activates a VPN connection profile enabling nmcli to interact with the user ('--ask'): this will allow nmcli to prompt for the VPN password on the command line when the password-flags are set to '0x02' ('always ask', see nm-settings(5) ). This is particularly useful for OTP based VPNs, as the user needs to be prompted for the password each time the connection is activated.

nmcli-examples: NetworkManager Reference Manual

developer-old.gnome.org

"secret agent" should exist a program that implements secret agent methods

Therefore the script should look like this:

#!/bin/bash
nmcli con up id OSG

or if that doesn't work then:

#!/bin/bash
nmcli agent secret
nmcli con up id OSG

But before calling any of these script from .bashrc test them by executing it in a terminal directly.

 

[Zululander]

When I run

nmcli agent secret

I get

nmcli successfully registered as a NetworkManager's secret agent.

But I then need to press ctrl-c to get back to the command line.

 

[CaffeineAddict]

But I then need to press ctrl-c to get back to the command line.

I see, and what if you remove this line? (first script)

 

[Zululander]

Right now I am at work so not doing this via the desktop but ssh to the machine (just mentioning incase this is adding complexity).

If I run it without sudo, I get

Error: Connection activation failed: Not authorized to control networking.

When I use sudo, I get

Warning: password for 'vpn.secrets.password' not given in 'passwd-file' and nmcli cannot ask without '--ask' option.
Error: Connection activation failed: No valid secrets
Hint: use 'journalctl -xe NM_CONNECTION=39bbb94f-4423-4a24-93f6-767cb5398014 + NM_DEVICE=eno1' to get more details.

 

[CaffeineAddict]

See link below

Re: trying to use nmcli under cron job question

mail.gnome.org

Basically you need to open up network connections UI under gnome and for your VPN connection store the password globally for all users so that it's saved there.

then nmcli shouldn't need any passwords.

 

[Zululander]

I thought I had done that as if I go into the desktop I can easily activate the VPN by clicking connect. Also If I am logged onto the desktop and then go to the command line, I can run the script.

It sound like the password is not stored globally. I will do some research later on how to check that. Might need to wait until I am home.

 

[Zululander]

Ok, I got the script working. In all the to-ing and fro-ing I had reset permissions and forgot to check if they were still correct.

It runs but I need to run as sudo.

If I don't it returns

Error: Connection activation failed: Not authorized to control networking.

Permissions are

-rwxr-xr-x 1 root root 32 Apr 26 21:26 startVPN.sh

This makes sense as I am not logged on as root. This said, I changed the ownership to the logged on user

-rwxr-xr-x 1 osgadmin osgadmin 32 Apr 26 21:26 startVPN.sh

And go the same error.