Bug 494264

Summary: Auto-connecting Wireguard with encrypted private key always prompts password on login
Product: [Plasma] plasmashell Reporter: Jeff Chien <jeffchienmail>
Component: Networking in generalAssignee: Plasma Bugs List <plasma-bugs-null>
Status: RESOLVED FIXED    
Severity: normal CC: major-mayer, nate
Priority: NOR    
Version First Reported In: master   
Target Milestone: 1.0   
Platform: Arch Linux   
OS: Linux   
See Also: https://bugs.kde.org/show_bug.cgi?id=502808
Latest Commit: https://invent.kde.org/plasma/plasma-nm/-/commit/be2a3ca9d630c913d1b05c0a031038539110f61b Version Fixed/Implemented In: 6.4.2
Sentry Crash Report:
Attachments: Password prompt

Description Jeff Chien 2024-10-07 21:03:09 UTC 
Created attachment 174519 [details]
Password prompt

SUMMARY

Adding an automatically activated Wireguard connection with encrypted private key stored in Kwallet causes plasma-nm to prompt for password upon login.

STEPS TO REPRODUCE
1. Install/enable NetworkManager, plasma-nm, and KDE Wallet.
2. Set KDE Wallet password to login password to enable automatic unlocking.
3. Add a Wireguard connection in NetworkManager, check "Connect automatically with priority", and select "Store password for this user only (encrypted)".
4. Reboot (oddly enough logout then relogin doesn't trigger this, maybe because NetworkManager doesn't trigger automatic connections more than once?).
5. Login.

OBSERVED RESULT

See attached password prompt. No matter how you interact with the prompt, including entering the private key, the Wireguard connection will not activate successfully, unlike WiFi connections.

Note that if you select the Wireguard connection in plasma-nm manually after this, it will correctly connect with the PK stored in KDE Wallet.

EXPECTED RESULT

The Wireguard connection should automatically activate using the PK in KDE Wallet without user interaction.


SOFTWARE/OS VERSIONS
Linux: ArchLinux 6.11.0-zen1-1-zen
KDE Plasma Version: libplasma 6.1.5-1
KDE Frameworks Version: plasma-workspace 6.1.90-1
Qt Version: qt6-base 6.7.3-2
plasma-nm Version: 6.1.5-1

ADDITIONAL INFORMATION

I dug into the source myself and it seems that the plasma-nm SecretAgent only returns Wireguard secrets if NetworkManager indicates that the connection activation was user requested:
https://invent.kde.org/plasma/plasma-nm/-/blob/master/kded/secretagent.cpp?ref_type=heads#L410

For automatic connections, NetworkManager doesn't set that flag bit:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/core/nm-policy.c#L1502
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/core/nm-active-connection.c#L608

I'm not quite sure why plasma-nm needs that bit to send secrets. Both NM's NMSecretAgentSimple and GNOME's network-manager-applet don't use that bit:
https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/libnmc-base/nm-secret-agent-simple.c
https://gitlab.gnome.org/GNOME/network-manager-applet/-/blob/main/src/applet-agent.c

The original userRequested check seems to come from 4ecf6a9, but I can't find the context for it:
https://invent.kde.org/plasma/plasma-nm/-/commit/4ecf6a9

It's plausible to me that there was an upstream API change in how that bit is set that caused this misalignment between NM and plasma-nm. In any case, I patched (isWireGuard && userRequested) to just isWireguard in my local build and it works to my satisfaction now.

It's possible that the (isVpn && userRequested) check below is causing Bug 385395.
Comment 1 Ben Cooksley 2024-12-23 18:23:44 UTC 
Bulk transfer as requested in T17796
Comment 2 michaelk83 2025-05-17 08:26:40 UTC 
*** Bug 504358 has been marked as a duplicate of this bug. ***
Comment 3 Bug Janitor Service 2025-06-14 02:21:22 UTC 
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/444
Comment 4 Nate Graham 2025-06-25 15:10:24 UTC 
Git commit df207514c72098a9ad82a8248a854fe07b6f2b07 by Nate Graham, on behalf of Jeff Chien.
Committed on 25/06/2025 at 15:10.
Pushed by ngraham into branch 'master'.

Allow automatic activation of privately stored Wireguard connections
FIXED-IN: 6.4.2

M  +1    -1    kded/secretagent.cpp

https://invent.kde.org/plasma/plasma-nm/-/commit/df207514c72098a9ad82a8248a854fe07b6f2b07
Comment 5 Nate Graham 2025-06-25 19:27:10 UTC 
Git commit be2a3ca9d630c913d1b05c0a031038539110f61b by Nate Graham.
Committed on 25/06/2025 at 15:13.
Pushed by ngraham into branch 'Plasma/6.4'.

Allow automatic activation of privately stored Wireguard connections
FIXED-IN: 6.4.2


(cherry picked from commit df207514c72098a9ad82a8248a854fe07b6f2b07)

6831be4b Allow automatic activation of privately stored Wireguard connections.
e1a97e04 Merge branch plasma-nm:master into master
2fad9911 Merge branch plasma-nm:master into master

Co-authored-by: Jeff Chien <jeffchienmail@gmail.com>

M  +1    -1    kded/secretagent.cpp

https://invent.kde.org/plasma/plasma-nm/-/commit/be2a3ca9d630c913d1b05c0a031038539110f61b