Created attachment 174519 [details] Password prompt SUMMARY Adding an automatically activated Wireguard connection with encrypted private key stored in Kwallet causes plasma-nm to prompt for password upon login. STEPS TO REPRODUCE 1. Install/enable NetworkManager, plasma-nm, and KDE Wallet. 2. Set KDE Wallet password to login password to enable automatic unlocking. 3. Add a Wireguard connection in NetworkManager, check "Connect automatically with priority", and select "Store password for this user only (encrypted)". 4. Reboot (oddly enough logout then relogin doesn't trigger this, maybe because NetworkManager doesn't trigger automatic connections more than once?). 5. Login. OBSERVED RESULT See attached password prompt. No matter how you interact with the prompt, including entering the private key, the Wireguard connection will not activate successfully, unlike WiFi connections. Note that if you select the Wireguard connection in plasma-nm manually after this, it will correctly connect with the PK stored in KDE Wallet. EXPECTED RESULT The Wireguard connection should automatically activate using the PK in KDE Wallet without user interaction. SOFTWARE/OS VERSIONS Linux: ArchLinux 6.11.0-zen1-1-zen KDE Plasma Version: libplasma 6.1.5-1 KDE Frameworks Version: plasma-workspace 6.1.90-1 Qt Version: qt6-base 6.7.3-2 plasma-nm Version: 6.1.5-1 ADDITIONAL INFORMATION I dug into the source myself and it seems that the plasma-nm SecretAgent only returns Wireguard secrets if NetworkManager indicates that the connection activation was user requested: https://invent.kde.org/plasma/plasma-nm/-/blob/master/kded/secretagent.cpp?ref_type=heads#L410 For automatic connections, NetworkManager doesn't set that flag bit: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/core/nm-policy.c#L1502 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/core/nm-active-connection.c#L608 I'm not quite sure why plasma-nm needs that bit to send secrets. Both NM's NMSecretAgentSimple and GNOME's network-manager-applet don't use that bit: https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/main/src/libnmc-base/nm-secret-agent-simple.c https://gitlab.gnome.org/GNOME/network-manager-applet/-/blob/main/src/applet-agent.c The original userRequested check seems to come from 4ecf6a9, but I can't find the context for it: https://invent.kde.org/plasma/plasma-nm/-/commit/4ecf6a9 It's plausible to me that there was an upstream API change in how that bit is set that caused this misalignment between NM and plasma-nm. In any case, I patched (isWireGuard && userRequested) to just isWireguard in my local build and it works to my satisfaction now. It's possible that the (isVpn && userRequested) check below is causing Bug 385395.
Bulk transfer as requested in T17796
*** Bug 504358 has been marked as a duplicate of this bug. ***
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/444
Git commit df207514c72098a9ad82a8248a854fe07b6f2b07 by Nate Graham, on behalf of Jeff Chien. Committed on 25/06/2025 at 15:10. Pushed by ngraham into branch 'master'. Allow automatic activation of privately stored Wireguard connections FIXED-IN: 6.4.2 M +1 -1 kded/secretagent.cpp https://invent.kde.org/plasma/plasma-nm/-/commit/df207514c72098a9ad82a8248a854fe07b6f2b07
Git commit be2a3ca9d630c913d1b05c0a031038539110f61b by Nate Graham. Committed on 25/06/2025 at 15:13. Pushed by ngraham into branch 'Plasma/6.4'. Allow automatic activation of privately stored Wireguard connections FIXED-IN: 6.4.2 (cherry picked from commit df207514c72098a9ad82a8248a854fe07b6f2b07) 6831be4b Allow automatic activation of privately stored Wireguard connections. e1a97e04 Merge branch plasma-nm:master into master 2fad9911 Merge branch plasma-nm:master into master Co-authored-by: Jeff Chien <jeffchienmail@gmail.com> M +1 -1 kded/secretagent.cpp https://invent.kde.org/plasma/plasma-nm/-/commit/be2a3ca9d630c913d1b05c0a031038539110f61b