connecting fails due to failure to get secrets

[ExpandingMan]

I have been trying for a couple of weeks now to get ProtonVPN working on my machine. I use the i3 desktop manager, but my setup is pretty close to a vanilla Manjaro install and I am running NetworkManager and gnome-keyring.

I am able to login successfully, but when I try connecting protonvpn-cli will hang. The following line appears in the network_manager.service.log which is copied to the protonvpn log directory:

<error>  vpn-connection[-----]: Failed to request VPN secrets #3: No agents were available for this request.

I have now confirmed quite explicitly that gnome-keyring is working properly in my setup. I am able to fetch the protonvpn credentials with secret-tool and I can see the stored credentials in the seahorse GUI interface to gnome-keyring.

I haven't fully established what is going on, but it seems that while I am able to fetch credentials just fine as my user, for whatever reason NetworkManager cannot. This may be due to a misconfiguration of the NetworkManager polkit, but if this is the case I so far have no clue how it could be fixed.

I have seen a number of vaguely similar threads on the internet such as this one where people seem to have solved similar problems by making gnome-keyring passwords available to all users, though I also do not yet know how this can be done.

Note that protonvpn-cli successfully creates the NetworkManager connection, it just isn't able to actually connect to it because it can't get the credentials. I can successfully finish the aborted process manually by doing, e.g.

nmcli conn up --ask 'ProtonVPN US-NY#1'

(or whatever the name of the connection was that protonvpn-cli created) and manually entering my password. While it means that strictly speaking I am able to connect, obviously this still needs to be fixed.

I will continue investigating. I went through a lengthy discussion with ProtonVPN support but it ultimately went nowhere (seems like maybe there are just too many layers between customer support and developers to solve this issue), but I may open another ticket now that I have more information.

Please let me know if you have any suggestions, I am quite determined to get this working as I really don't want to have to find another VPN provider.

[ExpandingMan]

Been doing some more digging on this, really seems like something is going singularly wrong when it tries to actually enable the connection. Creating and deleting the connections work fine. I am member of both wheel and network groups, and /etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules exists and looks configured correctly. According to the arch linux wiki it should be working.

For a while I was thinking that this is purely a NetworkManager issue, but now I'm starting to wonder if maybe something is mis-configured on the protonvpn side.

[calexandru2018]

@ExpandingMan try doing the following: Once the connection gets added, interrupt the process. In the keyring, check if an entry for the vpn has been added with the username and password. Then from that point:

• if the entry in keyring is present, it means that the connection was can correctly added with all settings. If this is the case then ensure that nm-applet is installed and running (got an understanding that nm-applet is needed for some distros)

• if not then something went wrong when adding the connection

[ExpandingMan]

Yes!!! It needs nm-applet!!

Oh man, that was a saga, and what a simple fix!

Thanks so much. I understand that protonvpn doesn't want to say that it "officially supports" desktop environments other than GNOME or KDE, but I think it would still be really great if we could add some documentation here.

In particular, so far what I know is needed is NetworkManager, dbus, gnome-keyring and for nm-applet to be running. There are probably some details of network manager permissions to be documented here as well. My user is in both the network and wheel groups, think this might break for users who are not, so perhaps that should be documented somewhere.

Anyway thanks!!!

[calexandru2018]

@ExpandingMan As en example, nm-applet is not always needed nor gnome-keyring. Lubuntu for example uses nm-tray but it has some quirks. Also you could use KWallet instead of gnome-keyring but it would require some understanding of some other concepts, although if you install on a full KDE DE it should work flawlessly.

About the rest, the clients are made to work on default desktop configurations, which users are normally already in both network/wheel, also NM polkit rules are also pre-defined. Given the ammount of WM and other configurations, we have to limit ourselves somehow. Also, manual installation via is currently not supported (git cloning, compiling installing) but the community is free to try out.

[ExpandingMan]

Yeah, what you are saying is understandable, but regardless, I definitely think more documentation is in order. I'd have to guess that something like half of your users are not using standard GNOME or KDE setups. It's perfectly reasonable for protonvpn not to officially support every crazy thing that somebody tries, but documentation (and links to documentation) are always nice.

I'll close this issue. At the very least, this stuff will now be discoverable in my dotfiles.

[jtfen86]

KeePassXC can be used for org.freedesktop.secrets storage instead of KWallet or gnome-keyring but you have to leave the program running it doesn't have a background service. I haven't tried this with protonvpn-cli as I just stick with protonvpn-cli-ng since that has always worked for me. That and I use connman not NetworkManager.

https://c3pb.de/blog/keepassxc-secrets-service.html

[monomadic]

thanks for this thread, I also went down the rabbit hole (I use a very basic sway setup) - it should maybe be mentioned on the docs, I'm sure I'm not alone :)

[nonetrix]

I am having the same issue none of the steps here helped I can't even open the GUI app anymore or do anything with the command line program like logout

[lucaslira95]

Yes!!! It needs nm-applet!!

Oh man, that was a saga, and what a simple fix!

Thanks so much. I understand that protonvpn doesn't want to say that it "officially supports" desktop environments other than GNOME or KDE, but I think it would still be really great if we could add some documentation here.

In particular, so far what I know is needed is NetworkManager, dbus, gnome-keyring and for nm-applet to be running. There are probably some details of network manager permissions to be documented here as well. My user is in both the network and wheel groups, think this might break for users who are not, so perhaps that should be documented somewhere.

Anyway thanks!!!

I can't believe this worked, OMG, after hours, this was the fix... :man_facepalming: