It would be nice if users that don't run NetworkManager could still use the application to download a OpenVPN or WireGuard profile.
Allow downloading profile #614
There was some work regarding this, but I think that it would make a lot of sense if the client also works completely headless. E.g. without OAuth (or headless OAuth)
... or, if the client would be able to switch to OpenVPN 3 automatically, if NetworkManager is not available.
I'm running Debian and Hyprland, previously I used Sway. I don't have NetworkManager installed.
Also, the "Dependencies" section in the docs for linux-app requires installing network-manager-openvpn-gnome under Debian/Ubuntu.
However, there's not such requirement for Fedora or openSUSE.
I assume that is because NetworkManager is always installed under these OSes? And NetworkManager is still a requirement, on every OS?
@sepastian wrote in #614 (comment):
... or, if the client would be able to switch to OpenVPN 3 automatically, if NetworkManager is not available.
I'm running Debian and Hyprland, previously I used Sway. I don't have NetworkManager installed.
How do you want to do that on a client that needs no root?
@sepastian wrote in #614 (comment):
Also, the "Dependencies" section in the docs for linux-app requires installing
network-manager-openvpn-gnomeunder Debian/Ubuntu.However, there's not such requirement for Fedora or openSUSE.
I assume that is because NetworkManager is always installed under these OSes? And NetworkManager is still a requirement, on every OS?
I believe because this is automatically installed on fedora and openSUSE, but maybe the docs need to be changed
@jwijenbergh wrote in #614 (comment):
@sepastian wrote in #614 (comment):
... or, if the client would be able to switch to OpenVPN 3 automatically, if NetworkManager is not available.
I'm running Debian and Hyprland, previously I used Sway. I don't have NetworkManager installed.How do you want to do that on a client that needs no root?
Thanks for the reply. Good point, I wasn't aware that eduvpn doesn't require root privileges.
However, what I'm looking for is a command-line client which does not enforce NetworkManager. Using sudo is not a problem at all.
I'm currently manually downloading the certificate from the eduvpn portal. I then use that certificate with openvpn3 to connect. This is cumbersome, I would like to be able to open and maintain a connection on the command line, without manually downloading a certificate. And without NetworkManager.
Do you have any suggestions how this could be added to the current CLI client in Linux? I.e. using NetworkManager, if available, and falling back to openvpn3+sudo, otherwise?
I would be up for looking into this and, hopefully providing a PR.
currently, as a semi-official alternative you can use
go run codeberg.org/eduVPN/eduvpn-common/cmd/eduvpn-cli@latest -get-institute urlofyourinstitute
To download a configuration
I agree, we can maybe get the official CLI working with sudo/run0/doas. But unfortunately haven't had the time to look into this yet.
Do you have any suggestions how this could be added to the current CLI client in Linux? I.e. using NetworkManager, if available, and falling back to openvpn3+sudo, otherwise?
Indeed that would good, or an option/flag which "method" to use to connect. To be honest, the CLI is also not coded very well, so also a complete rewrite could be good too. Maybe the CLI should be migrated to a go binary
@jwijenbergh wrote in #614 (comment):
currently, as a semi-official alternative you can use
go run codeberg.org/eduVPN/eduvpn-common/cmd/eduvpn-cli@latest -get-institute urlofyourinstituteTo download a configuration
I agree, we can maybe get the official CLI working with sudo/run0/doas. But unfortunately haven't had the time to look into this yet.
@jwijenbergh wrote in #614 (comment):
currently, as a semi-official alternative you can use
go run codeberg.org/eduVPN/eduvpn-common/cmd/eduvpn-cli@latest -get-institute urlofyourinstituteTo download a configuration
I agree, we can maybe get the official CLI working with sudo/run0/doas. But unfortunately haven't had the time to look into this yet.
Awesome, I think that will help a lot of people!
I just tried it, from what I can tell, a connection is established. But then it does not work, i.e. I cannot ssh into a server within the VPN of my university.
$ go run codeberg.org/eduVPN/eduvpn-common/cmd/eduvpn-cli@latest -get-
institute https://eduvpn.uni-passau.de/
go: codeberg.org/eduVPN/eduvpn-common@v0.0.0-20260424140857-5aefab331c97 requires go >= 1.25.0; switching to go1.25.10
time=2026年05月21日T11:35:56.134+02:00 level=DEBUG msg="failed to load configuration" error="open /tmp/eduvpn-common3960373110/state.json: no such file or directory"
time=2026年05月21日T11:35:56.135+02:00 level=DEBUG msg="Client registered" name=org.eduvpn.app.linux version=5.0.2-cli directory=/tmp/eduvpn-common3960373110
time=2026年05月21日T11:35:56.151+02:00 level=DEBUG msg="sending request" method=GET url=https://disco.eduvpn.org/v2/organization_list.json
time=2026年05月21日T11:35:57.457+02:00 level=DEBUG msg="got 'Last-Modified' header" value=2026年05月18日T08:37:16.000Z
time=2026年05月21日T11:35:57.457+02:00 level=DEBUG msg="sending request" method=GET url=https://disco.eduvpn.org/v2/organization_list.json.minisig
time=2026年05月21日T11:35:57.515+02:00 level=DEBUG msg="sending request" method=GET url=https://disco.eduvpn.org/v2/server_list.json
time=2026年05月21日T11:35:57.562+02:00 level=DEBUG msg="got 'Last-Modified' header" value=2026年05月18日T08:37:16.000Z
time=2026年05月21日T11:35:57.562+02:00 level=DEBUG msg="sending request" method=GET url=https://disco.eduvpn.org/v2/server_list.json.minisig
time=2026年05月21日T11:35:57.608+02:00 level=DEBUG msg="client wants to add a server" id=https://eduvpn.uni-passau.de/ type=1
time=2026年05月21日T11:35:57.608+02:00 level=DEBUG msg="FSM transition" old=Main new=AddingServer
time=2026年05月21日T11:35:57.609+02:00 level=DEBUG msg="sending request" method=GET url=https://eduvpn.uni-passau.de/.well-known/vpn-user-portal
time=2026年05月21日T11:35:57.734+02:00 level=DEBUG msg="FSM transition" old=AddingServer new=OAuthStarted
time=2026年05月21日T11:35:57.734+02:00 level=DEBUG msg="OAuth log" log="starting HTTP loopback server"
time=2026年05月21日T11:36:00.893+02:00 level=DEBUG msg="OAuth log" log="got HTTP response for OAuth exchange"
time=2026年05月21日T11:36:00.893+02:00 level=DEBUG msg="OAuth log" log="getting tokens at URL: https://eduvpn.uni-passau.de/vpn-user-portal/oauth/token"
time=2026年05月21日T11:36:00.961+02:00 level=DEBUG msg="not updating client tokens"
time=2026年05月21日T11:36:00.961+02:00 level=DEBUG msg="FSM transition" old=OAuthStarted new=Main
time=2026年05月21日T11:36:00.971+02:00 level=DEBUG msg="client wants to get a VPN config" server_id=https://eduvpn.uni-passau.de/ server_type=1 prefer_tcp=false startup=false
time=2026年05月21日T11:36:00.972+02:00 level=DEBUG msg="FSM transition" old=Main new=GettingConfig
time=2026年05月21日T11:36:00.972+02:00 level=DEBUG msg="not updating client tokens"
time=2026年05月21日T11:36:00.972+02:00 level=DEBUG msg="sending request" method=GET url=https://eduvpn.uni-passau.de/vpn-user-portal/api/v3/info
time=2026年05月21日T11:36:01.030+02:00 level=DEBUG msg="sending request" method=POST url=https://eduvpn.uni-passau.de/vpn-user-portal/api/v3/connect
time=2026年05月21日T11:36:01.176+02:00 level=DEBUG msg="FSM transition" old=GettingConfig new=GotConfig
[Interface]
MTU = 1280
Address = <XXXXX>
DNS = <XXXXX>
PrivateKey = <XXXXX>
[Peer]
PublicKey = <XXXXX>
AllowedIPs = <XXXXX>
PersistentKeepalive = 25
Endpoint = <XXXXX>
time=2026年05月21日T11:36:01.183+02:00 level=DEBUG msg="FSM transition" old=GotConfig new=Deregistered
The very last line says Deregistered. Is this correct?
@jwijenbergh wrote in #614 (comment):
Do you have any suggestions how this could be added to the current CLI client in Linux? I.e. using NetworkManager, if available, and falling back to openvpn3+sudo, otherwise?
Indeed that would good, or an option/flag which "method" to use to connect. To be honest, the CLI is also not coded very well, so also a complete rewrite could be good too. Maybe the CLI should be migrated to a go binary
I don't know the codebase at all. But a rewrite + go binary sounds like the right way go.
@sepastian wrote in #614 (comment):
@jwijenbergh wrote in #614 (comment):
currently, as a semi-official alternative you can use
go run codeberg.org/eduVPN/eduvpn-common/cmd/eduvpn-cli@latest -get-institute urlofyourinstituteTo download a configuration
I agree, we can maybe get the official CLI working with sudo/run0/doas. But unfortunately haven't had the time to look into this yet.
@jwijenbergh wrote in #614 (comment):currently, as a semi-official alternative you can use
go run codeberg.org/eduVPN/eduvpn-common/cmd/eduvpn-cli@latest -get-institute urlofyourinstituteTo download a configuration
I agree, we can maybe get the official CLI working with sudo/run0/doas. But unfortunately haven't had the time to look into this yet.Awesome, I think that will help a lot of people!
I just tried it, from what I can tell, a connection is established. But then it does not work, i.e. I cannot ssh into a server within the VPN of my university.
$ go run codeberg.org/eduVPN/eduvpn-common/cmd/eduvpn-cli@latest -get- institute https://eduvpn.uni-passau.de/ go: codeberg.org/eduVPN/eduvpn-common@v0.0.0-20260424140857-5aefab331c97 requires go >= 1.25.0; switching to go1.25.10 time=2026年05月21日T11:35:56.134+02:00 level=DEBUG msg="failed to load configuration" error="open /tmp/eduvpn-common3960373110/state.json: no such file or directory" time=2026年05月21日T11:35:56.135+02:00 level=DEBUG msg="Client registered" name=org.eduvpn.app.linux version=5.0.2-cli directory=/tmp/eduvpn-common3960373110 time=2026年05月21日T11:35:56.151+02:00 level=DEBUG msg="sending request" method=GET url=https://disco.eduvpn.org/v2/organization_list.json time=2026年05月21日T11:35:57.457+02:00 level=DEBUG msg="got 'Last-Modified' header" value=2026年05月18日T08:37:16.000Z time=2026年05月21日T11:35:57.457+02:00 level=DEBUG msg="sending request" method=GET url=https://disco.eduvpn.org/v2/organization_list.json.minisig time=2026年05月21日T11:35:57.515+02:00 level=DEBUG msg="sending request" method=GET url=https://disco.eduvpn.org/v2/server_list.json time=2026年05月21日T11:35:57.562+02:00 level=DEBUG msg="got 'Last-Modified' header" value=2026年05月18日T08:37:16.000Z time=2026年05月21日T11:35:57.562+02:00 level=DEBUG msg="sending request" method=GET url=https://disco.eduvpn.org/v2/server_list.json.minisig time=2026年05月21日T11:35:57.608+02:00 level=DEBUG msg="client wants to add a server" id=https://eduvpn.uni-passau.de/ type=1 time=2026年05月21日T11:35:57.608+02:00 level=DEBUG msg="FSM transition" old=Main new=AddingServer time=2026年05月21日T11:35:57.609+02:00 level=DEBUG msg="sending request" method=GET url=https://eduvpn.uni-passau.de/.well-known/vpn-user-portal time=2026年05月21日T11:35:57.734+02:00 level=DEBUG msg="FSM transition" old=AddingServer new=OAuthStarted time=2026年05月21日T11:35:57.734+02:00 level=DEBUG msg="OAuth log" log="starting HTTP loopback server" time=2026年05月21日T11:36:00.893+02:00 level=DEBUG msg="OAuth log" log="got HTTP response for OAuth exchange" time=2026年05月21日T11:36:00.893+02:00 level=DEBUG msg="OAuth log" log="getting tokens at URL: https://eduvpn.uni-passau.de/vpn-user-portal/oauth/token" time=2026年05月21日T11:36:00.961+02:00 level=DEBUG msg="not updating client tokens" time=2026年05月21日T11:36:00.961+02:00 level=DEBUG msg="FSM transition" old=OAuthStarted new=Main time=2026年05月21日T11:36:00.971+02:00 level=DEBUG msg="client wants to get a VPN config" server_id=https://eduvpn.uni-passau.de/ server_type=1 prefer_tcp=false startup=false time=2026年05月21日T11:36:00.972+02:00 level=DEBUG msg="FSM transition" old=Main new=GettingConfig time=2026年05月21日T11:36:00.972+02:00 level=DEBUG msg="not updating client tokens" time=2026年05月21日T11:36:00.972+02:00 level=DEBUG msg="sending request" method=GET url=https://eduvpn.uni-passau.de/vpn-user-portal/api/v3/info time=2026年05月21日T11:36:01.030+02:00 level=DEBUG msg="sending request" method=POST url=https://eduvpn.uni-passau.de/vpn-user-portal/api/v3/connect time=2026年05月21日T11:36:01.176+02:00 level=DEBUG msg="FSM transition" old=GettingConfig new=GotConfig [Interface] MTU = 1280 Address = <XXXXX> DNS = <XXXXX> PrivateKey = <XXXXX> [Peer] PublicKey = <XXXXX> AllowedIPs = <XXXXX> PersistentKeepalive = 25 Endpoint = <XXXXX> time=2026年05月21日T11:36:01.183+02:00 level=DEBUG msg="FSM transition" old=GotConfig new=DeregisteredThe very last line says
Deregistered. Is this correct?
Yeah that is fine, that just means the cli exits cleanly, that is fine. How are you using the config? wg-quick?
Does a ping instead of ssh work?
Update 2: It works now. Steps required:
- extract config from the output of the
go ...command, see above - store config under
/etc/wireguard/wg0.conf - I had to alter
AllowedIPs = 0.0.0.0/0 wg-quick up wg0ssh VPN-HOST
Check the status of the VPN with sudo wg, teardown the connection with wg-quick down wg0.
Concerning AllowedIPs: with the original set of IPs, found in the config returned, I wasn't able to reach any hosts. Does setting this to 0.0.0.0/0 impose any risks?
Update: I see, it's printing the config to stdout, together with logging information. Let me try...
My bad @jwijenbergh, I ran the go ... command and expected it to open a VPN connection.
So the command will download the configuration. But where does it get stored then? I can't find it in pwd.
Educated Guess:
The profile is sent to stdout, in between these FSM transition logs:
time=2026年05月22日T11:20:45.494+02:00 level=DEBUG msg="FSM transition" old=GettingConfig new=GotConfig
...
time=2026年05月22日T11:20:45.502+02:00 level=DEBUG msg="FSM transition" old=GotConfig new=Deregistered
@mesch-LRZ wrote in #614 (comment):
Educated Guess:
The profile is sent to stdout, in between these FSM transition logs:
time=2026年05月22日T11:20:45.494+02:00 level=DEBUG msg="FSM transition" old=GettingConfig new=GotConfig
...
time=2026年05月22日T11:20:45.502+02:00 level=DEBUG msg="FSM transition" old=GotConfig new=Deregistered
That's correct. It can be extracted manually, or using grep -v '^time'.
I have created a script which opens a VPN connection, as described above, with just one command and typing your sudo password.
Save the script into your PATH and make it executable.
chmod +x ~/.local/bin/eduvpn_cli.sh
Open an eduVPN connection with
eduvpn_cli.sh
# This will open a browser window and ask for authentication.
# It will then ask for your sudo password to open a wg-quick VPN connection.
This solves the problem described above for me. Thanks for all inputs!
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?