Lib.rs

Authentication | Network programming
#network-manager #vpn #openvpn #oauth

app nm-openvpn-sso

NetworkManager VPN plugin for OpenVPN with SSO/OAuth authentication

Owned by Joseph R. Quinn.

3 releases (breaking)

0.3.0 Feb 7, 2026
0.2.0 Feb 6, 2026
0.1.0 Feb 5, 2026

#267 in Authentication

MIT license

150KB
3K SLoC

Rust 2.5K SLoC // 0.1% comments Shell 263 SLoC // 0.1% comments C++ 178 SLoC // 0.1% comments Pacman's makepkg 40 SLoC // 0.2% comments

NetworkManager OpenVPN SSO Plugin

A NetworkManager VPN plugin that adds OAuth 2.0 / OIDC Single Sign-On (SSO) support for OpenVPN connections.

CI Release License: MIT

Features

  • Browser-based SSO authentication - Opens your default browser for OAuth/OIDC login
  • Automatic OAuth discovery - Discovers authentication URLs from the OpenVPN server
  • Session token caching - Caches session tokens for connection maintenance
  • Desktop notifications - Shows connection status via system notifications
  • Full NetworkManager integration - Works seamlessly with NetworkManager and network applets

Installation

Arch Linux

# From AUR or download from releases
sudo pacman -U networkmanager-openvpn-sso-*.pkg.tar.zst

Debian / Ubuntu

sudo dpkg -i networkmanager-openvpn-sso_*_amd64.deb
sudo apt-get install -f  # Install any missing dependencies

Fedora / RHEL / CentOS

sudo dnf install networkmanager-openvpn-sso-*.x86_64.rpm

Other Linux Distributions

# Download and extract the tarball
tar -xzf nm-openvpn-sso-service-linux-x86_64.tar.gz

# Run the install script
sudo ./install.sh

Usage

Importing an OpenVPN Configuration

  1. Import your .ovpn file using NetworkManager:
nmcli connection import type openvpn file your-vpn-config.ovpn
  1. Modify the connection to use the SSO plugin:
# Get the connection name
nmcli connection show | grep vpn

# Update to use SSO plugin
nmcli connection modify "your-vpn-name" vpn.service-type org.freedesktop.NetworkManager.openvpn-sso
  1. Connect to the VPN:
nmcli connection up "your-vpn-name"

Your default browser will open for SSO authentication. After successful login, the VPN connection will be established automatically.

Using with Network Manager GUI

GNOME

The VPN connection will appear in your system's network settings and can be activated from there. When connecting, your browser will open for authentication.

KDE Plasma

This project includes a native plasma-nm UI plugin that integrates directly with KDE Plasma's network applet. When installed, you can:

  • Create, configure, and manage OpenVPN SSO connections from Plasma's network settings
  • Import .ovpn files directly through the Plasma UI
  • Connect and disconnect from the system tray network applet

The plugin is built automatically during installation if KDE dependencies are available.

If the plugin is not installed, you can still use:

  1. Command line: nmcli connection up "your-vpn-name"
  2. nm-connection-editor: GTK-based GUI that works on KDE
  3. vpn-sso-connect: Helper script with KDialog integration (installed with this package)

Requirements

  • NetworkManager
  • OpenVPN
  • D-Bus
  • A graphical session (for browser-based authentication)

Building from Source

Prerequisites

# Arch Linux
sudo pacman -S rust cargo dbus openssl pkgconf

# For KDE Plasma integration (optional)
sudo pacman -S extra-cmake-modules qt6-base networkmanager-qt kio ki18n kcoreaddons plasma-nm

# Debian/Ubuntu
sudo apt-get install rustc cargo libdbus-1-dev libssl-dev pkg-config

# Fedora
sudo dnf install rust cargo dbus-devel openssl-devel pkg-config

Build

git clone https://github.com/pegasusheavy/network-manager-openvpn-sso.git
cd network-manager-openvpn-sso
cargo build --release

Install

sudo ./install.sh

Uninstall

sudo ./uninstall.sh

Configuration

The plugin stores session tokens in /var/lib/nm-openvpn-sso/ with restricted permissions. These tokens are used for session maintenance but do not persist across new connection attempts (SSO is required for each new connection).

Troubleshooting

Browser doesn't open

Ensure you have a default browser set and that xdg-open or your browser is accessible. The plugin will try multiple methods to open the browser:

  1. xdg-open (skipped on KDE due to KIO limitations)
  2. Direct browser launch (vivaldi, firefox, chromium, google-chrome)

Connection times out

Check the NetworkManager logs for details:

journalctl -u NetworkManager -f

VPN connects but no network access

Verify that the VPN routes are correctly applied:

ip route | grep tun

KDE Plasma shows "missing support" message

This means the plasma-nm UI plugin is not installed. Rebuild with KDE dependencies available:

# Arch Linux
sudo pacman -S extra-cmake-modules qt6-base networkmanager-qt kio ki18n kcoreaddons plasma-nm
sudo ./install.sh

The VPN still works without the plugin—use nmcli or nm-connection-editor to connect.

How It Works

  1. NetworkManager activates the VPN connection
  2. The plugin starts OpenVPN with management interface enabled
  3. OpenVPN connects to the server and receives an SSO authentication URL
  4. The plugin opens your browser to the authentication URL
  5. After successful authentication, the server provides credentials
  6. The plugin completes the VPN connection and configures networking

License

MIT License - see LICENSE for details.

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Support

Made with ❤️ by Pegasus Heavy Industries LLC

Dependencies

~25–64MB
~1M SLoC