If I try to configure an SSH VPN using nm-connection-editor, nm-connection-editor looks for a GTK3-based plugin. This plugin is not shipped in Fedora, and even if it was shipped it would not load successfully because nm-connection-editor is based on GTK4. Reproducible: Always Steps to Reproduce: 1. Install NetworkManager-ssh, NetworkManager-ssh-gnome, and nm-connection-editor. 2. Ensure that NetworkManager is running. 3. Launch nm-connection-editor. 4. Attempt to create an SSH VPN connection. Actual Results: The SSH VPN tab is blank, with no controls on it. Multiple critical messages are printed to stderr. Expected Results: The SSH VPN should have controls allowing me to configure the VPN. No warnings should be printed to stderr. I’m marking this bug as “urgent” because the plugin doesn’t work at all. I wasn’t able to configure an SSH VPN via nmcli either.
Confirmed that is the problem. Hoping to get to it next weekend. Thanks for reporting that.
FEDORA-2025-a99c8bb5a8 (NetworkManager-ssh-1.2.13-5.fc40) has been submitted as an update to Fedora 40. https://bodhi.fedoraproject.org/updates/FEDORA-2025-a99c8bb5a8
FEDORA-2025-0ff6976a00 (NetworkManager-ssh-1.2.13-5.fc41) has been submitted as an update to Fedora 41. https://bodhi.fedoraproject.org/updates/FEDORA-2025-0ff6976a00
FEDORA-2025-df3794c54a (NetworkManager-ssh-1.2.13-5.fc42) has been submitted as an update to Fedora 42. https://bodhi.fedoraproject.org/updates/FEDORA-2025-df3794c54a
*** Bug 2309894 has been marked as a duplicate of this bug. ***
*** Bug 2316253 has been marked as a duplicate of this bug. ***
FEDORA-2025-df3794c54a has been pushed to the Fedora 42 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-df3794c54a` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-df3794c54a See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-a99c8bb5a8 has been pushed to the Fedora 40 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-a99c8bb5a8` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-a99c8bb5a8 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2025-0ff6976a00 has been pushed to the Fedora 41 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2025-0ff6976a00` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2025-0ff6976a00 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
The downloaded Fedora 41 version gives the setup window. The same for Fedora 42 latest update. From 42 to 41 I get a SELinux error on the client, with setenforce 0 on the client a PAM identity error on the server: pcbeneden audit[9699]: USER_ERR pid=9699 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/libexec/openssh/sshd-session" hostname=192.168.2.14 addr=192.168.2.14 terminal=ssh res=failed' With password-protected root key added with ssh-add, I get as root a tunnel with "ssh -w 0:0 hostname", so ssh config should be in principle OK I have to test it further, it's my lack of knowledge how root vs user access for this tunnel, and the access from NetworkManager components to ssh-agent fit together. Latest result: from F41 to F42 I get a connection into a unconfigured tun100 on the F42 side. After manually bringing tun100 up and adding IP, I am able to ping each other. Reason: ifconfig missing. "net-tools" should be a dependency. (or NetworkManager-ssh should use "ip" instead of ifconfig) So: Works from 41 to 42. Now the other way around....... Current versions: NetworkManager-ssh-1.2.13-5.fc41.x86_64 NetworkManager-ssh-gnome-1.2.13-5.fc41.x86_64 NetworkManager-ssh-1.2.13-5.fc42.x86_64 NetworkManager-ssh-gnome-1.2.13-5.fc42.x86_64
As for all SELinux errors, lets discuss them on: https://bugzilla.redhat.com/show_bug.cgi?id=2316915 - I'd like your advice on how to include the policy in the package. Generally speaking, you'll need root user access on the target machine to establish the tunnel. Otherwise, NetworkManager-ssh runs with the root context when invoked, but tries to guess the known_hosts of the user that invoked it, by looking at the ssh-agent file ownership (if that's the method chosen). As for ifconfig being a dependency, I agree, as it is needed for export. I have a pending PR on github to change ifconfig to use ip instead - which I should tend to shortly. To summarise, lets look at the attached ticket for SELinux, and let this one close, if the dialog appears correctly after the GTK4 fixes :)
FEDORA-2025-0ff6976a00 (NetworkManager-ssh-1.2.13-5.fc41) has been pushed to the Fedora 41 stable repository. If problem still persists, please make note of it in this bug report.
I've one additional comment: I was able to connect fedora 41 to fedora 42, but no way to connect fedora 42 to 41 or 42. Method: as root, "ssh-add" the root key to ssh-agent. I get in F42: nm-ssh-service[3412]: debug1: read_passphrase: can't open /dev/tty: No such device or address It looks like the ssh-agent keys are not accessible and it wants to fetch a password. For sure the nmconnection file contains: [vpn-secrets] ssh-auth-sock=/run/user/1000/keyring/ssh If I trap the ssh command generated by the ssh plugin to create the remote tun, and run it in terminal as root, it works correctly without asking for password.
Works in Fedora42: installed the SELinux policy attached to https://bugzilla.redhat.com/show_bug.cgi?id=2316915 installed an additional SELinux module because SELinux still complained. Once. I entered the FQDN in nm-connection-editor, but used the shortname routinely. That was a fatal mistake. After connecting to FQDN and confirming for knowhosts, it worked. The /dev/tty is probably ssh asking for confirmation to enter into knownhosts.
> The /dev/tty is probably ssh asking for confirmation to enter into knownhosts. That's probably something I should fix upstream.
FEDORA-2025-a99c8bb5a8 (NetworkManager-ssh-1.2.13-5.fc40) has been pushed to the Fedora 40 stable repository. If problem still persists, please make note of it in this bug report.
FEDORA-2025-94e668b303 (NetworkManager-ssh-1.2.14-2.fc42) has been pushed to the Fedora 42 stable repository. If problem still persists, please make note of it in this bug report.