VPN plug-ins and GTK3 support

Thu Mar 20 12:10:22 UTC 2025

On 20/03/2025 12:41, thom311 at gmail.com wrote:
[...snip...]
>
> 1) D-Bus Daemon – Required. This is run by NetworkManager to configure
> the network. See the VPN Connection.program entry in nm-openvpn-
> service.name.

I've spotted this one, but not dug into that aspect just yet.  From what
it looks to me, in OpenVPN context, is that it is basically responsible
for kicking off the /usr/sbin/openvpn binary with the proper arguments -
and provide D-Bus API for NetworkManager to stop the tunnel, as well as
getting credentials passing working.

Is this correct?

OpenVPN 3 Linux is doing things very different - compared to the
"classic" OpenVPN.  With OpenVPN 3 Linux, it is now fully D-Bus managed.
It has its own configuration and session management - and unprivileged
users can interact with these services via D-Bus or the various
front-end tools (like the openvpn3 command) and they are restricted to
only the configuration profiles and sessions they own or have been
granted access to.  This way it provides full privilege separation as well.

So this NM-openvpn3 service would basically just be a tiny broker app,
handling the signals the client process/service sends and propagate that
to the NM stack.  At least, that is how far my understanding has come so
far.

> 2) glib-based Plugin (/usr/lib64/NetworkManager/libnm-vpn-plugin-
> openvpn.so) – No GTK/GUI dependency. Provides import/export
> functionality used by nmcli, nm-connection-editor, gnome-control-
> center, and potentially others (but not plasma-nm).

Yeah, I got very basic and hackish PoC working here.  This one is clear.

> 3) GTK3 Plugin (/usr/lib64/NetworkManager/libnm-vpn-plugin-openvpn-
> editor.so) – Previously used by gnome-control-center (now GTK4).
> Currently only used by nm-connection-editor. While it could be used by
> other GTK3 apps, I don’t think it is(??).
>
> 4) GTK4 Plugin (/usr/lib64/NetworkManager/libnm-gtk4-vpn-plugin-
> openvpn-editor.so) – GTK4 version of (3). Used by gnome-control-center
> but likely not by anything else(??).

Gotcha ... so both will be needed eventually, but for basic GNOME
integration, GTK4 is the important one this round.  How are the plugins
related to the GNOME Shell integration where you start the VPNs from the
meny at the top-right corner?

> 5) plasma-nm – Reimplements (2) and (3)/(4) in Qt for KDE integration.
> Ideally, it would use the glib plugin (2), but I believe it
> doesn’t(??).

That's a missing piece I was unaware of.  I'll dig into that after
GTK3/4 is in place.

> 6) Auth Dialog – An executable (any language) spawned by nm-applet,
> gnome-shell, nmcli, and nmtui to request secrets. Likely required.

Yeah, that one looks needed.  OpenVPN 3 Linux will also support
web-based authentication.  Can this auth-dialog trigger opening a URL?

And how is this spawning triggered?  I also see this pulls in GTK, so I
presume there is a related one for plasma-nm as well?

[...]
>
> gnome-shell is GNOME-only, whereas nm-connection-editor remains the
> main GUI for non-GNOME, non-KDE desktops. This justifies GTK3 support.

Absolutely!

> Alternatively, push for the effort to port nm-connection-editor to
> GTK4. Although, I wonder whether GTK3 support can be fully dropped,
> because it also means to stop supporting desktop environments that
> don't want to use GTK4 (does that exist?).

If the majority of Linux distributions ships GTK4 ... why should some
smaller distributions be allowed to hold NetworkManager "hostage" to
have their own use cases covered?  After all, it adds maintenance burden
to NM - so if these distributions really want/need GTK3 support, then
they could do that work themselves.   But that's just my own personal
2cents.

> And then one day there will be GTK5+.

*sigh* .... just more reasons to get rid of GTK3! ;-)

-- 

kind regards,

David Sommerseth
OpenVPN Inc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 928 bytes
Desc: OpenPGP digital signature
URL: <https://lists.freedesktop.org/archives/networkmanager/attachments/20250320/951e9dd3/attachment.sig>