diff --git a/.github/workflows/contributors.yml b/.github/workflows/contributors.yml
new file mode 100644
index 00000000..dedb3a2c
--- /dev/null
+++ b/.github/workflows/contributors.yml
@@ -0,0 +1,25 @@
+name: Contributors
+
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - master
+
+permissions:
+ contents: write
+ pull-requests: write
+
+jobs:
+ contributors:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Update contributors in README
+ uses: akhilmhdh/contributors-readme-action@v2.3.11
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ readme_path: README.md
+ image_size: 100
+ columns_per_row: 6
+ commit_message: "docs: update contributors in README"
diff --git a/Cargo.lock b/Cargo.lock
index f6e3610d..24c779a2 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -963,7 +963,7 @@ dependencies = [
[[package]]
name = "nmrs"
-version = "2.4.0"
+version = "3.0.0"
dependencies = [
"async-trait",
"base64",
diff --git a/Cargo.toml b/Cargo.toml
index 4c43d014..2c52bf51 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -12,7 +12,6 @@ license = "MIT"
repository = "https://github.com/cachebag/nmrs"
[workspace.lints.rust]
-unsafe_code = "forbid"
# This shouldn't apply to nmrs-gui
# missing_docs = "warn"
unused = { level = "warn", priority = -1 }
@@ -33,7 +32,7 @@ uuid = { version = "1.23.1", features = ["v4", "v5"] }
futures = "0.3.32"
futures-timer = "3.0.3"
base64 = "0.22.1"
-nmrs = { path = "nmrs", version = "2.2" }
+nmrs = { path = "nmrs", version = "3.0" }
gtk = { version = "0.11.2", package = "gtk4" }
glib = "0.22.5"
dirs = "6.0.0"
diff --git a/README.md b/README.md
index a060bdea..7d5e5d9f 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// Scan for networks
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
for net in networks {
println!(
@@ -70,7 +70,7 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// Connect to a network
- nm.connect("MyNetwork", WifiSecurity::WpaPsk {
+ nm.connect("MyNetwork", None, WifiSecurity::WpaPsk {
psk: "password123".into()
}).await?;
@@ -94,7 +94,7 @@ use nmrs::{NetworkManager, WifiSecurity, ConnectionError};
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- match nm.connect("MyNetwork", WifiSecurity::WpaPsk {
+ match nm.connect("MyNetwork", None, WifiSecurity::WpaPsk {
psk: "wrong_password".into()
}).await {
Ok(_) => println!("Connected successfully"),
@@ -212,12 +212,12 @@ Edit `~/.config/nmrs/style.css` to customize the interface. There are also pre-d
- [x] Active Connection
- [x] Settings
- [x] Settings Connection
-- [ ] Agent Manager
+- [x] Agent Manager
- [ ] Checkpoint
- [ ] DNS Manager
- [ ] PPP
-- [ ] Secret Agent
-- [X] VPN Connection (WireGuard)
+- [x] Secret Agent
+- [x] VPN Connection (WireGuard + plugin VPNs)
- [ ] VPN Plugin
- [ ] Wi-Fi P2P
- [ ] WiMAX NSP
@@ -246,3 +246,34 @@ You may use, copy, modify, and distribute this software under the terms of eithe
See the following files for full license texts:
- [MIT License](./LICENSE-MIT)
- [Apache License 2.0](./LICENSE-APACHE)
+
+## Contributors
+
+Thank you to everyone who has helped build, test, document, and review `nmrs`.
+
+
+
+
diff --git a/docs/src/SUMMARY.md b/docs/src/SUMMARY.md
index 2e44f7df..e0f82f1f 100644
--- a/docs/src/SUMMARY.md
+++ b/docs/src/SUMMARY.md
@@ -16,8 +16,10 @@
- [WPA-PSK Networks](./guide/wifi-wpa-psk.md)
- [WPA-EAP (Enterprise)](./guide/wifi-enterprise.md)
- [Hidden Networks](./guide/wifi-hidden.md)
+ - [Per-Device Wi-Fi Scoping](./guide/wifi-per-device.md)
- [VPN Connections](./guide/vpn.md)
- [WireGuard Setup](./guide/vpn-wireguard.md)
+ - [OpenVPN Setup](./guide/vpn-openvpn.md)
- [VPN Management](./guide/vpn-management.md)
- [Ethernet Management](./guide/ethernet.md)
- [Bluetooth](./guide/bluetooth.md)
@@ -40,6 +42,8 @@
- [WiFi Auto-Connect](./examples/wifi-auto-connect.md)
- [Enterprise WiFi](./examples/enterprise-wifi.md)
- [WireGuard VPN Client](./examples/wireguard-client.md)
+- [OpenVPN Client](./examples/openvpn-client.md)
+- [.ovpn File Import](./examples/ovpn-import.md)
- [Network Monitor Dashboard](./examples/network-monitor.md)
- [Connection Manager](./examples/connection-manager.md)
diff --git a/docs/src/advanced/async-runtimes.md b/docs/src/advanced/async-runtimes.md
index 8f884848..cd2036a0 100644
--- a/docs/src/advanced/async-runtimes.md
+++ b/docs/src/advanced/async-runtimes.md
@@ -12,7 +12,7 @@ use nmrs::NetworkManager;
#[tokio::main]
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
println!("{} networks found", networks.len());
Ok(())
}
@@ -49,7 +49,7 @@ use nmrs::NetworkManager;
#[async_std::main]
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
println!("{} networks found", networks.len());
Ok(())
}
@@ -69,7 +69,7 @@ use nmrs::NetworkManager;
fn main() -> nmrs::Result<()> {
smol::block_on(async {
let nm = NetworkManager::new().await?;
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
println!("{} networks found", networks.len());
Ok(())
})
@@ -93,7 +93,7 @@ use nmrs::NetworkManager;
glib::MainContext::default().spawn_local(async {
let nm = NetworkManager::new().await.unwrap();
- let networks = nm.list_networks().await.unwrap();
+ let networks = nm.list_networks(None).await.unwrap();
for net in &networks {
println!("{}: {}%", net.ssid, net.strength.unwrap_or(0));
}
diff --git a/docs/src/advanced/dbus.md b/docs/src/advanced/dbus.md
index 5ce8d026..d0ef978a 100644
--- a/docs/src/advanced/dbus.md
+++ b/docs/src/advanced/dbus.md
@@ -65,7 +65,7 @@ nmrs: nm.monitor_network_changes(callback)
When connecting to a network, nmrs builds a settings dictionary and sends it via D-Bus:
```
-nmrs: nm.connect("MyWiFi", WifiSecurity::WpaPsk { psk: "..." })
+nmrs: nm.connect("MyWiFi", None, WifiSecurity::WpaPsk { psk: "..." })
→ Build settings HashMap
→ D-Bus: AddAndActivateConnection(settings, device_path, specific_object)
← D-Bus: Active connection path
diff --git a/docs/src/advanced/logging.md b/docs/src/advanced/logging.md
index 63fad831..d360f38e 100644
--- a/docs/src/advanced/logging.md
+++ b/docs/src/advanced/logging.md
@@ -21,7 +21,7 @@ async fn main() -> nmrs::Result<()> {
env_logger::init();
let nm = NetworkManager::new().await?;
- nm.scan_networks().await?;
+ nm.scan_networks(None).await?;
Ok(())
}
diff --git a/docs/src/advanced/timeouts.md b/docs/src/advanced/timeouts.md
index 03805a41..2a642538 100644
--- a/docs/src/advanced/timeouts.md
+++ b/docs/src/advanced/timeouts.md
@@ -98,7 +98,7 @@ let config = TimeoutConfig::new()
let nm = NetworkManager::with_config(config).await?;
-match nm.connect("SlowNetwork", WifiSecurity::Open).await {
+match nm.connect("SlowNetwork", None, WifiSecurity::Open).await {
Ok(_) => println!("Connected!"),
Err(ConnectionError::Timeout) => {
eprintln!("Connection timed out — try a longer timeout");
diff --git a/docs/src/api/builders.md b/docs/src/api/builders.md
index 9e410cd6..278c747a 100644
--- a/docs/src/api/builders.md
+++ b/docs/src/api/builders.md
@@ -128,17 +128,14 @@ The `build()` method validates all fields and returns `Result nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- nm.connect("MyWiFi", WifiSecurity::Open).await?;
+ nm.connect("MyWiFi", None, WifiSecurity::Open).await?;
Ok(())
}
```
@@ -135,7 +152,7 @@ async fn connect() -> nmrs::Result<()> {
### Specific Error Handling
```rust
-match nm.connect("MyWiFi", security).await {
+match nm.connect("MyWiFi", None, security).await {
Ok(_) => println!("Connected"),
Err(ConnectionError::AuthFailed) => eprintln!("Wrong password"),
Err(ConnectionError::NotFound) => eprintln!("Network not found"),
@@ -151,7 +168,7 @@ use anyhow::{Context, Result};
async fn connect() -> Result<()> {
let nm = NetworkManager::new().await
.context("Failed to connect to NetworkManager")?;
- nm.connect("MyWiFi", WifiSecurity::Open).await
+ nm.connect("MyWiFi", None, WifiSecurity::Open).await
.context("Failed to connect to MyWiFi")?;
Ok(())
}
diff --git a/docs/src/api/models.md b/docs/src/api/models.md
index d7470403..1bca2e16 100644
--- a/docs/src/api/models.md
+++ b/docs/src/api/models.md
@@ -82,6 +82,40 @@ pub struct Network {
}
```
+### AccessPoint
+
+A single AP with per-BSSID details.
+
+```rust
+pub struct AccessPoint {
+ pub ssid: String,
+ pub bssid: String,
+ pub strength: u8,
+ pub frequency_mhz: u32,
+ pub device: String,
+ // ... security flags and device state
+}
+```
+
+### WifiDevice
+
+A Wi-Fi device discovered by `list_wifi_devices()`.
+
+```rust
+pub struct WifiDevice {
+ pub interface: String,
+ pub mac: String,
+ pub state: DeviceState,
+ pub active_ssid: Option,
+}
+```
+
+### WifiScope
+
+Per-interface operations scope returned by `nm.wifi("wlan1")`.
+
+Methods: `interface()`, `scan()`, `list_networks()`, `list_access_points()`, `connect(ssid, creds)`, `connect_to_bssid(ssid, bssid, creds)`, `disconnect()`, `set_enabled(bool)`, `forget(ssid)`
+
### NetworkInfo
Detailed network information from `show_details()`.
@@ -141,13 +175,29 @@ pub enum EapMethod { Peap, Ttls }
pub enum Phase2 { Mschapv2, Pap }
```
+## Radio / Airplane-Mode Models
+
+### RadioState
+
+```rust
+pub struct RadioState {
+ pub enabled: bool, // software toggle
+ pub hardware_enabled: bool, // rfkill state
+}
+```
+
+### AirplaneModeState
+
+Aggregated state across Wi-Fi, WWAN, and Bluetooth radios. Methods: `is_airplane_mode()`.
+
## VPN Models
-### VpnCredentials
+### WireGuardConfig
+
+WireGuard VPN configuration (replaces the deprecated `VpnCredentials`).
```rust
-pub struct VpnCredentials {
- pub vpn_type: VpnType,
+pub struct WireGuardConfig {
pub name: String,
pub gateway: String,
pub private_key: String,
@@ -159,7 +209,67 @@ pub struct VpnCredentials {
}
```
-Constructors: `new(...)`, `builder()`
+Constructor: `new(name, gateway, private_key, address, peers)`
+Builder methods: `.with_dns(vec)`, `.with_mtu(u32)`, `.with_uuid(uuid)`
+
+### OpenVpnConfig
+
+OpenVPN configuration.
+
+```rust
+pub struct OpenVpnConfig {
+ pub name: String,
+ pub remote: String,
+ pub port: u16,
+ pub tcp: bool,
+ pub auth_type: Option,
+ pub ca_cert: Option,
+ pub client_cert: Option,
+ pub client_key: Option,
+ pub username: Option,
+ pub password: Option,
+ pub compression: Option,
+ pub proxy: Option,
+ // ... many more TLS and routing fields
+}
+```
+
+Constructor: `new(name, remote, port, tcp)`
+Builder methods: `.with_auth_type()`, `.with_username()`, `.with_password()`, `.with_ca_cert()`, `.with_client_cert()`, `.with_client_key()`, `.with_dns()`, `.with_mtu()`, `.with_compression()`, `.with_proxy()`, `.with_tls_auth()`, `.with_tls_crypt()`, `.with_redirect_gateway()`, `.with_routes()`, and many more.
+
+### OpenVpnAuthType
+
+```rust
+pub enum OpenVpnAuthType { Password, Tls, PasswordTls, StaticKey }
+```
+
+### OpenVpnCompression
+
+```rust
+pub enum OpenVpnCompression { No, Lzo, Lz4, Lz4V2, Yes }
+```
+
+### OpenVpnProxy
+
+```rust
+pub enum OpenVpnProxy {
+ Http { server, port, username, password, retry },
+ Socks { server, port, retry },
+}
+```
+
+### VpnRoute
+
+```rust
+pub struct VpnRoute {
+ pub dest: String,
+ pub prefix: u32,
+ pub next_hop: Option,
+ pub metric: Option,
+}
+```
+
+Constructor: `new(dest, prefix)`. Builder methods: `.next_hop(gw)`, `.metric(m)`.
### WireGuardPeer
@@ -173,25 +283,107 @@ pub struct WireGuardPeer {
}
```
-### VpnConnection / VpnConnectionInfo
+### VpnType
+
+Protocol-specific metadata decoded from NM settings (data-carrying enum):
+
+```rust
+pub enum VpnType {
+ WireGuard { private_key, peer_public_key, endpoint, allowed_ips, ... },
+ OpenVpn { remote, connection_type, user_name, ca, cert, key, ... },
+ OpenConnect { gateway, user_name, protocol, ... },
+ StrongSwan { address, method, user_name, ... },
+ Pptp { gateway, user_name, ... },
+ L2tp { gateway, user_name, ipsec_enabled, ... },
+ Generic { service_type, data, secrets, ... },
+}
+```
+
+### VpnKind
+
+```rust
+pub enum VpnKind { Plugin, WireGuard }
+```
+
+### VpnConnection
+
+A saved or active VPN connection with rich metadata.
```rust
pub struct VpnConnection {
+ pub uuid: String,
+ pub id: String,
pub name: String,
pub vpn_type: VpnType,
pub state: DeviceState,
pub interface: Option,
+ pub active: bool,
+ pub user_name: Option,
+ pub password_flags: VpnSecretFlags,
+ pub service_type: String,
+ pub kind: VpnKind,
}
+```
+### VpnConnectionInfo
+
+Detailed active VPN information.
+
+```rust
pub struct VpnConnectionInfo {
pub name: String,
- pub vpn_type: VpnType,
+ pub vpn_kind: VpnKind,
pub state: DeviceState,
pub interface: Option,
pub gateway: Option,
pub ip4_address: Option,
pub ip6_address: Option,
pub dns_servers: Vec,
+ pub details: Option,
+}
+```
+
+### VpnDetails
+
+```rust
+pub enum VpnDetails {
+ WireGuard { public_key, endpoint },
+ OpenVpn { remote, port, protocol, cipher, auth, compression },
+}
+```
+
+## Saved Connection Models
+
+### SavedConnection
+
+Full decoded saved profile from `list_saved_connections()`.
+
+Fields: `uuid`, `id`, `connection_type`, `interface_name`, `autoconnect`, `timestamp`, `settings`.
+
+### SavedConnectionBrief
+
+Lightweight: `uuid`, `id`, `connection_type`.
+
+### SettingsPatch
+
+Partial update for `update_saved_connection`.
+
+## Connectivity Models
+
+### ConnectivityState
+
+```rust
+pub enum ConnectivityState { Unknown, None, Portal, Limited, Full }
+```
+
+### ConnectivityReport
+
+```rust
+pub struct ConnectivityReport {
+ pub state: ConnectivityState,
+ pub check_enabled: bool,
+ pub check_uri: Option,
+ pub captive_portal_url: Option,
}
```
diff --git a/docs/src/api/network-manager.md b/docs/src/api/network-manager.md
index 544c3322..cd5d018f 100644
--- a/docs/src/api/network-manager.md
+++ b/docs/src/api/network-manager.md
@@ -25,16 +25,41 @@ let config = nm.timeout_config();
| Method | Returns | Description |
|--------|---------|-------------|
-| `scan_networks()` | `Result<()>` | Trigger active Wi-Fi scan |
-| `list_networks()` | `Result>` | List visible networks |
-| `connect(ssid, security)` | `Result<()>` | Connect to a Wi-Fi network |
-| `disconnect()` | `Result<()>` | Disconnect from current network |
+| `scan_networks(interface)` | `Result<()>` | Trigger active Wi-Fi scan (`None` = all devices) |
+| `list_networks(interface)` | `Result>` | List visible networks (`None` = all devices) |
+| `list_access_points(interface)` | `Result>` | List individual APs by BSSID |
+| `connect(ssid, interface, security)` | `Result<()>` | Connect to a Wi-Fi network |
+| `connect_to_bssid(ssid, bssid, interface, security)` | `Result<()>` | Connect to a specific AP |
+| `disconnect(interface)` | `Result<()>` | Disconnect from current network (`None` = first Wi-Fi device) |
| `current_network()` | `Result>` | Get current Wi-Fi network |
| `current_ssid()` | `Option` | Get current SSID |
| `current_connection_info()` | `Option<(String, Option)>` | Get SSID + frequency |
| `is_connected(ssid)` | `Result` | Check if connected to a specific network |
| `show_details(network)` | `Result` | Get detailed network info |
+## Per-Device Wi-Fi Methods
+
+| Method | Returns | Description |
+|--------|---------|-------------|
+| `list_wifi_devices()` | `Result>` | List all Wi-Fi devices |
+| `wifi_device_by_interface(name)` | `Result` | Look up a Wi-Fi device by name |
+| `wifi(interface)` | `WifiScope` | Build a scope pinned to one interface |
+| `set_wifi_enabled(interface, bool)` | `Result<()>` | Enable/disable one Wi-Fi radio |
+
+## Radio / Airplane-Mode Methods
+
+| Method | Returns | Description |
+|--------|---------|-------------|
+| `wifi_state()` | `Result` | Software + hardware Wi-Fi state |
+| `wwan_state()` | `Result` | Software + hardware WWAN state |
+| `bluetooth_radio_state()` | `Result` | Software + hardware Bluetooth state |
+| `airplane_mode_state()` | `Result` | Aggregated across all radios |
+| `set_wireless_enabled(bool)` | `Result<()>` | Global Wi-Fi software toggle |
+| `set_wwan_enabled(bool)` | `Result<()>` | Global WWAN toggle |
+| `set_bluetooth_radio_enabled(bool)` | `Result<()>` | Toggle all BlueZ adapters |
+| `set_airplane_mode(bool)` | `Result<()>` | Toggle all three radios |
+| `wait_for_wifi_ready()` | `Result<()>` | Wait for Wi-Fi device to become ready |
+
## Ethernet Methods
| Method | Returns | Description |
@@ -45,12 +70,26 @@ let config = nm.timeout_config();
| Method | Returns | Description |
|--------|---------|-------------|
-| `connect_vpn(creds)` | `Result<()>` | Connect to a VPN |
+| `connect_vpn(config)` | `Result<()>` | Connect with a `WireGuardConfig` or `OpenVpnConfig` |
+| `import_ovpn(path, user, pass)` | `Result<()>` | Import `.ovpn` file and connect |
+| `connect_vpn_by_uuid(uuid)` | `Result<()>` | Activate a saved VPN by UUID |
+| `connect_vpn_by_id(id)` | `Result<()>` | Activate a saved VPN by display name |
| `disconnect_vpn(name)` | `Result<()>` | Disconnect a VPN by name |
+| `disconnect_vpn_by_uuid(uuid)` | `Result<()>` | Disconnect a VPN by UUID |
| `list_vpn_connections()` | `Result>` | List all saved VPNs |
+| `active_vpn_connections()` | `Result>` | List only active VPNs |
| `forget_vpn(name)` | `Result<()>` | Delete a saved VPN profile |
| `get_vpn_info(name)` | `Result` | Get active VPN details |
+## Connectivity Methods
+
+| Method | Returns | Description |
+|--------|---------|-------------|
+| `connectivity()` | `Result` | Current NM connectivity state |
+| `check_connectivity()` | `Result` | Force a connectivity re-check |
+| `connectivity_report()` | `Result` | Full report with captive portal URL |
+| `captive_portal_url()` | `Result>` | Captive portal URL if in Portal state |
+
## Bluetooth Methods
| Method | Returns | Description |
@@ -69,21 +108,19 @@ let config = nm.timeout_config();
| `get_device_by_interface(name)` | `Result` | Find device by interface name |
| `is_connecting()` | `Result` | Check if any device is connecting |
-## Wi-Fi Control Methods
-
-| Method | Returns | Description |
-|--------|---------|-------------|
-| `wifi_enabled()` | `Result` | Check if Wi-Fi is enabled |
-| `set_wifi_enabled(bool)` | `Result<()>` | Enable/disable Wi-Fi |
-| `wifi_hardware_enabled()` | `Result` | Check hardware radio state (rfkill) |
-| `wait_for_wifi_ready()` | `Result<()>` | Wait for Wi-Fi device to become ready |
-
## Connection Profile Methods
| Method | Returns | Description |
|--------|---------|-------------|
-| `list_saved_connections()` | `Result>` | List all saved profiles |
-| `has_saved_connection(ssid)` | `Result` | Check if a profile exists |
+| `list_saved_connections()` | `Result>` | Full decode of all saved profiles |
+| `list_saved_connections_brief()` | `Result>` | Lightweight profile listing |
+| `list_saved_connection_ids()` | `Result>` | Just the profile names |
+| `get_saved_connection(uuid)` | `Result` | Load one profile by UUID |
+| `get_saved_connection_raw(uuid)` | `Result>` | Raw `GetSettings` map |
+| `delete_saved_connection(uuid)` | `Result<()>` | Delete a profile by UUID |
+| `update_saved_connection(uuid, patch)` | `Result<()>` | Merge a `SettingsPatch` into a profile |
+| `reload_saved_connections()` | `Result<()>` | Re-read profiles from disk |
+| `has_saved_connection(ssid)` | `Result` | Check if a Wi-Fi profile exists |
| `get_saved_connection_path(ssid)` | `Result>` | Get profile D-Bus path |
| `forget(ssid)` | `Result<()>` | Delete a Wi-Fi profile |
diff --git a/docs/src/api/types.md b/docs/src/api/types.md
index ccccc692..cec8d917 100644
--- a/docs/src/api/types.md
+++ b/docs/src/api/types.md
@@ -31,6 +31,9 @@ All public methods return `nmrs::Result`.
|------|-------------|
| `Network` | A discovered Wi-Fi network (SSID, signal, security flags) |
| `NetworkInfo` | Detailed network information (channel, speed, bars) |
+| `AccessPoint` | A single AP with BSSID, frequency, and security flags |
+| `WifiDevice` | A Wi-Fi device with interface, MAC, state, and active SSID |
+| `WifiScope` | Per-interface operations scope (from `nm.wifi("wlan1")`) |
| `WifiSecurity` | Authentication type: `Open`, `WpaPsk`, `WpaEap` |
| `EapOptions` | Enterprise Wi-Fi (802.1X) configuration |
| `EapOptionsBuilder` | Builder for `EapOptions` |
@@ -46,16 +49,48 @@ All public methods return `nmrs::Result`.
| `DeviceType` | Device kind: `Wifi`, `Ethernet`, `Bluetooth`, `WifiP2P`, `Loopback`, `Other(u32)` |
| `DeviceState` | Operational state: `Disconnected`, `Activated`, `Failed`, etc. |
+## Radio / Airplane-Mode Types
+
+| Type | Description |
+|------|-------------|
+| `RadioState` | Combined software (`enabled`) and hardware (`hardware_enabled`) radio state |
+| `AirplaneModeState` | Aggregated state across Wi-Fi, WWAN, and Bluetooth |
+
## VPN Types
| Type | Description |
|------|-------------|
-| `VpnType` | VPN protocol: `WireGuard` |
-| `VpnCredentials` | Full VPN configuration for connecting |
-| `VpnCredentialsBuilder` | Builder for `VpnCredentials` |
+| `VpnConfig` | Sealed trait for VPN configurations |
+| `VpnConfiguration` | Dispatch enum: `WireGuard(WireGuardConfig)` or `OpenVpn(OpenVpnConfig)` |
+| `WireGuardConfig` | WireGuard VPN configuration |
| `WireGuardPeer` | WireGuard peer configuration |
-| `VpnConnection` | A saved/active VPN connection |
-| `VpnConnectionInfo` | Detailed VPN info (IP, DNS, gateway) |
+| `OpenVpnConfig` | OpenVPN configuration |
+| `OpenVpnAuthType` | OpenVPN auth: `Password`, `Tls`, `PasswordTls`, `StaticKey` |
+| `OpenVpnCompression` | Compression mode: `No`, `Lz4`, `Lz4V2`, `Yes` |
+| `OpenVpnProxy` | Proxy: `Http { ... }`, `Socks { ... }` |
+| `VpnRoute` | Static IPv4 route for split tunneling |
+| `VpnType` | Protocol-specific metadata (data-carrying enum) |
+| `VpnKind` | `Plugin` (OpenVPN, etc.) vs `WireGuard` |
+| `VpnConnection` | A saved/active VPN connection with rich metadata |
+| `VpnConnectionInfo` | Detailed active VPN info (IP, DNS, gateway, protocol details) |
+| `VpnDetails` | Protocol-specific active connection details |
+| `VpnCredentials` | **Deprecated** — use `WireGuardConfig` instead |
+
+## Connectivity Types
+
+| Type | Description |
+|------|-------------|
+| `ConnectivityState` | NM connectivity: `Full`, `Portal`, `Limited`, `None`, `Unknown` |
+| `ConnectivityReport` | Full report with state, check URI, and captive portal URL |
+
+## Saved Connection Types
+
+| Type | Description |
+|------|-------------|
+| `SavedConnection` | Full decoded saved profile |
+| `SavedConnectionBrief` | Lightweight profile (`uuid`, `id`, `type`) |
+| `SettingsSummary` | Decoded settings within a profile |
+| `SettingsPatch` | Partial update for `update_saved_connection` |
## Bluetooth Types
@@ -88,6 +123,7 @@ All public methods return `nmrs::Result`.
| `ConnectionBuilder` | Base connection settings builder |
| `WifiConnectionBuilder` | Wi-Fi connection builder |
| `WireGuardBuilder` | WireGuard VPN builder |
+| `OpenVpnBuilder` | OpenVPN builder (also imports `.ovpn` files) |
| `IpConfig` | IP address with CIDR prefix |
| `Route` | Static route configuration |
| `WifiBand` | Wi-Fi band: `Bg` (2.4 GHz), `A` (5 GHz) |
@@ -99,11 +135,15 @@ nmrs re-exports commonly used types at the crate root for convenience:
```rust
use nmrs::{
- NetworkManager,
+ NetworkManager, WifiScope,
WifiSecurity, EapOptions, EapMethod, Phase2,
- VpnCredentials, VpnType, WireGuardPeer,
+ WireGuardConfig, WireGuardPeer,
+ OpenVpnConfig, OpenVpnAuthType,
+ VpnConfig, VpnConfiguration, VpnType, VpnKind,
TimeoutConfig, ConnectionOptions,
ConnectionError, DeviceType, DeviceState,
+ RadioState, AirplaneModeState,
+ ConnectivityState, ConnectivityReport,
};
```
@@ -111,5 +151,5 @@ Less commonly used types are available through the `models` and `builders` modul
```rust
use nmrs::models::{BluetoothIdentity, BluetoothNetworkRole, BluetoothDevice};
-use nmrs::builders::{ConnectionBuilder, WireGuardBuilder, IpConfig, Route};
+use nmrs::builders::{ConnectionBuilder, WireGuardBuilder, OpenVpnBuilder, IpConfig, Route};
```
diff --git a/docs/src/appendix/faq.md b/docs/src/appendix/faq.md
index 2d205834..fa2196a5 100644
--- a/docs/src/appendix/faq.md
+++ b/docs/src/appendix/faq.md
@@ -56,15 +56,19 @@ When nmrs connects to a network, NetworkManager saves the profile. On subsequent
### Which VPN protocols are supported?
-Currently only WireGuard. OpenVPN support is planned and actively being developed.
+WireGuard and OpenVPN. WireGuard uses NetworkManager's native kernel integration (no plugin needed). OpenVPN requires the `networkmanager-openvpn` plugin.
### Do I need the WireGuard kernel module?
Yes. WireGuard is built into the Linux kernel since version 5.6. On older kernels, install the `wireguard` module. NetworkManager's WireGuard support requires NM 1.16+.
+### Can I import a `.ovpn` file?
+
+Yes. Use `nm.import_ovpn("client.ovpn", Some("user"), Some("pass")).await?` to parse and activate an OpenVPN profile in one call. Inline certificates are extracted and persisted automatically.
+
### Can I import a `.conf` WireGuard file?
-Not directly. You need to extract the values from the config file and pass them to `VpnCredentials`. Direct `.conf` file import is not yet implemented.
+Not directly. Extract the values from the config file and pass them to `WireGuardConfig::new()`.
## GUI
diff --git a/docs/src/appendix/troubleshooting.md b/docs/src/appendix/troubleshooting.md
index 11c0dff5..f21fe048 100644
--- a/docs/src/appendix/troubleshooting.md
+++ b/docs/src/appendix/troubleshooting.md
@@ -33,8 +33,8 @@ busctl list | grep NetworkManager
**Solutions:**
- Verify the SSID is spelled correctly (case-sensitive)
-- Trigger a scan first: `nm.scan_networks().await?`
-- Check if Wi-Fi is enabled: `nm.wifi_enabled().await?`
+- Trigger a scan first: `nm.scan_networks(None).await?`
+- Check if Wi-Fi is enabled: `nm.wifi_state().await?` returns a `RadioState` with `.enabled` and `.hardware_enabled` fields
- Check if the network is in range
- For hidden networks, the network won't appear in scans but should still connect
diff --git a/docs/src/examples/connection-manager.md b/docs/src/examples/connection-manager.md
index c5a0a975..dd475347 100644
--- a/docs/src/examples/connection-manager.md
+++ b/docs/src/examples/connection-manager.md
@@ -56,14 +56,14 @@ async fn main() -> nmrs::Result<()> {
async fn scan(nm: &NetworkManager) {
println!("Scanning...");
- match nm.scan_networks().await {
+ match nm.scan_networks(None).await {
Ok(_) => println!("Scan complete"),
Err(e) => eprintln!("Scan failed: {}", e),
}
}
async fn list_networks(nm: &NetworkManager) {
- match nm.list_networks().await {
+ match nm.list_networks(None).await {
Ok(networks) => {
println!("\n{:<5} {:<30} {:>6} {:>10}",
"#", "SSID", "Signal", "Security");
@@ -98,7 +98,7 @@ async fn connect_wifi(nm: &NetworkManager) {
};
println!("Connecting to '{}'...", ssid);
- match nm.connect(ssid, security).await {
+ match nm.connect(ssid, None, security).await {
Ok(_) => println!("Connected!"),
Err(ConnectionError::AuthFailed) => eprintln!("Wrong password"),
Err(ConnectionError::NotFound) => eprintln!("Network not found"),
@@ -108,7 +108,7 @@ async fn connect_wifi(nm: &NetworkManager) {
}
async fn disconnect(nm: &NetworkManager) {
- match nm.disconnect().await {
+ match nm.disconnect(None).await {
Ok(_) => println!("Disconnected"),
Err(e) => eprintln!("Error: {}", e),
}
@@ -144,8 +144,8 @@ async fn devices(nm: &NetworkManager) {
async fn saved(nm: &NetworkManager) {
match nm.list_saved_connections().await {
Ok(connections) => {
- for name in &connections {
- println!(" {}", name);
+ for conn in &connections {
+ println!(" {} ({})", conn.id, conn.connection_type);
}
}
Err(e) => eprintln!("Error: {}", e),
diff --git a/docs/src/examples/enterprise-wifi.md b/docs/src/examples/enterprise-wifi.md
index b96ce427..e7e6cfb6 100644
--- a/docs/src/examples/enterprise-wifi.md
+++ b/docs/src/examples/enterprise-wifi.md
@@ -48,7 +48,7 @@ async fn main() -> nmrs::Result<()> {
println!("Connecting to enterprise network '{}'...", ssid);
- match nm.connect(&ssid, WifiSecurity::WpaEap { opts: eap }).await {
+ match nm.connect(&ssid, None, WifiSecurity::WpaEap { opts: eap }).await {
Ok(_) => {
println!("Connected!");
diff --git a/docs/src/examples/network-monitor.md b/docs/src/examples/network-monitor.md
index 4f191df8..2493e043 100644
--- a/docs/src/examples/network-monitor.md
+++ b/docs/src/examples/network-monitor.md
@@ -74,8 +74,8 @@ async fn print_status(nm: &NetworkManager) {
}
// Wi-Fi state
- if let Ok(enabled) = nm.wifi_enabled().await {
- println!("Wi-Fi enabled: {}", enabled);
+ if let Ok(state) = nm.wifi_state().await {
+ println!("Wi-Fi enabled: {}", state.enabled);
}
// Devices
@@ -90,7 +90,7 @@ async fn print_status(nm: &NetworkManager) {
}
async fn print_networks(nm: &NetworkManager) {
- if let Ok(networks) = nm.list_networks().await {
+ if let Ok(networks) = nm.list_networks(None).await {
println!("Visible networks ({}):", networks.len());
for net in &networks {
let security = if net.is_eap {
@@ -125,6 +125,7 @@ cargo run --example network_monitor
Connected to: HomeWiFi
Wi-Fi enabled: true
+Wi-Fi hardware enabled: true
Devices:
wlan0 — Wi-Fi [Activated]
@@ -142,6 +143,7 @@ Visible networks (5):
--- Device state changed ---
Connected to: HomeWiFi
Wi-Fi enabled: true
+Wi-Fi hardware enabled: true
Devices:
wlan0 — Wi-Fi [Activated]
diff --git a/docs/src/examples/openvpn-client.md b/docs/src/examples/openvpn-client.md
new file mode 100644
index 00000000..fb629d0b
--- /dev/null
+++ b/docs/src/examples/openvpn-client.md
@@ -0,0 +1,191 @@
+# OpenVPN Client
+
+This example demonstrates a complete OpenVPN client that authenticates with password+TLS, connects, displays VPN details, and cleanly disconnects.
+
+## Features
+
+- Builds OpenVPN config with password+TLS authentication
+- Reads credentials from environment variables
+- Connects and retrieves VPN details
+- Displays IP configuration, DNS, and gateway
+- Cleanly disconnects on completion
+
+## Code
+
+```rust
+use nmrs::{NetworkManager, OpenVpnConfig, OpenVpnAuthType};
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ // Read credentials from environment
+ let remote = std::env::var("OVPN_REMOTE")
+ .unwrap_or_else(|_| "vpn.example.com".into());
+ let port: u16 = std::env::var("OVPN_PORT")
+ .unwrap_or_else(|_| "1194".into())
+ .parse()
+ .expect("OVPN_PORT must be a valid port number");
+ let username = std::env::var("OVPN_USER")
+ .expect("Set OVPN_USER");
+ let password = std::env::var("OVPN_PASS")
+ .expect("Set OVPN_PASS");
+ let ca_path = std::env::var("OVPN_CA")
+ .unwrap_or_else(|_| "/etc/openvpn/ca.crt".into());
+ let cert_path = std::env::var("OVPN_CERT")
+ .unwrap_or_else(|_| "/etc/openvpn/client.crt".into());
+ let key_path = std::env::var("OVPN_KEY")
+ .unwrap_or_else(|_| "/etc/openvpn/client.key".into());
+
+ // Build OpenVPN config (password+TLS)
+ let config = OpenVpnConfig::new("CorpVPN", &remote, port, false)
+ .with_auth_type(OpenVpnAuthType::PasswordTls)
+ .with_username(&username)
+ .with_password(&password)
+ .with_ca_cert(&ca_path)
+ .with_client_cert(&cert_path)
+ .with_client_key(&key_path);
+
+ // Connect
+ println!("Connecting to OpenVPN ({remote}:{port})...");
+ nm.connect_vpn(config).await?;
+ println!("Connected!\n");
+
+ // Show VPN details
+ let info = nm.get_vpn_info("CorpVPN").await?;
+ println!("VPN Connection Details:");
+ println!(" Name: {}", info.name);
+ println!(" Kind: {:?}", info.vpn_kind);
+ println!(" State: {:?}", info.state);
+ println!(" Interface: {:?}", info.interface);
+ println!(" Gateway: {:?}", info.gateway);
+ println!(" IPv4: {:?}", info.ip4_address);
+ println!(" IPv6: {:?}", info.ip6_address);
+ println!(" DNS: {:?}", info.dns_servers);
+
+ if let Some(details) = &info.details {
+ println!(" Details: {:?}", details);
+ }
+
+ // Wait for user input before disconnecting
+ println!("\nPress Enter to disconnect...");
+ let mut input = String::new();
+ std::io::stdin().read_line(&mut input).ok();
+
+ // Disconnect
+ nm.disconnect_vpn("CorpVPN").await?;
+ println!("VPN disconnected");
+
+ Ok(())
+}
+```
+
+## Running
+
+```bash
+OVPN_REMOTE="vpn.example.com" \
+OVPN_PORT="1194" \
+OVPN_USER="alice" \
+OVPN_PASS="hunter2" \
+OVPN_CA="/etc/openvpn/ca.crt" \
+OVPN_CERT="/etc/openvpn/client.crt" \
+OVPN_KEY="/etc/openvpn/client.key" \
+cargo run --example openvpn_client
+```
+
+## Sample Output
+
+```
+Connecting to OpenVPN (vpn.example.com:1194)...
+Connected!
+
+VPN Connection Details:
+ Name: CorpVPN
+ Kind: Plugin
+ State: Activated
+ Interface: Some("tun0")
+ Gateway: Some("vpn.example.com")
+ IPv4: Some("10.8.0.2")
+ IPv6: None
+ DNS: ["10.8.0.1"]
+
+Press Enter to disconnect...
+```
+
+## Error Handling
+
+```rust
+use nmrs::{NetworkManager, OpenVpnConfig, OpenVpnAuthType, ConnectionError};
+
+async fn connect_with_retry(nm: &NetworkManager) -> nmrs::Result<()> {
+ let config = OpenVpnConfig::new("CorpVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::PasswordTls)
+ .with_username("alice")
+ .with_password("hunter2")
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key");
+
+ match nm.connect_vpn(config).await {
+ Ok(_) => {
+ println!("VPN connected");
+ Ok(())
+ }
+ Err(ConnectionError::AuthFailed) => {
+ eprintln!("Authentication failed — check username/password and certificates");
+ Err(ConnectionError::AuthFailed)
+ }
+ Err(ConnectionError::Timeout) => {
+ eprintln!("Connection timed out — check server address and port");
+ Err(ConnectionError::Timeout)
+ }
+ Err(ConnectionError::VpnFailed) => {
+ eprintln!("VPN activation failed — verify OpenVPN plugin is installed");
+ Err(ConnectionError::VpnFailed)
+ }
+ Err(e) => {
+ eprintln!("Unexpected error: {e}");
+ Err(e)
+ }
+ }
+}
+```
+
+## TLS-Only Variation
+
+For certificate-only authentication (no username/password):
+
+```rust
+use nmrs::{OpenVpnConfig, OpenVpnAuthType};
+
+let config = OpenVpnConfig::new("TlsOnlyVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::Tls)
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key");
+
+nm.connect_vpn(config).await?;
+```
+
+## Password-Only Variation
+
+For username/password authentication without client certificates:
+
+```rust
+use nmrs::{OpenVpnConfig, OpenVpnAuthType};
+
+let config = OpenVpnConfig::new("PassVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::Password)
+ .with_username("alice")
+ .with_password("hunter2")
+ .with_ca_cert("/etc/openvpn/ca.crt");
+
+nm.connect_vpn(config).await?;
+```
+
+## Next Steps
+
+- [`.ovpn` File Import](./ovpn-import.md) — import existing OpenVPN configurations
+- [VPN Connections Guide](../guide/vpn.md) — comprehensive VPN overview
+- [OpenVPN Setup](../guide/vpn-openvpn.md) — detailed OpenVPN configuration
+- [WireGuard VPN Client](./wireguard-client.md) — WireGuard example
diff --git a/docs/src/examples/ovpn-import.md b/docs/src/examples/ovpn-import.md
new file mode 100644
index 00000000..442ea73c
--- /dev/null
+++ b/docs/src/examples/ovpn-import.md
@@ -0,0 +1,179 @@
+# .ovpn File Import
+
+This example shows how to import an existing `.ovpn` configuration file into NetworkManager using nmrs.
+
+## Features
+
+- Import `.ovpn` files with a single method call
+- Builder approach for more control over the import
+- Automatic handling of inline certificates
+- Error handling for parse failures
+
+## One-Liner Import
+
+The simplest way to import an `.ovpn` file:
+
+```rust
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ // Import with credentials
+ nm.import_ovpn("client.ovpn", Some("alice"), Some("hunter2")).await?;
+ println!("VPN imported and connected!");
+
+ Ok(())
+}
+```
+
+If the `.ovpn` file uses certificate-only authentication, pass `None` for username and password:
+
+```rust
+nm.import_ovpn("client.ovpn", None, None).await?;
+```
+
+## Builder Approach
+
+For more control over the import process, use `OpenVpnBuilder`:
+
+```rust
+use nmrs::{NetworkManager, OpenVpnBuilder};
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let config = OpenVpnBuilder::from_ovpn_file("client.ovpn")?
+ .username("alice")
+ .password("hunter2")
+ .build()?;
+
+ nm.connect_vpn(config).await?;
+ println!("VPN connected!");
+
+ Ok(())
+}
+```
+
+The builder extracts remote, port, protocol, certificates, and other settings from the `.ovpn` file automatically.
+
+## Inline Certificates
+
+Many `.ovpn` files embed certificates directly rather than referencing external files:
+
+```
+
+-----BEGIN CERTIFICATE-----
+MIIBxTCCAWugAwIBAgIJAJ...
+-----END CERTIFICATE-----
+
+
+
+-----BEGIN CERTIFICATE-----
+MIICCzCCAZGgAwIBAgIRAP...
+-----END CERTIFICATE-----
+
+
+
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w...
+-----END PRIVATE KEY-----
+
+```
+
+`from_ovpn_file` handles these automatically — inline certificates are extracted and written to temporary files that NetworkManager can reference. No extra steps needed:
+
+```rust
+let config = OpenVpnBuilder::from_ovpn_file("inline-certs.ovpn")?
+ .username("alice")
+ .password("hunter2")
+ .build()?;
+```
+
+## Error Handling
+
+Handle parse failures and missing fields gracefully:
+
+```rust
+use nmrs::{OpenVpnBuilder, ConnectionError};
+
+fn import_config(path: &str) -> nmrs::Result<()> {
+ let config = match OpenVpnBuilder::from_ovpn_file(path) {
+ Ok(builder) => builder.build()?,
+ Err(ConnectionError::InvalidConfig(msg)) => {
+ eprintln!("Failed to parse {path}: {msg}");
+ return Err(ConnectionError::InvalidConfig(msg));
+ }
+ Err(ConnectionError::NotFound) => {
+ eprintln!("File not found: {path}");
+ return Err(ConnectionError::NotFound);
+ }
+ Err(e) => {
+ eprintln!("Import error: {e}");
+ return Err(e);
+ }
+ };
+
+ println!("Successfully parsed configuration");
+ Ok(())
+}
+```
+
+Common parse errors:
+
+| Error | Cause |
+|-------|-------|
+| `InvalidConfig` | Missing `remote` directive, malformed options, or invalid certificate data |
+| `NotFound` | The `.ovpn` file does not exist at the given path |
+| `AuthFailed` | Credentials required but not provided |
+
+## Complete Example
+
+```rust
+use nmrs::{NetworkManager, OpenVpnBuilder};
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let ovpn_path = std::env::args()
+ .nth(1)
+ .unwrap_or_else(|| "client.ovpn".into());
+
+ let username = std::env::var("OVPN_USER").ok();
+ let password = std::env::var("OVPN_PASS").ok();
+
+ println!("Importing {ovpn_path}...");
+
+ // Builder approach for maximum control
+ let mut builder = OpenVpnBuilder::from_ovpn_file(&ovpn_path)?;
+
+ if let Some(user) = &username {
+ builder = builder.username(user);
+ }
+ if let Some(pass) = &password {
+ builder = builder.password(pass);
+ }
+
+ let config = builder.build()?;
+ nm.connect_vpn(config).await?;
+
+ println!("Connected! Checking VPN info...");
+ let vpns = nm.list_vpn_connections().await?;
+ for vpn in &vpns {
+ if vpn.active {
+ println!(" Active: {} ({:?})", vpn.name, vpn.vpn_type);
+ }
+ }
+
+ Ok(())
+}
+```
+
+## Next Steps
+
+- [OpenVPN Client Example](./openvpn-client.md) — build OpenVPN config from scratch
+- [VPN Connections Guide](../guide/vpn.md) — comprehensive VPN overview
+- [OpenVPN Setup](../guide/vpn-openvpn.md) — detailed OpenVPN configuration
diff --git a/docs/src/examples/wifi-auto-connect.md b/docs/src/examples/wifi-auto-connect.md
index b5b15b3a..991a3c52 100644
--- a/docs/src/examples/wifi-auto-connect.md
+++ b/docs/src/examples/wifi-auto-connect.md
@@ -54,8 +54,8 @@ async fn main() -> nmrs::Result<()> {
// Scan and list visible networks
println!("Scanning for networks...");
- nm.scan_networks().await?;
- let visible = nm.list_networks().await?;
+ nm.scan_networks(None).await?;
+ let visible = nm.list_networks(None).await?;
let visible_ssids: HashMap<&str, &nmrs::Network> = visible
.iter()
@@ -71,7 +71,7 @@ async fn main() -> nmrs::Result<()> {
net.strength.unwrap_or(0),
);
- match nm.connect(&pref.ssid, pref.security.clone()).await {
+ match nm.connect(&pref.ssid, None, pref.security.clone()).await {
Ok(_) => {
println!("Connected to '{}'!", pref.ssid);
return Ok(());
diff --git a/docs/src/examples/wifi-scanner.md b/docs/src/examples/wifi-scanner.md
index f95d7a68..4860528e 100644
--- a/docs/src/examples/wifi-scanner.md
+++ b/docs/src/examples/wifi-scanner.md
@@ -31,7 +31,7 @@ async fn main() -> nmrs::Result<()> {
print!("\x1B[2J\x1B[1;1H");
// Get networks
- let mut networks = nm.list_networks().await?;
+ let mut networks = nm.list_networks(None).await?;
// Sort by signal strength (strongest first)
networks.sort_by(|a, b| {
@@ -199,7 +199,7 @@ if let Ok(choice) = input.trim().parse::() {
// Get password if needed
match &selected.security {
nmrs::WifiSecurity::Open => {
- nm.connect(&selected.ssid, nmrs::WifiSecurity::Open).await?;
+ nm.connect(&selected.ssid, None, nmrs::WifiSecurity::Open).await?;
println!("Connected to {}", selected.ssid);
}
_ => {
@@ -208,7 +208,7 @@ if let Ok(choice) = input.trim().parse::() {
let mut password = String::new();
io::stdin().read_line(&mut password)?;
- nm.connect(&selected.ssid, nmrs::WifiSecurity::WpaPsk {
+ nm.connect(&selected.ssid, None, nmrs::WifiSecurity::WpaPsk {
psk: password.trim().to_string()
}).await?;
println!("Connected to {}", selected.ssid);
diff --git a/docs/src/examples/wireguard-client.md b/docs/src/examples/wireguard-client.md
index 97427a5d..3bfb8d8a 100644
--- a/docs/src/examples/wireguard-client.md
+++ b/docs/src/examples/wireguard-client.md
@@ -4,7 +4,7 @@ This example demonstrates a complete WireGuard VPN client that connects, display
## Features
-- Builds VPN credentials with the builder pattern
+- Builds VPN configuration with `WireGuardConfig`
- Connects and retrieves VPN details
- Displays IP configuration and DNS
- Cleanly disconnects on completion
@@ -12,7 +12,7 @@ This example demonstrates a complete WireGuard VPN client that connects, display
## Code
```rust
-use nmrs::{NetworkManager, VpnCredentials, WireGuardPeer};
+use nmrs::{NetworkManager, WireGuardConfig, WireGuardPeer};
#[tokio::main]
async fn main() -> nmrs::Result<()> {
@@ -38,37 +38,30 @@ async fn main() -> nmrs::Result<()> {
)
.with_persistent_keepalive(25);
- // Build credentials
- let creds = VpnCredentials::builder()
- .name("ExampleVPN")
- .wireguard()
- .gateway(
- std::env::var("WG_ENDPOINT")
- .unwrap_or_else(|_| "vpn.example.com:51820".into()),
- )
- .private_key(
- std::env::var("WG_PRIVATE_KEY")
- .expect("Set WG_PRIVATE_KEY"),
- )
- .address(
- std::env::var("WG_ADDRESS")
- .unwrap_or_else(|_| "10.0.0.2/24".into()),
- )
- .add_peer(peer)
- .with_dns(vec!["1.1.1.1".into(), "8.8.8.8".into()])
- .with_mtu(1420)
- .build();
+ // Build configuration
+ let config = WireGuardConfig::new(
+ "ExampleVPN",
+ std::env::var("WG_ENDPOINT")
+ .unwrap_or_else(|_| "vpn.example.com:51820".into()),
+ std::env::var("WG_PRIVATE_KEY")
+ .expect("Set WG_PRIVATE_KEY"),
+ std::env::var("WG_ADDRESS")
+ .unwrap_or_else(|_| "10.0.0.2/24".into()),
+ vec![peer],
+ )
+ .with_dns(vec!["1.1.1.1".into(), "8.8.8.8".into()])
+ .with_mtu(1420);
// Connect
println!("Connecting to VPN...");
- nm.connect_vpn(creds).await?;
+ nm.connect_vpn(config).await?;
println!("Connected!\n");
// Show VPN details
let info = nm.get_vpn_info("ExampleVPN").await?;
println!("VPN Connection Details:");
println!(" Name: {}", info.name);
- println!(" Type: {:?}", info.vpn_type);
+ println!(" Kind: {:?}", info.vpn_kind);
println!(" State: {:?}", info.state);
println!(" Interface: {:?}", info.interface);
println!(" Gateway: {:?}", info.gateway);
@@ -110,7 +103,7 @@ Connected!
VPN Connection Details:
Name: ExampleVPN
- Type: WireGuard
+ Kind: WireGuard
State: Activated
Interface: Some("wg-examplevpn")
Gateway: Some("vpn.example.com")
@@ -153,13 +146,11 @@ let peer2 = WireGuardPeer::new(
vec!["10.2.0.0/16".into()],
);
-let creds = VpnCredentials::builder()
- .name("MultiPeerVPN")
- .wireguard()
- .gateway("us-east.vpn.example.com:51820")
- .private_key("client_private_key")
- .address("10.0.0.2/24")
- .add_peer(peer1)
- .add_peer(peer2)
- .build();
+let config = WireGuardConfig::new(
+ "MultiPeerVPN",
+ "us-east.vpn.example.com:51820",
+ "client_private_key",
+ "10.0.0.2/24",
+ vec![peer1, peer2],
+);
```
diff --git a/docs/src/getting-started/quick-start.md b/docs/src/getting-started/quick-start.md
index 42ad4188..accf4db6 100644
--- a/docs/src/getting-started/quick-start.md
+++ b/docs/src/getting-started/quick-start.md
@@ -30,7 +30,7 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// List all available networks
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
// Print network information
for network in networks {
@@ -72,7 +72,7 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// Connect to a WPA-PSK protected network
- nm.connect("MyHomeNetwork", WifiSecurity::WpaPsk {
+ nm.connect("MyHomeNetwork", None, WifiSecurity::WpaPsk {
psk: "your_password_here".into()
}).await?;
@@ -98,7 +98,7 @@ use nmrs::{NetworkManager, WifiSecurity, ConnectionError};
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- match nm.connect("MyNetwork", WifiSecurity::WpaPsk {
+ match nm.connect("MyNetwork", None, WifiSecurity::WpaPsk {
psk: "password123".into()
}).await {
Ok(_) => println!("✓ Connected successfully"),
@@ -158,7 +158,7 @@ use nmrs::NetworkManager;
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- let profiles = nm.list_connections().await?;
+ let profiles = nm.list_saved_connection_ids().await?;
println!("Saved connections:");
for profile in profiles {
@@ -207,7 +207,7 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
println!("Scanning for networks...\n");
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
// Display networks with numbering
for (i, net) in networks.iter().enumerate() {
@@ -252,7 +252,7 @@ async fn main() -> nmrs::Result<()> {
// Connect
println!("Connecting to {}...", selected.ssid);
- nm.connect(&selected.ssid, security).await?;
+ nm.connect(&selected.ssid, None, security).await?;
println!("✓ Connected successfully!");
diff --git a/docs/src/guide/devices.md b/docs/src/guide/devices.md
index da1a736d..6e8564bc 100644
--- a/docs/src/guide/devices.md
+++ b/docs/src/guide/devices.md
@@ -132,25 +132,24 @@ let bluetooth = nm.list_bluetooth_devices().await?;
## Wi-Fi Radio Control
-Enable or disable the Wi-Fi radio globally:
+Check and control the Wi-Fi radio globally:
```rust
let nm = NetworkManager::new().await?;
-// Check current state
-let enabled = nm.wifi_enabled().await?;
-println!("Wi-Fi enabled: {}", enabled);
+// Check current state (software + hardware)
+let state = nm.wifi_state().await?;
+println!("Wi-Fi enabled: {}", state.enabled);
+println!("Wi-Fi hardware enabled: {}", state.hardware_enabled);
-// Check hardware switch (rfkill)
-let hw_enabled = nm.wifi_hardware_enabled().await?;
-println!("Wi-Fi hardware enabled: {}", hw_enabled);
-
-// Toggle Wi-Fi
-nm.set_wifi_enabled(false).await?; // Disable
-nm.set_wifi_enabled(true).await?; // Enable
+// Global toggle
+nm.set_wireless_enabled(false).await?; // Disable
+nm.set_wireless_enabled(true).await?; // Enable
```
-> **Note:** `wifi_hardware_enabled()` reflects the rfkill state. If the hardware switch is off, enabling Wi-Fi via software will have no effect.
+> **Note:** `wifi_state().hardware_enabled` reflects the rfkill state. If the hardware switch is off, enabling Wi-Fi via software will have no effect.
+
+For per-device Wi-Fi enable/disable, see [Per-Device Scoping](./wifi-per-device.md).
## Waiting for Wi-Fi Ready
@@ -159,11 +158,11 @@ After enabling Wi-Fi, the device may take a moment to become ready:
```rust
let nm = NetworkManager::new().await?;
-nm.set_wifi_enabled(true).await?;
+nm.set_wireless_enabled(true).await?;
nm.wait_for_wifi_ready().await?;
// Now safe to scan and connect
-nm.scan_networks().await?;
+nm.scan_networks(None).await?;
```
## Finding a Device by Interface Name
diff --git a/docs/src/guide/error-handling.md b/docs/src/guide/error-handling.md
index a199d367..48e3fab5 100644
--- a/docs/src/guide/error-handling.md
+++ b/docs/src/guide/error-handling.md
@@ -23,6 +23,9 @@ All public API methods return `nmrs::Result`.
| `MissingPassword` | Empty password provided |
| `NoWifiDevice` | No Wi-Fi adapter found |
| `WifiNotReady` | Wi-Fi device not ready in time |
+| `WifiInterfaceNotFound` | Specified Wi-Fi interface doesn't exist |
+| `NotAWifiDevice` | Interface exists but isn't Wi-Fi |
+| `HardwareRadioKilled` | Hardware kill switch is on |
| `NoWiredDevice` | No Ethernet adapter found |
| `DhcpFailed` | Failed to obtain an IP address via DHCP |
| `Timeout` | Operation timed out waiting for activation |
@@ -41,6 +44,8 @@ All public API methods return `nmrs::Result`.
|---------|-------------|
| `NoVpnConnection` | VPN not found or not active |
| `VpnFailed(String)` | VPN connection failed with details |
+| `VpnIdAmbiguous` | Multiple VPNs share the same name |
+| `IncompleteBuilder` | VPN builder missing required fields |
| `InvalidPrivateKey(String)` | Bad WireGuard private key |
| `InvalidPublicKey(String)` | Bad WireGuard public key |
| `InvalidAddress(String)` | Bad IP address or CIDR notation |
@@ -79,7 +84,7 @@ use nmrs::{NetworkManager, WifiSecurity};
#[tokio::main]
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- nm.connect("MyWiFi", WifiSecurity::Open).await?;
+ nm.connect("MyWiFi", None, WifiSecurity::Open).await?;
Ok(())
}
```
@@ -93,7 +98,7 @@ use nmrs::{NetworkManager, WifiSecurity, ConnectionError};
let nm = NetworkManager::new().await?;
-match nm.connect("MyWiFi", WifiSecurity::WpaPsk {
+match nm.connect("MyWiFi", None, WifiSecurity::WpaPsk {
psk: "password".into(),
}).await {
Ok(_) => println!("Connected!"),
@@ -126,7 +131,7 @@ use nmrs::{NetworkManager, WifiSecurity, ConnectionError};
let nm = NetworkManager::new().await?;
for attempt in 1..=3 {
- match nm.connect("MyWiFi", WifiSecurity::WpaPsk {
+ match nm.connect("MyWiFi", None, WifiSecurity::WpaPsk {
psk: "password".into(),
}).await {
Ok(_) => {
@@ -168,11 +173,18 @@ use nmrs::NetworkManager;
async fn connect() -> Result<()> {
let nm = NetworkManager::new().await?;
- nm.connect("MyWiFi", nmrs::WifiSecurity::Open).await?;
+ nm.connect("MyWiFi", None, nmrs::WifiSecurity::Open).await?;
Ok(())
}
```
+### Radio / Airplane-mode Errors
+
+| Variant | Description |
+|---------|-------------|
+| `HardwareRadioKilled` | Hardware kill switch is on; Wi-Fi cannot be enabled until the switch is toggled |
+| `BluezUnavailable` | Bluetooth D-Bus service (BlueZ) is not running or unreachable |
+
## Non-Exhaustive
`ConnectionError` is marked `#[non_exhaustive]`, which means new variants may be added in future versions without a breaking change. Always include a wildcard arm in match expressions:
diff --git a/docs/src/guide/monitoring.md b/docs/src/guide/monitoring.md
index 1347420a..d85bc325 100644
--- a/docs/src/guide/monitoring.md
+++ b/docs/src/guide/monitoring.md
@@ -144,7 +144,7 @@ async fn main() -> nmrs::Result<()> {
loop {
notify.notified().await;
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
println!("Updated: {} networks visible", networks.len());
}
}
diff --git a/docs/src/guide/profiles.md b/docs/src/guide/profiles.md
index 1c879e67..cf608920 100644
--- a/docs/src/guide/profiles.md
+++ b/docs/src/guide/profiles.md
@@ -12,15 +12,15 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
let connections = nm.list_saved_connections().await?;
- for name in &connections {
- println!(" {}", name);
+ for conn in &connections {
+ println!(" {} ({})", conn.id, conn.connection_type);
}
Ok(())
}
```
-`list_saved_connections()` returns the names of all saved connection profiles across all connection types — Wi-Fi, Ethernet, VPN, and Bluetooth.
+`list_saved_connections()` returns full `SavedConnection` objects for all saved connection profiles across all connection types — Wi-Fi, Ethernet, VPN, and Bluetooth. Each `SavedConnection` includes the profile `id` (name), `connection_type`, and other metadata.
## Checking for a Saved Connection
@@ -46,12 +46,12 @@ When you call `connect()` with an SSID that has a saved profile, nmrs activates
let nm = NetworkManager::new().await?;
// First connection — credentials are required and saved
-nm.connect("HomeWiFi", WifiSecurity::WpaPsk {
+nm.connect("HomeWiFi", None, WifiSecurity::WpaPsk {
psk: "password".into(),
}).await?;
// Later reconnection — saved profile is used, security parameter is ignored
-nm.connect("HomeWiFi", WifiSecurity::Open).await?;
+nm.connect("HomeWiFi", None, WifiSecurity::Open).await?;
```
## Forgetting (Deleting) Connections
diff --git a/docs/src/guide/vpn-management.md b/docs/src/guide/vpn-management.md
index 3e9c30e2..36f8d6a0 100644
--- a/docs/src/guide/vpn-management.md
+++ b/docs/src/guide/vpn-management.md
@@ -1,6 +1,6 @@
# VPN Management
-Once you've set up a WireGuard VPN connection, nmrs provides methods to list, inspect, disconnect, and remove VPN profiles.
+Once you've set up a WireGuard or OpenVPN connection, nmrs provides methods to list, inspect, connect, disconnect, and remove VPN profiles.
## Listing VPN Connections
@@ -13,13 +13,14 @@ async fn main() -> nmrs::Result<()> {
let vpns = nm.list_vpn_connections().await?;
for vpn in &vpns {
- println!("{}: {:?} [{:?}]",
+ println!("{}: {:?} [{:?}] (active: {})",
vpn.name,
vpn.vpn_type,
vpn.state,
+ vpn.active,
);
if let Some(iface) = &vpn.interface {
- println!(" Interface: {}", iface);
+ println!(" Interface: {iface}");
}
}
@@ -31,10 +32,26 @@ async fn main() -> nmrs::Result<()> {
| Field | Type | Description |
|-------|------|-------------|
+| `uuid` | `String` | Connection UUID |
+| `id` | `String` | Connection name (alias for `name`) |
| `name` | `String` | Connection profile name |
-| `vpn_type` | `VpnType` | VPN protocol (currently `WireGuard`) |
+| `vpn_type` | `VpnType` | VPN protocol — a data-carrying enum with `WireGuard`, `OpenVpn`, and other variants |
| `state` | `DeviceState` | Current state (`Activated`, `Disconnected`, etc.) |
-| `interface` | `Option` | Network interface when active (e.g., `wg0`) |
+| `interface` | `Option` | Network interface when active (e.g., `wg0`, `tun0`) |
+| `active` | `bool` | Whether the connection is currently active |
+| `kind` | `VpnKind` | `VpnKind::Plugin` (OpenVPN) or `VpnKind::WireGuard` |
+
+## Active VPN Connections
+
+Get only currently active VPN connections:
+
+```rust
+let active = nm.active_vpn_connections().await?;
+
+for vpn in &active {
+ println!("Active: {} ({:?}) on {:?}", vpn.name, vpn.vpn_type, vpn.interface);
+}
+```
## Getting VPN Details
@@ -46,13 +63,17 @@ let nm = NetworkManager::new().await?;
let info = nm.get_vpn_info("MyVPN").await?;
println!("Name: {}", info.name);
-println!("Type: {:?}", info.vpn_type);
+println!("Kind: {:?}", info.vpn_kind);
println!("State: {:?}", info.state);
println!("Interface: {:?}", info.interface);
println!("Gateway: {:?}", info.gateway);
println!("IPv4: {:?}", info.ip4_address);
println!("IPv6: {:?}", info.ip6_address);
println!("DNS: {:?}", info.dns_servers);
+
+if let Some(details) = &info.details {
+ println!("Details: {:?}", details);
+}
```
The `VpnConnectionInfo` struct provides:
@@ -60,22 +81,42 @@ The `VpnConnectionInfo` struct provides:
| Field | Type | Description |
|-------|------|-------------|
| `name` | `String` | Connection name |
-| `vpn_type` | `VpnType` | VPN protocol |
+| `vpn_kind` | `VpnKind` | `VpnKind::Plugin` or `VpnKind::WireGuard` |
| `state` | `DeviceState` | Current state |
| `interface` | `Option` | Interface name |
| `gateway` | `Option` | VPN gateway address |
| `ip4_address` | `Option` | Assigned IPv4 address |
| `ip6_address` | `Option` | Assigned IPv6 address |
| `dns_servers` | `Vec` | Active DNS servers |
+| `details` | `Option` | Additional VPN-specific details |
> **Note:** `get_vpn_info()` returns `ConnectionError::NoVpnConnection` if the VPN is not currently active.
+## Connecting to a Saved VPN
+
+Reconnect to an existing VPN profile by name or UUID without rebuilding the config:
+
+```rust
+let nm = NetworkManager::new().await?;
+
+// By profile name
+nm.connect_vpn_by_id("MyVPN").await?;
+
+// By UUID
+nm.connect_vpn_by_uuid("a1b2c3d4-e5f6-7890-abcd-ef1234567890").await?;
+```
+
## Disconnecting a VPN
```rust
let nm = NetworkManager::new().await?;
+// By name
nm.disconnect_vpn("MyVPN").await?;
+
+// By UUID
+nm.disconnect_vpn_by_uuid("a1b2c3d4-e5f6-7890-abcd-ef1234567890").await?;
+
println!("VPN disconnected");
```
@@ -97,7 +138,7 @@ println!("VPN profile deleted");
## Complete Example
```rust
-use nmrs::{NetworkManager, VpnCredentials, WireGuardPeer};
+use nmrs::{NetworkManager, WireGuardConfig, WireGuardPeer};
#[tokio::main]
async fn main() -> nmrs::Result<()> {
@@ -106,27 +147,26 @@ async fn main() -> nmrs::Result<()> {
// List existing VPNs
println!("Saved VPN connections:");
for vpn in nm.list_vpn_connections().await? {
- println!(" {} ({:?}) - {:?}", vpn.name, vpn.vpn_type, vpn.state);
+ println!(" {} ({:?}) - {:?} [active: {}]",
+ vpn.name, vpn.vpn_type, vpn.state, vpn.active);
}
- // Connect
+ // Connect a new WireGuard VPN
let peer = WireGuardPeer::new(
"SERVER_PUBLIC_KEY",
"vpn.example.com:51820",
vec!["0.0.0.0/0".into()],
).with_persistent_keepalive(25);
- let creds = VpnCredentials::builder()
- .name("ExampleVPN")
- .wireguard()
- .gateway("vpn.example.com:51820")
- .private_key("CLIENT_PRIVATE_KEY")
- .address("10.0.0.2/24")
- .add_peer(peer)
- .with_dns(vec!["1.1.1.1".into()])
- .build();
+ let config = WireGuardConfig::new(
+ "ExampleVPN",
+ "vpn.example.com:51820",
+ "CLIENT_PRIVATE_KEY",
+ "10.0.0.2/24",
+ vec![peer],
+ ).with_dns(vec!["1.1.1.1".into()]);
- nm.connect_vpn(creds).await?;
+ nm.connect_vpn(config).await?;
// Show details
let info = nm.get_vpn_info("ExampleVPN").await?;
@@ -153,9 +193,12 @@ async fn main() -> nmrs::Result<()> {
| `InvalidPrivateKey` | `connect_vpn` | Bad WireGuard key |
| `InvalidAddress` | `connect_vpn` | Bad IP/CIDR |
| `InvalidGateway` | `connect_vpn` | Bad endpoint format |
+| `AuthFailed` | `connect_vpn` | OpenVPN authentication failed |
+| `InvalidConfig` | `connect_vpn` | OpenVPN configuration error (missing certs, bad options) |
## Next Steps
-- [WireGuard Setup](./vpn-wireguard.md) – credential configuration details
-- [Error Handling](./error-handling.md) – comprehensive error reference
-- [Real-Time Monitoring](./monitoring.md) – monitor VPN state changes
+- [WireGuard Setup](./vpn-wireguard.md) — credential configuration details
+- [OpenVPN Setup](./vpn-openvpn.md) — OpenVPN configuration details
+- [Error Handling](./error-handling.md) — comprehensive error reference
+- [Real-Time Monitoring](./monitoring.md) — monitor VPN state changes
diff --git a/docs/src/guide/vpn-openvpn.md b/docs/src/guide/vpn-openvpn.md
new file mode 100644
index 00000000..ed1d5412
--- /dev/null
+++ b/docs/src/guide/vpn-openvpn.md
@@ -0,0 +1,377 @@
+# OpenVPN Setup
+
+[OpenVPN](https://openvpn.net/) is a widely-deployed, battle-tested VPN protocol that uses TLS for key exchange and supports a variety of authentication methods. nmrs provides full OpenVPN support through the NetworkManager OpenVPN plugin, letting you create, import, and manage OpenVPN connections programmatically.
+
+## Prerequisites
+
+- NetworkManager 1.2+
+- The OpenVPN plugin for NetworkManager:
+ - Fedora / RHEL: `NetworkManager-openvpn`
+ - Debian / Ubuntu: `network-manager-openvpn`
+ - Arch Linux: `networkmanager-openvpn`
+- OpenVPN certificates and/or credentials from your VPN provider
+
+## Quick Start
+
+Connect to an OpenVPN server using password + TLS certificate authentication:
+
+```rust
+use nmrs::{NetworkManager, OpenVpnConfig, OpenVpnAuthType};
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let config = OpenVpnConfig::new("CorpVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::PasswordTls)
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key")
+ .with_username("alice")
+ .with_password("hunter2")
+ .with_dns(vec!["1.1.1.1".into()]);
+
+ nm.connect_vpn(config).await?;
+
+ println!("VPN connected!");
+ Ok(())
+}
+```
+
+## Authentication Types
+
+OpenVPN supports four authentication modes, selected with `OpenVpnAuthType`:
+
+| Variant | Description | Required Fields |
+|---------|-------------|-----------------|
+| `Password` | Username/password only | `username` |
+| `Tls` | TLS certificate only | `ca_cert`, `client_cert`, `client_key` |
+| `PasswordTls` | Password + TLS certificates | `username`, `ca_cert`, `client_cert`, `client_key` |
+| `StaticKey` | Pre-shared static key | (static key file via TLS auth) |
+
+### Password Authentication
+
+```rust
+use nmrs::{OpenVpnConfig, OpenVpnAuthType};
+
+let config = OpenVpnConfig::new("SimpleVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::Password)
+ .with_username("alice")
+ .with_password("secret")
+ .with_ca_cert("/etc/openvpn/ca.crt");
+```
+
+### TLS Certificate Authentication
+
+```rust
+use nmrs::{OpenVpnConfig, OpenVpnAuthType};
+
+let config = OpenVpnConfig::new("CertVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::Tls)
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key");
+```
+
+If the client key is encrypted:
+
+```rust
+let config = config.with_key_password("keyfile-passphrase");
+```
+
+### Password + TLS Authentication
+
+The most common configuration for corporate VPNs — the server verifies both your certificate and your credentials:
+
+```rust
+use nmrs::{OpenVpnConfig, OpenVpnAuthType};
+
+let config = OpenVpnConfig::new("CorpVPN", "vpn.example.com", 443, true)
+ .with_auth_type(OpenVpnAuthType::PasswordTls)
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key")
+ .with_username("alice")
+ .with_password("secret");
+```
+
+## Configuration Reference
+
+| Field | Builder Method | Required | Description |
+|-------|---------------|----------|-------------|
+| `name` | constructor | Yes | Connection profile name |
+| `remote` | constructor | Yes | Server hostname or IP |
+| `port` | constructor | Yes | Server port (typically 1194 or 443) |
+| `tcp` | constructor | Yes | `true` for TCP, `false` for UDP |
+| `auth_type` | `with_auth_type` | No | Authentication mode (see above) |
+| `ca_cert` | `with_ca_cert` | No* | Path to CA certificate |
+| `client_cert` | `with_client_cert` | No* | Path to client certificate |
+| `client_key` | `with_client_key` | No* | Path to client private key |
+| `key_password` | `with_key_password` | No | Password for encrypted key file |
+| `username` | `with_username` | No* | Username for password auth |
+| `password` | `with_password` | No | Password for password auth |
+| `cipher` | `with_cipher` | No | Data channel cipher (e.g. `"AES-256-GCM"`) |
+| `auth` | `with_auth` | No | HMAC digest algorithm (e.g. `"SHA256"`) |
+| `dns` | `with_dns` | No | DNS servers while connected |
+| `mtu` | `with_mtu` | No | MTU size |
+| `uuid` | `with_uuid` | No | Custom UUID (auto-generated if omitted) |
+| `compression` | `with_compression` | No | Compression mode (see below) |
+| `proxy` | `with_proxy` | No | Proxy configuration |
+| `redirect_gateway` | `with_redirect_gateway` | No | Full tunnel (`false` by default) |
+| `routes` | `with_routes` | No | Split tunnel routes |
+
+\* Required depending on the chosen `auth_type`.
+
+## Importing .ovpn Files
+
+If you already have an `.ovpn` configuration file, you can import it directly.
+
+### High-Level Import
+
+The simplest approach — import and connect in one call:
+
+```rust
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ nm.import_ovpn("corp.ovpn", Some("alice"), Some("secret")).await?;
+
+ println!("Connected via imported .ovpn profile");
+ Ok(())
+}
+```
+
+`import_ovpn` parses the file, creates a NetworkManager connection profile, and activates it. The connection name defaults to the filename stem (e.g., `corp` from `corp.ovpn`).
+
+### Builder-Based Import
+
+For more control, use `OpenVpnBuilder::from_ovpn_file` to parse the file into a builder, then customise before connecting:
+
+```rust
+use nmrs::builders::OpenVpnBuilder;
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let config = OpenVpnBuilder::from_ovpn_file("corp.ovpn")?
+ .username("alice")
+ .dns(vec!["1.1.1.1".into()])
+ .mtu(1400)
+ .remote_cert_tls("server")
+ .build()?;
+
+ nm.connect_vpn(config).await?;
+
+ Ok(())
+}
+```
+
+You can also parse from a string with `OpenVpnBuilder::from_ovpn_str(content, name)` if the configuration is fetched from a remote source.
+
+## TLS Hardening
+
+OpenVPN's TLS layer can be hardened with several options. These are independent of the authentication type and can be combined.
+
+### TLS Auth
+
+Adds an HMAC firewall to the control channel, providing DoS protection. Both sides must share the same static key and agree on direction:
+
+```rust
+let config = config
+ .with_tls_auth("/etc/openvpn/ta.key", Some(1));
+```
+
+### TLS-Crypt
+
+Encrypts **and** authenticates the entire control channel with a pre-shared key — stronger than `tls-auth` because the TLS handshake itself is hidden:
+
+```rust
+let config = config
+ .with_tls_crypt("/etc/openvpn/tls-crypt.key");
+```
+
+### TLS-Crypt-v2
+
+Per-client key wrapping, allowing the server to issue unique keys to each client while retaining the benefits of TLS-Crypt:
+
+```rust
+let config = config
+ .with_tls_crypt_v2("/etc/openvpn/client-tls-crypt-v2.key");
+```
+
+> **Note:** `tls-auth`, `tls-crypt`, and `tls-crypt-v2` are mutually exclusive. Use only one.
+
+### Certificate Verification
+
+Verify the server's certificate identity to prevent man-in-the-middle attacks:
+
+```rust
+use nmrs::OpenVpnConfig;
+
+let config = OpenVpnConfig::new("SecureVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(nmrs::OpenVpnAuthType::Tls)
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key")
+ .with_remote_cert_tls("server")
+ .with_verify_x509_name("vpn.example.com", "name");
+```
+
+| Method | Purpose |
+|--------|---------|
+| `with_remote_cert_tls("server")` | Require the remote cert to have server (TLS Web Server) usage |
+| `with_verify_x509_name(name, type)` | Verify the CN or subject of the server certificate |
+| `with_tls_version_min("1.2")` | Enforce minimum TLS version |
+| `with_tls_version_max("1.3")` | Cap the maximum TLS version |
+| `with_tls_cipher(suite)` | Restrict control-channel cipher suites |
+
+## Split Tunneling
+
+By default, `redirect_gateway` is `false` — only traffic matching explicit routes goes through the VPN.
+
+### Full Tunnel
+
+Route all traffic through the VPN:
+
+```rust
+let config = config.with_redirect_gateway(true);
+```
+
+### Split Tunnel with Routes
+
+Route only specific networks through the VPN using `VpnRoute`:
+
+```rust
+use nmrs::{OpenVpnConfig, OpenVpnAuthType, VpnRoute};
+
+let config = OpenVpnConfig::new("OfficeVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::Tls)
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key")
+ .with_routes(vec![
+ VpnRoute::new("10.0.0.0", 8),
+ VpnRoute::new("192.168.1.0", 24).next_hop("10.0.0.1").metric(100),
+ ]);
+```
+
+| `VpnRoute` Method | Description |
+|--------------------|-------------|
+| `VpnRoute::new(dest, prefix)` | Destination network and CIDR prefix length |
+| `.next_hop(gateway)` | Optional gateway for the route |
+| `.metric(m)` | Optional route metric (lower = higher priority) |
+
+## Compression
+
+OpenVPN supports several compression algorithms, but **compression is disabled by default for security reasons**.
+
+```rust
+use nmrs::OpenVpnCompression;
+
+let config = config.with_compression(OpenVpnCompression::No);
+```
+
+| Variant | Description |
+|---------|-------------|
+| `No` | Disabled (recommended default) |
+| `Lzo` | LZO compression (deprecated) |
+| `Lz4` | LZ4 compression |
+| `Lz4V2` | LZ4 v2 compression |
+| `Yes` | Adaptive compression |
+
+> **Security Warning:** Enabling compression on an OpenVPN tunnel that carries TLS traffic (HTTPS, etc.) exposes the connection to the [VORACLE attack](https://openvpn.net/security-advisory/the-voracle-attack-vulnerability/). An attacker who can observe encrypted VPN traffic and induce the victim to visit attacker-controlled content can recover plaintext via compression oracle side-channels. **Leave compression disabled unless you have a specific need and understand the risk.**
+
+## Proxy Support
+
+Route OpenVPN traffic through an HTTP or SOCKS proxy:
+
+### HTTP Proxy
+
+```rust
+use nmrs::OpenVpnProxy;
+
+let config = config.with_proxy(OpenVpnProxy::Http {
+ server: "proxy.example.com".into(),
+ port: 8080,
+ username: Some("proxyuser".into()),
+ password: Some("proxypass".into()),
+ retry: true,
+});
+```
+
+### SOCKS Proxy
+
+```rust
+use nmrs::OpenVpnProxy;
+
+let config = config.with_proxy(OpenVpnProxy::Socks {
+ server: "socks.example.com".into(),
+ port: 1080,
+ retry: false,
+});
+```
+
+When using a proxy, TCP mode (`tcp: true` in the constructor) is typically required.
+
+## Error Handling
+
+Handle OpenVPN-specific errors:
+
+```rust
+use nmrs::{ConnectionError, NetworkManager, OpenVpnConfig, OpenVpnAuthType};
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let config = OpenVpnConfig::new("CorpVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::PasswordTls)
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key")
+ .with_username("alice")
+ .with_password("secret");
+
+ match nm.connect_vpn(config).await {
+ Ok(()) => println!("VPN connected"),
+
+ Err(ConnectionError::VpnFailed(msg)) => {
+ eprintln!("OpenVPN activation failed: {msg}");
+ }
+
+ Err(ConnectionError::AuthFailed) => {
+ eprintln!("Authentication failed — check username/password and certificates");
+ }
+
+ Err(ConnectionError::Timeout) => {
+ eprintln!("Connection timed out — verify server address and port");
+ }
+
+ Err(ConnectionError::InvalidGateway(msg)) => {
+ eprintln!("Bad server address: {msg}");
+ }
+
+ Err(e) => eprintln!("Unexpected error: {e}"),
+ }
+
+ Ok(())
+}
+```
+
+| Error | Cause |
+|-------|-------|
+| `VpnFailed` | Plugin missing, config rejected, or activation failed |
+| `AuthFailed` | Bad username/password or certificate rejected |
+| `Timeout` | Server unreachable or handshake timed out |
+| `InvalidGateway` | Empty or invalid remote address |
+
+## Next Steps
+
+- [VPN Connections](./vpn.md) – VPN overview and general operations
+- [VPN Management](./vpn-management.md) – list, disconnect, and remove VPN profiles
+- [Error Handling](./error-handling.md) – comprehensive error reference
diff --git a/docs/src/guide/vpn-wireguard.md b/docs/src/guide/vpn-wireguard.md
index debf758f..0ef0bd19 100644
--- a/docs/src/guide/vpn-wireguard.md
+++ b/docs/src/guide/vpn-wireguard.md
@@ -11,7 +11,7 @@
## Quick Start
```rust
-use nmrs::{NetworkManager, VpnCredentials, VpnType, WireGuardPeer};
+use nmrs::{NetworkManager, WireGuardConfig, WireGuardPeer};
#[tokio::main]
async fn main() -> nmrs::Result<()> {
@@ -23,8 +23,7 @@ async fn main() -> nmrs::Result<()> {
vec!["0.0.0.0/0".into()],
).with_persistent_keepalive(25);
- let creds = VpnCredentials::new(
- VpnType::WireGuard,
+ let config = WireGuardConfig::new(
"MyVPN",
"vpn.example.com:51820",
"CLIENT_PRIVATE_KEY_BASE64",
@@ -32,7 +31,7 @@ async fn main() -> nmrs::Result<()> {
vec![peer],
).with_dns(vec!["1.1.1.1".into()]);
- nm.connect_vpn(creds).await?;
+ nm.connect_vpn(config).await?;
println!("VPN connected!");
Ok(())
@@ -51,11 +50,10 @@ async fn main() -> nmrs::Result<()> {
| **DNS** | DNS servers to use while the VPN is active |
| **Persistent Keepalive** | Seconds between keepalive packets (helps with NAT traversal) |
-## VpnCredentials Fields
+## WireGuardConfig Fields
| Field | Required | Description |
|-------|----------|-------------|
-| `vpn_type` | Yes | Must be `VpnType::WireGuard` |
| `name` | Yes | Connection profile name |
| `gateway` | Yes | Server endpoint (`host:port`) |
| `private_key` | Yes | Client private key (base64) |
@@ -65,12 +63,10 @@ async fn main() -> nmrs::Result<()> {
| `mtu` | No | MTU size (typical: 1420) |
| `uuid` | No | Custom UUID (auto-generated if omitted) |
-## Building Credentials
-
-### Direct Constructor
+## Building Configuration
```rust
-use nmrs::{VpnCredentials, VpnType, WireGuardPeer};
+use nmrs::{WireGuardConfig, WireGuardPeer};
let peer = WireGuardPeer::new(
"HIgo9xNzJMWLKAShlKl6/bUT1VI9Q0SDBXGtLXkPFXc=",
@@ -79,8 +75,7 @@ let peer = WireGuardPeer::new(
).with_persistent_keepalive(25)
.with_preshared_key("OPTIONAL_PSK_BASE64");
-let creds = VpnCredentials::new(
- VpnType::WireGuard,
+let config = WireGuardConfig::new(
"HomeVPN",
"vpn.example.com:51820",
"YBk6X3pP8KjKz7+HFWzVHNqL3qTZq8hX9VxFQJ4zVmM=",
@@ -90,31 +85,6 @@ let creds = VpnCredentials::new(
.with_mtu(1420);
```
-### Builder Pattern
-
-The builder pattern avoids positional parameter confusion:
-
-```rust
-use nmrs::{VpnCredentials, WireGuardPeer};
-
-let peer = WireGuardPeer::new(
- "HIgo9xNzJMWLKAShlKl6/bUT1VI9Q0SDBXGtLXkPFXc=",
- "vpn.example.com:51820",
- vec!["0.0.0.0/0".into()],
-).with_persistent_keepalive(25);
-
-let creds = VpnCredentials::builder()
- .name("HomeVPN")
- .wireguard()
- .gateway("vpn.example.com:51820")
- .private_key("YBk6X3pP8KjKz7+HFWzVHNqL3qTZq8hX9VxFQJ4zVmM=")
- .address("10.0.0.2/24")
- .add_peer(peer)
- .with_dns(vec!["1.1.1.1".into()])
- .with_mtu(1420)
- .build();
-```
-
## WireGuardPeer Configuration
| Field | Required | Description |
@@ -183,5 +153,6 @@ Invalid parameters produce specific error variants:
## Next Steps
- [VPN Management](./vpn-management.md) – list, disconnect, and remove VPN connections
+- [OpenVPN Setup](./vpn-openvpn.md) – set up OpenVPN connections
- [Custom Timeouts](../advanced/timeouts.md) – adjust VPN connection timeouts
- [Error Handling](./error-handling.md) – handle VPN-specific errors
diff --git a/docs/src/guide/vpn.md b/docs/src/guide/vpn.md
index 1edcedae..96a382d9 100644
--- a/docs/src/guide/vpn.md
+++ b/docs/src/guide/vpn.md
@@ -1,188 +1,115 @@
# VPN Connections
-nmrs provides full support for WireGuard VPN connections through NetworkManager. This guide covers everything you need to know about managing VPNs with nmrs.
+nmrs provides full support for WireGuard and OpenVPN connections through NetworkManager. This guide covers everything you need to know about managing VPNs with nmrs.
## Overview
VPN support includes:
-- **WireGuard** - Modern, fast, secure VPN protocol
-- **Profile Management** - Save and reuse VPN configurations
-- **Connection Control** - Connect, disconnect, monitor VPN status
-- **Multiple Peers** - Support for multiple WireGuard peers
-- **Custom DNS** - Override DNS servers for VPN connections
-- **MTU Configuration** - Optimize packet sizes
+- **WireGuard** — Modern, fast, secure VPN protocol (native NetworkManager integration)
+- **OpenVPN** — Widely deployed VPN protocol (via NetworkManager OpenVPN plugin)
+- **`.ovpn` Import** — Import existing OpenVPN configuration files
+- **Profile Management** — Save and reuse VPN configurations
+- **Connection Control** — Connect, disconnect, monitor VPN status
+- **Multiple Peers** — Support for multiple WireGuard peers
+- **Custom DNS** — Override DNS servers for VPN connections
+- **MTU Configuration** — Optimize packet sizes
-## Quick Start
-
-Basic WireGuard VPN connection:
+## WireGuard Quick Start
```rust
-use nmrs::{NetworkManager, VpnCredentials, VpnType, WireGuardPeer};
+use nmrs::{NetworkManager, WireGuardConfig, WireGuardPeer};
#[tokio::main]
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
-
- // Create a WireGuard peer
+
let peer = WireGuardPeer::new(
- "server_public_key_here",
+ "server_public_key",
"vpn.example.com:51820",
- vec!["0.0.0.0/0".into()], // Route all traffic through VPN
+ vec!["0.0.0.0/0".into()],
).with_persistent_keepalive(25);
-
- // Create VPN credentials
- let creds = VpnCredentials::new(
- VpnType::WireGuard,
+
+ let config = WireGuardConfig::new(
"MyVPN",
"vpn.example.com:51820",
- "your_private_key_here",
- "10.0.0.2/24", // Your VPN IP
+ "your_private_key",
+ "10.0.0.2/24",
vec![peer],
).with_dns(vec!["1.1.1.1".into()]);
-
- // Connect
- nm.connect_vpn(creds).await?;
- println!("Connected to VPN!");
-
- Ok(())
-}
-```
-
-## VPN Credentials
-The `VpnCredentials` struct contains all necessary VPN configuration:
+ nm.connect_vpn(config).await?;
+ println!("Connected to WireGuard VPN!");
-```rust
-pub struct VpnCredentials {
- pub vpn_type: VpnType,
- pub name: String,
- pub gateway: String,
- pub private_key: String,
- pub address: String,
- pub peers: Vec,
- pub dns: Option>,
- pub mtu: Option,
- pub uuid: Option,
+ Ok(())
}
```
-### Creating Credentials
+## OpenVPN Quick Start
```rust
-use nmrs::{VpnCredentials, VpnType, WireGuardPeer};
+use nmrs::{NetworkManager, OpenVpnConfig, OpenVpnAuthType};
-let peer = WireGuardPeer::new(
- "base64_public_key",
- "vpn.example.com:51820",
- vec!["0.0.0.0/0".into()],
-);
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
-let creds = VpnCredentials::new(
- VpnType::WireGuard,
- "WorkVPN", // Connection name
- "vpn.example.com:51820", // Gateway
- "base64_private_key", // Your private key
- "10.0.0.2/24", // Your VPN IP address
- vec![peer], // WireGuard peers
-);
-```
+ let config = OpenVpnConfig::new("CorpVPN", "vpn.example.com", 1194, false)
+ .with_auth_type(OpenVpnAuthType::PasswordTls)
+ .with_username("user")
+ .with_password("secret")
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key");
-### With Custom DNS
+ nm.connect_vpn(config).await?;
+ println!("Connected to OpenVPN!");
-```rust
-let creds = VpnCredentials::new(
- VpnType::WireGuard,
- "MyVPN",
- "vpn.example.com:51820",
- "private_key",
- "10.0.0.2/24",
- vec![peer],
-).with_dns(vec![
- "1.1.1.1".into(),
- "8.8.8.8".into(),
-]);
-```
-
-### With Custom MTU
-
-```rust
-let creds = creds.with_mtu(1420); // Standard WireGuard MTU
+ Ok(())
+}
```
-## WireGuard Peers
+## `.ovpn` File Import
-Each WireGuard connection can have multiple peers:
+Import an existing OpenVPN configuration file directly:
```rust
-pub struct WireGuardPeer {
- pub public_key: String,
- pub gateway: String,
- pub allowed_ips: Vec,
- pub preshared_key: Option,
- pub persistent_keepalive: Option,
-}
+nm.import_ovpn("client.ovpn", Some("user"), Some("secret")).await?;
```
-### Creating Peers
+For certificate-only configs that don't require credentials:
```rust
-use nmrs::WireGuardPeer;
-
-// Basic peer
-let peer = WireGuardPeer::new(
- "peer_public_key",
- "vpn.example.com:51820",
- vec!["0.0.0.0/0".into()],
-);
+nm.import_ovpn("client.ovpn", None, None).await?;
+```
-// Peer with keepalive
-let peer = WireGuardPeer::new(
- "peer_public_key",
- "vpn.example.com:51820",
- vec!["0.0.0.0/0".into()],
-).with_persistent_keepalive(25);
+See the [`.ovpn` Import Example](../examples/ovpn-import.md) for builder-based import and inline certificate handling.
-// Peer with preshared key
-let peer = peer.with_preshared_key("base64_preshared_key");
-```
+## VPN Operations
-### Multiple Peers
+### Connect
```rust
-let peer1 = WireGuardPeer::new(
- "peer1_public_key",
- "vpn1.example.com:51820",
- vec!["10.0.0.0/8".into()],
-);
+// WireGuard
+nm.connect_vpn(wireguard_config).await?;
-let peer2 = WireGuardPeer::new(
- "peer2_public_key",
- "vpn2.example.com:51820",
- vec!["192.168.0.0/16".into()],
-);
-
-let creds = VpnCredentials::new(
- VpnType::WireGuard,
- "MultiPeerVPN",
- "vpn1.example.com:51820",
- "private_key",
- "10.0.0.2/24",
- vec![peer1, peer2], // Multiple peers
-);
+// OpenVPN
+nm.connect_vpn(openvpn_config).await?;
```
-## VPN Operations
+### Connect by Name or UUID
-### Connect to VPN
+Reconnect to a saved VPN profile without rebuilding the config:
```rust
-nm.connect_vpn(creds).await?;
+nm.connect_vpn_by_id("MyVPN").await?;
+nm.connect_vpn_by_uuid("a1b2c3d4-e5f6-...").await?;
```
-### Disconnect from VPN
+### Disconnect
```rust
nm.disconnect_vpn("MyVPN").await?;
+nm.disconnect_vpn_by_uuid("a1b2c3d4-e5f6-...").await?;
```
### List VPN Connections
@@ -190,10 +117,36 @@ nm.disconnect_vpn("MyVPN").await?;
```rust
let vpns = nm.list_vpn_connections().await?;
-for vpn in vpns {
- println!("Name: {}", vpn.name);
- println!("Type: {:?}", vpn.vpn_type);
- println!("State: {:?}", vpn.state);
+for vpn in &vpns {
+ println!("{} ({:?}) — active: {}", vpn.name, vpn.vpn_type, vpn.active);
+ if let Some(iface) = &vpn.interface {
+ println!(" Interface: {iface}");
+ }
+}
+```
+
+`list_vpn_connections()` returns `Vec` with fields:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `uuid` | `String` | Connection UUID |
+| `id` | `String` | Connection name (alias for `name`) |
+| `name` | `String` | Connection profile name |
+| `vpn_type` | `VpnType` | VPN protocol (`WireGuard`, `OpenVpn`, etc.) |
+| `state` | `DeviceState` | Current state (`Activated`, `Disconnected`, etc.) |
+| `interface` | `Option` | Network interface when active |
+| `active` | `bool` | Whether the connection is currently active |
+| `kind` | `VpnKind` | `VpnKind::Plugin` (OpenVPN) or `VpnKind::WireGuard` |
+
+### Active VPN Connections
+
+Get only currently active VPN connections:
+
+```rust
+let active = nm.active_vpn_connections().await?;
+
+for vpn in &active {
+ println!("Active: {} ({:?})", vpn.name, vpn.vpn_type);
}
```
@@ -202,45 +155,39 @@ for vpn in vpns {
```rust
let info = nm.get_vpn_info("MyVPN").await?;
-println!("VPN State: {:?}", info.state);
-if let Some(ip) = info.ip4_address {
- println!("VPN IP: {}", ip);
-}
-if let Some(device) = info.device {
- println!("Device: {}", device);
+println!("Name: {}", info.name);
+println!("Kind: {:?}", info.vpn_kind);
+println!("State: {:?}", info.state);
+println!("Interface: {:?}", info.interface);
+println!("Gateway: {:?}", info.gateway);
+println!("IPv4: {:?}", info.ip4_address);
+println!("IPv6: {:?}", info.ip6_address);
+println!("DNS: {:?}", info.dns_servers);
+
+if let Some(details) = &info.details {
+ println!("Details: {:?}", details);
}
```
-### Check if VPN is Active
+### Remove a VPN Profile
```rust
-let vpns = nm.list_vpn_connections().await?;
-let active = vpns.iter().any(|v| {
- matches!(v.state, nmrs::models::ActiveConnectionState::Activated)
-});
-
-if active {
- println!("VPN is active");
-} else {
- println!("VPN is not active");
-}
+nm.forget_vpn("MyVPN").await?;
```
## Routing Configuration
-### Route All Traffic
-
-Send all traffic through the VPN:
+### Route All Traffic (WireGuard)
```rust
let peer = WireGuardPeer::new(
"public_key",
"vpn.example.com:51820",
- vec!["0.0.0.0/0".into()], // All IPv4
+ vec!["0.0.0.0/0".into()],
);
```
-### Split Tunnel
+### Split Tunnel (WireGuard)
Route only specific networks through VPN:
@@ -249,8 +196,8 @@ let peer = WireGuardPeer::new(
"public_key",
"vpn.example.com:51820",
vec![
- "10.0.0.0/8".into(), // Private network
- "192.168.0.0/16".into(), // Another private network
+ "10.0.0.0/8".into(),
+ "192.168.0.0/16".into(),
],
);
```
@@ -262,90 +209,87 @@ let peer = WireGuardPeer::new(
"public_key",
"vpn.example.com:51820",
vec![
- "0.0.0.0/0".into(), // All IPv4
- "::/0".into(), // All IPv6
+ "0.0.0.0/0".into(),
+ "::/0".into(),
],
);
```
## Error Handling
-Handle VPN-specific errors:
-
```rust
use nmrs::ConnectionError;
-match nm.connect_vpn(creds).await {
+match nm.connect_vpn(config).await {
Ok(_) => println!("VPN connected"),
-
+
Err(ConnectionError::AuthFailed) => {
- eprintln!("VPN authentication failed - check keys");
+ eprintln!("Authentication failed — check keys or credentials");
}
-
+
Err(ConnectionError::Timeout) => {
- eprintln!("VPN connection timed out - check gateway");
+ eprintln!("Connection timed out — check gateway address");
+ }
+
+ Err(ConnectionError::VpnFailed) => {
+ eprintln!("VPN activation failed — check plugin or config");
}
-
+
Err(ConnectionError::NotFound) => {
eprintln!("VPN gateway not reachable");
}
-
- Err(e) => eprintln!("VPN error: {}", e),
+
+ Err(e) => eprintln!("VPN error: {e}"),
}
```
## Complete Example
-Here's a complete VPN client:
-
```rust
-use nmrs::{NetworkManager, VpnCredentials, VpnType, WireGuardPeer};
+use nmrs::{NetworkManager, WireGuardConfig, WireGuardPeer};
#[tokio::main]
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
-
+
// Check if already connected
- let vpns = nm.list_vpn_connections().await?;
- if let Some(active_vpn) = vpns.iter().find(|v| {
- matches!(v.state, nmrs::models::ActiveConnectionState::Activated)
- }) {
- println!("Already connected to: {}", active_vpn.name);
+ let active = nm.active_vpn_connections().await?;
+ if let Some(vpn) = active.first() {
+ println!("Already connected to: {}", vpn.name);
return Ok(());
}
-
+
// Create WireGuard configuration
let peer = WireGuardPeer::new(
std::env::var("WG_PUBLIC_KEY")?,
std::env::var("WG_ENDPOINT")?,
vec!["0.0.0.0/0".into()],
).with_persistent_keepalive(25);
-
- let creds = VpnCredentials::new(
- VpnType::WireGuard,
+
+ let config = WireGuardConfig::new(
"AutoVPN",
- std::env::var("WG_ENDPOINT")?,
- std::env::var("WG_PRIVATE_KEY")?,
- std::env::var("WG_ADDRESS")?,
+ &std::env::var("WG_ENDPOINT")?,
+ &std::env::var("WG_PRIVATE_KEY")?,
+ &std::env::var("WG_ADDRESS")?,
vec![peer],
).with_dns(vec!["1.1.1.1".into(), "8.8.8.8".into()]);
-
+
// Connect
println!("Connecting to VPN...");
- nm.connect_vpn(creds).await?;
-
+ nm.connect_vpn(config).await?;
+
// Verify connection
let info = nm.get_vpn_info("AutoVPN").await?;
println!("Connected! VPN IP: {:?}", info.ip4_address);
-
+
// Keep connection alive
println!("Press Ctrl+C to disconnect...");
tokio::signal::ctrl_c().await?;
-
+
// Disconnect
nm.disconnect_vpn("AutoVPN").await?;
println!("Disconnected from VPN");
-
+
Ok(())
}
```
@@ -354,38 +298,40 @@ async fn main() -> nmrs::Result<()> {
For more advanced VPN usage, see:
-- [WireGuard Setup](./vpn-wireguard.md) - Detailed WireGuard guide
-- [VPN Management](./vpn-management.md) - Managing VPN profiles
-- [Examples](../examples/wireguard-client.md) - Complete VPN client example
+- [WireGuard Setup](./vpn-wireguard.md) — Detailed WireGuard configuration
+- [OpenVPN Setup](./vpn-openvpn.md) — Detailed OpenVPN configuration
+- [VPN Management](./vpn-management.md) — Managing VPN profiles
+- [WireGuard Client Example](../examples/wireguard-client.md) — Complete WireGuard example
+- [OpenVPN Client Example](../examples/openvpn-client.md) — Complete OpenVPN example
+- [`.ovpn` Import Example](../examples/ovpn-import.md) — Import `.ovpn` files
## Security Best Practices
-1. **Never hardcode keys** - Use environment variables or secure storage
-2. **Rotate keys regularly** - Update WireGuard keys periodically
-3. **Use preshared keys** - Add extra layer of security with PSK
-4. **Verify endpoints** - Ensure gateway addresses are correct
-5. **Monitor connection** - Check VPN status regularly
+1. **Never hardcode keys or passwords** — Use environment variables or secure storage
+2. **Rotate keys regularly** — Update WireGuard keys periodically
+3. **Use preshared keys** — Add extra layer of security with PSK (WireGuard)
+4. **Protect certificates** — Store OpenVPN certs with restrictive file permissions (`chmod 600`)
+5. **Use TLS authentication** — Prefer `PasswordTls` or `Tls` over `Password` alone for OpenVPN
+6. **Verify endpoints** — Ensure gateway addresses are correct
+7. **Monitor connection** — Check VPN status regularly
## Troubleshooting
### VPN Won't Connect
```rust
-// Check if WireGuard is available
-// NetworkManager should handle this automatically
-
-// Verify your credentials are correct
-println!("Gateway: {}", creds.gateway);
-println!("Address: {}", creds.address);
-// Don't print private keys!
+let vpns = nm.list_vpn_connections().await?;
+for vpn in &vpns {
+ println!("{}: {:?} (active: {})", vpn.name, vpn.state, vpn.active);
+}
```
-### Connection Drops
+### Connection Drops (WireGuard)
Use persistent keepalive:
```rust
-let peer = peer.with_persistent_keepalive(25); // Send keepalive every 25s
+let peer = peer.with_persistent_keepalive(25);
```
### DNS Not Working
@@ -393,14 +339,31 @@ let peer = peer.with_persistent_keepalive(25); // Send keepalive every 25s
Explicitly set DNS servers:
```rust
-let creds = creds.with_dns(vec![
+let config = config.with_dns(vec![
"1.1.1.1".into(),
"8.8.8.8".into(),
]);
```
+### OpenVPN Plugin Not Found
+
+Ensure the NetworkManager OpenVPN plugin is installed:
+
+```bash
+# Arch Linux
+sudo pacman -S networkmanager-openvpn
+
+# Debian/Ubuntu
+sudo apt install network-manager-openvpn
+
+# Fedora
+sudo dnf install NetworkManager-openvpn
+```
+
## Next Steps
- [WireGuard Setup Guide](./vpn-wireguard.md)
+- [OpenVPN Setup Guide](./vpn-openvpn.md)
- [VPN Management](./vpn-management.md)
-- [Complete VPN Client Example](../examples/wireguard-client.md)
+- [OpenVPN Client Example](../examples/openvpn-client.md)
+- [WireGuard Client Example](../examples/wireguard-client.md)
diff --git a/docs/src/guide/wifi-connecting.md b/docs/src/guide/wifi-connecting.md
index 28cf90b3..cc85c90b 100644
--- a/docs/src/guide/wifi-connecting.md
+++ b/docs/src/guide/wifi-connecting.md
@@ -14,10 +14,10 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// Open network (no password)
- nm.connect("CafeWiFi", WifiSecurity::Open).await?;
+ nm.connect("CafeWiFi", None, WifiSecurity::Open).await?;
// WPA-PSK network (password)
- nm.connect("HomeWiFi", WifiSecurity::WpaPsk {
+ nm.connect("HomeWiFi", None, WifiSecurity::WpaPsk {
psk: "my_password".into(),
}).await?;
@@ -83,7 +83,7 @@ if nm.is_connecting().await? {
return Ok(());
}
-nm.connect("HomeWiFi", WifiSecurity::WpaPsk {
+nm.connect("HomeWiFi", None, WifiSecurity::WpaPsk {
psk: "password".into(),
}).await?;
```
@@ -94,7 +94,7 @@ nm.connect("HomeWiFi", WifiSecurity::WpaPsk {
let nm = NetworkManager::new().await?;
// Disconnect from the current Wi-Fi network
-nm.disconnect().await?;
+nm.disconnect(None).await?;
```
`disconnect()` deactivates the current wireless connection and waits for the device to reach the `Disconnected` state. If no connection is active, it returns `Ok(())`.
@@ -112,7 +112,7 @@ if nm.has_saved_connection("HomeWiFi").await? {
}
// Connect using saved profile (WifiSecurity value is ignored if profile exists)
-nm.connect("HomeWiFi", WifiSecurity::Open).await?;
+nm.connect("HomeWiFi", None, WifiSecurity::Open).await?;
```
See [Connection Profiles](./profiles.md) for more on managing saved connections.
@@ -126,7 +126,7 @@ use nmrs::{NetworkManager, WifiSecurity, ConnectionError};
let nm = NetworkManager::new().await?;
-match nm.connect("MyNetwork", WifiSecurity::WpaPsk {
+match nm.connect("MyNetwork", None, WifiSecurity::WpaPsk {
psk: "password".into(),
}).await {
Ok(_) => println!("Connected!"),
diff --git a/docs/src/guide/wifi-enterprise.md b/docs/src/guide/wifi-enterprise.md
index 58dd7574..c47f7200 100644
--- a/docs/src/guide/wifi-enterprise.md
+++ b/docs/src/guide/wifi-enterprise.md
@@ -15,7 +15,7 @@ async fn main() -> nmrs::Result<()> {
.with_method(EapMethod::Peap)
.with_phase2(Phase2::Mschapv2);
- nm.connect("CorpWiFi", WifiSecurity::WpaEap { opts: eap }).await?;
+ nm.connect("CorpWiFi", None, WifiSecurity::WpaEap { opts: eap }).await?;
println!("Connected to enterprise WiFi!");
Ok(())
@@ -165,7 +165,7 @@ async fn main() -> nmrs::Result<()> {
.system_ca_certs(true)
.build();
- nm.connect("CorpNetwork", WifiSecurity::WpaEap {
+ nm.connect("CorpNetwork", None, WifiSecurity::WpaEap {
opts: eap,
}).await?;
diff --git a/docs/src/guide/wifi-hidden.md b/docs/src/guide/wifi-hidden.md
index 2af2ec87..1daa263b 100644
--- a/docs/src/guide/wifi-hidden.md
+++ b/docs/src/guide/wifi-hidden.md
@@ -14,10 +14,10 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// Hidden open network
- nm.connect("HiddenCafe", WifiSecurity::Open).await?;
+ nm.connect("HiddenCafe", None, WifiSecurity::Open).await?;
// Hidden WPA-PSK network
- nm.connect("SecretLab", WifiSecurity::WpaPsk {
+ nm.connect("SecretLab", None, WifiSecurity::WpaPsk {
psk: "lab_password".into(),
}).await?;
@@ -49,7 +49,7 @@ let eap = EapOptions::new("user@company.com", "password")
.with_phase2(Phase2::Mschapv2)
.with_system_ca_certs(true);
-nm.connect("HiddenCorpNet", WifiSecurity::WpaEap {
+nm.connect("HiddenCorpNet", None, WifiSecurity::WpaEap {
opts: eap,
}).await?;
```
diff --git a/docs/src/guide/wifi-per-device.md b/docs/src/guide/wifi-per-device.md
new file mode 100644
index 00000000..b76316de
--- /dev/null
+++ b/docs/src/guide/wifi-per-device.md
@@ -0,0 +1,220 @@
+# Per-Device Wi-Fi Scoping
+
+Many machines have more than one Wi-Fi radio — a built-in card plus a USB dongle, a laptop in a dock with a secondary adapter, or an IoT gateway with dual radios on different bands. By default, nmrs routes every Wi-Fi operation through whichever device NetworkManager returns first. That works on single-radio systems, but on multi-radio setups you need to control *which* adapter scans, connects, or gets disabled.
+
+nmrs 3.0 introduces per-device scoping so you can target a specific interface by name.
+
+## Listing Wi-Fi Devices
+
+Start by discovering the available radios:
+
+```rust
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let devices = nm.list_wifi_devices().await?;
+ for dev in &devices {
+ println!("{} ({})", dev.interface, dev.mac);
+ println!(" State: {:?}", dev.state);
+ if let Some(ssid) = &dev.active_ssid {
+ println!(" Connected to: {}", ssid);
+ }
+ }
+
+ Ok(())
+}
+```
+
+Each `WifiDevice` contains:
+
+| Field | Type | Description |
+|-------|------|-------------|
+| `interface` | `String` | Interface name (`wlan0`, `wlp2s0`, …) |
+| `mac` | `String` | Hardware MAC address |
+| `state` | `DeviceState` | Current operational state |
+| `active_ssid` | `Option` | SSID of the active connection, if any |
+
+You can also look up a single device directly:
+
+```rust
+let dev = nm.wifi_device_by_interface("wlan1").await?;
+println!("{} is {:?}", dev.interface, dev.state);
+```
+
+## The WifiScope Pattern
+
+The most ergonomic way to work with a specific radio is `WifiScope`. Call `nm.wifi("wlan1")` to get a scope pinned to that interface, then chain operations without repeating the interface name:
+
+```rust
+use nmrs::{NetworkManager, WifiSecurity};
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let scope = nm.wifi("wlan1");
+
+ scope.scan().await?;
+ let networks = scope.list_networks().await?;
+ for net in &networks {
+ println!("{} ({}%)", net.ssid, net.strength.unwrap_or(0));
+ }
+
+ scope.connect("HomeWiFi", WifiSecurity::WpaPsk {
+ psk: "hunter2".into(),
+ }).await?;
+
+ Ok(())
+}
+```
+
+`WifiScope` delegates to `NetworkManager` under the hood but locks every call to a single interface. The available methods are:
+
+| Method | Description |
+|--------|-------------|
+| `scope.interface()` | Returns the interface name this scope is pinned to |
+| `scope.scan()` | Trigger a scan on this device |
+| `scope.list_networks()` | List networks visible to this device |
+| `scope.list_access_points()` | List raw access points (including duplicates per BSSID) |
+| `scope.connect(ssid, creds)` | Connect through this device |
+| `scope.connect_to_bssid(ssid, bssid, creds)` | Connect to a specific BSSID through this device |
+| `scope.disconnect()` | Disconnect this device |
+| `scope.set_enabled(bool)` | Enable or disable this device |
+| `scope.forget(ssid)` | Remove a saved connection from this device |
+
+Because the interface is already captured, none of these methods take an interface parameter.
+
+### BSSID targeting
+
+When the same SSID is broadcast by multiple access points, use `connect_to_bssid` to force a specific one:
+
+```rust
+let scope = nm.wifi("wlan0");
+
+let aps = scope.list_access_points().await?;
+if let Some(best) = aps.iter().max_by_key(|ap| ap.strength.unwrap_or(0)) {
+ scope.connect_to_bssid(
+ &best.ssid,
+ &best.hwaddress.as_deref().unwrap_or_default(),
+ WifiSecurity::WpaPsk { psk: "password".into() },
+ ).await?;
+}
+```
+
+## Per-Interface vs Global Operations
+
+nmrs distinguishes between operations that target one device and operations that affect the entire Wi-Fi subsystem.
+
+| Operation | Per-device | Global |
+|-----------|-----------|--------|
+| Enable/disable radio | `nm.set_wifi_enabled("wlan1", true)` | `nm.set_wireless_enabled(false)` |
+| Scan | `nm.scan_networks(Some("wlan1"))` | `nm.scan_networks(None)` (scans all) |
+| List networks | `nm.list_networks(Some("wlan1"))` | `nm.list_networks(None)` (merges all) |
+| Connect | `nm.connect("ssid", Some("wlan1"), creds)` | `nm.connect("ssid", None, creds)` |
+| Disconnect | `nm.disconnect(Some("wlan1"))` | `nm.disconnect(None)` (all devices) |
+
+When you pass `None`, nmrs falls back to the original behavior: pick the first Wi-Fi device for single-device operations, or aggregate across all devices for scans and listings.
+
+## Per-Device Enable/Disable
+
+There are two distinct toggles:
+
+- **`set_wireless_enabled(bool)`** flips NetworkManager's global `WirelessEnabled` property. This affects *every* Wi-Fi radio on the system — equivalent to airplane-mode for Wi-Fi.
+- **`set_wifi_enabled(interface, bool)`** targets a single radio. It sets `Autoconnect = false` and disconnects the device (to disable) or re-enables autoconnect (to enable). The rest of the system's Wi-Fi radios are unaffected.
+
+```rust
+let nm = NetworkManager::new().await?;
+
+// Disable only the USB dongle
+nm.set_wifi_enabled("wlan1", false).await?;
+
+// The built-in radio stays online
+let dev = nm.wifi_device_by_interface("wlan0").await?;
+assert_ne!(dev.state, nmrs::DeviceState::Unavailable);
+```
+
+Using `WifiScope`:
+
+```rust
+let scope = nm.wifi("wlan1");
+scope.set_enabled(false).await?;
+```
+
+> **Note:** `set_wifi_enabled` is *not* the same as the global `set_wireless_enabled`. The global toggle controls the NM-level `WirelessEnabled` property (equivalent to `nmcli radio wifi off`), while per-device disable works through the device's autoconnect and disconnect mechanism.
+
+## Direct Method Approach
+
+If you don't want a `WifiScope`, every Wi-Fi method on `NetworkManager` accepts an optional interface name. Pass `None` for single-radio behavior or `Some("wlan1")` to target a device:
+
+```rust
+use nmrs::{NetworkManager, WifiSecurity};
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ // Scan on a specific interface
+ nm.scan_networks(Some("wlan1")).await?;
+
+ // List networks from a specific interface
+ let networks = nm.list_networks(Some("wlan1")).await?;
+
+ // Connect through a specific interface
+ nm.connect("OfficeWiFi", Some("wlan1"), WifiSecurity::WpaPsk {
+ psk: "secret".into(),
+ }).await?;
+
+ // Disconnect a specific interface
+ nm.disconnect(Some("wlan1")).await?;
+
+ // Or use None to get the default (first device) behavior
+ nm.scan_networks(None).await?;
+ nm.connect("HomeWiFi", None, WifiSecurity::Open).await?;
+
+ Ok(())
+}
+```
+
+## Error Handling
+
+Two error variants are specific to per-device scoping:
+
+```rust
+use nmrs::ConnectionError;
+
+let nm = NetworkManager::new().await?;
+
+match nm.wifi_device_by_interface("wlan99").await {
+ Ok(dev) => println!("Found: {}", dev.interface),
+ Err(ConnectionError::WifiInterfaceNotFound { interface }) => {
+ eprintln!("No Wi-Fi device named '{}'", interface);
+ }
+ Err(e) => eprintln!("Unexpected error: {}", e),
+}
+```
+
+| Variant | Meaning |
+|---------|---------|
+| `WifiInterfaceNotFound { interface }` | No network device with that name exists |
+| `NotAWifiDevice { interface }` | The interface exists but is not a Wi-Fi device (e.g., `eth0`) |
+
+`NotAWifiDevice` fires when you pass a valid interface name that belongs to an Ethernet or Bluetooth adapter:
+
+```rust
+match nm.wifi_device_by_interface("eth0").await {
+ Err(ConnectionError::NotAWifiDevice { interface }) => {
+ eprintln!("'{}' is not a Wi-Fi interface", interface);
+ }
+ _ => {}
+}
+```
+
+## Next Steps
+
+- [WiFi Management](./wifi.md) — general Wi-Fi operations (scanning, security types, connection options)
+- [Device Management](./devices.md) — listing and inspecting all device types
+- [Real-Time Monitoring](./monitoring.md) — subscribe to device state changes
+- [Error Handling](./error-handling.md) — full error variant reference
diff --git a/docs/src/guide/wifi-scanning.md b/docs/src/guide/wifi-scanning.md
index 1fc1cddb..f67d1a07 100644
--- a/docs/src/guide/wifi-scanning.md
+++ b/docs/src/guide/wifi-scanning.md
@@ -14,7 +14,7 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// Trigger an active scan on all wireless devices
- nm.scan_networks().await?;
+ nm.scan_networks(None).await?;
Ok(())
}
@@ -33,7 +33,7 @@ use nmrs::NetworkManager;
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
for net in &networks {
println!("{:30} {}%", net.ssid, net.strength.unwrap_or(0));
}
@@ -70,7 +70,7 @@ use nmrs::NetworkManager;
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
if let Some(network) = networks.first() {
let info = nm.show_details(network).await?;
@@ -108,8 +108,8 @@ use nmrs::NetworkManager;
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- nm.scan_networks().await?;
- let networks = nm.list_networks().await?;
+ nm.scan_networks(None).await?;
+ let networks = nm.list_networks(None).await?;
for net in &networks {
let security = if net.is_eap {
diff --git a/docs/src/guide/wifi-wpa-psk.md b/docs/src/guide/wifi-wpa-psk.md
index 2d37062d..829ff1dc 100644
--- a/docs/src/guide/wifi-wpa-psk.md
+++ b/docs/src/guide/wifi-wpa-psk.md
@@ -11,7 +11,7 @@ use nmrs::{NetworkManager, WifiSecurity};
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- nm.connect("HomeWiFi", WifiSecurity::WpaPsk {
+ nm.connect("HomeWiFi", None, WifiSecurity::WpaPsk {
psk: "my_secure_password".into(),
}).await?;
@@ -42,7 +42,7 @@ async fn main() -> nmrs::Result<()> {
let password = std::env::var("WIFI_PASSWORD")
.expect("Set WIFI_PASSWORD environment variable");
- nm.connect("HomeWiFi", WifiSecurity::WpaPsk {
+ nm.connect("HomeWiFi", None, WifiSecurity::WpaPsk {
psk: password,
}).await?;
@@ -60,7 +60,7 @@ let nm = NetworkManager::new().await?;
if nm.has_saved_connection("HomeWiFi").await? {
// Saved profile exists; password is stored in it.
// The WifiSecurity value is ignored when a saved profile exists.
- nm.connect("HomeWiFi", WifiSecurity::Open).await?;
+ nm.connect("HomeWiFi", None, WifiSecurity::Open).await?;
}
```
@@ -81,7 +81,7 @@ use nmrs::{NetworkManager, WifiSecurity, ConnectionError};
let nm = NetworkManager::new().await?;
-match nm.connect("HomeWiFi", WifiSecurity::WpaPsk {
+match nm.connect("HomeWiFi", None, WifiSecurity::WpaPsk {
psk: "password".into(),
}).await {
Ok(_) => println!("Connected!"),
diff --git a/docs/src/guide/wifi.md b/docs/src/guide/wifi.md
index cb1a7b77..8593d66e 100644
--- a/docs/src/guide/wifi.md
+++ b/docs/src/guide/wifi.md
@@ -23,10 +23,10 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// Scan for networks
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
// Connect to WPA-PSK network
- nm.connect("MyWiFi", WifiSecurity::WpaPsk {
+ nm.connect("MyWiFi", None, WifiSecurity::WpaPsk {
psk: "password".into()
}).await?;
@@ -36,7 +36,7 @@ async fn main() -> nmrs::Result<()> {
}
// Disconnect
- nm.disconnect().await?;
+ nm.disconnect(None).await?;
Ok(())
}
@@ -51,7 +51,7 @@ nmrs supports all major WiFi security protocols:
No authentication required:
```rust
-nm.connect("FreeWiFi", WifiSecurity::Open).await?;
+nm.connect("FreeWiFi", None, WifiSecurity::Open).await?;
```
### WPA-PSK (Personal)
@@ -59,7 +59,7 @@ nm.connect("FreeWiFi", WifiSecurity::Open).await?;
Password-based authentication:
```rust
-nm.connect("HomeWiFi", WifiSecurity::WpaPsk {
+nm.connect("HomeWiFi", None, WifiSecurity::WpaPsk {
psk: "your_password".into()
}).await?;
```
@@ -76,7 +76,7 @@ let eap_opts = EapOptions::new("user@company.com", "password")
.with_phase2(Phase2::Mschapv2)
.with_domain_suffix_match("company.com");
-nm.connect("CorpWiFi", WifiSecurity::WpaEap {
+nm.connect("CorpWiFi", None, WifiSecurity::WpaEap {
opts: eap_opts
}).await?;
```
@@ -98,7 +98,7 @@ pub struct Network {
Example usage:
```rust
-let networks = nm.list_networks().await?;
+let networks = nm.list_networks(None).await?;
for net in networks {
println!("SSID: {}", net.ssid);
@@ -144,14 +144,15 @@ Enable or disable WiFi hardware:
```rust
// Disable WiFi (airplane mode)
-nm.set_wifi_enabled(false).await?;
+nm.set_wireless_enabled(false).await?;
// Enable WiFi
-nm.set_wifi_enabled(true).await?;
+nm.set_wireless_enabled(true).await?;
// Check WiFi status
-let enabled = nm.is_wifi_enabled().await?;
-println!("WiFi is {}", if enabled { "enabled" } else { "disabled" });
+let state = nm.wifi_state().await?;
+println!("WiFi is {}", if state.enabled { "enabled" } else { "disabled" });
+println!("Hardware switch is {}", if state.hardware_enabled { "on" } else { "off" });
```
## Network Scanning
@@ -160,13 +161,13 @@ Trigger a fresh scan:
```rust
// Request a scan (may take a few seconds)
-nm.request_scan().await?;
+nm.scan_networks(None).await?;
// Wait a moment for scan to complete
tokio::time::sleep(tokio::time::Duration::from_secs(2)).await;
// Get updated results
-let networks = nm.list_networks().await?;
+let networks = nm.list_networks(None).await?;
```
## Detecting Connection State
@@ -182,11 +183,9 @@ if let Some(ssid) = nm.current_ssid().await {
}
// Get detailed network info
-if let Some(info) = nm.current_network_info().await? {
- println!("SSID: {}", info.ssid);
- println!("IP: {:?}", info.ip4_address);
- println!("Gateway: {:?}", info.gateway);
- println!("DNS: {:?}", info.dns);
+if let Some(network) = nm.current_network().await? {
+ println!("SSID: {}", network.ssid);
+ println!("Signal: {}%", network.strength.unwrap_or(0));
}
```
@@ -197,7 +196,7 @@ WiFi operations can fail for various reasons. Handle them gracefully:
```rust
use nmrs::ConnectionError;
-match nm.connect("Network", WifiSecurity::WpaPsk {
+match nm.connect("Network", None, WifiSecurity::WpaPsk {
psk: "pass".into()
}).await {
Ok(_) => println!("Connected!"),
@@ -255,6 +254,7 @@ nm.monitor_device_changes(|| {
- [WPA-EAP (Enterprise)](./wifi-enterprise.md) - Enterprise WiFi
- [Hidden Networks](./wifi-hidden.md) - Connecting to hidden SSIDs
- [Error Handling](./error-handling.md) - Comprehensive error guide
+- [Per-Device Scoping](./wifi-per-device.md) - Multi-radio, per-interface operations
## Best Practices
@@ -263,14 +263,14 @@ nm.monitor_device_changes(|| {
```rust
// Good - reuse the same instance
let nm = NetworkManager::new().await?;
-nm.list_networks().await?;
-nm.connect("WiFi", WifiSecurity::Open).await?;
+nm.list_networks(None).await?;
+nm.connect("WiFi", None, WifiSecurity::Open).await?;
// Avoid - creating multiple instances
let nm1 = NetworkManager::new().await?;
-nm1.list_networks().await?;
+nm1.list_networks(None).await?;
let nm2 = NetworkManager::new().await?; // Unnecessary
-nm2.connect("WiFi", WifiSecurity::Open).await?;
+nm2.connect("WiFi", None, WifiSecurity::Open).await?;
```
### 2. Handle Signal Strength
@@ -290,7 +290,7 @@ if let Some(strength) = network.strength {
use tokio::time::{timeout, Duration};
// Wrap operations in timeouts
-match timeout(Duration::from_secs(30), nm.connect("WiFi", security)).await {
+match timeout(Duration::from_secs(30), nm.connect("WiFi", None, security)).await {
Ok(Ok(_)) => println!("Connected"),
Ok(Err(e)) => eprintln!("Connection failed: {}", e),
Err(_) => eprintln!("Operation timed out"),
diff --git a/docs/src/introduction.md b/docs/src/introduction.md
index a35e43b3..500393b6 100644
--- a/docs/src/introduction.md
+++ b/docs/src/introduction.md
@@ -7,7 +7,7 @@ Welcome to the **nmrs** documentation! This guide will help you understand and u
**nmrs** is a high-level, async Rust API for [NetworkManager](https://networkmanager.dev/) over [D-Bus](https://dbus.freedesktop.org/doc/dbus-specification.html). It provides:
- **Simple WiFi Management** - Scan, connect, and manage wireless networks
-- **VPN Support** - Full WireGuard VPN integration
+- **VPN Support** - WireGuard and OpenVPN VPN support
- **Ethernet Control** - Manage wired network connections
- **Bluetooth** - Connect to Bluetooth network devices
- **Real-Time Monitoring** - Event-driven network state updates
@@ -52,13 +52,13 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
// Scan for networks
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
for net in networks {
println!("{} - {}%", net.ssid, net.strength.unwrap_or(0));
}
// Connect to a network
- nm.connect("MyWiFi", WifiSecurity::WpaPsk {
+ nm.connect("MyWiFi", None, WifiSecurity::WpaPsk {
psk: "password123".into()
}).await?;
diff --git a/nmrs-gui/src/ui/connect.rs b/nmrs-gui/src/ui/connect.rs
index b932771a..bf365312 100644
--- a/nmrs-gui/src/ui/connect.rs
+++ b/nmrs-gui/src/ui/connect.rs
@@ -205,7 +205,7 @@ fn draw_connect_modal(
};
debug!("Calling nm.connect() for '{ssid}'");
- match nm.connect(&ssid, creds).await {
+ match nm.connect(&ssid, None, creds).await {
Ok(_) => {
debug!("nm.connect() succeeded!");
status.set_text("✓ Connected!");
diff --git a/nmrs-gui/src/ui/header.rs b/nmrs-gui/src/ui/header.rs
index a5144f9f..e830779e 100644
--- a/nmrs-gui/src/ui/header.rs
+++ b/nmrs-gui/src/ui/header.rs
@@ -180,7 +180,7 @@ pub fn build_header(
ctx.stack.set_visible_child_name("loading");
clear_children(&list_container);
- match ctx.nm.wifi_enabled().await {
+ match ctx.nm.wifi_state().await.map(|s| s.enabled) {
Ok(enabled) => {
wifi_switch.set_active(enabled);
if enabled {
@@ -207,7 +207,7 @@ pub fn build_header(
glib::MainContext::default().spawn_local(async move {
clear_children(&list_container);
- if let Err(err) = ctx.nm.set_wifi_enabled(sw.is_active()).await {
+ if let Err(err) = ctx.nm.set_wireless_enabled(sw.is_active()).await {
ctx.status.set_text(&format!("Error setting Wi-Fi: {err}"));
return;
}
@@ -310,7 +310,7 @@ pub async fn refresh_networks(
wireless_header.set_margin_start(12);
list_container.append(&wireless_header);
- if let Err(err) = ctx.nm.scan_networks().await {
+ if let Err(err) = ctx.nm.scan_networks(None).await {
ctx.status.set_text(&format!("Scan failed: {err}"));
is_scanning.set(false);
return;
@@ -318,7 +318,7 @@ pub async fn refresh_networks(
let mut last_len = 0;
for _ in 0..5 {
- let nets = ctx.nm.list_networks().await.unwrap_or_default();
+ let nets = ctx.nm.list_networks(None).await.unwrap_or_default();
if nets.len() == last_len && last_len > 0 {
break;
}
@@ -326,7 +326,7 @@ pub async fn refresh_networks(
glib::timeout_future_seconds(1).await;
}
- match ctx.nm.list_networks().await {
+ match ctx.nm.list_networks(None).await {
Ok(mut nets) => {
let current_conn = ctx.nm.current_connection_info().await;
let (current_ssid, current_band) = if let Some((ssid, freq)) = current_conn {
@@ -460,7 +460,7 @@ pub async fn refresh_networks_no_scan(
wireless_header.set_margin_start(12);
list_container.append(&wireless_header);
- match ctx.nm.list_networks().await {
+ match ctx.nm.list_networks(None).await {
Ok(mut nets) => {
let current_conn = ctx.nm.current_connection_info().await;
let (current_ssid, current_band) = if let Some((ssid, freq)) = current_conn {
diff --git a/nmrs-gui/src/ui/networks.rs b/nmrs-gui/src/ui/networks.rs
index 8de7f5a3..072e3f2a 100644
--- a/nmrs-gui/src/ui/networks.rs
+++ b/nmrs-gui/src/ui/networks.rs
@@ -132,7 +132,7 @@ impl NetworkRowController {
status_c.set_text(&format!("Connecting to {}...", ssid_c));
window_c.set_sensitive(false);
let creds = WifiSecurity::WpaPsk { psk: "".into() };
- match nm_c.connect(&ssid_c, creds).await {
+ match nm_c.connect(&ssid_c, None, creds).await {
Ok(_) => {
status_c.set_text("");
on_success_c();
@@ -153,7 +153,7 @@ impl NetworkRowController {
status_c.set_text(&format!("Connecting to {}...", ssid_c));
window_c.set_sensitive(false);
let creds = WifiSecurity::Open;
- match nm_c.connect(&ssid_c, creds).await {
+ match nm_c.connect(&ssid_c, None, creds).await {
Ok(_) => {
status_c.set_text("");
on_success_c();
diff --git a/nmrs/CHANGELOG.md b/nmrs/CHANGELOG.md
index 630e0169..5f5d2cad 100644
--- a/nmrs/CHANGELOG.md
+++ b/nmrs/CHANGELOG.md
@@ -3,21 +3,40 @@
All notable changes to the `nmrs` crate will be documented in this file.
## [Unreleased]
+
+## [3.0.0] - 2026-04-24
### Added
-- `nmrs::agent` module: NetworkManager secret agent for credential prompting over D-Bus (`SecretAgent`, `SecretAgentBuilder`, `SecretAgentHandle`, `SecretRequest`, `SecretResponder`, `SecretSetting`, `SecretAgentFlags`, `SecretAgentCapabilities`, `CancelReason`, `SecretStoreEvent`)
-- `VpnConfig` trait and `WireGuardConfig`; `NetworkManager::connect_vpn` accepts `VpnConfig` implementors; `VpnCredentials` deprecated with compatibility bridges ([#303](https://github.com/cachebag/nmrs/pull/303))
+- `ConnectionError::IncompleteBuilder` for builders missing required fields ([#350](https://github.com/cachebag/nmrs/issues/350))
+- `nmrs::agent` module: NetworkManager secret agent for credential prompting over D-Bus (`SecretAgent`, `SecretAgentBuilder`, `SecretAgentHandle`, `SecretRequest`, `SecretResponder`, `SecretSetting`, `SecretAgentFlags`, `SecretAgentCapabilities`, `CancelReason`, `SecretStoreEvent`) ([#370](https://github.com/cachebag/nmrs/pull/370))
+- `AccessPoint` model preserving per-AP BSSID, frequency, security flags, and device state; `list_access_points(interface)` for full AP enumeration ([#373](https://github.com/cachebag/nmrs/pull/373))
+- Airplane-mode surface: `RadioState`, `AirplaneModeState`, `wifi_state()`, `wwan_state()`, `bluetooth_radio_state()`, `airplane_mode_state()`, `set_wireless_enabled()`, `set_wwan_enabled()`, `set_bluetooth_radio_enabled()`, `set_airplane_mode()` ([#372](https://github.com/cachebag/nmrs/pull/372))
+- Kernel rfkill awareness: hardware kill switch state via `/sys/class/rfkill` ([#372](https://github.com/cachebag/nmrs/pull/372))
+- `HardwareRadioKilled` and `BluezUnavailable` error variants ([#372](https://github.com/cachebag/nmrs/pull/372))
+- Per-Wi-Fi-device scoping: `WifiDevice` model, `list_wifi_devices()`, `wifi_device_by_interface()`, `WifiScope` builder via `nm.wifi("wlan1")`, `set_wifi_enabled(interface, bool)` for per-radio enable/disable ([#375](https://github.com/cachebag/nmrs/pull/375))
+- `WifiInterfaceNotFound` and `NotAWifiDevice` error variants ([#375](https://github.com/cachebag/nmrs/pull/375))
+- Saved profile enumeration: `SavedConnection`, `SavedConnectionBrief`, `SettingsSummary`, `SettingsPatch`, `WifiSecuritySummary`, `WifiKeyMgmt`, `VpnSecretFlags`; `list_saved_connections()`, `list_saved_connections_brief()`, `list_saved_connection_ids()`, `get_saved_connection()`, `get_saved_connection_raw()`, `delete_saved_connection()`, `update_saved_connection()`, `reload_saved_connections()`; D-Bus proxies `NMSettingsProxy` / `NMSettingsConnectionProxy`; example `saved_list` ([#376](https://github.com/cachebag/nmrs/pull/376))
+- Connectivity state surface: `ConnectivityState`, `ConnectivityReport`, `connectivity()`, `check_connectivity()`, `connectivity_report()`, `captive_portal_url()`; `ConnectivityCheckDisabled` error variant ([#377](https://github.com/cachebag/nmrs/pull/377))
+- Generic VPN support: `VpnType` now carries protocol-specific metadata for OpenVPN, OpenConnect, strongSwan, PPTP, L2TP, and a `Generic` catch-all; `VpnKind` (Plugin vs WireGuard); `VpnConnection` enriched with `uuid`, `active`, `user_name`, `password_flags`, `service_type`; `connect_vpn_by_uuid()`, `connect_vpn_by_id()`, `disconnect_vpn_by_uuid()`, `active_vpn_connections()` ([#378](https://github.com/cachebag/nmrs/pull/378))
### Changed
+- `VpnCredentialsBuilder::build()` and `EapOptionsBuilder::build()` return `Result` (no panics on missing fields); `VpnCredentialsBuilder` may return `ConnectionError::InvalidPeers` when no peers are set ([#350](https://github.com/cachebag/nmrs/issues/350))
+- `VpnType` is now a data-carrying enum; the old tag enum is renamed to `VpnKind`. `VpnConfig::vpn_type()` renamed to `vpn_kind()`. `VpnConnectionInfo.vpn_type` renamed to `vpn_kind`. ([#378](https://github.com/cachebag/nmrs/pull/378))
+- `list_saved_connections()` now returns `Vec` (full decode + summaries). Use `list_saved_connection_ids()` for the previous `Vec` behavior (connection `id` names only). ([#376](https://github.com/cachebag/nmrs/pull/376))
+- `connect`, `connect_to_bssid`, `disconnect`, `scan_networks`, and `list_networks` now take an `interface: Option<&str>` parameter. Pass `None` to preserve previous behavior, or `Some("wlan1")` to scope to a specific Wi-Fi interface. For an ergonomic per-interface API, use `nm.wifi("wlan1")` to obtain a `WifiScope`. ([#375](https://github.com/cachebag/nmrs/pull/375))
+- `set_wifi_enabled` now requires an `interface: &str` argument and toggles only that radio (via `Device.Autoconnect` + `Device.Disconnect()`). For the global wireless killswitch use `set_wireless_enabled(bool)`. ([#375](https://github.com/cachebag/nmrs/pull/375))
+- `VpnConfig` trait and `WireGuardConfig`; `NetworkManager::connect_vpn` accepts `VpnConfig` implementors; `VpnCredentials` deprecated with compatibility bridges ([#303](https://github.com/cachebag/nmrs/pull/303))
- Introduce `VpnConfig` trait and refactor `connect_vpn` signature ([#303](https://github.com/cachebag/nmrs/pull/303))
- OpenVPN connection settings model expansion ([#309](https://github.com/cachebag/nmrs/pull/309))
- Multi-VPN plumbing: `detect_vpn_type()`, `VpnType::OpenVpn`, and shared detection across connect, disconnect, and list VPN flows ([#311](https://github.com/cachebag/nmrs/pull/311))
-- `.ovpn` profile lexer and parser for translating OpenVPN configs toward NetworkManager ([#314](https://github.com/cachebag/nmrs/pull/314))
+- `.ovpn` profile lexer/parser and auth-user-pass inference for translating OpenVPN configs toward NetworkManager ([#314](https://github.com/cachebag/nmrs/pull/314), [#340](https://github.com/cachebag/nmrs/pull/340))
- Unit tests and parser refactors for `.ovpn` parsing ([#316](https://github.com/cachebag/nmrs/pull/316))
-- OpenVPN builder: compression, proxy, and `build_openvpn_connection()` ([#315](https://github.com/cachebag/nmrs/pull/315))
+- OpenVPN builder, validation, compression, proxy, routing, resilience, TLS hardening, import, cert-store, and `VpnDetails` support ([#315](https://github.com/cachebag/nmrs/pull/315), [#323](https://github.com/cachebag/nmrs/pull/323), [#326](https://github.com/cachebag/nmrs/pull/326), [#345](https://github.com/cachebag/nmrs/pull/345), [#346](https://github.com/cachebag/nmrs/pull/346), [#347](https://github.com/cachebag/nmrs/pull/347), [#348](https://github.com/cachebag/nmrs/pull/348), [#349](https://github.com/cachebag/nmrs/pull/349))
- `VpnConfiguration` to dispatch WireGuard vs OpenVPN; `connect_vpn` wired to the OpenVPN builder ([#322](https://github.com/cachebag/nmrs/pull/322))
- Support for specifying Bluetooth adapter in `BluetoothIdentity` ([#267](https://github.com/cachebag/nmrs/pull/267))
### Fixed
+- Wi-Fi `ensure_disconnected` no longer deactivates every active connection (VPN, wired, other radios); only the target Wi-Fi device is torn down. VPN disconnect, Wi-Fi/Bluetooth `Device::Disconnect` D-Bus failures propagate instead of being swallowed ([#351](https://github.com/cachebag/nmrs/issues/351))
+- OpenVPN settings decoding now uses D-Bus `Dict` values for `vpn.data` / `vpn.secrets` and extracts gateways from `vpn.data` correctly ([#337](https://github.com/cachebag/nmrs/pull/337), [#344](https://github.com/cachebag/nmrs/pull/344))
- Line-accurate source locations for `.ovpn` directives and blocks ([#318](https://github.com/cachebag/nmrs/pull/318))
- `key_direction` when nested under `tls_auth` and as a standalone directive ([#320](https://github.com/cachebag/nmrs/pull/320))
@@ -212,7 +231,8 @@ All notable changes to the `nmrs` crate will be documented in this file.
[2.2.0]: https://github.com/cachebag/nmrs/compare/nmrs-v1.2.0...nmrs-v2.2.0
[2.3.0]: https://github.com/cachebag/nmrs/compare/nmrs-v2.2.0...nmrs-v2.3.0
[2.4.0]: https://github.com/cachebag/nmrs/compare/nmrs-v1.2.0...nmrs-v2.4.0
-[Unreleased]: https://github.com/cachebag/nmrs/compare/nmrs-v2.4.0...HEAD
+[3.0.0]: https://github.com/cachebag/nmrs/compare/nmrs-v1.2.0...nmrs-v3.0.0
+[Unreleased]: https://github.com/cachebag/nmrs/compare/nmrs-v3.0.0...HEAD
[1.1.0]: https://github.com/cachebag/nmrs/compare/nmrs-v1.0.1...nmrs-v1.1.0
[1.0.1]: https://github.com/cachebag/nmrs/compare/nmrs-v1.0.0...nmrs-v1.0.1
[1.0.0]: https://github.com/cachebag/nmrs/compare/v0.5.0-beta...nmrs-v1.0.0
@@ -221,4 +241,4 @@ All notable changes to the `nmrs` crate will be documented in this file.
[0.3.0-beta]: https://github.com/cachebag/nmrs/compare/v0.2.0-beta...v0.3.0-beta
[0.2.0-beta]: https://github.com/cachebag/nmrs/compare/v0.1.1-beta...v0.2.0-beta
[0.1.1-beta]: https://github.com/cachebag/nmrs/compare/v0.1.0-beta...v0.1.1-beta
-[0.1.0-beta]: https://github.com/cachebag/nmrs/releases/tag/v0.1.0-beta
+[0.1.0-beta]: https://github.com/cachebag/nmrs/releases/tag/v0.1.0-beta
\ No newline at end of file
diff --git a/nmrs/Cargo.toml b/nmrs/Cargo.toml
index aca499d4..39dabfc1 100644
--- a/nmrs/Cargo.toml
+++ b/nmrs/Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "nmrs"
-version = "2.4.0"
+version = "3.0.0"
authors = ["Akrm Al-Hakimi "]
edition.workspace = true
rust-version = "1.94.0"
@@ -47,3 +47,27 @@ path = "examples/vpn_connect.rs"
[[example]]
name = "secret_agent"
path = "examples/secret_agent.rs"
+
+[[example]]
+name = "airplane_mode"
+path = "examples/airplane_mode.rs"
+
+[[example]]
+name = "ap_list"
+path = "examples/ap_list.rs"
+
+[[example]]
+name = "multi_wifi"
+path = "examples/multi_wifi.rs"
+
+[[example]]
+name = "saved_list"
+path = "examples/saved_list.rs"
+
+[[example]]
+name = "connectivity"
+path = "examples/connectivity.rs"
+
+[[example]]
+name = "vpn_list"
+path = "examples/vpn_list.rs"
diff --git a/nmrs/README.md b/nmrs/README.md
index 9e4da015..52e2761f 100644
--- a/nmrs/README.md
+++ b/nmrs/README.md
@@ -13,12 +13,15 @@ Rust bindings for NetworkManager via D-Bus.
## Features
- **WiFi Management**: Connect to WPA-PSK, WPA-EAP, and open networks
-- **VPN Support**: WireGuard VPN connections with full configuration
+- **VPN Support**: WireGuard, OpenVPN, OpenConnect, strongSwan, PPTP, L2TP, and generic plugin VPNs with rich enumeration and UUID-based activation
- **Ethernet**: Wired network connection management
-- **Network Discovery**: Scan and list available access points with signal strength
-- **Profile Management**: Create, query, and delete saved connection profiles
+- **Network Discovery**: Scan and list available access points with per-BSSID detail and security capabilities
+- **Per-Interface Scoping**: Target specific Wi-Fi radios on multi-NIC systems via `nm.wifi("wlan1")` or `Option<&str>` interface arguments
+- **Profile Management**: List saved profiles with decoded summaries (`list_saved_connections`), raw settings, UUID-based delete/update, plus create/query/delete helpers
- **Real-Time Monitoring**: Signal-based network and device state change notifications
- **Secret Agent**: Respond to NetworkManager credential prompts via an async stream API
+- **Airplane Mode**: Toggle Wi-Fi, WWAN, and Bluetooth radios with rfkill hardware awareness
+- **Connectivity**: Query NM's connectivity state, force re-checks, and detect captive-portal URLs
- **Typed Errors**: Structured error types with specific failure reasons
- **Fully Async**: Built on `zbus` with async/await throughout
@@ -26,7 +29,7 @@ Rust bindings for NetworkManager via D-Bus.
```toml
[dependencies]
-nmrs = "2.0.0"
+nmrs = "3.0.0"
```
or
```bash
@@ -46,16 +49,21 @@ use nmrs::{NetworkManager, WifiSecurity};
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- // List networks
- let networks = nm.list_networks().await?;
+ // List networks (None = all Wi-Fi devices, or pass Some("wlan1") to scope)
+ let networks = nm.list_networks(None).await?;
for net in &networks {
println!("{} - Signal: {}%", net.ssid, net.strength.unwrap_or(0));
}
-
- // Connect to WPA-PSK network
- nm.connect("MyNetwork", WifiSecurity::WpaPsk {
+
+ // Connect to a WPA-PSK network on the first Wi-Fi device
+ nm.connect("MyNetwork", None, WifiSecurity::WpaPsk {
psk: "password".into()
}).await?;
+
+ // Or scope every operation to a specific radio
+ let wlan1 = nm.wifi("wlan1");
+ wlan1.scan().await?;
+ wlan1.connect("Guest", WifiSecurity::Open).await?;
// Check current connection
if let Some(ssid) = nm.current_ssid().await {
@@ -69,32 +77,28 @@ async fn main() -> nmrs::Result<()> {
### WireGuard VPN
```rust
-use nmrs::{NetworkManager, VpnCredentials, VpnType, WireGuardPeer};
+use nmrs::{NetworkManager, WireGuardConfig, WireGuardPeer};
#[tokio::main]
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- let creds = VpnCredentials {
- vpn_type: VpnType::WireGuard,
- name: "WorkVPN".into(),
- gateway: "vpn.example.com:51820".into(),
- private_key: "your_private_key_here".into(),
- address: "10.0.0.2/24".into(),
- peers: vec![WireGuardPeer {
- public_key: "server_public_key".into(),
- gateway: "vpn.example.com:51820".into(),
- allowed_ips: vec!["0.0.0.0/0".into()],
- preshared_key: None,
- persistent_keepalive: Some(25),
- }],
- dns: Some(vec!["1.1.1.1".into()]),
- mtu: None,
- uuid: None,
- };
+ let peer = WireGuardPeer::new(
+ "server_public_key",
+ "vpn.example.com:51820",
+ vec!["0.0.0.0/0".into()],
+ ).with_persistent_keepalive(25);
+
+ let config = WireGuardConfig::new(
+ "WorkVPN",
+ "vpn.example.com:51820",
+ "your_private_key_here",
+ "10.0.0.2/24",
+ vec![peer],
+ ).with_dns(vec!["1.1.1.1".into()]);
// Connect to VPN
- nm.connect_vpn(creds).await?;
+ nm.connect_vpn(config).await?;
// Get connection details
let info = nm.get_vpn_info("WorkVPN").await?;
@@ -116,7 +120,7 @@ use nmrs::{NetworkManager, WifiSecurity, EapOptions, EapMethod, Phase2};
async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
- nm.connect("CorpNetwork", WifiSecurity::WpaEap {
+ nm.connect("CorpNetwork", None, WifiSecurity::WpaEap {
opts: EapOptions {
identity: "user@company.com".into(),
password: "password".into(),
@@ -150,9 +154,9 @@ async fn main() -> nmrs::Result<()> {
println!("{}: {} ({})", device.interface, device.device_type, device.state);
}
- // Control WiFi radio
- nm.set_wifi_enabled(false).await?;
- nm.set_wifi_enabled(true).await?;
+ // Control the global Wi-Fi radio
+ nm.set_wireless_enabled(false).await?;
+ nm.set_wireless_enabled(true).await?;
Ok(())
}
@@ -213,7 +217,7 @@ All operations return `Result` with specific variants:
```rust
use nmrs::{NetworkManager, WifiSecurity, ConnectionError};
-match nm.connect("MyNetwork", WifiSecurity::WpaPsk {
+match nm.connect("MyNetwork", None, WifiSecurity::WpaPsk {
psk: "wrong".into()
}).await {
Ok(_) => println!("Connected"),
diff --git a/nmrs/examples/airplane_mode.rs b/nmrs/examples/airplane_mode.rs
new file mode 100644
index 00000000..be855130
--- /dev/null
+++ b/nmrs/examples/airplane_mode.rs
@@ -0,0 +1,18 @@
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ println!("before: {:#?}", nm.airplane_mode_state().await?);
+
+ nm.set_airplane_mode(true).await?;
+ tokio::time::sleep(std::time::Duration::from_secs(2)).await;
+
+ println!("during: {:#?}", nm.airplane_mode_state().await?);
+
+ nm.set_airplane_mode(false).await?;
+ println!("after: {:#?}", nm.airplane_mode_state().await?);
+
+ Ok(())
+}
diff --git a/nmrs/examples/ap_list.rs b/nmrs/examples/ap_list.rs
new file mode 100644
index 00000000..d3fa835c
--- /dev/null
+++ b/nmrs/examples/ap_list.rs
@@ -0,0 +1,22 @@
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+ let mut aps = nm.list_access_points(None).await?;
+ aps.sort_by_key(|ap| std::cmp::Reverse(ap.strength));
+
+ for ap in &aps {
+ let active = if ap.is_active { "*" } else { " " };
+ println!(
+ "{active} {:>3}% {:<24} {} {} MHz {:?}",
+ ap.strength,
+ ap.ssid,
+ ap.bssid,
+ ap.frequency_mhz,
+ ap.security.preferred_connect_type()
+ );
+ }
+
+ Ok(())
+}
diff --git a/nmrs/examples/connectivity.rs b/nmrs/examples/connectivity.rs
new file mode 100644
index 00000000..788209ed
--- /dev/null
+++ b/nmrs/examples/connectivity.rs
@@ -0,0 +1,20 @@
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+ let report = nm.connectivity_report().await?;
+
+ println!("state: {:?}", report.state);
+ println!("check enabled: {}", report.check_enabled);
+ println!("check uri: {:?}", report.check_uri);
+ println!("captive portal: {:?}", report.captive_portal_url);
+
+ if report.state == nmrs::ConnectivityState::Portal
+ && let Some(url) = report.captive_portal_url
+ {
+ println!("-> open {url} in your browser to authenticate");
+ }
+
+ Ok(())
+}
diff --git a/nmrs/examples/custom_timeouts.rs b/nmrs/examples/custom_timeouts.rs
index ae0e0512..90a52377 100644
--- a/nmrs/examples/custom_timeouts.rs
+++ b/nmrs/examples/custom_timeouts.rs
@@ -29,6 +29,7 @@ async fn main() -> nmrs::Result<()> {
println!("\nConnecting to network...");
nm.connect(
"MyNetwork",
+ None,
WifiSecurity::WpaPsk {
psk: std::env::var("WIFI_PASSWORD").unwrap_or_else(|_| "password".to_string()),
},
diff --git a/nmrs/examples/multi_wifi.rs b/nmrs/examples/multi_wifi.rs
new file mode 100644
index 00000000..f82d7b42
--- /dev/null
+++ b/nmrs/examples/multi_wifi.rs
@@ -0,0 +1,59 @@
+//! Per-Wi-Fi-device enumeration and scoped operations.
+//!
+//! Lists every Wi-Fi interface NetworkManager manages, then triggers a
+//! scan and prints the visible SSIDs on each radio independently.
+//! Useful on laptops with USB Wi-Fi dongles or docks with a second adapter.
+//!
+//! Run with: `cargo run --example multi_wifi`
+
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let radios = nm.list_wifi_devices().await?;
+ if radios.is_empty() {
+ println!("No Wi-Fi devices found.");
+ return Ok(());
+ }
+
+ println!("Found {} Wi-Fi radio(s):", radios.len());
+ for r in &radios {
+ println!(
+ " {:<10} {} state={:?} active={}{}",
+ r.interface,
+ r.hw_address,
+ r.state,
+ r.is_active,
+ r.active_ssid
+ .as_ref()
+ .map(|s| format!(" ssid={s}"))
+ .unwrap_or_default(),
+ );
+ }
+
+ for r in &radios {
+ let scope = nm.wifi(&r.interface);
+ println!("\n[{}] scanning...", r.interface);
+
+ if let Err(e) = scope.scan().await {
+ eprintln!("[{}] scan failed: {e}", r.interface);
+ continue;
+ }
+ // Give NM a moment to populate scan results.
+ tokio::time::sleep(std::time::Duration::from_secs(2)).await;
+
+ let nets = scope.list_networks().await?;
+ for n in nets {
+ println!(
+ " {:>3}% {:<32} ({} BSSIDs)",
+ n.strength.unwrap_or(0),
+ n.ssid,
+ n.bssids.len(),
+ );
+ }
+ }
+
+ Ok(())
+}
diff --git a/nmrs/examples/saved_list.rs b/nmrs/examples/saved_list.rs
new file mode 100644
index 00000000..20d0e55a
--- /dev/null
+++ b/nmrs/examples/saved_list.rs
@@ -0,0 +1,74 @@
+//! List all saved NetworkManager connection profiles with decoded summaries.
+//!
+//! Run: `cargo run --example saved_list`
+//!
+//! Secrets (Wi-Fi PSK, VPN passwords, etc.) are not shown — only non-secret
+//! settings returned by `GetSettings`.
+
+use nmrs::{NetworkManager, SettingsSummary};
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+
+ let mut profiles = nm.list_saved_connections().await?;
+ profiles.sort_by(|a, b| a.id.cmp(&b.id));
+
+ for c in profiles {
+ print!("{:<32} {:<22} {}", c.id, c.connection_type, c.uuid);
+ if !c.autoconnect {
+ print!(" [manual]");
+ }
+ if c.unsaved {
+ print!(" [unsaved]");
+ }
+ println!();
+
+ match &c.summary {
+ SettingsSummary::Wifi {
+ ssid,
+ security,
+ hidden,
+ ..
+ } => {
+ println!(" ssid={ssid:?} hidden={hidden} security={security:?}");
+ }
+ SettingsSummary::Vpn {
+ service_type,
+ user_name,
+ data_keys,
+ ..
+ } => {
+ println!(" vpn={service_type} user={user_name:?} data_keys={data_keys:?}");
+ }
+ SettingsSummary::WireGuard {
+ peer_count,
+ first_peer_endpoint,
+ listen_port,
+ ..
+ } => {
+ println!(
+ " wireguard listen={listen_port:?} peers={peer_count} endpoint={first_peer_endpoint:?}"
+ );
+ }
+ SettingsSummary::Ethernet { mac_address, .. } => {
+ println!(" ethernet mac={mac_address:?}");
+ }
+ SettingsSummary::Gsm { apn, .. } => {
+ println!(" gsm apn={apn:?}");
+ }
+ SettingsSummary::Bluetooth { bdaddr, bt_type } => {
+ println!(" bluetooth {bdaddr} type={bt_type}");
+ }
+ SettingsSummary::Cdma { number, .. } => {
+ println!(" cdma number={number:?}");
+ }
+ SettingsSummary::Other { sections } => {
+ println!(" other sections={sections:?}");
+ }
+ _ => println!(" (additional summary variant)"),
+ }
+ }
+
+ Ok(())
+}
diff --git a/nmrs/examples/vpn_connect.rs b/nmrs/examples/vpn_connect.rs
index 28fbb64a..dedc030b 100644
--- a/nmrs/examples/vpn_connect.rs
+++ b/nmrs/examples/vpn_connect.rs
@@ -1,8 +1,8 @@
/// Connect to a WireGuard VPN using NetworkManager and print the assigned IP address.
///
-/// This example demonstrates using the builder pattern for creating VPN credentials,
-/// which provides a more ergonomic and readable API compared to the traditional constructor.
-use nmrs::{NetworkManager, VpnCredentials, WireGuardPeer};
+/// This example demonstrates creating a `WireGuardConfig`,
+/// the preferred API for configuring VPN connections.
+use nmrs::{NetworkManager, WireGuardConfig, WireGuardPeer};
#[tokio::main]
async fn main() -> nmrs::Result<()> {
@@ -16,16 +16,14 @@ async fn main() -> nmrs::Result<()> {
)
.with_persistent_keepalive(25);
- // Use the builder pattern for a more readable configuration
- let creds = VpnCredentials::builder()
- .name("ExampleVPN")
- .wireguard()
- .gateway("vpn.example.com:51820")
- .private_key(std::env::var("WG_PRIVATE_KEY").expect("Set WG_PRIVATE_KEY env var"))
- .address("10.0.0.2/24")
- .add_peer(peer)
- .with_dns(vec!["1.1.1.1".into()])
- .build();
+ let creds = WireGuardConfig::new(
+ "ExampleVPN",
+ "vpn.example.com:51820",
+ std::env::var("WG_PRIVATE_KEY").expect("Set WG_PRIVATE_KEY env var"),
+ "10.0.0.2/24",
+ vec![peer],
+ )
+ .with_dns(vec!["1.1.1.1".into()]);
println!("Connecting to VPN...");
nm.connect_vpn(creds).await?;
diff --git a/nmrs/examples/vpn_list.rs b/nmrs/examples/vpn_list.rs
new file mode 100644
index 00000000..13e02c4d
--- /dev/null
+++ b/nmrs/examples/vpn_list.rs
@@ -0,0 +1,45 @@
+use nmrs::NetworkManager;
+
+#[tokio::main]
+async fn main() -> nmrs::Result<()> {
+ let nm = NetworkManager::new().await?;
+ let vpns = nm.list_vpn_connections().await?;
+
+ println!(
+ "{:<20} {:<38} {:<16} {:<12} active",
+ "id", "uuid", "type", "user"
+ );
+ println!("{}", "-".repeat(90));
+
+ for vpn in &vpns {
+ let type_label = match &vpn.vpn_type {
+ nmrs::VpnType::WireGuard { .. } => "wireguard".to_string(),
+ nmrs::VpnType::OpenVpn {
+ connection_type, ..
+ } => {
+ format!(
+ "openvpn/{}",
+ connection_type
+ .map(|ct| format!("{ct:?}"))
+ .unwrap_or_default()
+ )
+ }
+ nmrs::VpnType::OpenConnect { .. } => "openconnect".to_string(),
+ nmrs::VpnType::StrongSwan { .. } => "strongswan".to_string(),
+ nmrs::VpnType::Pptp { .. } => "pptp".to_string(),
+ nmrs::VpnType::L2tp { .. } => "l2tp".to_string(),
+ nmrs::VpnType::Generic { service_type, .. } => service_type.clone(),
+ _ => "(unknown)".to_string(),
+ };
+
+ let user = vpn.user_name.as_deref().unwrap_or("(n/a)");
+ let active_icon = if vpn.active { "●" } else { "○" };
+
+ println!(
+ "{:<20} {:<38} {:<16} {:<12} {}",
+ vpn.id, vpn.uuid, type_label, user, active_icon
+ );
+ }
+
+ Ok(())
+}
diff --git a/nmrs/examples/wifi_enterprise.rs b/nmrs/examples/wifi_enterprise.rs
index e931d6b8..efcbc70e 100644
--- a/nmrs/examples/wifi_enterprise.rs
+++ b/nmrs/examples/wifi_enterprise.rs
@@ -17,12 +17,12 @@ async fn main() -> nmrs::Result<()> {
.anonymous_identity("anonymous@company.com")
.domain_suffix_match("company.com")
.system_ca_certs(true)
- .build();
+ .build()?;
let security = WifiSecurity::WpaEap { opts: eap_opts };
println!("Connecting to enterprise WiFi network...");
- nm.connect("CorpNetwork", security).await?;
+ nm.connect("CorpNetwork", None, security).await?;
println!("Successfully connected to enterprise WiFi!");
diff --git a/nmrs/examples/wifi_scan.rs b/nmrs/examples/wifi_scan.rs
index 19788373..ba76e6d5 100644
--- a/nmrs/examples/wifi_scan.rs
+++ b/nmrs/examples/wifi_scan.rs
@@ -6,9 +6,9 @@ async fn main() -> nmrs::Result<()> {
let nm = NetworkManager::new().await?;
println!("Scanning for WiFi networks...");
- nm.scan_networks().await?;
+ nm.scan_networks(None).await?;
- let networks = nm.list_networks().await?;
+ let networks = nm.list_networks(None).await?;
for net in networks {
println!("{:30} {}%", net.ssid, net.strength.unwrap_or(0));
}
diff --git a/nmrs/src/api/builders/mod.rs b/nmrs/src/api/builders/mod.rs
index d40aad4b..5035d57d 100644
--- a/nmrs/src/api/builders/mod.rs
+++ b/nmrs/src/api/builders/mod.rs
@@ -20,7 +20,7 @@
//!
//! ```ignore
//! use nmrs::builders::{build_wifi_connection, build_wireguard_connection, build_ethernet_connection};
-//! use nmrs::{WifiSecurity, ConnectionOptions, VpnCredentials, VpnType, WireGuardPeer};
+//! use nmrs::{WifiSecurity, ConnectionOptions, VpnCredentials, VpnKind, WireGuardPeer};
//!
//! let opts = ConnectionOptions {
//! autoconnect: true,
@@ -45,7 +45,7 @@
//! };
//!
//! let creds = VpnCredentials {
-//! vpn_type: VpnType::WireGuard,
+//! vpn_type: VpnKind::WireGuard,
//! name: "MyVPN".into(),
//! gateway: "vpn.example.com:51820".into(),
//! private_key: "YBk6X3pP8KjKz7+HFWzVHNqL3qTZq8hX9VxFQJ4zVmM=".into(),
@@ -70,6 +70,7 @@
pub mod bluetooth;
pub mod connection_builder;
+pub mod openvpn_builder;
pub mod vpn;
pub mod wifi;
pub mod wifi_builder;
@@ -77,10 +78,11 @@ pub mod wireguard_builder;
// Re-export core builder types
pub use connection_builder::{ConnectionBuilder, IpConfig, Route};
+pub use openvpn_builder::OpenVpnBuilder;
pub use wifi_builder::{WifiBand, WifiConnectionBuilder, WifiMode};
pub use wireguard_builder::WireGuardBuilder;
// Re-export builder functions for convenience
pub use bluetooth::build_bluetooth_connection;
-pub use vpn::build_wireguard_connection;
+pub use vpn::{build_openvpn_connection, build_wireguard_connection};
pub use wifi::{build_ethernet_connection, build_wifi_connection};
diff --git a/nmrs/src/api/builders/openvpn_builder.rs b/nmrs/src/api/builders/openvpn_builder.rs
new file mode 100644
index 00000000..e54a71ca
--- /dev/null
+++ b/nmrs/src/api/builders/openvpn_builder.rs
@@ -0,0 +1,1102 @@
+//! OpenVPN connection builder with validation.
+//!
+//! Provides a type-safe builder API for constructing [`OpenVpnConfig`] with
+//! validation of required fields and auth-type-specific requirements at
+//! build time.
+//!
+//! Unlike [`super::vpn::build_wireguard_connection`] which returns NM-ready
+//! D-Bus settings directly, this builder produces an [`OpenVpnConfig`] domain
+//! struct. Use [`super::vpn::build_openvpn_connection`] to convert it into
+//! NetworkManager connection settings.
+
+use std::path::Path;
+
+use uuid::Uuid;
+
+use crate::api::models::{
+ ConnectionError, OpenVpnAuthType, OpenVpnCompression, OpenVpnConfig, OpenVpnProxy, VpnRoute,
+ vpn_route_from_parser,
+};
+use crate::core::ovpn_parser::parser::{self, CertSource, OvpnFile};
+use crate::util::cert_store::store_inline_cert;
+use crate::util::validation::validate_connection_name;
+
+/// Builder for OpenVPN connections.
+///
+/// Validates at build time:
+/// - `remote` must be set and non-empty
+/// - `auth_type` must be set
+/// - `Password` or `PasswordTls`: `username` required
+/// - `Tls` or `PasswordTls`: `ca_cert`, `client_cert`, `client_key` required
+/// - port must be 1–65535
+///
+/// # Example
+///
+/// ```rust
+/// use nmrs::builders::OpenVpnBuilder;
+/// use nmrs::OpenVpnAuthType;
+///
+/// let config = OpenVpnBuilder::new("CorpVPN")
+/// .remote("vpn.example.com")
+/// .port(1194)
+/// .auth_type(OpenVpnAuthType::Tls)
+/// .ca_cert("/etc/openvpn/ca.crt")
+/// .client_cert("/etc/openvpn/client.crt")
+/// .client_key("/etc/openvpn/client.key")
+/// .build()
+/// .expect("Failed to build OpenVPN config");
+/// ```
+#[non_exhaustive]
+#[derive(Debug)]
+pub struct OpenVpnBuilder {
+ name: String,
+ remote: Option,
+ port: Option,
+ tcp: bool,
+ auth_type: Option,
+ auth: Option,
+ cipher: Option,
+ dns: Option>,
+ mtu: Option,
+ uuid: Option,
+ ca_cert: Option,
+ client_cert: Option,
+ client_key: Option,
+ key_password: Option,
+ username: Option,
+ password: Option,
+ compression: Option,
+ proxy: Option,
+ tls_auth_key: Option,
+ tls_auth_direction: Option,
+ tls_crypt: Option,
+ tls_crypt_v2: Option,
+ tls_version_min: Option,
+ tls_version_max: Option,
+ tls_cipher: Option,
+ remote_cert_tls: Option,
+ verify_x509_name: Option<(String, String)>,
+ crl_verify: Option,
+ redirect_gateway: bool,
+ routes: Vec,
+ ping: Option,
+ ping_exit: Option,
+ ping_restart: Option,
+ reneg_seconds: Option,
+ connect_timeout: Option,
+ data_ciphers: Option,
+ data_ciphers_fallback: Option,
+ ncp_disable: bool,
+}
+
+impl OpenVpnBuilder {
+ /// Creates a new OpenVPN connection builder.
+ #[must_use]
+ pub fn new(name: impl Into) -> Self {
+ Self {
+ name: name.into(),
+ remote: None,
+ port: None,
+ tcp: false,
+ auth_type: None,
+ auth: None,
+ cipher: None,
+ dns: None,
+ mtu: None,
+ uuid: None,
+ ca_cert: None,
+ client_cert: None,
+ client_key: None,
+ key_password: None,
+ username: None,
+ password: None,
+ compression: None,
+ proxy: None,
+ tls_auth_key: None,
+ tls_auth_direction: None,
+ tls_crypt: None,
+ tls_crypt_v2: None,
+ tls_version_min: None,
+ tls_version_max: None,
+ tls_cipher: None,
+ remote_cert_tls: None,
+ verify_x509_name: None,
+ crl_verify: None,
+ redirect_gateway: false,
+ routes: Vec::new(),
+ ping: None,
+ ping_exit: None,
+ ping_restart: None,
+ reneg_seconds: None,
+ connect_timeout: None,
+ data_ciphers: None,
+ data_ciphers_fallback: None,
+ ncp_disable: false,
+ }
+ }
+
+ /// Creates a builder pre-populated from a `.ovpn` file on disk.
+ ///
+ /// Reads the file, parses it, extracts inline certificates (persisting them
+ /// via the cert store), and pre-populates the builder. The connection name
+ /// defaults to the file stem (e.g. `"corp"` for `corp.ovpn`).
+ ///
+ /// The caller can override any field before calling [`build()`](Self::build).
+ ///
+ /// # Errors
+ ///
+ /// - `ConnectionError::VpnFailed` if the file cannot be read
+ /// - `ConnectionError::ParseError` if the `.ovpn` content is malformed
+ /// - `ConnectionError::InvalidGateway` if no `remote` directive is found
+ pub fn from_ovpn_file(path: impl AsRef) -> Result {
+ let path = path.as_ref();
+ let content = std::fs::read_to_string(path).map_err(|e| {
+ ConnectionError::VpnFailed(format!("failed to read {}: {e}", path.display()))
+ })?;
+ let name = path
+ .file_stem()
+ .and_then(|s| s.to_str())
+ .unwrap_or("openvpn")
+ .to_string();
+ Self::from_ovpn_str(&content, name)
+ }
+
+ /// Creates a builder pre-populated from `.ovpn` file content.
+ ///
+ /// Parses the content, extracts inline certificates (persisting them via
+ /// the cert store under `name`), and pre-populates the builder.
+ ///
+ /// The caller can override any field before calling [`build()`](Self::build).
+ ///
+ /// # Errors
+ ///
+ /// - `ConnectionError::ParseError` if the content is malformed
+ /// - `ConnectionError::InvalidGateway` if no `remote` directive is found
+ /// - `ConnectionError::VpnFailed` if inline cert storage fails
+ pub fn from_ovpn_str(content: &str, name: impl Into) -> Result {
+ let name = name.into();
+ let ovpn = parser::parse_ovpn(content)?;
+ Self::from_parsed(ovpn, name)
+ }
+
+ /// Populates a builder from a parsed `OvpnFile`, resolving inline certs.
+ fn from_parsed(f: OvpnFile, name: String) -> Result {
+ use crate::core::ovpn_parser::parser::{AllowCompress, Compress};
+
+ let first_remote = f
+ .remotes
+ .into_iter()
+ .next()
+ .ok_or_else(|| ConnectionError::InvalidGateway("no remote in .ovpn file".into()))?;
+
+ let tcp = first_remote
+ .proto
+ .as_deref()
+ .map(|p: &str| p.starts_with("tcp"))
+ .unwrap_or_else(|| {
+ f.proto
+ .as_deref()
+ .map(|p: &str| p.starts_with("tcp"))
+ .unwrap_or(false)
+ });
+
+ let routes: Vec = f
+ .routes
+ .into_iter()
+ .map(vpn_route_from_parser)
+ .collect::>()?;
+
+ let redirect_gateway = f.redirect_gateway.is_some();
+
+ let data_ciphers = if f.data_ciphers.is_empty() {
+ None
+ } else {
+ Some(f.data_ciphers.join(":"))
+ };
+
+ let compression = match (f.compress, f.allow_compress) {
+ (Some(Compress::Algorithm(ref s)), _) => Some(match s.as_str() {
+ "lz4" => OpenVpnCompression::Lz4,
+ "lz4-v2" => OpenVpnCompression::Lz4V2,
+ _ => OpenVpnCompression::Yes,
+ }),
+ (Some(Compress::Stub | Compress::StubV2), _) => Some(OpenVpnCompression::No),
+ (None, Some(AllowCompress::No)) => Some(OpenVpnCompression::No),
+ _ => None,
+ };
+
+ let resolve_cert =
+ |src: CertSource, cert_type: &str, conn: &str| -> Result {
+ match src {
+ CertSource::File(p) => Ok(p),
+ CertSource::Inline(pem) => {
+ let path = store_inline_cert(conn, cert_type, &pem)?;
+ Ok(path.to_string_lossy().into_owned())
+ }
+ }
+ };
+
+ let ca_cert = f.ca.map(|s| resolve_cert(s, "ca", &name)).transpose()?;
+ let client_cert = f.cert.map(|s| resolve_cert(s, "cert", &name)).transpose()?;
+ let client_key = f.key.map(|s| resolve_cert(s, "key", &name)).transpose()?;
+
+ let has_client_cert_pair = client_cert.is_some() && client_key.is_some();
+ let auth_type = match (f.auth_user_pass, has_client_cert_pair) {
+ (true, true) => Some(OpenVpnAuthType::PasswordTls),
+ (true, false) => Some(OpenVpnAuthType::Password),
+ (false, true) => Some(OpenVpnAuthType::Tls),
+ (false, false) => None,
+ };
+
+ let (tls_auth_key, tls_auth_direction) = match f.tls_auth {
+ Some(ta) => {
+ let path = resolve_cert(ta.source, "ta", &name)?;
+ (Some(path), ta.key_direction)
+ }
+ None => (None, None),
+ };
+
+ let tls_crypt = f
+ .tls_crypt
+ .map(|s| resolve_cert(s, "tls-crypt", &name))
+ .transpose()?;
+
+ Ok(Self {
+ name,
+ remote: Some(first_remote.host),
+ port: first_remote.port,
+ tcp,
+ auth_type,
+ auth: f.auth,
+ cipher: f.cipher,
+ dns: None,
+ mtu: None,
+ uuid: None,
+ ca_cert,
+ client_cert,
+ client_key,
+ key_password: None,
+ username: None,
+ password: None,
+ compression,
+ proxy: None,
+ tls_auth_key,
+ tls_auth_direction,
+ tls_crypt,
+ tls_crypt_v2: None,
+ tls_version_min: None,
+ tls_version_max: None,
+ tls_cipher: None,
+ remote_cert_tls: None,
+ verify_x509_name: None,
+ crl_verify: None,
+ redirect_gateway,
+ routes,
+ ping: None,
+ ping_exit: None,
+ ping_restart: None,
+ reneg_seconds: None,
+ connect_timeout: None,
+ data_ciphers,
+ data_ciphers_fallback: None,
+ ncp_disable: false,
+ })
+ }
+
+ /// Sets the remote server hostname or IP address.
+ #[must_use]
+ pub fn remote(mut self, remote: impl Into) -> Self {
+ self.remote = Some(remote.into());
+ self
+ }
+
+ /// Sets the remote server port (1–65535).
+ #[must_use]
+ pub fn port(mut self, port: u16) -> Self {
+ self.port = Some(port);
+ self
+ }
+
+ /// Use TCP instead of UDP.
+ #[must_use]
+ pub fn tcp(mut self, tcp: bool) -> Self {
+ self.tcp = tcp;
+ self
+ }
+
+ /// Sets the authentication type.
+ #[must_use]
+ pub fn auth_type(mut self, auth_type: OpenVpnAuthType) -> Self {
+ self.auth_type = Some(auth_type);
+ self
+ }
+
+ /// Sets the HMAC digest algorithm (e.g. "SHA256").
+ #[must_use]
+ pub fn auth(mut self, auth: impl Into) -> Self {
+ self.auth = Some(auth.into());
+ self
+ }
+
+ /// Sets the data channel cipher (e.g. "AES-256-GCM").
+ #[must_use]
+ pub fn cipher(mut self, cipher: impl Into) -> Self {
+ self.cipher = Some(cipher.into());
+ self
+ }
+
+ /// Sets DNS servers for the connection.
+ #[must_use]
+ pub fn dns(mut self, servers: Vec) -> Self {
+ self.dns = Some(servers);
+ self
+ }
+
+ /// Sets the MTU size.
+ #[must_use]
+ pub fn mtu(mut self, mtu: u32) -> Self {
+ self.mtu = Some(mtu);
+ self
+ }
+
+ /// Sets a specific UUID for the connection.
+ #[must_use]
+ pub fn uuid(mut self, uuid: Uuid) -> Self {
+ self.uuid = Some(uuid);
+ self
+ }
+
+ /// Sets the CA certificate path.
+ #[must_use]
+ pub fn ca_cert(mut self, path: impl Into) -> Self {
+ self.ca_cert = Some(path.into());
+ self
+ }
+
+ /// Sets the client certificate path.
+ #[must_use]
+ pub fn client_cert(mut self, path: impl Into) -> Self {
+ self.client_cert = Some(path.into());
+ self
+ }
+
+ /// Sets the client private key path.
+ #[must_use]
+ pub fn client_key(mut self, path: impl Into) -> Self {
+ self.client_key = Some(path.into());
+ self
+ }
+
+ /// Sets the password for an encrypted private key.
+ #[must_use]
+ pub fn key_password(mut self, password: impl Into) -> Self {
+ self.key_password = Some(password.into());
+ self
+ }
+
+ /// Sets the username for password authentication.
+ #[must_use]
+ pub fn username(mut self, username: impl Into) -> Self {
+ self.username = Some(username.into());
+ self
+ }
+
+ /// Sets the password for password authentication.
+ #[must_use]
+ pub fn password(mut self, password: impl Into) -> Self {
+ self.password = Some(password.into());
+ self
+ }
+
+ /// Sets the compression algorithm.
+ ///
+ /// # Security Warning
+ ///
+ /// Some compression modes are subject to the VORACLE vulnerability.
+ /// See [`OpenVpnCompression`] for details and recommendations.
+ #[must_use]
+ pub fn compression(mut self, compression: OpenVpnCompression) -> Self {
+ self.compression = Some(compression);
+ self
+ }
+
+ /// Sets the proxy configuration.
+ #[must_use]
+ pub fn proxy(mut self, proxy: OpenVpnProxy) -> Self {
+ self.proxy = Some(proxy);
+ self
+ }
+
+ /// Sets the TLS authentication key path and optional direction.
+ #[must_use]
+ pub fn tls_auth(mut self, key_path: impl Into, direction: Option) -> Self {
+ self.tls_auth_key = Some(key_path.into());
+ self.tls_auth_direction = direction;
+ self
+ }
+
+ /// Sets the TLS-Crypt key path.
+ #[must_use]
+ pub fn tls_crypt(mut self, key_path: impl Into) -> Self {
+ self.tls_crypt = Some(key_path.into());
+ self
+ }
+
+ /// Sets the TLS-Crypt-v2 key path.
+ #[must_use]
+ pub fn tls_crypt_v2(mut self, key_path: impl Into) -> Self {
+ self.tls_crypt_v2 = Some(key_path.into());
+ self
+ }
+
+ /// Sets the minimum TLS protocol version.
+ #[must_use]
+ pub fn tls_version_min(mut self, version: impl Into) -> Self {
+ self.tls_version_min = Some(version.into());
+ self
+ }
+
+ /// Sets the maximum TLS protocol version.
+ #[must_use]
+ pub fn tls_version_max(mut self, version: impl Into) -> Self {
+ self.tls_version_max = Some(version.into());
+ self
+ }
+
+ /// Sets the control channel TLS cipher suites.
+ #[must_use]
+ pub fn tls_cipher(mut self, cipher: impl Into) -> Self {
+ self.tls_cipher = Some(cipher.into());
+ self
+ }
+
+ /// Requires the remote certificate to be of a specific type.
+ #[must_use]
+ pub fn remote_cert_tls(mut self, cert_type: impl Into) -> Self {
+ self.remote_cert_tls = Some(cert_type.into());
+ self
+ }
+
+ /// Sets X.509 name verification for the remote certificate.
+ #[must_use]
+ pub fn verify_x509_name(
+ mut self,
+ name: impl Into,
+ name_type: impl Into,
+ ) -> Self {
+ self.verify_x509_name = Some((name.into(), name_type.into()));
+ self
+ }
+
+ /// Sets the path to a Certificate Revocation List.
+ #[must_use]
+ pub fn crl_verify(mut self, path: impl Into) -> Self {
+ self.crl_verify = Some(path.into());
+ self
+ }
+
+ /// When true, the profile may become the default IPv4 route.
+ #[must_use]
+ pub fn redirect_gateway(mut self, redirect: bool) -> Self {
+ self.redirect_gateway = redirect;
+ self
+ }
+
+ /// Sets static IPv4 routes for split tunneling.
+ #[must_use]
+ pub fn routes(mut self, routes: Vec) -> Self {
+ self.routes = routes;
+ self
+ }
+
+ /// Sets OpenVPN `ping` (seconds).
+ #[must_use]
+ pub fn ping(mut self, seconds: u32) -> Self {
+ self.ping = Some(seconds);
+ self
+ }
+
+ /// Sets OpenVPN `ping-exit` (seconds).
+ #[must_use]
+ pub fn ping_exit(mut self, seconds: u32) -> Self {
+ self.ping_exit = Some(seconds);
+ self
+ }
+
+ /// Sets OpenVPN `ping-restart` (seconds).
+ #[must_use]
+ pub fn ping_restart(mut self, seconds: u32) -> Self {
+ self.ping_restart = Some(seconds);
+ self
+ }
+
+ /// Sets TLS renegotiation period (`reneg-sec`, seconds).
+ #[must_use]
+ pub fn reneg_seconds(mut self, seconds: u32) -> Self {
+ self.reneg_seconds = Some(seconds);
+ self
+ }
+
+ /// Sets initial connection timeout (`connect-timeout`, seconds).
+ #[must_use]
+ pub fn connect_timeout(mut self, seconds: u32) -> Self {
+ self.connect_timeout = Some(seconds);
+ self
+ }
+
+ /// Sets negotiable data ciphers (colon-separated).
+ #[must_use]
+ pub fn data_ciphers(mut self, ciphers: impl Into) -> Self {
+ self.data_ciphers = Some(ciphers.into());
+ self
+ }
+
+ /// Sets `data-ciphers-fallback`.
+ #[must_use]
+ pub fn data_ciphers_fallback(mut self, cipher: impl Into) -> Self {
+ self.data_ciphers_fallback = Some(cipher.into());
+ self
+ }
+
+ /// When true, disables NCP (`ncp-disable`).
+ #[must_use]
+ pub fn ncp_disable(mut self, disable: bool) -> Self {
+ self.ncp_disable = disable;
+ self
+ }
+
+ /// Builds and validates the `OpenVpnConfig`.
+ ///
+ /// # Errors
+ ///
+ /// - `ConnectionError::InvalidGateway` if `remote` is not set or empty
+ /// - `ConnectionError::InvalidGateway` if `port` is 0
+ /// - `ConnectionError::VpnFailed` if `auth_type` is not set
+ /// - `ConnectionError::VpnFailed` if `username` is required but missing
+ /// - `ConnectionError::VpnFailed` if TLS certs are required but missing
+ #[must_use = "the validated OpenVPN config should be used to build connection settings"]
+ pub fn build(self) -> Result {
+ validate_connection_name(&self.name)?;
+
+ let remote = self
+ .remote
+ .ok_or_else(|| ConnectionError::InvalidGateway("remote must be set".into()))?;
+ if remote.trim().is_empty() {
+ return Err(ConnectionError::InvalidGateway(
+ "remote must not be empty".into(),
+ ));
+ }
+
+ // Validate port
+ let port = self.port.unwrap_or(1194);
+ if port == 0 {
+ return Err(ConnectionError::InvalidGateway(
+ "port must be between 1 and 65535".into(),
+ ));
+ }
+
+ // Validate auth_type
+ let auth_type = self
+ .auth_type
+ .ok_or_else(|| ConnectionError::VpnFailed("auth_type must be set".into()))?;
+
+ // auth_type-specific validation
+ match &auth_type {
+ OpenVpnAuthType::Password | OpenVpnAuthType::PasswordTls if self.username.is_none() => {
+ return Err(ConnectionError::VpnFailed(
+ "username is required for Password and PasswordTls auth".into(),
+ ));
+ }
+ _ => {}
+ }
+
+ if matches!(auth_type, OpenVpnAuthType::StaticKey) {
+ return Err(ConnectionError::VpnFailed(
+ "StaticKey auth validation is not yet implemented".into(),
+ ));
+ }
+
+ match &auth_type {
+ OpenVpnAuthType::Tls | OpenVpnAuthType::PasswordTls => {
+ if self.ca_cert.is_none() {
+ return Err(ConnectionError::VpnFailed(
+ "ca_cert is required for Tls and PasswordTls auth".into(),
+ ));
+ }
+ if self.client_cert.is_none() {
+ return Err(ConnectionError::VpnFailed(
+ "client_cert is required for Tls and PasswordTls auth".into(),
+ ));
+ }
+ if self.client_key.is_none() {
+ return Err(ConnectionError::VpnFailed(
+ "client_key is required for Tls and PasswordTls auth".into(),
+ ));
+ }
+ }
+ _ => {}
+ }
+
+ Ok(OpenVpnConfig {
+ name: self.name,
+ remote,
+ port,
+ tcp: self.tcp,
+ auth_type: Some(auth_type),
+ auth: self.auth,
+ cipher: self.cipher,
+ dns: self.dns,
+ mtu: self.mtu,
+ uuid: self.uuid,
+ ca_cert: self.ca_cert,
+ client_cert: self.client_cert,
+ client_key: self.client_key,
+ key_password: self.key_password,
+ username: self.username,
+ password: self.password,
+ compression: self.compression,
+ proxy: self.proxy,
+ tls_auth_key: self.tls_auth_key,
+ tls_auth_direction: self.tls_auth_direction,
+ tls_crypt: self.tls_crypt,
+ tls_crypt_v2: self.tls_crypt_v2,
+ tls_version_min: self.tls_version_min,
+ tls_version_max: self.tls_version_max,
+ tls_cipher: self.tls_cipher,
+ remote_cert_tls: self.remote_cert_tls,
+ verify_x509_name: self.verify_x509_name,
+ crl_verify: self.crl_verify,
+ redirect_gateway: self.redirect_gateway,
+ routes: self.routes,
+ ping: self.ping,
+ ping_exit: self.ping_exit,
+ ping_restart: self.ping_restart,
+ reneg_seconds: self.reneg_seconds,
+ connect_timeout: self.connect_timeout,
+ data_ciphers: self.data_ciphers,
+ data_ciphers_fallback: self.data_ciphers_fallback,
+ ncp_disable: self.ncp_disable,
+ })
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ fn tls_builder() -> OpenVpnBuilder {
+ OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .port(1194)
+ .auth_type(OpenVpnAuthType::Tls)
+ .ca_cert("/etc/openvpn/ca.crt")
+ .client_cert("/etc/openvpn/client.crt")
+ .client_key("/etc/openvpn/client.key")
+ }
+
+ fn password_builder() -> OpenVpnBuilder {
+ OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .port(1194)
+ .auth_type(OpenVpnAuthType::Password)
+ .username("user")
+ }
+
+ #[test]
+ fn builds_tls_connection() {
+ let config = tls_builder().build();
+ assert!(config.is_ok());
+ let config = config.unwrap();
+ assert_eq!(config.name, "TestVPN");
+ assert_eq!(config.remote, "vpn.example.com");
+ assert_eq!(config.port, 1194);
+ assert!(!config.tcp);
+ }
+
+ #[test]
+ fn builds_password_connection() {
+ let config = password_builder().build();
+ assert!(config.is_ok());
+ }
+
+ #[test]
+ fn builds_password_tls_connection() {
+ let config = OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .auth_type(OpenVpnAuthType::PasswordTls)
+ .username("user")
+ .ca_cert("/etc/openvpn/ca.crt")
+ .client_cert("/etc/openvpn/client.crt")
+ .client_key("/etc/openvpn/client.key")
+ .build();
+ assert!(config.is_ok());
+ }
+
+ #[test]
+ fn rejects_static_key_unimplemented() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .auth_type(OpenVpnAuthType::StaticKey)
+ .build();
+ assert!(matches!(result.unwrap_err(), ConnectionError::VpnFailed(_)));
+ }
+
+ #[test]
+ fn defaults_port_to_1194() {
+ let config = tls_builder().build().unwrap();
+ assert_eq!(config.port, 1194);
+ }
+
+ #[test]
+ fn sets_tcp_flag() {
+ let config = tls_builder().tcp(true).build().unwrap();
+ assert!(config.tcp);
+ }
+
+ #[test]
+ fn sets_optional_fields() {
+ let config = tls_builder()
+ .auth("SHA256")
+ .cipher("AES-256-GCM")
+ .mtu(1400)
+ .dns(vec!["1.1.1.1".into()])
+ .build()
+ .unwrap();
+ assert_eq!(config.auth, Some("SHA256".into()));
+ assert_eq!(config.cipher, Some("AES-256-GCM".into()));
+ assert_eq!(config.mtu, Some(1400));
+ assert!(config.dns.is_some());
+ }
+
+ #[test]
+ fn sets_compression() {
+ let config = tls_builder()
+ .compression(OpenVpnCompression::Lz4V2)
+ .build()
+ .unwrap();
+ assert_eq!(config.compression, Some(OpenVpnCompression::Lz4V2));
+ }
+
+ #[test]
+ fn sets_proxy() {
+ let config = tls_builder()
+ .proxy(OpenVpnProxy::Http {
+ server: "proxy.example.com".into(),
+ port: 8080,
+ username: None,
+ password: None,
+ retry: false,
+ })
+ .build()
+ .unwrap();
+ assert!(config.proxy.is_some());
+ }
+
+ #[test]
+ fn rejects_empty_name() {
+ let result = OpenVpnBuilder::new("")
+ .remote("vpn.example.com")
+ .auth_type(OpenVpnAuthType::Tls)
+ .ca_cert("/etc/openvpn/ca.crt")
+ .client_cert("/etc/openvpn/client.crt")
+ .client_key("/etc/openvpn/client.key")
+ .build();
+ assert!(result.is_err());
+ }
+
+ #[test]
+ fn requires_remote() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .auth_type(OpenVpnAuthType::Tls)
+ .ca_cert("/etc/openvpn/ca.crt")
+ .client_cert("/etc/openvpn/client.crt")
+ .client_key("/etc/openvpn/client.key")
+ .build();
+ assert!(matches!(
+ result.unwrap_err(),
+ ConnectionError::InvalidGateway(_)
+ ));
+ }
+
+ #[test]
+ fn rejects_empty_remote() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .remote("")
+ .auth_type(OpenVpnAuthType::Tls)
+ .ca_cert("/etc/openvpn/ca.crt")
+ .client_cert("/etc/openvpn/client.crt")
+ .client_key("/etc/openvpn/client.key")
+ .build();
+ assert!(matches!(
+ result.unwrap_err(),
+ ConnectionError::InvalidGateway(_)
+ ));
+ }
+
+ #[test]
+ fn rejects_zero_port() {
+ let result = tls_builder().port(0).build();
+ assert!(matches!(
+ result.unwrap_err(),
+ ConnectionError::InvalidGateway(_)
+ ));
+ }
+
+ #[test]
+ fn requires_auth_type() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .build();
+ assert!(matches!(result.unwrap_err(), ConnectionError::VpnFailed(_)));
+ }
+
+ #[test]
+ fn requires_username_for_password_auth() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .auth_type(OpenVpnAuthType::Password)
+ .build();
+ assert!(matches!(result.unwrap_err(), ConnectionError::VpnFailed(_)));
+ }
+
+ #[test]
+ fn requires_username_for_password_tls_auth() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .auth_type(OpenVpnAuthType::PasswordTls)
+ .ca_cert("/etc/openvpn/ca.crt")
+ .client_cert("/etc/openvpn/client.crt")
+ .client_key("/etc/openvpn/client.key")
+ .build();
+ assert!(matches!(result.unwrap_err(), ConnectionError::VpnFailed(_)));
+ }
+
+ #[test]
+ fn requires_ca_cert_for_tls_auth() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .auth_type(OpenVpnAuthType::Tls)
+ .client_cert("/etc/openvpn/client.crt")
+ .client_key("/etc/openvpn/client.key")
+ .build();
+ assert!(matches!(result.unwrap_err(), ConnectionError::VpnFailed(_)));
+ }
+
+ #[test]
+ fn requires_client_cert_for_tls_auth() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .auth_type(OpenVpnAuthType::Tls)
+ .ca_cert("/etc/openvpn/ca.crt")
+ .client_key("/etc/openvpn/client.key")
+ .build();
+ assert!(matches!(result.unwrap_err(), ConnectionError::VpnFailed(_)));
+ }
+
+ #[test]
+ fn requires_client_key_for_tls_auth() {
+ let result = OpenVpnBuilder::new("TestVPN")
+ .remote("vpn.example.com")
+ .auth_type(OpenVpnAuthType::Tls)
+ .ca_cert("/etc/openvpn/ca.crt")
+ .client_cert("/etc/openvpn/client.crt")
+ .build();
+ assert!(matches!(result.unwrap_err(), ConnectionError::VpnFailed(_)));
+ }
+
+ // --- from_ovpn_str tests ---
+
+ use std::sync::Mutex;
+
+ static ENV_LOCK: Mutex<()> = Mutex::new(());
+
+ fn with_fake_xdg(f: impl FnOnce() -> R) -> R {
+ let _g = ENV_LOCK.lock().unwrap();
+ let base = std::env::temp_dir().join(format!("nmrs-ovpn-test-{}", uuid::Uuid::new_v4()));
+ std::fs::create_dir_all(&base).unwrap();
+ unsafe { std::env::set_var("XDG_DATA_HOME", &base) };
+ let out = f();
+ unsafe { std::env::remove_var("XDG_DATA_HOME") };
+ let _ = std::fs::remove_dir_all(&base);
+ out
+ }
+
+ #[test]
+ fn from_ovpn_str_basic_tls_file_certs() {
+ let ovpn = "\
+remote vpn.example.com 1194 udp
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/client.crt
+key /etc/openvpn/client.key
+";
+ let builder = OpenVpnBuilder::from_ovpn_str(ovpn, "test-tls").unwrap();
+ let config = builder.build().unwrap();
+ assert_eq!(config.remote, "vpn.example.com");
+ assert_eq!(config.port, 1194);
+ assert!(!config.tcp);
+ assert_eq!(config.auth_type, Some(OpenVpnAuthType::Tls));
+ assert_eq!(config.ca_cert, Some("/etc/openvpn/ca.crt".into()));
+ assert_eq!(config.client_cert, Some("/etc/openvpn/client.crt".into()));
+ assert_eq!(config.client_key, Some("/etc/openvpn/client.key".into()));
+ }
+
+ #[test]
+ fn from_ovpn_str_password_auth() {
+ let ovpn = "remote vpn.example.com 443 tcp\nauth-user-pass\n";
+ let builder = OpenVpnBuilder::from_ovpn_str(ovpn, "test-pw")
+ .unwrap()
+ .username("user");
+ let config = builder.build().unwrap();
+ assert_eq!(config.auth_type, Some(OpenVpnAuthType::Password));
+ assert!(config.tcp);
+ assert_eq!(config.port, 443);
+ }
+
+ #[test]
+ fn from_ovpn_str_inline_certs_stored() {
+ with_fake_xdg(|| {
+ let ovpn = "\
+remote vpn.example.com 1194
+
+-----BEGIN CERTIFICATE-----
+FAKECA
+-----END CERTIFICATE-----
+
+
+-----BEGIN CERTIFICATE-----
+FAKECERT
+-----END CERTIFICATE-----
+
+
+-----BEGIN PRIVATE KEY-----
+FAKEKEY
+-----END PRIVATE KEY-----
+
+";
+ let builder = OpenVpnBuilder::from_ovpn_str(ovpn, "inline-test").unwrap();
+ let config = builder.build().unwrap();
+ assert_eq!(config.auth_type, Some(OpenVpnAuthType::Tls));
+
+ let ca = config.ca_cert.unwrap();
+ assert!(
+ std::path::Path::new(&ca).exists(),
+ "CA cert should be written to disk: {ca}"
+ );
+ assert!(config.client_cert.is_some());
+ assert!(config.client_key.is_some());
+ });
+ }
+
+ #[test]
+ fn from_ovpn_str_tls_auth_with_direction() {
+ let ovpn = "\
+remote vpn.example.com 1194
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/client.crt
+key /etc/openvpn/client.key
+tls-auth /etc/openvpn/ta.key 1
+";
+ let builder = OpenVpnBuilder::from_ovpn_str(ovpn, "test-ta").unwrap();
+ let config = builder.build().unwrap();
+ assert_eq!(config.tls_auth_key, Some("/etc/openvpn/ta.key".into()));
+ assert_eq!(config.tls_auth_direction, Some(1));
+ }
+
+ #[test]
+ fn from_ovpn_str_inline_tls_auth() {
+ with_fake_xdg(|| {
+ let ovpn = "\
+remote vpn.example.com 1194
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/client.crt
+key /etc/openvpn/client.key
+key-direction 0
+
+-----BEGIN OpenVPN Static key V1-----
+FAKEKEY
+-----END OpenVPN Static key V1-----
+
+";
+ let builder = OpenVpnBuilder::from_ovpn_str(ovpn, "inline-ta").unwrap();
+ let config = builder.build().unwrap();
+ assert!(config.tls_auth_key.is_some());
+ assert_eq!(config.tls_auth_direction, Some(0));
+ });
+ }
+
+ #[test]
+ fn from_ovpn_str_compression_lz4() {
+ let ovpn = "\
+remote vpn.example.com 1194
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/client.crt
+key /etc/openvpn/client.key
+compress lz4-v2
+";
+ let builder = OpenVpnBuilder::from_ovpn_str(ovpn, "test-comp").unwrap();
+ let config = builder.build().unwrap();
+ assert_eq!(config.compression, Some(OpenVpnCompression::Lz4V2));
+ }
+
+ #[test]
+ fn from_ovpn_str_cipher_and_auth() {
+ let ovpn = "\
+remote vpn.example.com 1194
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/client.crt
+key /etc/openvpn/client.key
+cipher AES-256-GCM
+auth SHA256
+";
+ let builder = OpenVpnBuilder::from_ovpn_str(ovpn, "test-cipher").unwrap();
+ let config = builder.build().unwrap();
+ assert_eq!(config.cipher, Some("AES-256-GCM".into()));
+ assert_eq!(config.auth, Some("SHA256".into()));
+ }
+
+ #[test]
+ fn from_ovpn_str_caller_can_override() {
+ let ovpn = "\
+remote vpn.example.com 1194
+ca /etc/openvpn/ca.crt
+cert /etc/openvpn/client.crt
+key /etc/openvpn/client.key
+";
+ let config = OpenVpnBuilder::from_ovpn_str(ovpn, "test-override")
+ .unwrap()
+ .port(443)
+ .tcp(true)
+ .dns(vec!["1.1.1.1".into()])
+ .build()
+ .unwrap();
+ assert_eq!(config.port, 443);
+ assert!(config.tcp);
+ assert!(config.dns.is_some());
+ }
+
+ #[test]
+ fn from_ovpn_str_no_remote_fails() {
+ let ovpn = "cipher AES-256-GCM\n";
+ let result = OpenVpnBuilder::from_ovpn_str(ovpn, "test-fail");
+ assert!(matches!(
+ result.unwrap_err(),
+ ConnectionError::InvalidGateway(_)
+ ));
+ }
+
+ #[test]
+ fn from_ovpn_file_reads_and_parses() {
+ let dir = std::env::temp_dir().join(format!("nmrs-ovpn-file-{}", uuid::Uuid::new_v4()));
+ std::fs::create_dir_all(&dir).unwrap();
+ let path = dir.join("corp.ovpn");
+ std::fs::write(&path, "remote vpn.corp.com 1194\nauth-user-pass\n").unwrap();
+
+ let builder = OpenVpnBuilder::from_ovpn_file(&path).unwrap();
+ assert_eq!(builder.name, "corp");
+ let config = builder.username("user").build().unwrap();
+ assert_eq!(config.remote, "vpn.corp.com");
+ assert_eq!(config.auth_type, Some(OpenVpnAuthType::Password));
+
+ let _ = std::fs::remove_dir_all(&dir);
+ }
+}
diff --git a/nmrs/src/api/builders/vpn.rs b/nmrs/src/api/builders/vpn.rs
index 8cda4508..fe93338e 100644
--- a/nmrs/src/api/builders/vpn.rs
+++ b/nmrs/src/api/builders/vpn.rs
@@ -1,9 +1,10 @@
//! VPN connection settings builders.
//!
//! This module provides functions to build NetworkManager settings dictionaries
-//! for VPN connections. Currently supports:
+//! for VPN connections. Supports:
//!
-//! - **WireGuard** - Modern, high-performance VPN protocol
+//! - **WireGuard** — Modern, high-performance VPN protocol
+//! - **OpenVPN** — Widely-used open-source VPN protocol (via NM plugin)
//!
//! # Usage
//!
@@ -40,7 +41,7 @@
//!
//! ```rust
//! use nmrs::builders::build_wireguard_connection;
-//! use nmrs::{VpnCredentials, VpnType, WireGuardPeer, ConnectionOptions};
+//! use nmrs::{VpnCredentials, VpnKind, WireGuardPeer, ConnectionOptions};
//!
//! let peer = WireGuardPeer::new(
//! "HIgo9xNzJMWLKAShlKl6/bUT1VI9Q0SDBXGtLXkPFXc=",
@@ -49,7 +50,7 @@
//! ).with_persistent_keepalive(25);
//!
//! let creds = VpnCredentials::new(
-//! VpnType::WireGuard,
+//! VpnKind::WireGuard,
//! "MyVPN",
//! "vpn.example.com:51820",
//! "YBk6X3pP8KjKz7+HFWzVHNqL3qTZq8hX9VxFQJ4zVmM=",
@@ -62,12 +63,16 @@
//! let settings = build_wireguard_connection(&creds, &opts).unwrap();
//! // Pass settings to NetworkManager's AddAndActivateConnection
//! ```
+#![allow(deprecated)]
use std::collections::HashMap;
-use zvariant::Value;
+use zvariant::{Dict, Value, signature};
use super::wireguard_builder::WireGuardBuilder;
-use crate::api::models::{ConnectionError, ConnectionOptions, VpnCredentials};
+use crate::api::models::{
+ ConnectionError, ConnectionOptions, OpenVpnAuthType, OpenVpnCompression, OpenVpnConfig,
+ OpenVpnProxy, VpnCredentials,
+};
/// Builds WireGuard VPN connection settings.
///
@@ -83,6 +88,7 @@ use crate::api::models::{ConnectionError, ConnectionOptions, VpnCredentials};
///
/// This function is maintained for backward compatibility. For new code,
/// consider using `WireGuardBuilder` for a more ergonomic API.
+#[must_use = "the connection settings must be passed to NetworkManager"]
pub fn build_wireguard_connection(
creds: &VpnCredentials,
opts: &ConnectionOptions,
@@ -108,10 +114,294 @@ pub fn build_wireguard_connection(
builder.build()
}
+/// Converts a list of string key-value pairs into a `zvariant::Dict` with
+/// D-Bus signature `a{ss}`, which NetworkManager requires for `vpn.data`
+/// and `vpn.secrets`.
+fn string_pairs_to_dict(
+ pairs: Vec<(String, String)>,
+) -> Result, ConnectionError> {
+ let sig = signature!("s");
+ let mut dict = Dict::new(&sig, &sig);
+ for (k, v) in pairs {
+ dict.append(Value::from(k), Value::from(v)).map_err(|e| {
+ ConnectionError::VpnFailed(format!("failed to append VPN setting: {e}"))
+ })?;
+ }
+ Ok(dict)
+}
+
+/// Builds OpenVPN connection settings for NetworkManager.
+///
+/// Returns a settings dictionary suitable for `AddAndActivateConnection`.
+/// OpenVPN uses the NM VPN plugin model: `connection.type = "vpn"` with
+/// `vpn.service-type = "org.freedesktop.NetworkManager.openvpn"`.
+/// All config lives in the flat `vpn.data` dict.
+///
+/// # Errors
+///
+/// - `ConnectionError::InvalidGateway` if `remote` is empty
+/// - `ConnectionError::InvalidAddress` if a proxy port is zero
+#[must_use = "the connection settings must be passed to NetworkManager"]
+pub fn build_openvpn_connection(
+ config: &OpenVpnConfig,
+ opts: &ConnectionOptions,
+) -> Result>>, ConnectionError> {
+ if config.remote.is_empty() {
+ return Err(ConnectionError::InvalidGateway(
+ "OpenVPN remote must not be empty".into(),
+ ));
+ }
+
+ let uuid = config.uuid.unwrap_or_else(uuid::Uuid::new_v4).to_string();
+
+ let mut connection: HashMap<&'static str, Value<'static>> = HashMap::new();
+ connection.insert("type", Value::from("vpn"));
+ connection.insert("id", Value::from(config.name.clone()));
+ connection.insert("uuid", Value::from(uuid));
+ connection.insert("autoconnect", Value::from(opts.autoconnect));
+ if let Some(p) = opts.autoconnect_priority {
+ connection.insert("autoconnect-priority", Value::from(p));
+ }
+
+ let mut vpn_data: Vec<(String, String)> = Vec::new();
+
+ let remote = format!("{}:{}", config.remote, config.port);
+
+ vpn_data.push(("remote".into(), remote));
+
+ let connection_type = match config.auth_type {
+ Some(OpenVpnAuthType::Password) => "password",
+ Some(OpenVpnAuthType::Tls) => "tls",
+ Some(OpenVpnAuthType::PasswordTls) => "password-tls",
+ Some(OpenVpnAuthType::StaticKey) => "static-key",
+ None => "tls",
+ };
+ vpn_data.push(("connection-type".into(), connection_type.into()));
+
+ if config.tcp {
+ vpn_data.push(("proto-tcp".into(), "yes".into()));
+ }
+
+ if let Some(ref username) = config.username {
+ vpn_data.push(("username".into(), username.clone()));
+ }
+ if let Some(ref auth) = config.auth {
+ vpn_data.push(("auth".into(), auth.clone()));
+ }
+ if let Some(ref cipher) = config.cipher {
+ vpn_data.push(("cipher".into(), cipher.clone()));
+ }
+ if let Some(mtu) = config.mtu {
+ vpn_data.push(("tunnel-mtu".into(), mtu.to_string()));
+ }
+
+ // certs
+ if let Some(ref ca) = config.ca_cert {
+ vpn_data.push(("ca".into(), ca.clone()));
+ }
+ if let Some(ref cert) = config.client_cert {
+ vpn_data.push(("cert".into(), cert.clone()));
+ }
+ if let Some(ref key) = config.client_key {
+ vpn_data.push(("key".into(), key.clone()));
+ }
+
+ if let Some(ref compression) = config.compression {
+ #[allow(deprecated)]
+ match compression {
+ OpenVpnCompression::No => {
+ vpn_data.push(("compress".into(), "no".into()));
+ }
+ OpenVpnCompression::Lzo => {
+ vpn_data.push(("comp-lzo".into(), "yes".into()));
+ }
+ OpenVpnCompression::Lz4 => {
+ vpn_data.push(("compress".into(), "lz4".into()));
+ }
+ OpenVpnCompression::Lz4V2 => {
+ vpn_data.push(("compress".into(), "lz4-v2".into()));
+ }
+ OpenVpnCompression::Yes => {
+ vpn_data.push(("compress".into(), "yes".into()));
+ }
+ }
+ }
+
+ // TLS hardening options
+ if let Some(ref key) = config.tls_auth_key {
+ vpn_data.push(("tls-auth".into(), key.clone()));
+ if let Some(dir) = config.tls_auth_direction {
+ vpn_data.push(("ta-dir".into(), dir.to_string()));
+ }
+ }
+ // FIXME: surely, there must be a better way to do this
+ if let Some(ref key) = config.tls_crypt {
+ vpn_data.push(("tls-crypt".into(), key.clone()));
+ }
+ if let Some(ref key) = config.tls_crypt_v2 {
+ vpn_data.push(("tls-crypt-v2".into(), key.clone()));
+ }
+ if let Some(ref ver) = config.tls_version_min {
+ vpn_data.push(("tls-version-min".into(), ver.clone()));
+ }
+ if let Some(ref ver) = config.tls_version_max {
+ vpn_data.push(("tls-version-max".into(), ver.clone()));
+ }
+ if let Some(ref cipher) = config.tls_cipher {
+ vpn_data.push(("tls-cipher".into(), cipher.clone()));
+ }
+ if let Some(ref cert_type) = config.remote_cert_tls {
+ vpn_data.push(("remote-cert-tls".into(), cert_type.clone()));
+ }
+ if let Some((ref name, ref name_type)) = config.verify_x509_name {
+ vpn_data.push(("verify-x509-name".into(), name.clone()));
+ vpn_data.push(("verify-x509-type".into(), name_type.clone()));
+ }
+ if let Some(ref path) = config.crl_verify {
+ vpn_data.push(("crl-verify".into(), path.clone()));
+ }
+
+ if let Some(v) = config.ping {
+ vpn_data.push(("ping".into(), v.to_string()));
+ }
+ if let Some(v) = config.ping_exit {
+ vpn_data.push(("ping-exit".into(), v.to_string()));
+ }
+ if let Some(v) = config.ping_restart {
+ vpn_data.push(("ping-restart".into(), v.to_string()));
+ }
+ if let Some(v) = config.reneg_seconds {
+ vpn_data.push(("reneg-sec".into(), v.to_string()));
+ }
+ if let Some(v) = config.connect_timeout {
+ vpn_data.push(("connect-timeout".into(), v.to_string()));
+ }
+ if let Some(ref s) = config.data_ciphers {
+ vpn_data.push(("data-ciphers".into(), s.clone()));
+ }
+ if let Some(ref s) = config.data_ciphers_fallback {
+ vpn_data.push(("data-ciphers-fallback".into(), s.clone()));
+ }
+ if config.ncp_disable {
+ vpn_data.push(("ncp-disable".into(), "yes".into()));
+ }
+ // holy moly
+
+ if let Some(ref proxy) = config.proxy {
+ match proxy {
+ OpenVpnProxy::Http {
+ server,
+ port,
+ username,
+ password,
+ retry,
+ } => {
+ if *port == 0 {
+ return Err(ConnectionError::InvalidAddress(
+ "proxy port must not be zero".into(),
+ ));
+ }
+ vpn_data.push(("proxy-type".into(), "http".into()));
+ vpn_data.push(("proxy-server".into(), server.clone()));
+ vpn_data.push(("proxy-port".into(), port.to_string()));
+ vpn_data.push((
+ "proxy-retry".into(),
+ if *retry { "yes" } else { "no" }.into(),
+ ));
+ if let Some(u) = username {
+ vpn_data.push(("http-proxy-username".into(), u.clone()));
+ }
+ if let Some(p) = password {
+ vpn_data.push(("http-proxy-password".into(), p.clone()));
+ }
+ }
+ OpenVpnProxy::Socks {
+ server,
+ port,
+ retry,
+ } => {
+ if *port == 0 {
+ return Err(ConnectionError::InvalidAddress(
+ "proxy port must not be zero".into(),
+ ));
+ }
+ vpn_data.push(("proxy-type".into(), "socks".into()));
+ vpn_data.push(("proxy-server".into(), server.clone()));
+ vpn_data.push(("proxy-port".into(), port.to_string()));
+ vpn_data.push((
+ "proxy-retry".into(),
+ if *retry { "yes" } else { "no" }.into(),
+ ));
+ }
+ }
+ }
+
+ let data_dict = string_pairs_to_dict(vpn_data)?;
+
+ let mut vpn_secrets: Vec<(String, String)> = Vec::new();
+ if let Some(ref password) = config.password {
+ vpn_secrets.push(("password".into(), password.clone()));
+ }
+ if let Some(ref key_password) = config.key_password {
+ vpn_secrets.push(("cert-pass".into(), key_password.clone()));
+ }
+
+ let mut vpn: HashMap<&'static str, Value<'static>> = HashMap::new();
+ vpn.insert(
+ "service-type",
+ Value::from("org.freedesktop.NetworkManager.openvpn"),
+ );
+ vpn.insert("data", Value::from(data_dict));
+ if !vpn_secrets.is_empty() {
+ vpn.insert("secrets", Value::from(string_pairs_to_dict(vpn_secrets)?));
+ }
+
+ let mut ipv4: HashMap<&'static str, Value<'static>> = HashMap::new();
+ ipv4.insert("method", Value::from("auto"));
+ if config.redirect_gateway {
+ ipv4.insert("never-default", Value::from(false));
+ }
+ if !config.routes.is_empty() {
+ let route_data: Vec>> = config
+ .routes
+ .iter()
+ .map(|route| {
+ let mut route_dict = HashMap::new();
+ route_dict.insert("dest".to_string(), Value::from(route.dest.clone()));
+ route_dict.insert("prefix".to_string(), Value::from(route.prefix));
+ if let Some(ref nh) = route.next_hop {
+ route_dict.insert("next-hop".to_string(), Value::from(nh.clone()));
+ }
+ if let Some(m) = route.metric {
+ route_dict.insert("metric".to_string(), Value::from(m));
+ }
+ route_dict
+ })
+ .collect();
+ ipv4.insert("route-data", Value::from(route_data));
+ }
+ if let Some(dns) = &config.dns {
+ let dns_array: Vec = dns.iter().map(|s| Value::from(s.clone())).collect();
+ ipv4.insert("dns", Value::from(dns_array));
+ }
+
+ let mut ipv6: HashMap<&'static str, Value<'static>> = HashMap::new();
+ ipv6.insert("method", Value::from("ignore"));
+
+ let mut settings = HashMap::new();
+ settings.insert("connection", connection);
+ settings.insert("vpn", vpn);
+ settings.insert("ipv4", ipv4);
+ settings.insert("ipv6", ipv6);
+
+ Ok(settings)
+}
#[cfg(test)]
mod tests {
use super::*;
- use crate::api::models::{VpnType, WireGuardPeer};
+ use crate::api::models::{
+ OpenVpnCompression, OpenVpnConfig, OpenVpnProxy, VpnKind, WireGuardPeer,
+ };
fn create_test_credentials() -> VpnCredentials {
let peer = WireGuardPeer::new(
@@ -122,7 +412,7 @@ mod tests {
.with_persistent_keepalive(25);
VpnCredentials::new(
- VpnType::WireGuard,
+ VpnKind::WireGuard,
"TestVPN",
"vpn.example.com:51820",
"YBk6X3pP8KjKz7+HFWzVHNqL3qTZq8hX9VxFQJ4zVmM=",
@@ -598,4 +888,437 @@ mod tests {
assert!(result.is_ok(), "Should accept valid gateway: {}", gateway);
}
}
+
+ // --- OpenVPN tests ---
+ fn create_openvpn_config() -> OpenVpnConfig {
+ OpenVpnConfig::new("TestOpenVPN", "vpn.example.com", 1194, false)
+ .with_ca_cert("/etc/openvpn/ca.crt")
+ .with_client_cert("/etc/openvpn/client.crt")
+ .with_client_key("/etc/openvpn/client.key")
+ }
+
+ #[test]
+ fn builds_openvpn_connection() {
+ let config = create_openvpn_config();
+ let opts = create_test_options();
+ let result = build_openvpn_connection(&config, &opts);
+ assert!(result.is_ok());
+ let settings = result.unwrap();
+ assert!(settings.contains_key("connection"));
+ assert!(settings.contains_key("vpn"));
+ assert!(settings.contains_key("ipv4"));
+ assert!(settings.contains_key("ipv6"));
+ }
+
+ #[test]
+ fn openvpn_connection_type_is_vpn() {
+ let config = create_openvpn_config();
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let conn = settings.get("connection").unwrap();
+ assert_eq!(conn.get("type").unwrap(), &Value::from("vpn"));
+ }
+
+ #[test]
+ fn openvpn_service_type_is_correct() {
+ let config = create_openvpn_config();
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let vpn = settings.get("vpn").unwrap();
+ assert_eq!(
+ vpn.get("service-type").unwrap(),
+ &Value::from("org.freedesktop.NetworkManager.openvpn")
+ );
+ }
+
+ #[test]
+ fn openvpn_rejects_empty_remote() {
+ let mut config = create_openvpn_config();
+ config.remote = "".into();
+ let opts = create_test_options();
+ let result = build_openvpn_connection(&config, &opts);
+ assert!(matches!(
+ result.unwrap_err(),
+ ConnectionError::InvalidGateway(_)
+ ));
+ }
+
+ #[test]
+ fn openvpn_compression_no() {
+ let config = create_openvpn_config().with_compression(OpenVpnCompression::No);
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let vpn = settings.get("vpn").unwrap();
+ // vpn.data is packed — just assert the section exists and no error
+ assert!(vpn.contains_key("data"));
+ }
+ #[allow(deprecated)]
+ #[test]
+ fn openvpn_compression_lzo() {
+ let config = create_openvpn_config().with_compression(OpenVpnCompression::Lzo);
+ let opts = create_test_options();
+ assert!(build_openvpn_connection(&config, &opts).is_ok());
+ }
+
+ #[test]
+ fn openvpn_compression_lz4() {
+ let config = create_openvpn_config().with_compression(OpenVpnCompression::Lz4);
+ let opts = create_test_options();
+ assert!(build_openvpn_connection(&config, &opts).is_ok());
+ }
+
+ #[test]
+ fn openvpn_compression_lz4v2() {
+ let config = create_openvpn_config().with_compression(OpenVpnCompression::Lz4V2);
+ let opts = create_test_options();
+ assert!(build_openvpn_connection(&config, &opts).is_ok());
+ }
+
+ #[test]
+ fn openvpn_compression_yes() {
+ let config = create_openvpn_config().with_compression(OpenVpnCompression::Yes);
+ let opts = create_test_options();
+ assert!(build_openvpn_connection(&config, &opts).is_ok());
+ }
+
+ #[test]
+ fn openvpn_http_proxy() {
+ let config = create_openvpn_config().with_proxy(OpenVpnProxy::Http {
+ server: "proxy.example.com".into(),
+ port: 8080,
+ username: Some("user".into()),
+ password: Some("pass".into()),
+ retry: true,
+ });
+ let opts = create_test_options();
+ assert!(build_openvpn_connection(&config, &opts).is_ok());
+ }
+
+ #[test]
+ fn openvpn_http_proxy_no_credentials() {
+ let config = create_openvpn_config().with_proxy(OpenVpnProxy::Http {
+ server: "proxy.example.com".into(),
+ port: 3128,
+ username: None,
+ password: None,
+ retry: false,
+ });
+ let opts = create_test_options();
+ assert!(build_openvpn_connection(&config, &opts).is_ok());
+ }
+
+ #[test]
+ fn openvpn_socks_proxy() {
+ let config = create_openvpn_config().with_proxy(OpenVpnProxy::Socks {
+ server: "socks.example.com".into(),
+ port: 1080,
+ retry: false,
+ });
+ let opts = create_test_options();
+ assert!(build_openvpn_connection(&config, &opts).is_ok());
+ }
+
+ #[test]
+ fn openvpn_proxy_rejects_zero_port_http() {
+ let config = create_openvpn_config().with_proxy(OpenVpnProxy::Http {
+ server: "proxy.example.com".into(),
+ port: 0,
+ username: None,
+ password: None,
+ retry: false,
+ });
+ let opts = create_test_options();
+ assert!(matches!(
+ build_openvpn_connection(&config, &opts).unwrap_err(),
+ ConnectionError::InvalidAddress(_)
+ ));
+ }
+
+ #[test]
+ fn openvpn_proxy_rejects_zero_port_socks() {
+ let config = create_openvpn_config().with_proxy(OpenVpnProxy::Socks {
+ server: "socks.example.com".into(),
+ port: 0,
+ retry: false,
+ });
+ let opts = create_test_options();
+ assert!(matches!(
+ build_openvpn_connection(&config, &opts).unwrap_err(),
+ ConnectionError::InvalidAddress(_)
+ ));
+ }
+
+ #[test]
+ fn openvpn_with_dns() {
+ let config = create_openvpn_config().with_dns(vec!["1.1.1.1".into(), "8.8.8.8".into()]);
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let ipv4 = settings.get("ipv4").unwrap();
+ assert!(ipv4.contains_key("dns"));
+ }
+
+ #[test]
+ fn openvpn_tcp_emits_proto_tcp() {
+ let config = OpenVpnConfig::new("TcpVPN", "vpn.example.com", 443, true);
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let vpn = settings.get("vpn").unwrap();
+ assert!(vpn.contains_key("data"));
+ }
+
+ #[test]
+ fn openvpn_vpn_data_has_dict_signature() {
+ let config = create_openvpn_config();
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let vpn = settings.get("vpn").unwrap();
+ let data = vpn.get("data").unwrap();
+ assert_eq!(
+ data.value_signature().to_string(),
+ "a{ss}",
+ "vpn.data must be a{{ss}} for NetworkManager"
+ );
+ }
+
+ fn get_vpn_data_value(
+ settings: &HashMap<&str, HashMap<&str, Value>>,
+ key: &str,
+ ) -> Option {
+ let vpn = settings.get("vpn")?;
+ let data = vpn.get("data")?;
+ if let Value::Dict(dict) = data {
+ let val: String = dict.get::(&Value::from(key)).ok()??;
+ return Some(val);
+ }
+ None
+ }
+
+ #[test]
+ fn openvpn_vpn_secrets_has_dict_signature() {
+ let config = create_openvpn_config()
+ .with_auth_type(OpenVpnAuthType::Password)
+ .with_username("user")
+ .with_password("secret");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let vpn = settings.get("vpn").unwrap();
+ let secrets = vpn.get("secrets").unwrap();
+ assert_eq!(
+ secrets.value_signature().to_string(),
+ "a{ss}",
+ "vpn.secrets must be a{{ss}} for NetworkManager"
+ );
+ }
+
+ #[test]
+ fn openvpn_tls_auth_key_and_direction() {
+ let config = create_openvpn_config().with_tls_auth("/etc/openvpn/ta.key", Some(1));
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "tls-auth").as_deref(),
+ Some("/etc/openvpn/ta.key")
+ );
+ assert_eq!(
+ get_vpn_data_value(&settings, "ta-dir").as_deref(),
+ Some("1")
+ );
+ }
+
+ #[test]
+ fn openvpn_tls_auth_key_without_direction() {
+ let config = create_openvpn_config().with_tls_auth("/etc/openvpn/ta.key", None);
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "tls-auth").as_deref(),
+ Some("/etc/openvpn/ta.key")
+ );
+ assert!(get_vpn_data_value(&settings, "ta-dir").is_none());
+ }
+
+ #[test]
+ fn openvpn_tls_crypt() {
+ let config = create_openvpn_config().with_tls_crypt("/etc/openvpn/tls-crypt.key");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "tls-crypt").as_deref(),
+ Some("/etc/openvpn/tls-crypt.key")
+ );
+ }
+
+ #[test]
+ fn openvpn_tls_crypt_v2() {
+ let config = create_openvpn_config().with_tls_crypt_v2("/etc/openvpn/tls-crypt-v2.key");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "tls-crypt-v2").as_deref(),
+ Some("/etc/openvpn/tls-crypt-v2.key")
+ );
+ }
+
+ #[test]
+ fn openvpn_tls_version_min() {
+ let config = create_openvpn_config().with_tls_version_min("1.2");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "tls-version-min").as_deref(),
+ Some("1.2")
+ );
+ }
+
+ #[test]
+ fn openvpn_tls_version_max() {
+ let config = create_openvpn_config().with_tls_version_max("1.3");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "tls-version-max").as_deref(),
+ Some("1.3")
+ );
+ }
+
+ #[test]
+ fn openvpn_tls_cipher() {
+ let config =
+ create_openvpn_config().with_tls_cipher("TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "tls-cipher").as_deref(),
+ Some("TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384")
+ );
+ }
+
+ #[test]
+ fn openvpn_remote_cert_tls() {
+ let config = create_openvpn_config().with_remote_cert_tls("server");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "remote-cert-tls").as_deref(),
+ Some("server")
+ );
+ }
+
+ #[test]
+ fn openvpn_verify_x509_name() {
+ let config = create_openvpn_config().with_verify_x509_name("vpn.example.com", "name");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "verify-x509-name").as_deref(),
+ Some("vpn.example.com")
+ );
+ assert_eq!(
+ get_vpn_data_value(&settings, "verify-x509-type").as_deref(),
+ Some("name")
+ );
+ }
+
+ #[test]
+ fn openvpn_crl_verify() {
+ let config = create_openvpn_config().with_crl_verify("/etc/openvpn/crl.pem");
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "crl-verify").as_deref(),
+ Some("/etc/openvpn/crl.pem")
+ );
+ }
+
+ #[test]
+ fn openvpn_tls_options_absent_by_default() {
+ let config = create_openvpn_config();
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert!(get_vpn_data_value(&settings, "tls-auth").is_none());
+ assert!(get_vpn_data_value(&settings, "ta-dir").is_none());
+ assert!(get_vpn_data_value(&settings, "tls-crypt").is_none());
+ assert!(get_vpn_data_value(&settings, "tls-crypt-v2").is_none());
+ assert!(get_vpn_data_value(&settings, "tls-version-min").is_none());
+ assert!(get_vpn_data_value(&settings, "tls-version-max").is_none());
+ assert!(get_vpn_data_value(&settings, "tls-cipher").is_none());
+ assert!(get_vpn_data_value(&settings, "remote-cert-tls").is_none());
+ assert!(get_vpn_data_value(&settings, "verify-x509-name").is_none());
+ assert!(get_vpn_data_value(&settings, "crl-verify").is_none());
+ }
+
+ #[test]
+ fn openvpn_resilience_keys_in_vpn_data() {
+ let config = create_openvpn_config()
+ .with_ping(10)
+ .with_ping_exit(60)
+ .with_ping_restart(120)
+ .with_reneg_seconds(3600)
+ .with_connect_timeout(30);
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(get_vpn_data_value(&settings, "ping").as_deref(), Some("10"));
+ assert_eq!(
+ get_vpn_data_value(&settings, "ping-exit").as_deref(),
+ Some("60")
+ );
+ assert_eq!(
+ get_vpn_data_value(&settings, "ping-restart").as_deref(),
+ Some("120")
+ );
+ assert_eq!(
+ get_vpn_data_value(&settings, "reneg-sec").as_deref(),
+ Some("3600")
+ );
+ assert_eq!(
+ get_vpn_data_value(&settings, "connect-timeout").as_deref(),
+ Some("30")
+ );
+ }
+
+ #[test]
+ fn openvpn_data_ciphers_and_ncp_disable() {
+ let config = create_openvpn_config()
+ .with_data_ciphers("AES-256-GCM:AES-128-GCM")
+ .with_data_ciphers_fallback("AES-256-GCM")
+ .with_ncp_disable(true);
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ assert_eq!(
+ get_vpn_data_value(&settings, "data-ciphers").as_deref(),
+ Some("AES-256-GCM:AES-128-GCM")
+ );
+ assert_eq!(
+ get_vpn_data_value(&settings, "data-ciphers-fallback").as_deref(),
+ Some("AES-256-GCM")
+ );
+ assert_eq!(
+ get_vpn_data_value(&settings, "ncp-disable").as_deref(),
+ Some("yes")
+ );
+ }
+
+ #[test]
+ fn openvpn_ipv4_route_data() {
+ use crate::api::models::VpnRoute;
+ let config = create_openvpn_config()
+ .with_routes(vec![VpnRoute::new("10.0.0.0", 24).next_hop("192.168.1.1")]);
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let ipv4 = settings.get("ipv4").unwrap();
+ let rd = ipv4.get("route-data").unwrap();
+ let Value::Array(arr) = rd else {
+ panic!("route-data must be an array");
+ };
+ assert_eq!(arr.iter().count(), 1, "expected one static route");
+ }
+
+ #[test]
+ fn openvpn_redirect_gateway_sets_never_default() {
+ let config = create_openvpn_config().with_redirect_gateway(true);
+ let opts = create_test_options();
+ let settings = build_openvpn_connection(&config, &opts).unwrap();
+ let ipv4 = settings.get("ipv4").unwrap();
+ assert_eq!(ipv4.get("never-default"), Some(&Value::from(false)));
+ }
}
diff --git a/nmrs/src/api/builders/wifi_builder.rs b/nmrs/src/api/builders/wifi_builder.rs
index 0acff2b1..4851bb58 100644
--- a/nmrs/src/api/builders/wifi_builder.rs
+++ b/nmrs/src/api/builders/wifi_builder.rs
@@ -10,6 +10,7 @@ use super::connection_builder::ConnectionBuilder;
use crate::api::models::{self, ConnectionOptions, EapMethod};
/// WiFi band selection.
+#[non_exhaustive]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum WifiBand {
/// 2.4 GHz band
diff --git a/nmrs/src/api/builders/wireguard_builder.rs b/nmrs/src/api/builders/wireguard_builder.rs
index b675ec4f..8a72120f 100644
--- a/nmrs/src/api/builders/wireguard_builder.rs
+++ b/nmrs/src/api/builders/wireguard_builder.rs
@@ -36,6 +36,7 @@ use crate::api::models::{ConnectionError, ConnectionOptions, WireGuardPeer};
/// .build()
/// .expect("Failed to build WireGuard connection");
/// ```
+#[non_exhaustive]
pub struct WireGuardBuilder {
inner: ConnectionBuilder,
name: String,
@@ -185,6 +186,7 @@ impl WireGuardBuilder {
/// - `ConnectionError::InvalidAddress` if address is missing or invalid
/// - `ConnectionError::InvalidPeers` if no peers are configured or peer validation fails
/// - `ConnectionError::InvalidGateway` if any peer gateway is invalid
+ #[must_use = "the connection settings must be passed to NetworkManager"]
pub fn build(
mut self,
) -> Result>>, ConnectionError> {
diff --git a/nmrs/src/api/mod.rs b/nmrs/src/api/mod.rs
index 86bb8a0b..e0da5502 100644
--- a/nmrs/src/api/mod.rs
+++ b/nmrs/src/api/mod.rs
@@ -5,3 +5,4 @@
pub mod builders;
pub mod models;
pub mod network_manager;
+pub mod wifi_scope;
diff --git a/nmrs/src/api/models/access_point.rs b/nmrs/src/api/models/access_point.rs
new file mode 100644
index 00000000..bc92c264
--- /dev/null
+++ b/nmrs/src/api/models/access_point.rs
@@ -0,0 +1,410 @@
+//! Per-AP model preserving BSSID and per-device state.
+//!
+//! [`AccessPoint`] represents a single Wi-Fi access point seen by a specific
+//! wireless device, preserving the BSSID and all NM-reported properties.
+//! Use [`list_access_points`](crate::NetworkManager::list_access_points) to
+//! enumerate them; use [`list_networks`](crate::NetworkManager::list_networks)
+//! for the deduplicated SSID-grouped view.
+
+use std::fmt;
+
+use serde::{Deserialize, Serialize};
+use zvariant::OwnedObjectPath;
+
+use super::DeviceState;
+
+/// A single Wi-Fi access point reported by NetworkManager.
+///
+/// Unlike [`Network`](super::Network), which groups APs sharing an SSID,
+/// each `AccessPoint` corresponds to one BSSID and carries per-device state.
+#[non_exhaustive]
+#[derive(Debug, Clone, PartialEq)]
+pub struct AccessPoint {
+ /// D-Bus path of this access point object.
+ pub path: OwnedObjectPath,
+ /// D-Bus path of the wireless device that sees this AP.
+ pub device_path: OwnedObjectPath,
+ /// Interface name of the device (e.g. `"wlan0"`).
+ pub interface: String,
+ /// SSID decoded as UTF-8, or `""` for hidden networks.
+ pub ssid: String,
+ /// Raw SSID bytes for non-UTF-8 SSIDs.
+ pub ssid_bytes: Vec,
+ /// BSSID in `"XX:XX:XX:XX:XX:XX"` format.
+ pub bssid: String,
+ /// Operating frequency in MHz.
+ pub frequency_mhz: u32,
+ /// Maximum supported bitrate in Kbit/s.
+ pub max_bitrate_kbps: u32,
+ /// Signal strength percentage (0–100).
+ pub strength: u8,
+ /// AP operating mode.
+ pub mode: ApMode,
+ /// Decoded security capabilities.
+ pub security: SecurityFeatures,
+ /// Monotonic seconds since boot when last seen, or `None` if never.
+ pub last_seen_secs: Option,
+ /// `true` if this AP is the active connection on `device_path`.
+ pub is_active: bool,
+ /// State of the wireless device at enumeration time (not live).
+ pub device_state: DeviceState,
+}
+
+/// Wi-Fi access point operating mode.
+#[non_exhaustive]
+#[derive(Debug, Clone, Copy, Eq, PartialEq, Serialize, Deserialize)]
+pub enum ApMode {
+ /// Ad-hoc (IBSS) network.
+ Adhoc,
+ /// Infrastructure (managed) mode — the most common.
+ Infrastructure,
+ /// Access point (hotspot) mode.
+ Ap,
+ /// Mesh mode.
+ Mesh,
+ /// Unknown or unrecognised NM mode value.
+ Unknown(u32),
+}
+
+impl From for ApMode {
+ fn from(value: u32) -> Self {
+ match value {
+ 1 => Self::Adhoc,
+ 2 => Self::Infrastructure,
+ 3 => Self::Ap,
+ 4 => Self::Mesh,
+ other => Self::Unknown(other),
+ }
+ }
+}
+
+impl fmt::Display for ApMode {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ match self {
+ Self::Adhoc => write!(f, "Ad-Hoc"),
+ Self::Infrastructure => write!(f, "Infrastructure"),
+ Self::Ap => write!(f, "AP"),
+ Self::Mesh => write!(f, "Mesh"),
+ Self::Unknown(v) => write!(f, "Unknown({v})"),
+ }
+ }
+}
+
+/// Decoded security capabilities of an access point.
+///
+/// Derived from NetworkManager's `Flags`, `WpaFlags`, and `RsnFlags` properties
+/// using the `NM80211ApFlags` and `NM80211ApSecurityFlags` bitmask values:
+///
+/// | Flag constant | Value | Field(s) |
+/// |---|---|---|
+/// | `NM_802_11_AP_FLAGS_PRIVACY` | `0x1` | `privacy` |
+/// | `NM_802_11_AP_FLAGS_WPS` | `0x2` | `wps` |
+/// | `PAIR_WEP40` | `0x1` | `wep40` |
+/// | `PAIR_WEP104` | `0x2` | `wep104` |
+/// | `PAIR_TKIP` | `0x4` | `tkip` |
+/// | `PAIR_CCMP` | `0x8` | `ccmp` |
+/// | `KEY_MGMT_PSK` | `0x100` | `psk` |
+/// | `KEY_MGMT_802_1X` | `0x200` | `eap` |
+/// | `KEY_MGMT_SAE` | `0x400` | `sae` |
+/// | `KEY_MGMT_OWE` | `0x800` | `owe` |
+/// | `KEY_MGMT_OWE_TM` | `0x1000` | `owe_transition_mode` |
+/// | `KEY_MGMT_EAP_SUITE_B_192` | `0x2000` | `eap_suite_b_192` |
+#[non_exhaustive]
+#[derive(Debug, Clone, Copy, Eq, PartialEq, Default, Serialize, Deserialize)]
+pub struct SecurityFeatures {
+ /// AP advertises privacy (WEP or higher).
+ pub privacy: bool,
+ /// WPS (Wi-Fi Protected Setup) is available.
+ pub wps: bool,
+
+ /// Pre-shared key authentication (WPA/WPA2-Personal).
+ pub psk: bool,
+ /// 802.1X / EAP authentication (WPA/WPA2-Enterprise).
+ pub eap: bool,
+ /// Simultaneous Authentication of Equals (WPA3-Personal).
+ pub sae: bool,
+ /// Opportunistic Wireless Encryption.
+ pub owe: bool,
+ /// OWE transition mode (mixed open + OWE).
+ pub owe_transition_mode: bool,
+ /// EAP Suite B 192-bit (WPA3-Enterprise 192-bit).
+ pub eap_suite_b_192: bool,
+
+ /// Pairwise WEP-40 cipher.
+ pub wep40: bool,
+ /// Pairwise WEP-104 cipher.
+ pub wep104: bool,
+ /// TKIP cipher.
+ pub tkip: bool,
+ /// CCMP (AES) cipher.
+ pub ccmp: bool,
+}
+
+impl SecurityFeatures {
+ /// Returns `true` if no security mechanism is advertised.
+ #[must_use]
+ pub fn is_open(&self) -> bool {
+ !self.privacy
+ && !self.psk
+ && !self.eap
+ && !self.sae
+ && !self.owe
+ && !self.owe_transition_mode
+ && !self.eap_suite_b_192
+ && !self.wep40
+ && !self.wep104
+ }
+
+ /// Returns `true` if enterprise authentication is available.
+ #[must_use]
+ pub fn is_enterprise(&self) -> bool {
+ self.eap || self.eap_suite_b_192
+ }
+
+ /// Returns `true` if WPA3 (SAE or OWE) is available.
+ #[must_use]
+ pub fn is_wpa3(&self) -> bool {
+ self.sae || self.owe
+ }
+
+ /// Returns the preferred connection type for this security profile.
+ #[must_use]
+ pub fn preferred_connect_type(&self) -> ConnectType {
+ if self.eap || self.eap_suite_b_192 {
+ ConnectType::Eap
+ } else if self.sae {
+ ConnectType::Sae
+ } else if self.owe || self.owe_transition_mode {
+ ConnectType::Owe
+ } else if self.psk {
+ ConnectType::Psk
+ } else {
+ ConnectType::Open
+ }
+ }
+}
+
+/// Preferred connection type derived from [`SecurityFeatures`].
+#[non_exhaustive]
+#[derive(Debug, Clone, Copy, Eq, PartialEq, Serialize, Deserialize)]
+pub enum ConnectType {
+ /// Open (no authentication).
+ Open,
+ /// Pre-shared key (WPA/WPA2-Personal).
+ Psk,
+ /// SAE (WPA3-Personal).
+ Sae,
+ /// 802.1X / EAP (Enterprise).
+ Eap,
+ /// Opportunistic Wireless Encryption.
+ Owe,
+}
+
+impl fmt::Display for ConnectType {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ match self {
+ Self::Open => write!(f, "Open"),
+ Self::Psk => write!(f, "PSK"),
+ Self::Sae => write!(f, "SAE"),
+ Self::Eap => write!(f, "EAP"),
+ Self::Owe => write!(f, "OWE"),
+ }
+ }
+}
+
+// NM80211ApFlags
+const AP_FLAGS_PRIVACY: u32 = 0x1;
+const AP_FLAGS_WPS: u32 = 0x2;
+
+// NM80211ApSecurityFlags (applied to both WpaFlags and RsnFlags)
+const SEC_PAIR_WEP40: u32 = 0x1;
+const SEC_PAIR_WEP104: u32 = 0x2;
+const SEC_PAIR_TKIP: u32 = 0x4;
+const SEC_PAIR_CCMP: u32 = 0x8;
+const SEC_KEY_MGMT_PSK: u32 = 0x100;
+const SEC_KEY_MGMT_802_1X: u32 = 0x200;
+const SEC_KEY_MGMT_SAE: u32 = 0x400;
+const SEC_KEY_MGMT_OWE: u32 = 0x800;
+const SEC_KEY_MGMT_OWE_TM: u32 = 0x1000;
+const SEC_KEY_MGMT_EAP_SUITE_B_192: u32 = 0x2000;
+
+/// Decodes NM's AP flag triplet into a [`SecurityFeatures`].
+///
+/// `flags` is `NM80211ApFlags`, `wpa` and `rsn` are `NM80211ApSecurityFlags`
+/// from the `WpaFlags` and `RsnFlags` AP properties respectively.
+pub(crate) fn decode_security(flags: u32, wpa: u32, rsn: u32) -> SecurityFeatures {
+ let combined = wpa | rsn;
+ SecurityFeatures {
+ privacy: (flags & AP_FLAGS_PRIVACY) != 0,
+ wps: (flags & AP_FLAGS_WPS) != 0,
+ psk: (combined & SEC_KEY_MGMT_PSK) != 0,
+ eap: (combined & SEC_KEY_MGMT_802_1X) != 0,
+ sae: (combined & SEC_KEY_MGMT_SAE) != 0,
+ owe: (combined & SEC_KEY_MGMT_OWE) != 0,
+ owe_transition_mode: (combined & SEC_KEY_MGMT_OWE_TM) != 0,
+ eap_suite_b_192: (combined & SEC_KEY_MGMT_EAP_SUITE_B_192) != 0,
+ wep40: (combined & SEC_PAIR_WEP40) != 0,
+ wep104: (combined & SEC_PAIR_WEP104) != 0,
+ tkip: (combined & SEC_PAIR_TKIP) != 0,
+ ccmp: (combined & SEC_PAIR_CCMP) != 0,
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn decode_open_network() {
+ let sec = decode_security(0, 0, 0);
+ assert!(sec.is_open());
+ assert!(!sec.is_enterprise());
+ assert!(!sec.is_wpa3());
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Open);
+ }
+
+ #[test]
+ fn decode_wep40() {
+ let sec = decode_security(AP_FLAGS_PRIVACY, SEC_PAIR_WEP40, 0);
+ assert!(!sec.is_open());
+ assert!(sec.privacy);
+ assert!(sec.wep40);
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Open);
+ }
+
+ #[test]
+ fn decode_wep104() {
+ let sec = decode_security(AP_FLAGS_PRIVACY, SEC_PAIR_WEP104, 0);
+ assert!(sec.wep104);
+ assert!(sec.privacy);
+ }
+
+ #[test]
+ fn decode_wpa_tkip_psk() {
+ let sec = decode_security(AP_FLAGS_PRIVACY, SEC_PAIR_TKIP | SEC_KEY_MGMT_PSK, 0);
+ assert!(sec.psk);
+ assert!(sec.tkip);
+ assert!(!sec.ccmp);
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Psk);
+ }
+
+ #[test]
+ fn decode_wpa2_ccmp_psk() {
+ let sec = decode_security(AP_FLAGS_PRIVACY, 0, SEC_PAIR_CCMP | SEC_KEY_MGMT_PSK);
+ assert!(sec.psk);
+ assert!(sec.ccmp);
+ assert!(!sec.tkip);
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Psk);
+ }
+
+ #[test]
+ fn decode_wpa2_enterprise() {
+ let sec = decode_security(AP_FLAGS_PRIVACY, 0, SEC_PAIR_CCMP | SEC_KEY_MGMT_802_1X);
+ assert!(sec.eap);
+ assert!(sec.ccmp);
+ assert!(sec.is_enterprise());
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Eap);
+ }
+
+ #[test]
+ fn decode_wpa3_sae() {
+ let sec = decode_security(AP_FLAGS_PRIVACY, 0, SEC_PAIR_CCMP | SEC_KEY_MGMT_SAE);
+ assert!(sec.sae);
+ assert!(sec.ccmp);
+ assert!(sec.is_wpa3());
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Sae);
+ }
+
+ #[test]
+ fn decode_owe() {
+ let sec = decode_security(0, 0, SEC_PAIR_CCMP | SEC_KEY_MGMT_OWE);
+ assert!(sec.owe);
+ assert!(sec.is_wpa3());
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Owe);
+ }
+
+ #[test]
+ fn decode_owe_transition() {
+ let sec = decode_security(0, 0, SEC_KEY_MGMT_OWE_TM);
+ assert!(sec.owe_transition_mode);
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Owe);
+ }
+
+ #[test]
+ fn decode_eap_suite_b_192() {
+ let sec = decode_security(
+ AP_FLAGS_PRIVACY,
+ 0,
+ SEC_PAIR_CCMP | SEC_KEY_MGMT_EAP_SUITE_B_192,
+ );
+ assert!(sec.eap_suite_b_192);
+ assert!(sec.is_enterprise());
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Eap);
+ }
+
+ #[test]
+ fn decode_wps_flag() {
+ let sec = decode_security(AP_FLAGS_WPS, 0, 0);
+ assert!(sec.wps);
+ }
+
+ #[test]
+ fn decode_mixed_wpa_wpa2() {
+ let sec = decode_security(
+ AP_FLAGS_PRIVACY,
+ SEC_PAIR_TKIP | SEC_KEY_MGMT_PSK,
+ SEC_PAIR_CCMP | SEC_KEY_MGMT_PSK,
+ );
+ assert!(sec.psk);
+ assert!(sec.tkip);
+ assert!(sec.ccmp);
+ }
+
+ #[test]
+ fn ap_mode_from_u32() {
+ assert_eq!(ApMode::from(1), ApMode::Adhoc);
+ assert_eq!(ApMode::from(2), ApMode::Infrastructure);
+ assert_eq!(ApMode::from(3), ApMode::Ap);
+ assert_eq!(ApMode::from(4), ApMode::Mesh);
+ assert_eq!(ApMode::from(99), ApMode::Unknown(99));
+ }
+
+ #[test]
+ fn connect_type_display() {
+ assert_eq!(ConnectType::Open.to_string(), "Open");
+ assert_eq!(ConnectType::Psk.to_string(), "PSK");
+ assert_eq!(ConnectType::Sae.to_string(), "SAE");
+ assert_eq!(ConnectType::Eap.to_string(), "EAP");
+ assert_eq!(ConnectType::Owe.to_string(), "OWE");
+ }
+
+ #[test]
+ fn security_features_default_is_open() {
+ let sec = SecurityFeatures::default();
+ assert!(sec.is_open());
+ }
+
+ #[test]
+ fn eap_prioritized_over_psk() {
+ let sec = SecurityFeatures {
+ psk: true,
+ eap: true,
+ ccmp: true,
+ privacy: true,
+ ..Default::default()
+ };
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Eap);
+ }
+
+ #[test]
+ fn sae_prioritized_over_psk() {
+ let sec = SecurityFeatures {
+ psk: true,
+ sae: true,
+ ccmp: true,
+ privacy: true,
+ ..Default::default()
+ };
+ assert_eq!(sec.preferred_connect_type(), ConnectType::Sae);
+ }
+}
diff --git a/nmrs/src/api/models/bluetooth.rs b/nmrs/src/api/models/bluetooth.rs
index eb8fe4f7..430e8f8e 100644
--- a/nmrs/src/api/models/bluetooth.rs
+++ b/nmrs/src/api/models/bluetooth.rs
@@ -40,6 +40,8 @@ pub struct BluetoothIdentity {
pub bdaddr: String,
/// Bluetooth device type (DUN or PANU)
pub bt_device_type: BluetoothNetworkRole,
+ /// Optional Bluetooth adapter name (e.g., "hci1"). Defaults to "hci0".
+ pub adapter: Option,
}
impl BluetoothIdentity {
@@ -73,6 +75,32 @@ impl BluetoothIdentity {
Ok(Self {
bdaddr,
bt_device_type,
+ adapter: None,
+ })
+ }
+
+ /// Creates a new `BluetoothIdentity` with a specific adapter.
+ ///
+ /// # Arguments
+ ///
+ /// * `bdaddr` - Bluetooth MAC address (e.g., "00:1A:7D:DA:71:13")
+ /// * `bt_device_type` - Bluetooth network role (PanU or Dun)
+ /// * `adapter` - Bluetooth adapter name (e.g., "hci1")
+ ///
+ /// # Errors
+ ///
+ /// Returns a `ConnectionError` if the provided `bdaddr` is not a
+ /// valid Bluetooth MAC address format.
+ pub fn with_adapter(
+ bdaddr: String,
+ bt_device_type: BluetoothNetworkRole,
+ adapter: String,
+ ) -> Result {
+ validate_bluetooth_address(&bdaddr)?;
+ Ok(Self {
+ bdaddr,
+ bt_device_type,
+ adapter: Some(adapter),
})
}
}
diff --git a/nmrs/src/api/models/connectivity.rs b/nmrs/src/api/models/connectivity.rs
new file mode 100644
index 00000000..a6ad7e6c
--- /dev/null
+++ b/nmrs/src/api/models/connectivity.rs
@@ -0,0 +1,129 @@
+//! Connectivity state and captive-portal awareness.
+//!
+//! NetworkManager periodically (or on demand via
+//! [`crate::NetworkManager::check_connectivity`]) probes a well-known URL to
+//! determine whether the host has actual internet access or is behind a captive
+//! portal. The result is exposed as a [`ConnectivityState`].
+//!
+//! UIs should watch for [`ConnectivityState::Portal`] and prompt the user to
+//! open their browser at the captive portal URL (see
+//! [`crate::NetworkManager::captive_portal_url`]).
+
+use std::fmt;
+
+/// NM's `NMConnectivityState` enum.
+#[non_exhaustive]
+#[derive(Debug, Clone, Copy, Eq, PartialEq, Hash)]
+pub enum ConnectivityState {
+ /// NM has not checked yet.
+ Unknown,
+ /// No network connection at all.
+ None,
+ /// Connected behind a captive portal.
+ Portal,
+ /// Connected but no internet (upstream unreachable).
+ Limited,
+ /// Connected and internet-reachable.
+ Full,
+}
+
+impl ConnectivityState {
+ /// `true` only when the host has verified internet connectivity.
+ #[must_use]
+ pub fn is_usable_for_internet(self) -> bool {
+ matches!(self, Self::Full)
+ }
+
+ /// `true` when NM detected a captive portal.
+ #[must_use]
+ pub fn is_captive(self) -> bool {
+ matches!(self, Self::Portal)
+ }
+}
+
+impl From for ConnectivityState {
+ fn from(v: u32) -> Self {
+ match v {
+ 0 => Self::Unknown,
+ 1 => Self::None,
+ 2 => Self::Portal,
+ 3 => Self::Limited,
+ 4 => Self::Full,
+ _ => Self::Unknown,
+ }
+ }
+}
+
+impl From for u32 {
+ fn from(s: ConnectivityState) -> u32 {
+ match s {
+ ConnectivityState::Unknown => 0,
+ ConnectivityState::None => 1,
+ ConnectivityState::Portal => 2,
+ ConnectivityState::Limited => 3,
+ ConnectivityState::Full => 4,
+ }
+ }
+}
+
+impl fmt::Display for ConnectivityState {
+ fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+ match self {
+ Self::Unknown => write!(f, "unknown"),
+ Self::None => write!(f, "none"),
+ Self::Portal => write!(f, "portal"),
+ Self::Limited => write!(f, "limited"),
+ Self::Full => write!(f, "full"),
+ }
+ }
+}
+
+/// Snapshot of NM's connectivity subsystem.
+///
+/// Returned by [`crate::NetworkManager::connectivity_report`].
+#[non_exhaustive]
+#[derive(Debug, Clone)]
+pub struct ConnectivityReport {
+ /// Current connectivity state.
+ pub state: ConnectivityState,
+ /// Whether NM is allowed to probe.
+ pub check_enabled: bool,
+ /// URL NM probes when checking (may be empty if disabled).
+ pub check_uri: Option,
+ /// Captive-portal URL detected by NM, if state is [`ConnectivityState::Portal`].
+ /// `None` when NM has not filled in the URL or the NM version doesn't expose it.
+ pub captive_portal_url: Option,
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn round_trip_all() {
+ for code in 0..=4 {
+ let s = ConnectivityState::from(code);
+ assert_eq!(u32::from(s), code);
+ }
+ }
+
+ #[test]
+ fn out_of_range_maps_to_unknown() {
+ assert_eq!(ConnectivityState::from(99), ConnectivityState::Unknown);
+ }
+
+ #[test]
+ fn is_captive() {
+ assert!(ConnectivityState::Portal.is_captive());
+ assert!(!ConnectivityState::Full.is_captive());
+ assert!(!ConnectivityState::None.is_captive());
+ }
+
+ #[test]
+ fn is_usable() {
+ assert!(ConnectivityState::Full.is_usable_for_internet());
+ assert!(!ConnectivityState::Portal.is_usable_for_internet());
+ assert!(!ConnectivityState::Limited.is_usable_for_internet());
+ assert!(!ConnectivityState::Unknown.is_usable_for_internet());
+ }
+}
diff --git a/nmrs/src/api/models/device.rs b/nmrs/src/api/models/device.rs
index e6c92adf..94f72140 100644
--- a/nmrs/src/api/models/device.rs
+++ b/nmrs/src/api/models/device.rs
@@ -1,5 +1,7 @@
use std::fmt::{Display, Formatter};
+use zvariant::OwnedObjectPath;
+
/// Represents a network device managed by NetworkManager.
///
/// A device can be a WiFi adapter, Ethernet interface, or other network hardware.
@@ -59,6 +61,39 @@ pub struct Device {
// pub speed: Option,
}
+/// A Wi-Fi device summary returned by
+/// [`list_wifi_devices`](crate::NetworkManager::list_wifi_devices).
+///
+/// Use this on multi-radio machines (laptops with USB dongles, docks with a
+/// second wireless adapter, etc.) to discover the available interfaces and
+/// pick one to scope subsequent operations to. Pair with
+/// [`NetworkManager::wifi`](crate::NetworkManager::wifi) for ergonomic
+/// per-interface calls.
+#[non_exhaustive]
+#[derive(Debug, Clone)]
+pub struct WifiDevice {
+ /// D-Bus object path of the device.
+ pub path: OwnedObjectPath,
+ /// Interface name (e.g. `"wlan0"`).
+ pub interface: String,
+ /// Current MAC address (may be randomized).
+ pub hw_address: String,
+ /// Permanent (factory-burned) MAC, if NM exposes it.
+ pub permanent_hw_address: Option,
+ /// Kernel driver name, if available.
+ pub driver: Option,
+ /// Current device state.
+ pub state: DeviceState,
+ /// Whether NetworkManager manages this device.
+ pub managed: bool,
+ /// Whether NM will autoconnect known networks on this device.
+ pub autoconnect: bool,
+ /// `true` if the device currently has an active access point.
+ pub is_active: bool,
+ /// SSID of the currently active AP, if any.
+ pub active_ssid: Option,
+}
+
/// Represents the hardware identity of a network device.
///
/// Contains MAC addresses that uniquely identify the device. The permanent
diff --git a/nmrs/src/api/models/error.rs b/nmrs/src/api/models/error.rs
index 2b9bc8fc..4c724f9a 100644
--- a/nmrs/src/api/models/error.rs
+++ b/nmrs/src/api/models/error.rs
@@ -1,5 +1,7 @@
use thiserror::Error;
+use crate::core::ovpn_parser::error::OvpnParseError;
+
use super::connection_state::ConnectionStateReason;
use super::state_reason::StateReason;
@@ -18,7 +20,7 @@ use super::state_reason::StateReason;
/// # async fn example() -> nmrs::Result<()> {
/// let nm = NetworkManager::new().await?;
///
-/// match nm.connect("MyNetwork", WifiSecurity::WpaPsk {
+/// match nm.connect("MyNetwork", None, WifiSecurity::WpaPsk {
/// psk: "password".into()
/// }).await {
/// Ok(_) => println!("Connected!"),
@@ -46,7 +48,7 @@ use super::state_reason::StateReason;
/// let nm = NetworkManager::new().await?;
///
/// for attempt in 1..=3 {
-/// match nm.connect("MyNetwork", WifiSecurity::Open).await {
+/// match nm.connect("MyNetwork", None, WifiSecurity::Open).await {
/// Ok(_) => {
/// println!("Connected on attempt {}", attempt);
/// break;
@@ -112,6 +114,22 @@ pub enum ConnectionError {
#[error("no saved connection for network")]
NoSavedConnection,
+ /// No saved profile with the given UUID.
+ #[error("saved connection '{0}' not found")]
+ SavedConnectionNotFound(String),
+
+ /// Saved profile settings are missing required keys or are inconsistent.
+ #[error("saved connection malformed: {0}")]
+ MalformedSavedConnection(String),
+
+ /// A public builder was missing a required field.
+ #[error("incomplete builder: {0}")]
+ IncompleteBuilder(String),
+
+ /// NM's connectivity checks are disabled; `check_connectivity` cannot run.
+ #[error("connectivity checks are disabled in NetworkManager")]
+ ConnectivityCheckDisabled,
+
/// An empty password was provided for the requested network.
#[error("no password was provided")]
MissingPassword,
@@ -132,6 +150,14 @@ pub enum ConnectionError {
#[error("no VPN connection found")]
NoVpnConnection,
+ /// VPN connection not found by UUID or name.
+ #[error("VPN connection '{0}' not found")]
+ VpnNotFound(String),
+
+ /// Multiple VPN connections share the same display name.
+ #[error("multiple VPN connections named '{0}', use UUID")]
+ VpnIdAmbiguous(String),
+
/// Invalid IP address or CIDR notation
#[error("invalid address: {0}")]
InvalidAddress(String),
@@ -182,4 +208,43 @@ pub enum ConnectionError {
/// A secret agent is already registered under this identifier.
#[error("secret agent already registered under this identifier")]
AgentAlreadyRegistered,
+
+ /// An error occured while parsing a configuration
+ #[error("error while parsing a configuration: {0}")]
+ ParseError(OvpnParseError),
+
+ /// Access point with the given SSID and BSSID was not found.
+ #[error("access point for SSID '{ssid}' with BSSID '{bssid}' not found")]
+ ApBssidNotFound {
+ /// SSID that was searched for.
+ ssid: String,
+ /// BSSID that was searched for.
+ bssid: String,
+ },
+
+ /// Invalid BSSID format.
+ #[error("invalid BSSID format: '{0}' (expected XX:XX:XX:XX:XX:XX)")]
+ InvalidBssid(String),
+
+ /// Interface exists but is not a Wi-Fi device.
+ #[error("interface '{interface}' is not a Wi-Fi device")]
+ NotAWifiDevice {
+ /// The interface name that was checked.
+ interface: String,
+ },
+
+ /// No Wi-Fi device with the given interface name.
+ #[error("no Wi-Fi device named '{interface}'")]
+ WifiInterfaceNotFound {
+ /// The interface name that was searched for.
+ interface: String,
+ },
+
+ /// A radio is hardware-disabled via rfkill.
+ #[error("radio is hardware-disabled (rfkill)")]
+ HardwareRadioKilled,
+
+ /// The BlueZ Bluetooth stack is unavailable.
+ #[error("bluetooth stack unavailable: {0}")]
+ BluezUnavailable(String),
}
diff --git a/nmrs/src/api/models/mod.rs b/nmrs/src/api/models/mod.rs
index c5f1b030..f5ca15b7 100644
--- a/nmrs/src/api/models/mod.rs
+++ b/nmrs/src/api/models/mod.rs
@@ -1,21 +1,33 @@
+pub(crate) mod access_point;
mod bluetooth;
mod config;
mod connection_state;
+mod connectivity;
mod device;
mod error;
+mod openvpn;
+mod radio;
+mod saved_connection;
mod state_reason;
mod vpn;
mod wifi;
+mod wireguard;
#[cfg(test)]
#[path = "tests.rs"]
mod tests;
+pub use access_point::*;
pub use bluetooth::*;
pub use config::*;
pub use connection_state::*;
+pub use connectivity::*;
pub use device::*;
pub use error::*;
+pub use openvpn::*;
+pub use radio::*;
+pub use saved_connection::*;
pub use state_reason::*;
pub use vpn::*;
pub use wifi::*;
+pub use wireguard::*;
diff --git a/nmrs/src/api/models/openvpn.rs b/nmrs/src/api/models/openvpn.rs
new file mode 100644
index 00000000..76cc41a6
--- /dev/null
+++ b/nmrs/src/api/models/openvpn.rs
@@ -0,0 +1,791 @@
+#![allow(deprecated)]
+
+use super::vpn::{VpnConfig, VpnKind};
+use crate::api::models::error::ConnectionError;
+use std::convert::TryFrom;
+use std::net::Ipv4Addr;
+use uuid::Uuid;
+
+/// A static IPv4 route for OpenVPN split tunneling.
+///
+/// Serialized to NetworkManager `ipv4.route-data`.
+#[non_exhaustive]
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct VpnRoute {
+ /// Destination network (e.g. `10.0.0.0`).
+ pub dest: String,
+ /// CIDR prefix length (0–32).
+ pub prefix: u32,
+ /// Optional gateway (`next-hop` in NM).
+ pub next_hop: Option,
+ /// Optional route metric.
+ pub metric: Option,
+}
+
+impl VpnRoute {
+ /// Creates a route to `dest`/`prefix`.
+ #[must_use]
+ pub fn new(dest: impl Into, prefix: u32) -> Self {
+ Self {
+ dest: dest.into(),
+ prefix,
+ next_hop: None,
+ metric: None,
+ }
+ }
+
+ /// Sets the gateway for this route.
+ #[must_use]
+ pub fn next_hop(mut self, gateway: impl Into) -> Self {
+ self.next_hop = Some(gateway.into());
+ self
+ }
+
+ /// Sets the route metric.
+ #[must_use]
+ pub fn metric(mut self, metric: u32) -> Self {
+ self.metric = Some(metric);
+ self
+ }
+}
+
+/// OpenVPN authentication type.
+///
+/// Specifies how the client authenticates with the OpenVPN server.
+#[non_exhaustive]
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum OpenVpnAuthType {
+ /// Username/password authentication only.
+ Password,
+ /// TLS certificate authentication only.
+ Tls,
+ /// Both password and TLS certificate authentication.
+ PasswordTls,
+ /// Static key authentication (pre-shared key).
+ StaticKey,
+}
+
+/// OpenVPN connection configuration.
+///
+/// Stores the necessary information to configure and connect to an OpenVPN server.
+///
+/// # Example
+///
+/// ```rust
+/// use nmrs::{OpenVpnConfig, OpenVpnAuthType};
+///
+/// let config = OpenVpnConfig::new("MyVPN", "vpn.example.com", 1194, false)
+/// .with_auth_type(OpenVpnAuthType::PasswordTls)
+/// .with_username("user")
+/// .with_password("secret")
+/// .with_ca_cert("/path/to/ca.crt")
+/// .with_dns(vec!["1.1.1.1".into()]);
+/// ```
+#[non_exhaustive]
+#[derive(Debug, Clone)]
+pub struct OpenVpnConfig {
+ /// Connection name.
+ pub name: String,
+ /// Remote server hostname or IP.
+ pub remote: String,
+ /// Remote server port (default: 1194).
+ pub port: u16,
+ /// Use TCP instead of UDP.
+ pub tcp: bool,
+ /// Authentication type.
+ pub auth_type: Option,
+ /// HMAC digest algorithm (e.g., "SHA256").
+ pub auth: Option,
+ /// Data channel cipher (e.g., "AES-256-GCM").
+ pub cipher: Option,
+ /// DNS servers to use when connected.
+ pub dns: Option>,
+ /// MTU size.
+ pub mtu: Option,
+ /// Connection UUID.
+ pub uuid: Option,
+ /// Path to CA certificate.
+ pub ca_cert: Option,
+ /// Path to client certificate.
+ pub client_cert: Option,
+ /// Path to client private key.
+ pub client_key: Option,
+ /// Password for encrypted private key.
+ pub key_password: Option,
+ /// Username for password authentication.
+ pub username: Option,
+ /// Password for password authentication.
+ pub password: Option,
+ /// Compression algorithm. See [`OpenVpnCompression`] for security considerations.
+ pub compression: Option,
+ /// Proxy configuration.
+ pub proxy: Option,
+ /// Path to TLS authentication (HMAC firewall) key file.
+ pub tls_auth_key: Option,
+ /// TLS auth direction (`0` or `1`). Only meaningful when `tls_auth_key` is set.
+ pub tls_auth_direction: Option,
+ /// Path to TLS-Crypt key file (encrypt+authenticate control channel).
+ pub tls_crypt: Option,
+ /// Path to TLS-Crypt-v2 key file (per-client TLS-Crypt).
+ pub tls_crypt_v2: Option,
+ /// Minimum TLS version (e.g. "1.2").
+ pub tls_version_min: Option,
+ /// Maximum TLS version (e.g. "1.3").
+ pub tls_version_max: Option,
+ /// Control channel TLS cipher suites (e.g. "TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384").
+ pub tls_cipher: Option,
+ /// Require remote certificate to be of a specific type ("server" or "client").
+ pub remote_cert_tls: Option,
+ /// X.509 name verification: `(name, type)` where type is e.g. "name", "subject",
+ /// or "name-prefix".
+ pub verify_x509_name: Option<(String, String)>,
+ /// Path to a Certificate Revocation List file.
+ pub crl_verify: Option,
+ /// When true, this profile may become the default route (full tunnel / `redirect-gateway`).
+ ///
+ /// Maps to `ipv4.never-default = false` in NetworkManager when set.
+ pub redirect_gateway: bool,
+ /// Static IPv4 routes for split tunneling (`ipv4.route-data`).
+ pub routes: Vec,
+ /// OpenVPN `ping` interval in seconds.
+ pub ping: Option,
+ /// OpenVPN `ping-exit` seconds.
+ pub ping_exit: Option,
+ /// OpenVPN `ping-restart` seconds.
+ pub ping_restart: Option,
+ /// TLS renegotiation period (`reneg-sec`).
+ pub reneg_seconds: Option,
+ /// Initial connection timeout in seconds (`connect-timeout`).
+ pub connect_timeout: Option,
+ /// Negotiable data ciphers list (`data-ciphers`), colon-separated.
+ pub data_ciphers: Option,
+ /// Fallback data cipher (`data-ciphers-fallback`).
+ pub data_ciphers_fallback: Option,
+ /// When true, disables NCP (`ncp-disable`).
+ pub ncp_disable: bool,
+}
+
+impl OpenVpnConfig {
+ /// Creates a new `OpenVpnConfig` with required fields.
+ pub fn new(name: impl Into, remote: impl Into, port: u16, tcp: bool) -> Self {
+ Self {
+ name: name.into(),
+ remote: remote.into(),
+ port,
+ tcp,
+ auth_type: None,
+ auth: None,
+ cipher: None,
+ dns: None,
+ mtu: None,
+ uuid: None,
+ ca_cert: None,
+ client_cert: None,
+ client_key: None,
+ key_password: None,
+ username: None,
+ password: None,
+ compression: None,
+ proxy: None,
+ tls_auth_key: None,
+ tls_auth_direction: None,
+ tls_crypt: None,
+ tls_crypt_v2: None,
+ tls_version_min: None,
+ tls_version_max: None,
+ tls_cipher: None,
+ remote_cert_tls: None,
+ verify_x509_name: None,
+ crl_verify: None,
+ redirect_gateway: false,
+ routes: Vec::new(),
+ ping: None,
+ ping_exit: None,
+ ping_restart: None,
+ reneg_seconds: None,
+ connect_timeout: None,
+ data_ciphers: None,
+ data_ciphers_fallback: None,
+ ncp_disable: false,
+ }
+ }
+
+ /// Sets the authentication type.
+ #[must_use]
+ pub fn with_auth_type(mut self, auth_type: OpenVpnAuthType) -> Self {
+ self.auth_type = Some(auth_type);
+ self
+ }
+
+ /// Sets the HMAC digest algorithm.
+ #[must_use]
+ pub fn with_auth(mut self, auth: impl Into) -> Self {
+ self.auth = Some(auth.into());
+ self
+ }
+
+ /// Sets the data channel cipher.
+ #[must_use]
+ pub fn with_cipher(mut self, cipher: impl Into) -> Self {
+ self.cipher = Some(cipher.into());
+ self
+ }
+
+ /// Sets the DNS servers to use when connected.
+ #[must_use]
+ pub fn with_dns(mut self, dns: Vec) -> Self {
+ self.dns = Some(dns);
+ self
+ }
+
+ /// Sets the MTU (Maximum Transmission Unit) size.
+ #[must_use]
+ pub fn with_mtu(mut self, mtu: u32) -> Self {
+ self.mtu = Some(mtu);
+ self
+ }
+
+ /// Sets the UUID for the connection.
+ #[must_use]
+ pub fn with_uuid(mut self, uuid: Uuid) -> Self {
+ self.uuid = Some(uuid);
+ self
+ }
+
+ /// Sets the CA certificate path.
+ #[must_use]
+ pub fn with_ca_cert(mut self, path: impl Into) -> Self {
+ self.ca_cert = Some(path.into());
+ self
+ }
+
+ /// Sets the client certificate path.
+ #[must_use]
+ pub fn with_client_cert(mut self, path: impl Into) -> Self {
+ self.client_cert = Some(path.into());
+ self
+ }
+
+ /// Sets the client private key path.
+ #[must_use]
+ pub fn with_client_key(mut self, path: impl Into) -> Self {
+ self.client_key = Some(path.into());
+ self
+ }
+
+ /// Sets the password for an encrypted private key.
+ #[must_use]
+ pub fn with_key_password(mut self, password: impl Into) -> Self {
+ self.key_password = Some(password.into());
+ self
+ }
+
+ /// Sets the username for password authentication.
+ #[must_use]
+ pub fn with_username(mut self, username: impl Into) -> Self {
+ self.username = Some(username.into());
+ self
+ }
+
+ /// Sets the password for password authentication.
+ #[must_use]
+ pub fn with_password(mut self, password: impl Into) -> Self {
+ self.password = Some(password.into());
+ self
+ }
+
+ /// Sets the compression algorithm.
+ ///
+ /// # Security Warning
+ ///
+ /// Some compression modes are subject to the VORACLE vulnerability.
+ /// See [`OpenVpnCompression`] for details and recommendations.
+ #[must_use]
+ pub fn with_compression(mut self, compression: OpenVpnCompression) -> Self {
+ self.compression = Some(compression);
+ self
+ }
+
+ /// Sets the proxy configuration.
+ #[must_use]
+ pub fn with_proxy(mut self, proxy: OpenVpnProxy) -> Self {
+ self.proxy = Some(proxy);
+ self
+ }
+
+ /// Sets the TLS authentication key path and optional direction.
+ ///
+ /// The `--tls-auth` option adds an HMAC firewall to the control channel,
+ /// providing an additional layer of DoS protection.
+ #[must_use]
+ pub fn with_tls_auth(mut self, key_path: impl Into, direction: Option) -> Self {
+ self.tls_auth_key = Some(key_path.into());
+ self.tls_auth_direction = direction;
+ self
+ }
+
+ /// Sets the TLS-Crypt key path.
+ ///
+ /// Encrypts and authenticates the control channel with a pre-shared key,
+ /// providing stronger protection than `--tls-auth`.
+ #[must_use]
+ pub fn with_tls_crypt(mut self, key_path: impl Into) -> Self {
+ self.tls_crypt = Some(key_path.into());
+ self
+ }
+
+ /// Sets the TLS-Crypt-v2 key path (per-client key wrapping).
+ #[must_use]
+ pub fn with_tls_crypt_v2(mut self, key_path: impl Into) -> Self {
+ self.tls_crypt_v2 = Some(key_path.into());
+ self
+ }
+
+ /// Sets the minimum TLS protocol version (e.g. "1.2").
+ #[must_use]
+ pub fn with_tls_version_min(mut self, version: impl Into) -> Self {
+ self.tls_version_min = Some(version.into());
+ self
+ }
+
+ /// Sets the maximum TLS protocol version (e.g. "1.3").
+ #[must_use]
+ pub fn with_tls_version_max(mut self, version: impl Into) -> Self {
+ self.tls_version_max = Some(version.into());
+ self
+ }
+
+ /// Sets the allowed control channel TLS cipher suites.
+ #[must_use]
+ pub fn with_tls_cipher(mut self, cipher: impl Into) -> Self {
+ self.tls_cipher = Some(cipher.into());
+ self
+ }
+
+ /// Requires the remote certificate to be of a specific type ("server" or "client").
+ #[must_use]
+ pub fn with_remote_cert_tls(mut self, cert_type: impl Into) -> Self {
+ self.remote_cert_tls = Some(cert_type.into());
+ self
+ }
+
+ /// Sets X.509 name verification for the remote certificate.
+ ///
+ /// `name_type` is one of "name", "subject", or "name-prefix".
+ #[must_use]
+ pub fn with_verify_x509_name(
+ mut self,
+ name: impl Into,
+ name_type: impl Into,
+ ) -> Self {
+ self.verify_x509_name = Some((name.into(), name_type.into()));
+ self
+ }
+
+ /// Sets the path to a Certificate Revocation List for peer verification.
+ #[must_use]
+ pub fn with_crl_verify(mut self, path: impl Into) -> Self {
+ self.crl_verify = Some(path.into());
+ self
+ }
+
+ /// When true, the connection may become the default IPv4 route (full tunnel).
+ #[must_use]
+ pub fn with_redirect_gateway(mut self, redirect: bool) -> Self {
+ self.redirect_gateway = redirect;
+ self
+ }
+
+ /// Replaces static IPv4 routes for split tunneling.
+ #[must_use]
+ pub fn with_routes(mut self, routes: Vec) -> Self {
+ self.routes = routes;
+ self
+ }
+
+ /// Sets the OpenVPN `ping` interval (seconds).
+ #[must_use]
+ pub fn with_ping(mut self, seconds: u32) -> Self {
+ self.ping = Some(seconds);
+ self
+ }
+
+ /// Sets OpenVPN `ping-exit` (seconds).
+ #[must_use]
+ pub fn with_ping_exit(mut self, seconds: u32) -> Self {
+ self.ping_exit = Some(seconds);
+ self
+ }
+
+ /// Sets OpenVPN `ping-restart` (seconds).
+ #[must_use]
+ pub fn with_ping_restart(mut self, seconds: u32) -> Self {
+ self.ping_restart = Some(seconds);
+ self
+ }
+
+ /// Sets TLS renegotiation period (`reneg-sec`, seconds).
+ #[must_use]
+ pub fn with_reneg_seconds(mut self, seconds: u32) -> Self {
+ self.reneg_seconds = Some(seconds);
+ self
+ }
+
+ /// Sets initial connection timeout (`connect-timeout`, seconds).
+ #[must_use]
+ pub fn with_connect_timeout(mut self, seconds: u32) -> Self {
+ self.connect_timeout = Some(seconds);
+ self
+ }
+
+ /// Sets negotiable data ciphers (colon-separated, e.g. `AES-256-GCM:AES-128-GCM`).
+ #[must_use]
+ pub fn with_data_ciphers(mut self, ciphers: impl Into) -> Self {
+ self.data_ciphers = Some(ciphers.into());
+ self
+ }
+
+ /// Sets the fallback data cipher (`data-ciphers-fallback`).
+ #[must_use]
+ pub fn with_data_ciphers_fallback(mut self, cipher: impl Into) -> Self {
+ self.data_ciphers_fallback = Some(cipher.into());
+ self
+ }
+
+ /// When true, disables NCP cipher negotiation (`ncp-disable`).
+ #[must_use]
+ pub fn with_ncp_disable(mut self, disable: bool) -> Self {
+ self.ncp_disable = disable;
+ self
+ }
+}
+
+fn ipv4_netmask_to_prefix(netmask: Ipv4Addr) -> u32 {
+ let mut prefix = 0u32;
+ for byte in netmask.octets() {
+ if byte == 0xff {
+ prefix += 8;
+ } else if byte == 0 {
+ break;
+ } else {
+ let mut b = byte;
+ while b & 0x80 != 0 {
+ prefix += 1;
+ b <<= 1;
+ }
+ break;
+ }
+ }
+ prefix
+}
+
+pub(crate) fn vpn_route_from_parser(
+ r: crate::core::ovpn_parser::parser::Route,
+) -> Result {
+ let dest = r.network.to_string();
+ let prefix = r.netmask.map(ipv4_netmask_to_prefix).unwrap_or(32);
+ if prefix > 32 {
+ return Err(ConnectionError::InvalidAddress(format!(
+ "invalid route netmask for destination {dest}"
+ )));
+ }
+ let next_hop = r.gateway.map(|g| g.to_string());
+ Ok(VpnRoute {
+ dest,
+ prefix,
+ next_hop,
+ metric: None,
+ })
+}
+
+impl TryFrom for OpenVpnConfig {
+ type Error = ConnectionError;
+
+ fn try_from(f: crate::core::ovpn_parser::parser::OvpnFile) -> Result {
+ use crate::core::ovpn_parser::parser::{AllowCompress, CertSource, Compress};
+
+ let first_remote = f
+ .remotes
+ .into_iter()
+ .next()
+ .ok_or_else(|| ConnectionError::InvalidGateway("no remote in .ovpn file".into()))?;
+
+ let tcp = first_remote
+ .proto
+ .as_deref()
+ .map(|p: &str| p.starts_with("tcp"))
+ .unwrap_or_else(|| {
+ f.proto
+ .as_deref()
+ .map(|p: &str| p.starts_with("tcp"))
+ .unwrap_or(false)
+ });
+
+ let compression = match (f.compress, f.allow_compress) {
+ (Some(Compress::Algorithm(ref s)), _) => Some(match s.as_str() {
+ "lz4" => OpenVpnCompression::Lz4,
+ "lz4-v2" => OpenVpnCompression::Lz4V2,
+ _ => OpenVpnCompression::Yes,
+ }),
+ (Some(Compress::Stub | Compress::StubV2), _) => Some(OpenVpnCompression::No),
+ (None, Some(AllowCompress::No)) => Some(OpenVpnCompression::No),
+ _ => None,
+ };
+
+ // Client certificate auth needs both cert and key; one alone is incomplete.
+ let has_client_cert_pair = f.cert.is_some() && f.key.is_some();
+ let auth_type = match (f.auth_user_pass, has_client_cert_pair) {
+ (true, true) => Some(OpenVpnAuthType::PasswordTls),
+ (true, false) => Some(OpenVpnAuthType::Password),
+ (false, true) => Some(OpenVpnAuthType::Tls),
+ (false, false) => None,
+ };
+
+ let cert_path = |src: CertSource, field: &str| -> Result {
+ match src {
+ CertSource::File(p) => Ok(p),
+ CertSource::Inline(_) => Err(ConnectionError::VpnFailed(format!(
+ "inline <{field}> blocks require OpenVpnBuilder::from_ovpn_file() \
+ or from_ovpn_str() which persists them via the cert store; \
+ TryFrom cannot handle inline certs"
+ ))),
+ }
+ };
+
+ let routes: Vec = f
+ .routes
+ .into_iter()
+ .map(vpn_route_from_parser)
+ .collect::>()?;
+
+ let redirect_gateway = f.redirect_gateway.is_some();
+
+ let data_ciphers = if f.data_ciphers.is_empty() {
+ None
+ } else {
+ Some(f.data_ciphers.join(":"))
+ };
+
+ Ok(OpenVpnConfig {
+ name: String::new(),
+ remote: first_remote.host,
+ port: first_remote.port.unwrap_or(1194),
+ tcp,
+ auth_type,
+ auth: f.auth,
+ cipher: f.cipher,
+ dns: None,
+ mtu: None,
+ uuid: None,
+ ca_cert: f.ca.map(|s| cert_path(s, "ca")).transpose()?,
+ client_cert: f.cert.map(|s| cert_path(s, "cert")).transpose()?,
+ client_key: f.key.map(|s| cert_path(s, "key")).transpose()?,
+ key_password: None,
+ username: None,
+ password: None,
+ compression,
+ proxy: None,
+ tls_auth_key: None,
+ tls_auth_direction: None,
+ tls_crypt: None,
+ tls_crypt_v2: None,
+ tls_version_min: None,
+ tls_version_max: None,
+ tls_cipher: None,
+ remote_cert_tls: None,
+ verify_x509_name: None,
+ crl_verify: None,
+ redirect_gateway,
+ routes,
+ ping: None,
+ ping_exit: None,
+ ping_restart: None,
+ reneg_seconds: None,
+ connect_timeout: None,
+ data_ciphers,
+ data_ciphers_fallback: None,
+ ncp_disable: false,
+ })
+ }
+}
+
+impl super::vpn::sealed::Sealed for OpenVpnConfig {}
+
+impl VpnConfig for OpenVpnConfig {
+ fn vpn_kind(&self) -> VpnKind {
+ VpnKind::Plugin
+ }
+
+ fn name(&self) -> &str {
+ &self.name
+ }
+
+ fn dns(&self) -> Option<&[String]> {
+ self.dns.as_deref()
+ }
+
+ fn mtu(&self) -> Option {
+ self.mtu
+ }
+
+ fn uuid(&self) -> Option {
+ self.uuid
+ }
+}
+
+/// Compression algorithm for OpenVPN connections.
+///
+/// Maps to the NM `compress` and `comp-lzo` keys in the `vpn.data` dict.
+///
+/// # Security Warning
+///
+/// Compression is generally discouraged due to the VORACLE vulnerability,
+/// where compression oracles can be exploited to recover plaintext from
+/// encrypted tunnels. OpenVPN 2.5+ defaults to `--allow-compression no`.
+/// Prefer [`No`](OpenVpnCompression::No) unless you have a specific need
+/// and understand the risk. See .
+#[non_exhaustive]
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum OpenVpnCompression {
+ /// Disable compression explicitly. Recommended default.
+ ///
+ /// Maps to `compress no` in the NM `vpn.data` dict.
+ No,
+
+ /// LZO compression.
+ ///
+ /// Maps to `comp-lzo yes` in the NM `vpn.data` dict.
+ ///
+ /// # Security Warning
+ ///
+ /// Subject to the VORACLE vulnerability. See [`OpenVpnCompression`] docs.
+ ///
+ /// # Deprecation
+ ///
+ /// `comp-lzo` is deprecated upstream in OpenVPN in favour of the newer
+ /// `compress` directive. Use [`Lz4V2`](OpenVpnCompression::Lz4V2) if
+ /// you need compression, or [`No`](OpenVpnCompression::No) to disable it.
+ #[deprecated(note = "comp-lzo is deprecated upstream. Use Lz4V2 or No instead.")]
+ Lzo,
+
+ /// LZ4 compression.
+ ///
+ /// Maps to `compress lz4` in the NM `vpn.data` dict.
+ ///
+ /// # Security Warning
+ ///
+ /// Subject to the VORACLE vulnerability. See [`OpenVpnCompression`] docs.
+ Lz4,
+
+ /// LZ4 v2 compression.
+ ///
+ /// Maps to `compress lz4-v2` in the NM `vpn.data` dict.
+ ///
+ /// # Security Warning
+ ///
+ /// Subject to the VORACLE vulnerability. See [`OpenVpnCompression`] docs.
+ Lz4V2,
+
+ /// Adaptive compression — algorithm negotiated at runtime.
+ ///
+ /// Maps to `compress yes` in the NM `vpn.data` dict.
+ ///
+ /// # Security Warning
+ ///
+ /// Subject to the VORACLE vulnerability. See [`OpenVpnCompression`] docs.
+ Yes,
+}
+
+/// Proxy configuration for OpenVPN connections.
+///
+/// Maps to the NM `proxy-type`, `proxy-server`, `proxy-port`,
+/// `proxy-retry`, `http-proxy-username`, and `http-proxy-password` keys.
+#[non_exhaustive]
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub enum OpenVpnProxy {
+ /// HTTP proxy.
+ Http {
+ server: String,
+ port: u16,
+ username: Option,
+ password: Option,
+ retry: bool,
+ },
+ /// SOCKS proxy.
+ Socks {
+ server: String,
+ port: u16,
+ retry: bool,
+ },
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+ use crate::core::ovpn_parser::parser::parse_ovpn;
+
+ fn ovpn_with_remote(extra: &str) -> String {
+ format!("remote vpn.example.com 1194 udp\n{extra}")
+ }
+
+ #[test]
+ fn try_from_auth_user_pass_with_file_certs_infers_password_tls() {
+ let input = ovpn_with_remote(
+ "auth-user-pass\ncert /etc/openvpn/client.crt\nkey /etc/openvpn/client.key",
+ );
+ let ovpn = parse_ovpn(&input).unwrap();
+ let config = OpenVpnConfig::try_from(ovpn).unwrap();
+ assert_eq!(config.auth_type, Some(OpenVpnAuthType::PasswordTls));
+ }
+
+ #[test]
+ fn try_from_auth_user_pass_without_certs_infers_password() {
+ let input = ovpn_with_remote("auth-user-pass");
+ let ovpn = parse_ovpn(&input).unwrap();
+ let config = OpenVpnConfig::try_from(ovpn).unwrap();
+ assert_eq!(config.auth_type, Some(OpenVpnAuthType::Password));
+ }
+
+ #[test]
+ fn try_from_no_auth_user_pass_with_file_certs_infers_tls() {
+ let input = ovpn_with_remote("cert /etc/openvpn/client.crt\nkey /etc/openvpn/client.key");
+ let ovpn = parse_ovpn(&input).unwrap();
+ let config = OpenVpnConfig::try_from(ovpn).unwrap();
+ assert_eq!(config.auth_type, Some(OpenVpnAuthType::Tls));
+ }
+
+ #[test]
+ fn try_from_no_auth_user_pass_no_certs_infers_none() {
+ let input = ovpn_with_remote("");
+ let ovpn = parse_ovpn(&input).unwrap();
+ let config = OpenVpnConfig::try_from(ovpn).unwrap();
+ assert_eq!(config.auth_type, None);
+ }
+
+ #[test]
+ fn try_from_inline_cert_returns_error() {
+ let input = ovpn_with_remote("\nCERTPEM\n\n\nKEYPEM\n");
+ let ovpn = parse_ovpn(&input).unwrap();
+ let result = OpenVpnConfig::try_from(ovpn);
+ assert!(
+ result.is_err(),
+ "inline certs should be rejected by TryFrom"
+ );
+ }
+
+ #[test]
+ fn try_from_cert_only_without_auth_user_pass_does_not_infer_tls() {
+ let input = ovpn_with_remote("cert /etc/openvpn/client.crt");
+ let ovpn = parse_ovpn(&input).unwrap();
+ let config = OpenVpnConfig::try_from(ovpn).unwrap();
+ assert_eq!(config.auth_type, None);
+ }
+
+ #[test]
+ fn try_from_cert_only_with_auth_user_pass_infers_password_not_password_tls() {
+ let input = ovpn_with_remote("auth-user-pass\ncert /etc/openvpn/client.crt");
+ let ovpn = parse_ovpn(&input).unwrap();
+ let config = OpenVpnConfig::try_from(ovpn).unwrap();
+ assert_eq!(config.auth_type, Some(OpenVpnAuthType::Password));
+ }
+}
diff --git a/nmrs/src/api/models/radio.rs b/nmrs/src/api/models/radio.rs
new file mode 100644
index 00000000..99053cad
--- /dev/null
+++ b/nmrs/src/api/models/radio.rs
@@ -0,0 +1,128 @@
+//! Radio and airplane-mode state types.
+//!
+//! NetworkManager tracks both a software-enabled flag (controlled via D-Bus)
+//! and a hardware-enabled flag (reflecting the kernel rfkill state) for each
+//! radio. [`RadioState`] captures both, and [`AirplaneModeState`] aggregates
+//! Wi-Fi, WWAN, and Bluetooth into a single snapshot.
+
+/// Software and hardware enabled state for a single radio.
+///
+/// `enabled` reflects the user-facing toggle (can be written via D-Bus).
+/// `hardware_enabled` reflects the kernel rfkill state and cannot be changed
+/// from userspace — if `false`, setting `enabled = true` is accepted by NM
+/// but the radio remains off until hardware is unkilled.
+#[non_exhaustive]
+#[derive(Debug, Clone, Copy, Eq, PartialEq)]
+pub struct RadioState {
+ /// Software-enabled: can the user turn this radio on via NM?
+ pub enabled: bool,
+ /// Hardware-enabled: is rfkill allowing this radio?
+ /// If `false`, `enabled = true` is a no-op until hardware is unkilled.
+ pub hardware_enabled: bool,
+}
+
+impl RadioState {
+ /// Creates a new `RadioState`.
+ #[must_use]
+ pub fn new(enabled: bool, hardware_enabled: bool) -> Self {
+ Self {
+ enabled,
+ hardware_enabled,
+ }
+ }
+}
+
+/// Aggregated radio state for all radios that `nmrs` can control.
+///
+/// Returned by [`NetworkManager::airplane_mode_state`](crate::NetworkManager::airplane_mode_state).
+#[non_exhaustive]
+#[derive(Debug, Clone, Copy, Eq, PartialEq)]
+pub struct AirplaneModeState {
+ /// Wi-Fi radio state.
+ pub wifi: RadioState,
+ /// WWAN (mobile broadband) radio state.
+ pub wwan: RadioState,
+ /// Bluetooth radio state (sourced from BlueZ + rfkill).
+ pub bluetooth: RadioState,
+}
+
+impl AirplaneModeState {
+ /// Creates a new `AirplaneModeState`.
+ #[must_use]
+ pub fn new(wifi: RadioState, wwan: RadioState, bluetooth: RadioState) -> Self {
+ Self {
+ wifi,
+ wwan,
+ bluetooth,
+ }
+ }
+
+ /// Returns `true` if every radio `nmrs` can control is software-disabled.
+ ///
+ /// This is the "airplane mode is on" state — all radios off.
+ #[must_use]
+ pub fn is_airplane_mode(&self) -> bool {
+ !self.wifi.enabled && !self.wwan.enabled && !self.bluetooth.enabled
+ }
+
+ /// Returns `true` if any radio has its hardware kill switch active.
+ #[must_use]
+ pub fn any_hardware_killed(&self) -> bool {
+ !self.wifi.hardware_enabled
+ || !self.wwan.hardware_enabled
+ || !self.bluetooth.hardware_enabled
+ }
+}
+
+#[cfg(test)]
+mod tests {
+ use super::*;
+
+ #[test]
+ fn all_off_is_airplane_mode() {
+ let state = AirplaneModeState::new(
+ RadioState::new(false, true),
+ RadioState::new(false, true),
+ RadioState::new(false, true),
+ );
+ assert!(state.is_airplane_mode());
+ assert!(!state.any_hardware_killed());
+ }
+
+ #[test]
+ fn any_on_is_not_airplane_mode() {
+ let state = AirplaneModeState::new(
+ RadioState::new(true, true),
+ RadioState::new(false, true),
+ RadioState::new(false, true),
+ );
+ assert!(!state.is_airplane_mode());
+ }
+
+ #[test]
+ fn hardware_killed_detected() {
+ let state = AirplaneModeState::new(
+ RadioState::new(true, true),
+ RadioState::new(true, false),
+ RadioState::new(true, true),
+ );
+ assert!(state.any_hardware_killed());
+ }
+
+ #[test]
+ fn no_hardware_kill() {
+ let state = AirplaneModeState::new(
+ RadioState::new(false, true),
+ RadioState::new(false, true),
+ RadioState::new(false, true),
+ );
+ assert!(!state.any_hardware_killed());
+ }
+
+ #[test]
+ fn radio_state_new() {
+ let rs = RadioState::new(true, false);
+ assert!(rs.enabled);
+ assert!(!rs.hardware_enabled);
+ }
+}
diff --git a/nmrs/src/api/models/saved_connection.rs b/nmrs/src/api/models/saved_connection.rs
new file mode 100644
index 00000000..5580faac
--- /dev/null
+++ b/nmrs/src/api/models/saved_connection.rs
@@ -0,0 +1,216 @@
+//! Saved NetworkManager connection profiles with decoded settings summaries.
+//!
+//! Use [`crate::NetworkManager::list_saved_connections`] to enumerate every
+//! profile NM knows about (Wi-Fi, Ethernet, VPN, WireGuard, mobile, Bluetooth).
+//! Secrets (PSK, EAP passwords, VPN tokens) are **not** included in
+//! [`SavedConnection`] — NetworkManager only returns them via
+//! [`GetSecrets`](https://networkmanager.dev/docs/api/latest/gdbus-org.freedesktop.NetworkManager.Settings.Connection.html#gdbus-method-org-freedesktop-NetworkManager-Settings-Connection.GetSecrets)
+//! when a [secret agent](crate::agent) is registered. See feature `01-secret-agent`.
+
+use std::collections::HashMap;
+
+use zvariant::{OwnedObjectPath, OwnedValue};
+
+/// Full saved profile with a structured [`SettingsSummary`].
+#[non_exhaustive]
+#[derive(Debug, Clone)]
+pub struct SavedConnection {
+ /// D-Bus object path of the settings connection.
+ pub path: OwnedObjectPath,
+ /// Connection UUID (`connection.uuid`).
+ pub uuid: String,
+ /// Human-visible name (`connection.id`).
+ pub id: String,
+ /// NM connection type string (`connection.type`), e.g. `802-11-wireless`.
+ pub connection_type: String,
+ /// Bound interface, if any (`connection.interface-name`).
+ pub interface_name: Option,
+ /// Whether NM may auto-activate this profile (`connection.autoconnect`).
+ pub autoconnect: bool,
+ /// Autoconnect priority (`connection.autoconnect-priority`).
+ pub autoconnect_priority: i32,
+ /// Last activation time as Unix seconds (`connection.timestamp`), or `0` if never.
+ pub timestamp_unix: u64,
+ /// `connection.permissions` user strings, if present.
+ pub permissions: Vec,
+ /// In-memory-only profile not yet written to disk.
+ pub unsaved: bool,
+ /// On-disk keyfile path when saved.
+ pub filename: Option,
+ /// Decoded type-specific fields (no secrets).
+ pub summary: SettingsSummary,
+}
+
+/// Cheap listing: path plus `connection` identity fields only (still one `GetSettings` per profile).
+#[non_exhaustive]
+#[derive(Debug, Clone)]
+pub struct SavedConnectionBrief {
+ /// D-Bus object path.
+ pub path: OwnedObjectPath,
+ /// `connection.uuid`.
+ pub uuid: String,
+ /// `connection.id`.
+ pub id: String,
+ /// `connection.type`.
+ pub connection_type: String,
+}
+
+/// Partial update merged via [`crate::NetworkManager::update_saved_connection`].
+#[non_exhaustive]
+#[derive(Debug, Default, Clone)]
+pub struct SettingsPatch {
+ /// When `Some`, sets `connection.autoconnect`.
+ pub autoconnect: Option,
+ /// When `Some`, sets `connection.autoconnect-priority`.
+ pub autoconnect_priority: Option,
+ /// When `Some`, sets `connection.id`.
+ pub id: Option,
+ /// `Some(Some(name))` sets `interface-name`; `Some(None)` clears it (best-effort empty string).
+ pub interface_name: Option>,
+ /// Merged after the fields above; section → key → value. Overwrites keys present.
+ pub raw_overlay: Option
