GNOME Bugzilla – Bug 732826
nmcli - Disconnect VPN Without Specifying ID or UUID
Last modified: 2015-04-20 18:51:01 UTC
In a recent attempt to eliminate steps when switching between VPNs ( https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/1215262 ), I discovered a need for adding an additional option to the nmcli command. Currently, in order to disconnect a VPN, you have to specify its id or uuid. I'm proposing that a general disconnection feature be added that will disconnect any connected VPN without having to specify its id or UUID. This need becomes more clear when you attempt to automate switching between VPNs, as I describe in this comment: https://bugs.launchpad.net/ubuntu/+source/network-manager-vpnc/+bug/1215262/comments/4 As you can see, without this proposed feature, switching between VPNs is very verbose to automate. I wish there was a command like this: nmcli con down allvpn This proposed command would disconnects any currently connected VPNs (without the necessity of specifying their id or uuid). If you are connected to a VPN, this command will return a list of established VPN connections: nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' This command will list the IDs of any established vpn connections (one per line): nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' | grep -oP '^.*?(?=\s{2,})' So to disconnect all VPN connections you could do it based on this ID like this: nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' | grep -oP '^.*?(?=\s{2,})' | sed 's/^/\x27/' | sed 's/$/\x27/' | xargs -L1 nmcli con down id However, perhaps it is better to do this using the UUIDs. You can list the UUIDs of all established VPN connections like this: nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' | grep -oP '(?<=[\s]{2})[^\s]+(?=(\s+[^\s]+){2}\s+yes.*)' So you can disconnect all established VPN connections by UUID like this: nmcli con status | grep -oP '^(([^\s]+\s){1,}[\s]{2,}){4}yes.+$' | grep -oP '(?<=[\s]{2})[^\s]+(?=(\s+[^\s]+){2}\s+yes.*)' | xargs -L1 nmcli con down uuid Perhaps this logic could be added to nmcli, so that this following proposed option would concisely achieve the same results: nmcli con down allvpn Downstream: https://bugs.launchpad.net/network-manager-openvpn/+bug/1338382
Sidenote: in the meantime nmcli changed the syntax to show active connections. On 0.9.10 you would do instead: [1] nmcli connection show --active And there was a short time, where the above would have to be written as [2] nmcli connection show active The latter syntax was during development of 0.9.9, and is only present in Fedora 20 AFAIK. Also, nmcli has also the options --terse, --fields, and --mode. Those might help with parsing of the output. Regarding a new VPN disconnect-all option: I am not convinced about the need for that. Especially since there is a simple(?) workaround as you presented.
Perhaps someone with your experience would find these workarounds simple, but I won't pretend that I wrote those commands at my max-type-speed. Plus, you've already revealed that the latest version already breaks the work-arounds I've implemented. Therefore, if this feature was offered inherently, by nmcli, it could be relied upon without worry that future updates might break commands, code, or scripts that rely upon parsing "nmcli-output that has an unchanging format/interface".
(In reply to comment #2) > Plus, you've already revealed that the latest version already breaks the > work-arounds I've implemented. > > Therefore, if this feature was offered inherently, by nmcli, it could be relied > upon without worry that future updates might break commands, code, or scripts > that rely upon parsing "nmcli-output that has an unchanging format/interface". If you depend on this new command, you already restrict your script to >= 0.9.10 (unless somebody backports it to nmcli <= 0.9.8, which most likely won't happen). nmcli <= 0.9.8 was new and not yet finished. Therefore the command line syntax was changed. In the future we will be very careful not to do that again. Really!! :) Anyway. Such a new command could become a proper NM method that NetworkManager provides via the DBUS interface ( https://developer.gnome.org/NetworkManager/0.9/spec.html ). Any client (including nmcli) would only call this new method and all the work would be done by NetworkManager. However, probably it would be better and more flexibly to implement it entirely inside the client, i.e. nmcli would use the DBUS API to query the active VPN connections and down them one by one. If you do that, the nmcli solution is not at all more powerful then a python script (or any other client application that uses the DBUS interface). nmcli uses no other interface then the public DBUS API. I would suggest instead to write a python application that implements the new command. Examples how to do that would be here http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/examples/python/ (btw. the DBUS API is "quite" stable, so the script could easily work with >= 0.9.8). If somebody is willing to implement the such a command in nmcli, I certainly don't oppose it. But I wouldn't hold my breath, and a script using DBUS could do the very same.
I have added Lua and Python scripts for deactivating connection by type. Find them in the examples directory: http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/examples/lua/lgi/deactivate-all.lua http://cgit.freedesktop.org/NetworkManager/NetworkManager/tree/examples/python/gi/deactivate-all.py
In the new version of nmcli, you can disconnect all active vpn connections with the following command: nmcli connection show --active | grep vpn | grep -oP .{8}-.{4}-.{4}-.{4}-.{12} | xargs -L1 nmcli con down uuid