
networking: VPN support

Open garrett opened this issue 3 years ago • 30 comments

It would be great to have a VPN section on the Networking page.

This should be like the Firewall functionality, where it's exposed on the Networking page yet has additional details on a sub-page.

It could include Wireguard and OpenVPN.

garrett avatar Feb 14 '22 15:02 garrett

Does this mean VPNs created by networkmanager? Interestingly, networkmanager shows my wireguard vpn under "Wireguard" and openvpn under "VPN".

jelly avatar Feb 14 '22 16:02 jelly

Yes, it'd be nice for Cockpit to be able to create and manage VPNs.

You're right that a good first step is to at least show that they exist (they do exist as another network currently, as you demonstrate @ https://github.com/cockpit-project/cockpit/issues/16948#issuecomment-1039289225) and we should visually tag them somehow as such.

garrett avatar Feb 15 '22 14:02 garrett

Hi! I'm interested in making contributions to the Network views. I'm currently working on NetDevOps, but recently met cockpit. I'm keeping an eye on this thread. In June I finish exams at university and I will have time for contributions!

gil-obradors avatar Apr 06 '22 07:04 gil-obradors

@gil-obradors: That's great!

If you happen to know about IRC and how to use that with an IRC client, we're on #cockpit on irc.libera.chat and generally are most active during European "business" hours. (Monday through Friday, central European time.) Although people hang out at all times of the day and even on the weekend and might reply at other times too... but standard hours are best for conversations.

There's also a web-based way of joining and chatting with us using your browser at this link: https://kiwiirc.com/nextclient/irc.libera.chat/#cockpit (Although you do have to become a registered user to actually join the channel. Libera has info about how to do that @ https://libera.chat/guides/registration)

When you do have the time (I suppose in June?), please drop by and we'd be happy to help.

We also have contribution guidelines and documentation on our website @ https://cockpit-project.org/external/wiki/Contributing.html, which also includes how to set up your system to work on Cockpit: https://cockpit-project.org/external/source/HACKING.html

garrett avatar Apr 06 '22 09:04 garrett

Thanks @garrett! I will be fully free after the 18th of June. From now on, in some idle time I'm going to study all the documentation, thanks for the links. I'm amazed at that wonderful on-demand architecture. I want to play with it! We're in touch!

gil-obradors avatar Apr 06 '22 10:04 gil-obradors

I'm trying to integrate Wireguard and OpenVPN

A basic object to generate this kind of VPNs via dbus and NetworkManager (with Python):

# Creating vpn interface with python dbus : wireguard and openvpn
import uuid
from pydbus import SystemBus, Variant

bus = SystemBus()
remote_object = bus.get("org.freedesktop.NetworkManager",
                       "/org/freedesktop/NetworkManager/Settings")

wg = {"connection": {'id': Variant("s", "wg1"),
                    'type': Variant("s", "wireguard"),
                    'interface-name': Variant("s", "wg1"),
                    'autoconnect': Variant("b", True),
                    'uuid': Variant("s", str(uuid.uuid4()))},
     "wireguard": {"peers": Variant('aa{sv}',
                                    [{'public-key': Variant("s", "vFapZXxbhQEhqTSV883VSCd6J+xs0FBihpg4wQCl4BA="),
                                      'endpoint': Variant('s', "192.168.2.1:13238"),
                                      'allowed-ips': Variant('as', ['192.168.50.0/24'])}]),
                   "private-key": Variant("s", "KImII0Ti4tRZjYIlzWVYZKsTr+h/i3/79Z+CPr0YWF4=")},
     "ipv4": {'address-data': Variant('aa{sv}', [{'address': Variant('s', '192.168.50.2'),
                                                  # NetworkManager expects the prefix as uint32 ('u')
                                                  'prefix': Variant('u', 24)}]),
              'addresses': Variant('aau', [[36874432, 24, 20097216], ]),
              'gateway': Variant('s', "192.168.50.3"),
              'dns': Variant('au', [16843009, ]),
              'method': Variant("s", "manual")}}
openvpn = {'connection': {'autoconnect': Variant('b', True),
                         'id': Variant('s', 'Connexió VPN'),
                         'type': Variant('s', 'vpn'),
                         'metered': Variant('i', 2),
                         'uuid': Variant('s', str(uuid.uuid4()))
                         },
          'vpn': {'data': Variant('a{ss}',
                                  {'ca': '/home/gil/openvpn_ssl/rootCACert.pem',
                                   'connection-type': 'password',
                                   'dev-type': 'tun',
                                   'password-flags': '1',
                                   'proto-tcp': 'yes',
                                   'remote': '192.168.2.1:1194:tcp',
                                   'username': 'prova'
                                   }),
                  'secrets': Variant('a{ss}', {"password": "contrasenya"}),
                  'service-type': Variant('s', 'org.freedesktop.NetworkManager.openvpn')},
          }

And to create the interfaces:

remote_object.AddConnection(wg)
remote_object.AddConnection(openvpn)

I will start with Wireguard because it's easier. OpenVPN has a lot of options to deal with.

Points to discuss:

  • How to assure system dependencies? Wireguard needs wireguard on dpkg/rhel system.
  • Networking vpn layout
  • Create onair private key from browser


Hands on!

gil-obradors avatar Jun 24 '22 16:06 gil-obradors

work-done

gil-obradors avatar Jun 27 '22 05:06 gil-obradors

I'm trying to integrate Wireguard and OpenVPN

I will start with Wireguard because it's easier. OpenVPN has a lot of options to deal with.

Cool! Thanks for doing all the research!

Points to discuss:

  • How to assure system dependencies? Wireguard needs wireguard on dpkg/rhel system.

For this we usually use packagekit; other pages have an option to install the required dependency if it's missing. There is a dialog for this in pkg/lib/cockpit-components-install-dialog.jsx. See for example pkg/metrics/metrics.jsx: if cockpit-pcp is missing, a button is shown to install it. I am not 100% sure how that would work if we have an Add vpn dropdown; would it then show install wireguard?

  • Networking vpn layout

Something which should maybe first require a change is how we show network interfaces: if I enable my wireguard vpn named dedi, I don't really see that it's a VPN and what type. As far as I understand, wireguard is its own interface type, so that should be possible to show:

image

Thinking a bit further ahead, how would one edit a VPN in the future? Should it even be done through interfaces and not in a separate section?

And for example tun0 for openvpn. (depends on configuration of course)

  • Create a pair private key from browser

That should be possible with cockpit.spawn(); we can call the required wg genkey commands. In the android app this happens if the field is unset, iirc. As wireguard supports multiple setups, would this support setting it up as VPN server? Should adding a VPN open the wireguard port in firewalld when it is found? (With a checkbox, as the client does not need to open a port; might be a bit tricky UX-wise.)

I think the wireguard android app is probably a good UI to look at for inspiration; it contains some more optional fields.

jelly avatar Jun 27 '22 09:06 jelly

Thanks @jelly for your time!

As you know cockpit in depth: in the OpenVPN scenario we need files with keys. Is there any solution better than specifying the file path on the system? (This implies having transferred the file before; Wireguard is more friendly in that...)

I'm on it! I have work quite advanced... maybe this weekend I can take it out of the oven :meat_on_bone:

About the networking vpn layout page... maybe @garrett could show the way... There are many possibilities:

  • Dropdown with [openvpn,wireguard,pppoe] in actual interfaces table. ( Or better.... if vpn-provider not installed -> Install Wireguard, otherwise button with Wireguard text as attached image)
  • Table order, order by type, different colors shadows , icons column
  • New article networking-interfaces-vpn with new card-table

I don't care what we decide, I'm not very good at UI but I have time :smile:

image

gil-obradors avatar Jun 28 '22 16:06 gil-obradors

Thanks @jelly for your time!

As you know cockpit in depth: in the OpenVPN scenario we need files with keys. Is there any solution better than specifying the file path on the system? (This implies having transferred the file before; Wireguard is more friendly in that...)

Do you mean the remote or the local system? We do have FileAutoComplete which is used in for example cockpit-podman to select a container path on the host.

jelly avatar Jun 29 '22 12:06 jelly

I think that Add VPN button with a dropdown menu is reasonable. I'm not really a fan of that pattern, but it sure beats tossing a ton of various VPN buttons on the page.

We could just have add VPN with a selector too. However, the dialogs are pretty huge, especially the PPPoE one:

image

  • Are any of the options optional? What do they mean?
  • What's the difference between "Name" and "Service name"? I'm guessing name is the "Connection name". Leaving it unprefixed (just "Name") is a bit confusing, especially with "Username" right below it. (It could be your name if it's just an empty field.)
  • What type of values are needed for each? (I'm assuming the LCP stuff is numbers...)
  • Shouldn't the parent interface be a dropdown with available (and probably active) interfaces?

BTW: It's looking great! I love the progress on this! :+1:

garrett avatar Jun 29 '22 16:06 garrett

Thanks for comments @garrett and @jelly !

With everything we have discussed...here the result:

Peek 2022-07-03 19-36

I would put some tooltips/text helpers/placeholders... for example in the wireguard endpoint, NetworkManager expects the <IP: HOST> format. How do you see it?

If it looks fine, I'll continue with openvpn.... and maybe fortinetSSL? It doesn't come by default like WireGuard, but it's an installable plugin like openvpn. I have in mind to check if the vpn-provider is available when the modal is loading. If not present, it will show a button to install it like other places in cockpit.

Have nice init(week)!

gil-obradors avatar Jul 03 '22 17:07 gil-obradors

Looks good, I think it makes sense to first make a PR for just the wireguard functionality and then in future PRs add other VPN solutions.

I do wonder if we don't need a separate section for your existing VPN profiles (from networkmanager). As how else does one activate/de-activate and edit existing profiles?

jelly avatar Jul 04 '22 08:07 jelly

I do wonder if we don't need a separate section for your existing VPN profiles (from networkmanager). As how else does one activate/de-activate and edit existing profiles?

And if that's the case, then the add VPN button would go there.

garrett avatar Jul 04 '22 12:07 garrett

Like this?

Peek 2022-07-04 19-18

For enable/disable/edit this user-interface is 100% reusable. Courtesy of NM objects :smile:

image

gil-obradors avatar Jul 04 '22 17:07 gil-obradors

Thanks for these changes!

Main network page

Wireguard should go to the right (which is the most default for the header actions), and shouldn't be primary (it should be secondary, like the rest).

Wireguard should use an auto-install on add, if it's not installed already. If auto-install isn't possible (like on an OStree installation) and it isn't already installed, then it shouldn't show up. Similar for other VPN types.

Headings should also be sentence case, so it should say "VPN interfaces" (lowercase i).

Shouldn't FortiSSLVPN be "FortiClient"? https://www.fortinet.com/support/product-downloads

Details page

We might want to indicate if it's a VPN interface somewhere in the details as well. Perhaps "VPN: wg0"

garrett avatar Jul 05 '22 08:07 garrett

OK :)

I notice that through install_dialog and manifest.json we can install the package on Ubuntu, Debian, Fedora, Arch... https://github.com/cockpit-project/cockpit/blob/3f5d4c87ef6090cb3174c402a6b64ba9e0c6723d/pkg/lib/cockpit-components-install-dialog.jsx#L55

But how do we deal with distributions that need to activate other repositories (RHEL, CentOS...)? https://www.wireguard.com/install/

gil-obradors avatar Jul 06 '22 16:07 gil-obradors

Can an acceptable workaround be to focus on Ubuntu / Debian / Fedora for self-install behavior on ADD Wireguard? And for distributions that do not serve wireguard on main stream, show a message asking for manual install?

gil-obradors avatar Jul 07 '22 16:07 gil-obradors

OK :)

I notice that through install_dialog and manifest.json we can install the package on Ubuntu, Debian, Fedora, Arch...

https://github.com/cockpit-project/cockpit/blob/3f5d4c87ef6090cb3174c402a6b64ba9e0c6723d/pkg/lib/cockpit-components-install-dialog.jsx#L55

But how do we deal with distributions that need to activate other repositories (RHEL, CentOS...)? https://www.wireguard.com/install/

I personally don't want to recommend adding an EPEL repo as official instructions, I think we should only enable it on modern systems which have it. What we require for wireguard in cockpit should be the following:

  • not sure what your code does but if it calls wg genkey then we need wireguard-tools and we can use the install_dialog with manifest for it.
  • For networkmanager we require version 1.16. It seems that most of the distros we support have this version.
  • Kernel could in theory not be built with wireguard support.

Can an acceptable workaround be to focus on Ubuntu / Debian / Fedora for self-install behavior on ADD Wireguard? And for distributions that do not serve wireguard on main stream, show a message asking for manual install?

Yes, we don't show anything for things we don't support, it's acceptable to require a modern kernel for this feature and we need NetworkManager > 1.16.

So in short, I guess we want to install wireguard-tools? And then allow users to configure wireguard?

jelly avatar Jul 08 '22 08:07 jelly

Hi! Working on it.

This is the current scenario:

  • New section with Interface Vpn if any detected.
  • Add wireguard button conditional to having kernel >= 5.6
  • Generate Keys button conditional on having wireguard-tools installed. Distributions without this package will not be able to auto-generate. Manual typing needed.

Questions:

  • Can a user-admin see private key configured in connection? Yes, for me. In NM you can. But I have not found how to get this key-value because it is protected.
➜  ~ nmcli connection show wg1 | grep wireguard 
connection.type:                        wireguard
wireguard.private-key:                  <hidden>
wireguard.private-key-flags:            0 (cap)
wireguard.listen-port:                  0
wireguard.fwmark:                       0x0
wireguard.peer-routes:                  sí
wireguard.mtu:                          0
wireguard.ip4-auto-default-route:       -1 (default)
wireguard.ip6-auto-default-route:       -1 (default)

This setting is hidden by default. But it can be shown with -show-secrets :

➜   nmcli -show-secrets connection show wg1 | grep wireguard
connection.type:                        wireguard
wireguard.private-key:                  ULQiG2CUuR4/BpYlXj081Y12xYApQ/1b0fBEsUosl30=
wireguard.private-key-flags:            0 (cap)
wireguard.listen-port:                  0
wireguard.fwmark:                       0x0
wireguard.peer-routes:                  sí
wireguard.mtu:                          0
wireguard.ip4-auto-default-route:       -1 (default)
wireguard.ip6-auto-default-route:       -1 (default)

I have inspected the function that loads the network-manager dbus tree to the frontend, but a wireguard object like connection, ipv4, ipv6 isn't present (and so wireguard.private-key isn't either) https://github.com/cockpit-project/cockpit/blob/b971699bfb1311db6420d1b2aefcea1014c7531c/pkg/networkmanager/interfaces.js#L480

  • Can a user-admin see the public key configured in the connection, after being configured?

Public key value is not stored and not shown in NetworkManager. I see that the wg tool which comes with wireguard-tools gives you the public key of a configured interface. Need to investigate more how to retrieve it... maybe it can be found inside /proc as general for all distributions... any idea?

  • Endpoints must be configured like IP:PORT, and allowed addresses must be a net comma separated.

How does the project deal with these fields that a newbie-admin may fail at configuring? Tooltips, comments, or nothing because NetworkManager will bring the error message?

Peek 2022-07-21 18-26

gil-obradors avatar Jul 22 '22 05:07 gil-obradors

  • New section with Interface Vpn if any detected.
  • Add wireguard button conditional to having kernel >= 5.6
  • Generate Keys button conditional on having wireguard-tools installed. Distributions without this package will not be able to auto-generate. Manual typing needed.

Questions:

  • Can a user-admin see private key configured in connection? Yes, for me. In NM you can. But I have not found how to get this key-value because it is protected.
➜  ~ nmcli connection show wg1 | grep wireguard 
connection.type:                        wireguard
wireguard.private-key:                  <hidden>
wireguard.private-key-flags:            0 (cap)
wireguard.listen-port:                  0
wireguard.fwmark:                       0x0
wireguard.peer-routes:                  sí
wireguard.mtu:                          0
wireguard.ip4-auto-default-route:       -1 (default)
wireguard.ip6-auto-default-route:       -1 (default)

This setting is hidden by default. But it can be shown with -show-secrets :

➜   nmcli -show-secrets connection show wg1 | grep wireguard
connection.type:                        wireguard
wireguard.private-key:                  ULQiG2CUuR4/BpYlXj081Y12xYApQ/1b0fBEsUosl30=
wireguard.private-key-flags:            0 (cap)
wireguard.listen-port:                  0
wireguard.fwmark:                       0x0
wireguard.peer-routes:                  sí
wireguard.mtu:                          0
wireguard.ip4-auto-default-route:       -1 (default)
wireguard.ip6-auto-default-route:       -1 (default)

I have inspected the function that loads the network-manager dbus tree to the frontend, but a wireguard object like connection, ipv4, ipv6 isn't present (and so wireguard.private-key isn't either)

https://github.com/cockpit-project/cockpit/blob/b971699bfb1311db6420d1b2aefcea1014c7531c/pkg/networkmanager/interfaces.js#L480

Ok, that's a bummer, I also see no wireguard support in GNOME itself but I can import a connection file. This blog post says the DBus API should support it hmmm.

I did find:

https://developer-old.gnome.org/NetworkManager/stable/gdbus-org.freedesktop.NetworkManager.Device.WireGuard.html

And this can be exposed in cockpit with the following patch:

--- a/pkg/networkmanager/interfaces.js
+++ b/pkg/networkmanager/interfaces.js
@@ -972,7 +972,8 @@ export function NetworkManagerModel() {
             "org.freedesktop.NetworkManager.Device.Bond",
             "org.freedesktop.NetworkManager.Device.Team",
             "org.freedesktop.NetworkManager.Device.Bridge",
-            "org.freedesktop.NetworkManager.Device.Vlan"
+            "org.freedesktop.NetworkManager.Device.Vlan",
+            "org.freedesktop.NetworkManager.Device.WireGuard"
         ],

         props: {
@@ -992,6 +993,10 @@ export function NetworkManagerModel() {
             Carrier:              { def: true },
             Speed:                { },
             Managed:              { def: false },
+            // WireGuard
+            PublicKey:            { },
+            ListenPort:           { },
+            FwMark:               { },
             // See below for "Members"
         },
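Review bot: the three new entries in props (PublicKey, ListenPort, FwMark) are declared as bare { } with no def, unlike Carrier and Managed just above them, so they will be undefined on every device that is not a WireGuard interface. This props block is shared by all the interfaces listed in the first hunk, so either give them a def or make sure whatever reads them handles the missing case.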

But that doesn't give the information you want for the modal (for editing)

  • Can a user-admin see the public key configured in the connection, after being configured?

Public key value is not stored and not shown in NetworkManager. I see that the wg tool which comes with wireguard-tools gives you the public key of a configured interface. Need to investigate more how to retrieve it... maybe it can be found inside /proc as general for all distributions... any idea?

As shown above it can be retrieved.

  • Endpoints must be configured like IP:PORT, and allowed addresses must be a net comma separated.

How does the project deal with these fields that a newbie-admin may fail at configuring? Tooltips, comments, or nothing because NetworkManager will bring the error message?

Patternfly has tooltips and validation, so this is something we can add and do in other places in the UI.

Peek 2022-07-21 18-26 Peek 2022-07-21 18-26

jelly avatar Aug 15 '22 14:08 jelly
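
Added example (not part of the thread and not Cockpit code): one way to validate the WireGuard key, endpoint and allowed-IPs fields discussed in the comment above before handing them to NetworkManager. All function names and the sample form are assumptions made for the illustration, as is the bracketed [addr]:port form for IPv6 endpoints.

```javascript
// Added example: field validation for a WireGuard dialog. Every function name
// here is hypothetical; none of this is Cockpit or NetworkManager API.

// A WireGuard key is 32 raw bytes in base64: 43 characters plus one "=".
// The 43rd character may only encode values whose two spare bits are zero.
function isWireguardKey(value) {
    return typeof value === "string" &&
        /^[A-Za-z0-9+/]{43}=$/.test(value) &&
        "AEIMQUYcgkosw048".includes(value[42]);
}

function isIPv4(s) {
    const parts = s.split(".");
    return parts.length === 4 &&
        parts.every(p => /^(0|[1-9]\d{0,2})$/.test(p) && Number(p) <= 255);
}

// Loose IPv6 check: hex groups, at most one "::", no embedded IPv4 form.
function isIPv6(s) {
    if (!/^[0-9A-Fa-f:]+$/.test(s)) return false;
    const halves = s.split("::");
    if (halves.length > 2) return false;
    const groups = halves.flatMap(h => (h === "" ? [] : h.split(":")));
    if (!groups.every(g => /^[0-9A-Fa-f]{1,4}$/.test(g))) return false;
    return halves.length === 2 ? groups.length <= 7 : groups.length === 8;
}

function isHostname(s) {
    return s.length <= 253 && s.split(".").every(
        label => /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/.test(label));
}

// Endpoint is host:port; an IPv6 host must be bracketed so the port is
// unambiguous. Returns null when valid, otherwise a message for the field.
function validateEndpoint(value) {
    const m = /^(?:\[([^\]]+)\]|([^:\[\]]+)):(\d+)$/.exec(value.trim());
    if (!m) return "Endpoint must be host:port or [ipv6]:port";
    const [, v6, host, port] = m;
    if (!/^[1-9]\d{0,4}$/.test(port) || Number(port) > 65535)
        return "Port must be between 1 and 65535";
    if (v6 !== undefined) return isIPv6(v6) ? null : "Invalid IPv6 address";
    // An all-numeric host has to be a real IPv4 address, not a "hostname".
    const ok = /^[\d.]+$/.test(host) ? isIPv4(host) : isHostname(host);
    return ok ? null : "Invalid host name or IPv4 address";
}

// Allowed IPs: comma-separated networks, each written as address/prefix.
function validateAllowedIps(value) {
    for (const item of value.split(",").map(s => s.trim())) {
        const m = /^([^/]+)\/(\d{1,3})$/.exec(item);
        if (!m) return `"${item}" must be written as address/prefix`;
        const max = isIPv4(m[1]) ? 32 : isIPv6(m[1]) ? 128 : -1;
        if (Number(m[2]) > max) return `"${item}" is not a valid IP network`;
    }
    return null;
}

// Collects per-field errors. Messages never echo key material, so a private
// key cannot end up in a tooltip, a log line or a bug report.
function validateWireguardForm(form) {
    const errors = {};
    if (!isWireguardKey(form.privateKey))
        errors.privateKey = "Private key must be a base64-encoded 32-byte key";
    form.peers.forEach((peer, i) => {
        if (!isWireguardKey(peer.publicKey))
            errors[`peers[${i}].publicKey`] = "Public key must be a base64-encoded 32-byte key";
        const endpointError = validateEndpoint(peer.endpoint);
        if (endpointError) errors[`peers[${i}].endpoint`] = endpointError;
        const allowedError = validateAllowedIps(peer.allowedIps);
        if (allowedError) errors[`peers[${i}].allowedIps`] = allowedError;
    });
    return errors;
}

// Constructed sample input: the keys are format-valid dummies, not real keys.
const sampleForm = {
    privateKey: "A".repeat(43) + "=",
    peers: [
        { publicKey: "B".repeat(42) + "A=", endpoint: "192.168.2.1:13238",
          allowedIps: "192.168.50.0/24" },
        // Second peer is wrong on purpose: bad key tail, unbracketed IPv6, /33.
        { publicKey: "B".repeat(43) + "=", endpoint: "fd00::1:51820",
          allowedIps: "10.0.0.0/33, fd00::/64" },
    ],
};
console.log(validateWireguardForm(sampleForm));
```

The same checks can feed PatternFly's field validation state, so the user sees the problem in the dialog instead of a raw NetworkManager error.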

I think the dialog should use the connection settings API

[jelle@t14s][~/projects/cockpit/main]%busctl call org.freedesktop.NetworkManager /org/freedesktop/NetworkManager/Settings/36 org.freedesktop.NetworkManager.Settings.Connection GetSettings
a{sa{sv}} 5 "connection" 6 "id" s "home" "interface-name" s "home" "permissions" as 0 "timestamp" t 1660570370 "type" s "wireguard" "uuid" s "$UUID" "wireguard" 1 "peers" aa{sv} 1 4 "public-key" s "PUBKEY" "endpoint" s "8.8.8.8:10" "persistent-keepalive" u 25 "allowed-ips" as 1 "10.0.0.0/24" "ipv4" 6 "address-data" aa{sv} 1 2 "address" s "10.200.200.4" "prefix" u 32 "addresses" aau 1 3 339339 32 0 "dns-search" as 0 "method" s "manual" "route-data" aa{sv} 0 "routes" aau 0 "ipv6" 6 "address-data" aa{sv} 0 "addresses" a(ayuay) 0 "dns-search" as 0 "method" s "disabled" "route-data" aa{sv} 0 "routes" a(ayuayu) 0 "proxy" 0

jelly avatar Aug 15 '22 15:08 jelly

I also see no wireguard support in GNOME itself

It's supposedly a feature in GNOME 43, which has just hit beta.

https://9to5linux.com/gnome-43-alpha-released-to-kick-off-guadec-2022-in-guadalajara-mexico

The upcoming GNOME desktop release also comes with a new Sidebar and the ability to zoom the Week view for GNOME Calendar, support for composite emoji in GNOME Characters, improved handling of VPN connections (especially for WireGuard), more Wayland improvements, and more GTK4 and libadwaita ports.

However, I'm on the latest GNOME OS nightly in GNOME Boxes (Nightly) and I don't see it:

image

Perhaps it requires something in the stack that isn't in GNOME OS (yet)?

I did try Fedora Silverblue rebased to Rawhide and did install all the wireguard related packages Fedora ships with (wireguard-tools wgctrl), just in case. But it doesn't show wireguard either. (It does have an SSH connection as VPN which seems nifty though and PPTP is there too.)

Screenshot from 2022-08-16 10-30-00


I did a little digging around and found the original PR for GNOME Settings about wireguard creating and editing support — with screenshots — @ https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/1125, but it was closed in favor of https://gitlab.gnome.org/GNOME/gnome-control-center/-/merge_requests/1364 which is still open (and marked as WIP).

Here are the screenshots, for comparison (you can tell it's from an older PR as these aren't using the newer libadwaita style):

image

image

image

image

Meanwhile, GNOME Shell did get support for wireguard toggling in VPNs @ https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1995.

I guess this is what the blog post was talking about? And I guess creating and editing will (eventually) show up in GNOME 44?

garrett avatar Aug 16 '22 08:08 garrett

Oh and FYI, how I found settings dbus calls was by running sudo busctl monitor > log and in a different terminal running nmcli con show home and you can see how they create a new profile with nmcli con import type wireguard file /etc/wireguard/home.conf.

jelly avatar Aug 16 '22 09:08 jelly

I also see no wireguard support in GNOME itself

It's supposedly a feature in GNOME 43, which has just hit beta.

https://9to5linux.com/gnome-43-alpha-released-to-kick-off-guadec-2022-in-guadalajara-mexico

The upcoming GNOME desktop release also comes with a new Sidebar and the ability to zoom the Week view for GNOME Calendar, support for composite emoji in GNOME Characters, improved handling of VPN connections (especially for WireGuard), more Wayland improvements, and more GTK4 and libadwaita ports.

Meanwhile, GNOME Shell did get support for wireguard toggling in VPNs @ https://gitlab.gnome.org/GNOME/gnome-shell/-/merge_requests/1995.

I guess this is what the blog post was talking about? And I guess creating and editing will (eventually) show up in GNOME 44?

I assume they first added Wireguard support in NetworkManager and importing of profiles. And then gradually support it in GNOME itself \o/

Already being able to toggle it in GNOME Shell is a big win for me :-)

jelly avatar Aug 16 '22 09:08 jelly

Happy to read you! Summing up:

  • (Wireguard) network-vpn-interface-modal to NM is :ok:
  • NM to (wireguard) network-vpn-interface-modal has problems:
  1. Need to read object Device.Wireguard. We want ListenPort and PublicKey. I understand that with that patch we are able to load the properties of object Device.Wireguard?
--- a/pkg/networkmanager/interfaces.js
+++ b/pkg/networkmanager/interfaces.js
@@ -972,7 +972,8 @@ export function NetworkManagerModel() {
             "org.freedesktop.NetworkManager.Device.Bond",
             "org.freedesktop.NetworkManager.Device.Team",
             "org.freedesktop.NetworkManager.Device.Bridge",
-            "org.freedesktop.NetworkManager.Device.Vlan"
+            "org.freedesktop.NetworkManager.Device.Vlan",
+            "org.freedesktop.NetworkManager.Device.WireGuard"
         ],

         props: {
@@ -992,6 +993,10 @@ export function NetworkManagerModel() {
             Carrier:              { def: true },
             Speed:                { },
             Managed:              { def: false },
+            // WireGuard
+            PublicKey:            { },
+            ListenPort:           { },
+            FwMark:               { },
             // See below for "Members"
         },

I can't see them...

  2. Need to call GetSecrets to obtain the private-key from the Wireguard instance. I have found that there's a GetSecrets method for that, and the private key is stored there. How can I call this method from cockpit?
➜  ~ dbus-send --system --print-reply --dest=org.freedesktop.NetworkManager /org/freedesktop/NetworkManager/Settings/13 org.freedesktop.NetworkManager.Settings.Connection.GetSecrets string:"wireguard"
method return time=1661020841.177166 sender=:1.12 -> destination=:1.19778 serial=84779 reply_serial=2
   array [
      dict entry(
         string "connection"
         array [
         ]
      )
      dict entry(
         string "wireguard"
         array [
            dict entry(
               string "peers"
               variant                   array [
                     array [
                        dict entry(
                           string "public-key"
                           variant                               string "xq/101tmyY6nM9IgXobQ6MZr5+YK+0gLkFUKjE72cHo="
                        )
                     ]
                  ]
            )
            dict entry(
               string "private-key"
               variant                   string "0IiqhN9DBmKsXx5mjknRbSgu8wLybzqUsV1+1RwsLnI="
            )
         ]
      )
      dict entry(
         string "ipv4"
         array [
         ]
      )
      dict entry(
         string "ipv6"
         array [
         ]
      )
      dict entry(
         string "proxy"
         array [
         ]
      )
   ]

Or as a workaround, We can call from CLI with cockpit.console...

➜  ~ nmcli --show-secrets -f wireguard.private-key connection show wireguard
wireguard.private-key:                  0IiqhN9DBmKsXx5mjknRbSgu8wLybzqUsV1+1RwsLnI=
➜  ~ 

gil-obradors avatar Aug 21 '22 05:08 gil-obradors

With:

diff --git a/pkg/networkmanager/interfaces.js b/pkg/networkmanager/interfaces.js
index 277ede9de..4795b681f 100644
--- a/pkg/networkmanager/interfaces.js
+++ b/pkg/networkmanager/interfaces.js
@@ -972,7 +972,8 @@ export function NetworkManagerModel() {
             "org.freedesktop.NetworkManager.Device.Bond",
             "org.freedesktop.NetworkManager.Device.Team",
             "org.freedesktop.NetworkManager.Device.Bridge",
-            "org.freedesktop.NetworkManager.Device.Vlan"
+            "org.freedesktop.NetworkManager.Device.Vlan",
+            "org.freedesktop.NetworkManager.Device.WireGuard"
         ],

         props: {
@@ -992,6 +993,8 @@ export function NetworkManagerModel() {
             Carrier:              { def: true },
             Speed:                { },
             Managed:              { def: false },
+            PublicKey:            { },
+            ListenPort:           { },
             // See below for "Members"
         },
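Review bot: PublicKey and ListenPort go into the shared props block with nothing marking them as WireGuard-only, right next to generic entries like Carrier and Speed. A short comment line above them (for example "// WireGuard") would make it clear why they are there and that other device types will not provide them.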

diff --git a/pkg/networkmanager/network-main.jsx b/pkg/networkmanager/network-main.jsx
index 09402b8be..2949ded6b 100644
--- a/pkg/networkmanager/network-main.jsx
+++ b/pkg/networkmanager/network-main.jsx
@@ -71,6 +71,7 @@ export const NetworkPage = ({ privileged, operationInProgress, usage_monitor, pl
             return;

         const dev = iface.Device;
+        console.log(iface);
         const show_traffic = (dev && (dev.State == 100 || dev.State == 10) && dev.Carrier === true);

         plot_ifaces.push(iface.Name);
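Review bot: the added console.log(iface) in NetworkPage is a debugging leftover and should be dropped before this goes into a PR. It dumps the whole iface object to the browser console every time this code runs, which is noisy and, together with the interfaces.js change, also prints the device's WireGuard properties there.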

I do see the ListenPort/PublicKey but only when the device is active, not inactive. So that's not super useful. Probably better to get it from the settings.

jelly avatar Aug 22 '22 09:08 jelly

  1. Need to call GetSecrets to obtain the private-key from the Wireguard instance. I have found that there's a GetSecrets method for that, and the private key is stored there. How can I call this method from cockpit?

This is possible, see for example:

https://github.com/cockpit-project/cockpit/blob/main/pkg/networkmanager/interfaces.js#L774

objpath resolves to path: "/org/freedesktop/NetworkManager/Settings/29" for me, so you need to call

client.call("/org/freedesktop/NetworkManager/Settings/29", "org.freedesktop.NetworkManager.Settings.Connection", "GetSecrets", ["wireguard"])

Haven't tested it myself.

jelly avatar Aug 23 '22 07:08 jelly

Thanks Jelly! With all this information I can already see an initial feasible version. I will try to put it in the oven this week!

gil-obradors avatar Aug 23 '22 08:08 gil-obradors

Cool! Feel free to make a draft PR then I can take a look at the code.

jelly avatar Aug 24 '22 08:08 jelly