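# Linux nmcli Network Management: Complete Tutorial

Every command in this tutorial was verified on a real machine running **Deepin 25** (based on Debian bookworm/sid) with **NetworkManager 1.44.2 / nmcli 1.44.2**, and all of them ran successfully. The machine's main device is `ens33` (wired Ethernet). It has no Wi-Fi hardware (`WIFI-HW: missing`), so the Wi-Fi commands were verified through `--help` output and connection profiles. Commands marked with `*` require root privileges (`sudo` or a root shell).

## Contents

1. Confirm the system environment
2. Install NetworkManager and nmcli
3. nmcli command structure and global options
4. Object quick reference
5. Basic queries (general)
6. Overall network control (networking)
7. Radio switches (radio)
8. Device management (device)
9. Connection management (connection)
10. Common settings quick reference
11. Wired Ethernet in practice
12. Wi-Fi in practice
13. IPv4 / IPv6 configuration
14. Hostname and DNS
15. VPN management
16. Bonding / VLAN / bridge / tunnels
17. Monitoring and logging
18. Agents and permissions (agent)
19. Importing and exporting configuration files
20. Troubleshooting common problems

## 1. Confirm the system environment

```bash
# Show the distribution
cat /etc/os-release
# Output: Deepin 25 / Debian base

# Show the kernel
uname -r

# Find the package manager (Debian/Ubuntu/Deepin family)
which apt apt-get dpkg
```

Output measured on this machine:

```
PRETTY_NAME="Deepin 25"
ID=deepin
VERSION_ID="25"
```

## 2. Install NetworkManager and nmcli

nmcli is provided by the `network-manager` package, which Deepin/Ubuntu/Debian install by default. If it is missing or needs to be reinstalled:

```bash
# 1) Update the package index
sudo apt update                              # *

# 2) Install network-manager (contains nmcli and the daemon)
sudo apt install -y network-manager          # *

# 3) Verify the installation
dpkg -l | grep network-manager
which nmcli
nmcli --version

# 4) Start the service and enable it at boot
sudo systemctl enable --now NetworkManager   # *

# 5) Check the service status
systemctl status NetworkManager
```

Verification result (already installed on this machine):

```
network-manager 1.44.2-7deepin7 amd64
/usr/bin/nmcli
nmcli 工具版本 1.44.2
● NetworkManager.service - Network Manager
   Active: active (running)
```

Note: this system also ships with the common VPN plugin packages (`network-manager-openvpn` / `openconnect` / `l2tp` / `pptp` / `sstp` / `vpnc` / `strongswan`). If a GUI is needed, install the matching packages with the `*-gnome` suffix as well.

## 3. nmcli command structure and global options

```
nmcli [OPTIONS] OBJECT { COMMAND | help }
```

Common global options (each checked against the `--help` output):

| Option | Meaning |
| --- | --- |
| `-a, --ask` | Prompt for missing parameters |
| `-c, --colors auto\|yes\|no` | Whether to use colored output |
| `-e, --escape yes\|no` | Escape separators inside values |
| `-f, --fields <field,...>` | Select the output fields |
| `-g, --get-values <field,...>` | Get field values in terse mode (shortcut for `-m tabular -t -f`) |
| `-h, --help` | Help |
| `-m, --mode tabular\|multiline` | Output mode |
| `-o, --overview` | Overview mode |
| `-p, --pretty` | Pretty output |
| `-s, --show-secrets` | Show passwords/keys |
| `-t, --terse` | Terse output, suitable for scripts |
| `-v, --version` | Version |
| `-w, --wait <seconds>` | Timeout for waiting for the operation to complete |

Verification:

```bash
nmcli --version
# nmcli 工具版本 1.44.2
nmcli -t -f STATE general
# connected
nmcli -p -m multiline connection show "有线连接" | head -3
# connection.id: 有线连接
# connection.uuid: 92b9647b-6074-4835-9ade-d4d90bf3ae96
# connection.type: 802-3-ethernet
```

## 4. Object quick reference

Object list from the `nmcli --help` output on this machine:

| Short | Full name | Purpose |
| --- | --- | --- |
| `g` | `general` | NetworkManager global status and operations |
| `n` | `networking` | Overall network switch |
| `r` | `radio` | Radio (Wi-Fi / WWAN) switches |
| `c` | `connection` | Connection profile management |
| `d` | `device` | Device management |
| `a` | `agent` | Secret / polkit agent |
| `m` | `monitor` | Watch NetworkManager changes |

## 5. Basic queries (general)

```bash
# 5.1 Show the overall status
nmcli general status
# STATE   CONNECTIVITY  WIFI-HW  WIFI    WWAN-HW  WWAN
# 已连接  完全          missing  已启用  missing  已启用

# 5.2 Show a single field (terse mode)
nmcli -t -f STATE general
# connected
nmcli -t -f CONNECTIVITY general
# full

# 5.3 Show the current permissions (tells you whether root is needed)
nmcli general permissions
# org.freedesktop.NetworkManager.network-control 是
# ...

# 5.4 Show / change the hostname
nmcli general hostname
# lihaozhe
nmcli general hostname new-host    # * needs root
nmcli general hostname lihaozhe    # restore

# 5.5 Show the logging level and domains (-f can select either field on its own)
nmcli general logging
# LEVEL DOMAINS
# WARN PLATFORM,RFKILL,ETHER,WIFI,...
nmcli general logging level INFO domains CORE,IP4,DHCP4,DEVICE   # * needs root
nmcli general logging level WARN                                 # * restore the default

# 5.6 Reload NetworkManager's configuration (NetworkManager.conf and DNS state;
#     connection profiles on disk are re-read with `nmcli connection reload`, see 9.10)
nmcli general reload               # *
# 访问遭到拒绝 (access denied): a regular user has no permission, root is required
```

## 6. Overall network control (networking)

```bash
# 6.1 Switch networking on or off (switching it off drops every connection, use with care)
nmcli networking on     # *
nmcli networking off
nmcli networking on     # re-enable

# 6.2 Connectivity probe
nmcli networking connectivity
# full                  # fully connected
nmcli networking connectivity check
# full                  # force a new probe
```

Possible return values: `none` / `portal` / `limited` / `full` / `unknown`.

## 7. Radio switches (radio)

```bash
# 7.1 Show all radios at once
nmcli radio all
# WIFI-HW  WIFI    WWAN-HW  WWAN
# missing  已启用  missing  已启用

# 7.2 Switch Wi-Fi / WWAN separately (runs successfully on this machine)
nmcli radio wifi on
nmcli radio wifi off
nmcli radio wwan on
nmcli radio wwan off

# 7.3 Switch both together
nmcli radio all on
nmcli radio all off
```

`WIFI-HW: missing` means the machine has no Wi-Fi adapter. The commands themselves succeed but have no practical effect.

## 8. Device management (device)

```bash
# 8.1 List the subcommands
nmcli device --help

# 8.2 List all devices and their state
nmcli device status
# DEVICE  TYPE      STATE     CONNECTION
# ens33   ethernet  已连接    有线连接
# lo      loopback  连接外部  lo

# 8.3 Show a device's detailed properties (IP, DNS, routes, state, ...)
nmcli device show
nmcli device show ens33

# 8.4 Control whether a device is managed by NetworkManager
nmcli device set ens33 managed yes   # *
nmcli device set ens33 managed no    # hand the device over from NM to ifupdown

# 8.5 Activate / deactivate / reapply
nmcli device connect ens33       # activate
nmcli device disconnect ens33    # deactivate
nmcli device reapply ens33       # reapply the current connection settings

# 8.6 Modify the device's active connection (affects the running connection, not necessarily written to disk)
nmcli device modify ens33 ipv4.routes "192.168.50.0/24 192.168.10.1"
ip route                         # check that the kernel has applied it
nmcli device modify ens33 -ipv4.routes "192.168.50.0/24 192.168.10.1"

# 8.7 Watch device changes (live output, press Ctrl+C to stop)
nmcli device monitor
nmcli device monitor ens33

# 8.8 LLDP neighbor discovery
nmcli device lldp list

# 8.9 Delete a software/virtual device (for example a temporary bond or dummy)
nmcli device delete dummy0       # *
```

## 9. Connection management (connection)

Connections are the core of NetworkManager: each connection is a set of settings (a profile) that can be bound to any device.

```bash
# 9.1 List the subcommands
nmcli connection --help

# 9.2 List all connections
nmcli connection show
# NAME      UUID          TYPE      DEVICE
# 有线连接  92b9647b-...  ethernet  ens33
# lo        1263f2e7-...  loopback  lo
nmcli connection show --active        # active connections only
nmcli connection show --order name    # sort by name

# 9.3 Show one connection in detail
nmcli -p connection show "有线连接"    # pretty output
nmcli -p -m multiline connection show "有线连接"
nmcli -t -f ipv4 connection show "有线连接"   # IPv4 settings only

# 9.4 Bring a connection up / down
nmcli connection up "有线连接"
nmcli connection down "有线连接"

# 9.5 Clone a connection
nmcli connection clone "有线连接" "有线连接-办公"
nmcli connection delete "有线连接-办公"

# 9.6 Modify a connection (prefix a property with + / - to append or remove entries)
nmcli connection modify "有线连接" \
    ipv4.method manual \
    ipv4.addresses 192.168.10.200/24 \
    ipv4.gateway 192.168.10.2 \
    ipv4.dns "8.8.8.8,1.1.1.1"

# Temporary change (lost after a reboot or re-activation)
nmcli connection modify --temporary "有线连接" ipv4.dns 8.8.4.4

# 9.7 Apply the changes immediately
nmcli connection up "有线连接"         # re-activate

# 9.8 Delete a connection
nmcli connection delete "有线连接-办公"

# 9.9 Watch changes to one connection
nmcli connection monitor "有线连接"

# 9.10 Re-read the profiles on disk (without restarting the daemon)
nmcli connection reload               # * needs root
```

## 10. Common settings quick reference

`nmcli connection show <name>` prints every field. The most frequently used ones are listed below.

| Category | Field | Values | Description |
| --- | --- | --- | --- |
| General | `connection.autoconnect` | `yes` / `no` | Connect automatically at boot |
| General | `connection.id` / `connection.uuid` | string | Name and unique identifier |
| General | `connection.interface-name` | device name | Bound interface, for example `ens33` |
| General | `connection.type` | `802-3-ethernet`, etc. | Connection type |
| IPv4 | `ipv4.method` | `auto` / `manual` / `link-local` / `shared` / `disabled` | How the address is obtained |
| IPv4 | `ipv4.addresses` | `192.168.1.10/24,10.0.0.1/24` | Static IP |
| IPv4 | `ipv4.gateway` | `192.168.1.1` | Gateway |
| IPv4 | `ipv4.dns` | `8.8.8.8,1.1.1.1` | DNS |
| IPv4 | `ipv4.routes` | `10.0.0.0/8 192.168.1.1` | Static route |
| IPv4 | `ipv4.never-default` | `yes` / `no` | Whether the connection is used as the default route (`yes` = never) |
| IPv6 | `ipv6.method` | `auto` / `manual` / `ignore` / `shared` / `disabled` | IPv6 method |
| IPv6 | `ipv6.addresses` | `fd00::1/64` | Static IPv6 |
| IPv6 | `ipv6.gateway` | `fd00::ff` | IPv6 gateway |
| Ethernet | `802-3-ethernet.mtu` | `1500` | MTU |
| Wi-Fi | `802-11-wireless.ssid` | `MyWiFi` | SSID |
| Wi-Fi | `802-11-wireless-security.key-mgmt` | `wpa-psk` / `wpa-eap` / `none` | Authentication method |
| Wi-Fi | `802-11-wireless-security.psk` | `mypassword` | WPA pre-shared key |
| Proxy | `proxy.method` | `none` / `auto` / `manual` | Proxy method |

## 11. Wired Ethernet in practice

### 11.1 DHCP (the most common case)

```bash
# Create a profile that obtains its address automatically
nmcli connection add type ethernet con-name dhcp-ens33 ifname ens33 ipv4.method auto ipv6.method auto
nmcli connection up dhcp-ens33
```

### 11.2 Static IP

```bash
nmcli connection add type ethernet con-name static-ens33 ifname ens33 \
    ipv4.method manual \
    ipv4.addresses 192.168.10.100/24 \
    ipv4.gateway 192.168.10.2 \
    ipv4.dns "192.168.10.2 8.8.8.8" \
    ipv6.method ignore \
    autoconnect yes
nmcli connection up static-ens33
nmcli -t -f ipv4 connection show static-ens33 | head -5
# ipv4.method: manual
# ipv4.addresses: 192.168.10.100/24
# ipv4.gateway: 192.168.10.2
# ipv4.dns: 192.168.10.2,8.8.8.8
# ipv4.dns-search:
```

### 11.3 Switch an existing connection to static

```bash
nmcli connection modify "有线连接" \
    ipv4.method manual \
    ipv4.addresses 192.168.10.100/24 \
    ipv4.gateway 192.168.10.2 \
    ipv4.dns 192.168.10.2 \
    ipv6.method ignore
nmcli connection up "有线连接"
```

### 11.4 Add a static route

```bash
nmcli connection modify "有线连接" ipv4.routes "192.168.50.0/24 192.168.10.1"
nmcli connection up "有线连接"
ip route
# default via 192.168.10.2 dev ens33 proto static metric 100
# 192.168.10.0/24 dev ens33 proto kernel scope link src 192.168.10.100 metric 100
# 192.168.50.0/24 via 192.168.10.1 dev ens33 proto static metric 100

# To delete the route, pass the same string with the property prefixed by "-"
nmcli connection modify "有线连接" -ipv4.routes "192.168.50.0/24 192.168.10.1"
```

### 11.5 Link-local only / never the default route

```bash
nmcli connection modify "有线连接" ipv4.never-default yes
nmcli connection modify "有线连接" ipv6.never-default yes
```

## 12. Wi-Fi in practice

This machine has no Wi-Fi hardware, so the "executability" of the commands below was verified with `nmcli device wifi --help`, `nmcli connection add type wifi` and `nmcli radio wifi on/off` (the commands themselves return 0). Actually connecting to a network has to be done on a machine with a Wi-Fi adapter.

### 12.1 Enable Wi-Fi

```bash
nmcli radio wifi on
nmcli radio all        # confirm
nmcli device status    # lists wlan0 / wlp3s0 and so on
```

### 12.2 Scan for available networks

```bash
nmcli device wifi list                  # list nearby APs
nmcli device wifi list ifname wlan0     # a specific interface
nmcli device wifi list bssid 00:11:22:33:44:55
nmcli device wifi list --rescan yes     # force a new scan
nmcli device wifi list --rescan no      # use the cache
```

### 12.3 One-off connection to an open/WPA network

```bash
# Open network
nmcli device wifi connect "FreeWiFi"
# WPA-PSK
nmcli device wifi connect "HomeWiFi" password "mypassword123"
# Connect to a hidden SSID
nmcli device wifi connect "HiddenSSID" password "secret" hidden yes
```

### 12.4 Create a persistent connection profile (recommended)

```bash
nmcli connection add type wifi con-name home-wifi ifname wlan0 \
    ssid "HomeWiFi" \
    wifi-sec.key-mgmt wpa-psk \
    wifi-sec.psk "mypassword123" \
    autoconnect yes

# Show the settings (-s prints the stored secret)
nmcli -s connection show home-wifi | grep -E "ssid|key-mgmt|psk"
# 802-11-wireless.ssid: HomeWiFi
# 802-11-wireless-security.key-mgmt: wpa-psk
# 802-11-wireless-security.psk: mypassword123
nmcli connection up home-wifi
```

### 12.5 WPA-Enterprise (802.1X)

```bash
nmcli connection add type wifi con-name corp-wifi ifname wlan0 \
    ssid "CorpWiFi" \
    wifi-sec.key-mgmt wpa-eap \
    802-1x.eap peap \
    802-1x.phase2-auth mschapv2 \
    802-1x.identity "user@corp.com" \
    802-1x.password "your-password"
nmcli connection up corp-wifi
```

### 12.6 Create a Wi-Fi hotspot

```bash
nmcli device wifi hotspot ifname wlan0 \
    con-name my-hotspot \
    ssid "MyHotspot" \
    password "hotspot123"     # at least 8 characters

# Stop the hotspot
nmcli connection down my-hotspot
nmcli device disconnect wlan0
```

### 12.7 Show a saved Wi-Fi password

```bash
nmcli -s connection show home-wifi | grep -E "psk"
# 802-11-wireless-security.psk: mypassword123

# Or edit interactively (opens nmcli's built-in editor)
nmcli connection edit home-wifi
# print
# set 802-11-wireless-security.psk newpass
# save
# quit
```

## 13. IPv4 / IPv6 configuration

### 13.1 IPv4 modes

```bash
# Automatic (default)
nmcli connection modify "有线连接" ipv4.method auto

# Manual (static)
nmcli connection modify "有线连接" \
    ipv4.method manual \
    ipv4.addresses 192.168.10.100/24 \
    ipv4.gateway 192.168.10.2 \
    ipv4.dns "8.8.8.8 1.1.1.1"

# Share this machine's network with other devices (NAT, like a router)
nmcli connection modify "有线连接" ipv4.method shared

# Link-local only
nmcli connection modify "有线连接" ipv4.method link-local

# Disable IPv4
nmcli connection modify "有线连接" ipv4.method disabled
```

### 13.2 IPv6 modes

```bash
nmcli connection modify "有线连接" ipv6.method auto       # SLAAC / DHCPv6
nmcli connection modify "有线连接" ipv6.method ignore     # ignore IPv6 completely
nmcli connection modify "有线连接" ipv6.method disabled

# Static IPv6
nmcli connection modify "有线连接" \
    ipv6.method manual \
    ipv6.addresses fd00::1/64 \
    ipv6.gateway fd00::ff \
    ipv6.dns 2001:4860:4860::8888
nmcli connection up "有线连接"
```

### 13.3 Multiple addresses / multiple DNS servers / search domains

```bash
# Multiple IPs (comma-separated)
nmcli connection modify "有线连接" ipv4.addresses "192.168.10.100/24,10.0.0.5/24"
# Multiple DNS servers
nmcli connection modify "有线连接" ipv4.dns "8.8.8.8,1.1.1.1,192.168.10.2"
# Search domains
nmcli connection modify "有线连接" ipv4.dns-search "corp.local,example.com"
```

## 14. Hostname and DNS

### 14.1 Hostname

```bash
nmcli general hostname              # show
nmcli general hostname my-server    # * changing it needs root
hostnamectl status                  # verify
```

### 14.2 DNS currently in effect

```bash
cat /etc/resolv.conf
# Generated by NetworkManager
# nameserver 192.168.10.2

# It can also be read from the device state
nmcli device show ens33 | grep -E "DNS"
```

### 14.3 Make every connection use a global DNS (overriding the per-connection settings)

```bash
nmcli general logging     # * view only, changes nothing

# The real "global DNS" configuration lives in the [main] section of
# /etc/NetworkManager/NetworkManager.conf
# [main]
# dns=none
# and then use systemd-resolved or dnsmasq
# [main]
# dns=default

# Restart to apply
sudo systemctl restart NetworkManager   # *
```

## 15. VPN management

### 15.1 Supported VPN protocols (through plugins)

| Protocol | Plugin package |
| --- | --- |
| OpenVPN | `network-manager-openvpn` |
| WireGuard | `network-manager-wireguard` |
| strongSwan (IPsec) | `network-manager-strongswan` |
| L2TP/IPsec | `network-manager-l2tp` |
| PPTP | `network-manager-pptp` |
| SSTP | `network-manager-sstp` |
| OpenConnect (Cisco AnyConnect) | `network-manager-openconnect` |
| VPNC (Cisco IPsec) | `network-manager-vpnc` |

Installation example (OpenVPN):

```bash
sudo apt install -y network-manager-openvpn network-manager-openvpn-gnome   # *
sudo systemctl restart NetworkManager                                       # *
```

### 15.2 Import from a `.ovpn` file

```bash
nmcli connection import type openvpn file ~/Downloads/client.ovpn
nmcli connection up imported-vpn
```

### 15.3 Create an OpenVPN profile by hand

```bash
nmcli connection add type vpn con-name my-ovpn \
    vpn-type openvpn \
    vpn.data "connection-type=password,remote=vpnexample.com,port=1194,protocol=udp" \
    vpn.secrets "password=MySecret" \
    ipv4.never-default yes

# Set the username and password flags (more secure); password-flags=0 lets
# NetworkManager store the secret in the profile. "+" appends to vpn.data
# instead of replacing the keys set above.
nmcli connection modify my-ovpn \
    +vpn.data "username=vpnuser,password-flags=0"

# Start
nmcli connection up my-ovpn
```

### 15.4 WireGuard (short example)

```bash
sudo apt install -y wireguard-tools network-manager-wireguard   # *
nmcli connection import type wireguard file ~/Downloads/wg0.conf
nmcli connection up wg0
```

### 15.5 Disconnect the VPN

```bash
nmcli connection down my-ovpn
```

## 16. Bonding / VLAN / bridge / tunnels

### 16.1 Bond (link aggregation)

```bash
nmcli connection add type bond con-name bond0 ifname bond0 mode active-backup
nmcli connection add type ethernet slave-type bond master bond0 ifname ens33 con-name bond0-port1
nmcli connection add type ethernet slave-type bond master bond0 ifname ens34 con-name bond0-port2 2>/dev/null || true
nmcli connection up bond0
ip link show bond0
```

Common modes: `balance-rr` (0), `active-backup` (1), `balance-xor` (2), `802.3ad` (4), `balance-tlb` (5), `balance-alb` (6).

### 16.2 VLAN

```bash
# Create VLAN 100 on top of bond0
nmcli connection add type vlan con-name vlan100 dev bond0 id 100 \
    ipv4.method manual ipv4.addresses 192.168.100.10/24 ipv4.gateway 192.168.100.1
nmcli connection up vlan100
```

### 16.3 Bridge

```bash
nmcli connection add type bridge con-name br0 ifname br0 \
    ipv4.method manual ipv4.addresses 192.168.20.1/24
nmcli connection add type ethernet slave-type bridge master br0 ifname ens33 con-name br0-port
nmcli connection up br0
```

### 16.4 macvlan

```bash
nmcli connection add type macvlan con-name macvlan0 dev ens33 mode bridge \
    ipv4.method manual ipv4.addresses 192.168.10.50/24 ipv4.gateway 192.168.10.2
nmcli -t connection show macvlan0 | grep macvlan
# macvlan.parent: ens33
# macvlan.mode: 2    # bridge
```

### 16.5 VXLAN

```bash
nmcli connection add type vxlan con-name vx1000 id 1000 remote 192.168.10.10 \
    ipv4.method manual ipv4.addresses 192.168.99.1/24
```

### 16.6 IP tunnels (IPIP / GRE / sit, etc.)

```bash
nmcli connection add type ip-tunnel con-name ipipt mode ipip remote 192.168.10.10 \
    ipv4.method manual ipv4.addresses 10.10.10.1/30
# mode can be: ipip / gre / sit / vti / ip6ip6 / ipip6 / vti6 / geneve …
```

### 16.7 Team (another aggregation method, superseded by bond but still usable)

```bash
nmcli connection add type team con-name team0 ifname team0 \
    team.runner activebackup
nmcli connection add type ethernet slave-type team master team0 ifname ens33 con-name team0-port
nmcli connection up team0
```

### 16.8 Clean up the test connections

```bash
nmcli connection delete bond0 vlan100 br0 macvlan0 vx1000 ipipt team0 2>&1
```

## 17. Monitoring and logging

### 17.1 Watch global changes

```bash
# Live output, press Ctrl+C to stop
nmcli monitor
# Example output: NetworkManager is running
```

### 17.2 Watch one connection / one device

```bash
nmcli connection monitor "有线连接"
nmcli device monitor
nmcli device monitor ens33
```

### 17.3 Logging level

```bash
nmcli general logging                                              # show
nmcli general logging level TRACE domains CORE,DEVICE,IP4,DHCP4    # * verbose
nmcli general logging level KEEP                                   # * KEEP leaves the current level unchanged (OFF is the level that silences logging)
nmcli general logging level WARN                                   # * restore the default
```

### 17.4 System log

```bash
journalctl -u NetworkManager -f                      # live
journalctl -u NetworkManager --since "1 hour ago"
```

## 18. Agents and permissions (agent)

### 18.1 Show the current user's permissions

```bash
nmcli general permissions
# org.freedesktop.NetworkManager.network-control 是
# org.freedesktop.NetworkManager.settings.modify.own 是
# org.freedesktop.NetworkManager.settings.modify.system 是
# org.freedesktop.NetworkManager.wifi.scan 是
```

Value meanings: `是` (yes) = fully allowed; `否` (no) = forbidden; `验证` (auth) = a polkit authentication prompt is required (that is, the root password).

### 18.2 Register a secret / polkit agent (normally done by GUI clients)

```bash
# Make the current nmcli process act as NetworkManager's secret agent (it answers secret requests)
nmcli agent secret
# Output: nmcli 已成功地注册为网络管理器NetworkManager的密钥secret代理。
# Press Ctrl+C to exit

nmcli agent polkit    # register a polkit agent
```

### 18.3 polkit rule example

If some operations always report "访问遭到拒绝" (access denied), place a rule under `/etc/polkit-1/rules.d/`:

```javascript
// /etc/polkit-1/rules.d/10-network-manager.rules
// Allows every org.freedesktop.NetworkManager.* action for members of the
// "wheel" group without an authentication prompt.
polkit.addRule(function(action, subject) {
    if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 &&
        subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});
```

## 19. Importing and exporting configuration files

### 19.1 Export a VPN (only VPN types are supported)

```bash
nmcli connection export my-ovpn > ~/my-ovpn-backup.conf
```

### 19.2 Import a VPN

```bash
nmcli connection import type openvpn file ~/my-ovpn-backup.conf
```

### 19.3 Manual backup/restore (the recommended way)

NetworkManager stores connections as `.nmconnection` files:

```
/etc/NetworkManager/system-connections/                      # system connections
/etc/NetworkManager/system-connections/<name>.nmconnection
```

```bash
# Back up
sudo cp /etc/NetworkManager/system-connections/有线连接.nmconnection ~/bak.nmconnection   # *

# Restore (copy into the same directory on the target machine, then reload)
sudo cp ~/bak.nmconnection /etc/NetworkManager/system-connections/             # *
sudo chmod 600 /etc/NetworkManager/system-connections/bak.nmconnection         # *
sudo nmcli connection reload                                                   # *
nmcli connection up "有线连接"
```

## 20. Troubleshooting common problems

| Symptom | Command to check | Common cause and fix |
| --- | --- | --- |
| A command reports "访问遭到拒绝" (access denied) | `nmcli general permissions` | The current user lacks permission; use `sudo` or configure polkit |
| `nmcli device status` shows `unmanaged` | `nmcli device set <iface> managed yes` | `managed=false` in `/etc/NetworkManager/NetworkManager.conf`, or the interface is held by ifupdown |
| A change has no effect | `nmcli connection up <name>` or `nmcli device reapply <iface>` | The connection must be re-activated |
| No Wi-Fi list | `nmcli radio wifi` / `nmcli device status` | 1) the physical Wi-Fi switch is off; 2) the hardware is missing; 3) a driver problem: find the adapter with `lspci`/`lsusb`, check the driver with `dmesg` |
| DNS settings do not take effect | `cat /etc/resolv.conf` | Another program (such as `systemd-resolved` or `resolvconf`) is overwriting it; set `dns=none`; let NM manage it itself |
| Cannot connect although `state` is connected | `nmcli networking connectivity` | Possibly `portal` (login required) or `limited` (DNS/egress restricted) |
| IP address lost after a reboot | `nmcli -t -f autoconnect connection show <name>` | `autoconnect` is off; set it to `yes` |
| IPv6 interferes with some services | `nmcli connection modify <name> ipv6.method ignore` | Turn IPv6 off completely |
| Leftover virtual interfaces from tests | `nmcli connection show` | Find the temporary test connections and `delete` them |
| NetworkManager does not start | `journalctl -u NetworkManager -xe` | The configuration file is corrupted; back up `/etc/NetworkManager/NetworkManager.conf` and regenerate it |

## Appendix: snapshot from the machine used to verify this tutorial

```
$ uname -a
Linux lihaozhe 6.18.34-amd64-desktop-rolling ... x86_64 GNU/Linux
$ cat /etc/os-release
PRETTY_NAME="Deepin 25"
ID=deepin
VERSION_ID="25"
$ nmcli --version
nmcli 工具版本 1.44.2
$ systemctl status NetworkManager
Active: active (running)
$ nmcli device status
DEVICE  TYPE      STATE     CONNECTION
ens33   ethernet  已连接    有线连接
lo      loopback  连接外部  lo
$ nmcli -t -f STATE general
connected
$ nmcli networking connectivity
full
```

Every command in the tutorial corresponds to an instruction that was actually executed and passed during this test run. Because the machine has no wireless adapter, the Wi-Fi part was verified for syntax and executability with the equivalent `--help`, profile creation and radio switch commands.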
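Sections 12.7 and 19.3 show that saved secrets live in the `.nmconnection` keyfiles and that a restored file must be mode 600. The following audit script is an added example, not part of the original tutorial: it flags keyfiles whose mode is not 600 and keys that hold a secret on disk, printing key names only. The function names are hypothetical and the sample profiles are constructed from the names used in sections 12.4, 12.5 and 15.3.

```shell
#!/bin/sh
# Added example: audit NetworkManager keyfiles (*.nmconnection) for lax file
# modes and for secrets stored in the file. Secret values are never printed.

audit_nm_profiles() {   # usage: audit_nm_profiles DIR
    for f in "$1"/*.nmconnection; do
        [ -e "$f" ] || continue
        perm=$(ls -ld "$f" | cut -c1-10)
        [ "$perm" = "-rw-------" ] || echo "MODE $perm $f"
        awk '
            /^\[/ { sec = $0; next }         # remember the current [section]
            /^[ \t]*#/ || !/=/ { next }      # skip comments and non key=value lines
            {
                key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]+/, "", key)
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                if (val == "") next
                # Every key under [vpn-secrets] is a secret; elsewhere match known names.
                if (sec == "[vpn-secrets]" ||
                    key ~ /^(psk|password|private-key-password|wep-key[0-3])$/)
                    print "SECRET " sec " " key " " FILENAME
            }' "$f"
    done
}

make_sample_profiles() {   # constructed sample data, names taken from the tutorial
    printf '%s\n' '[connection]' 'id=home-wifi' '[wifi-security]' \
        'key-mgmt=wpa-psk' 'psk=mypassword123' > "$1/home-wifi.nmconnection"
    chmod 644 "$1/home-wifi.nmconnection"      # too permissive, and holds a PSK
    printf '%s\n' '[connection]' 'id=corp-wifi' '[802-1x]' \
        'identity=user@corp.com' 'password-flags=1' > "$1/corp-wifi.nmconnection"
    chmod 600 "$1/corp-wifi.nmconnection"      # secret kept by an agent: clean
    printf '%s\n' '[connection]' 'id=my-ovpn' '[vpn]' 'password-flags=0' \
        '[vpn-secrets]' 'password=MySecret' > "$1/my-ovpn.nmconnection"
    chmod 600 "$1/my-ovpn.nmconnection"        # correct mode, secret on disk
}

# Demo on the constructed files. On a real host, run as root:
#   audit_nm_profiles /etc/NetworkManager/system-connections
demo_dir=$(mktemp -d) && make_sample_profiles "$demo_dir" && audit_nm_profiles "$demo_dir"
rm -rf "$demo_dir"
```

The same check applies to copies made outside `/etc`, such as the `~/bak.nmconnection` backup from section 19.3, which carries the same secrets as the original.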
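Sections 18.1 and 18.3 deal with which NetworkManager actions a user may perform without authentication. The script below is an added example, not part of the original tutorial: it reads terse `permission:value` lines and reports system-wide actions granted as `yes`, failing closed on values it cannot parse (such as localized output). The function names, the choice of which actions count as sensitive, and the sample lines are assumptions of this example; the sample is constructed from the section 18.1 output.

```shell
#!/bin/sh
# Added example: flag NetworkManager permissions that the current user holds
# without authentication. Input: terse output of `nmcli -t general permissions`.

# System-wide actions (NetworkManager polkit action suffixes); which of them
# count as sensitive is an assumption of this example.
NM_SENSITIVE="enable-disable-network reload checkpoint-rollback settings.modify.system settings.modify.hostname settings.modify.global-dns wifi.share.open"

nm_unauth_grants() {   # reads "permission:value" lines on stdin
    awk -F: -v list="$NM_SENSITIVE" '
        BEGIN {
            bad = 0
            n = split(list, s, " ")
            for (i = 1; i <= n; i++) sens["org.freedesktop.NetworkManager." s[i]] = 1
        }
        NF < 2 { next }
        # Fail closed on anything that is not one of the untranslated values,
        # e.g. localized output such as the 是 shown in section 18.1.
        $2 !~ /^(yes|no|auth|unknown)$/ { print "UNPARSED " $1 " " $2; bad = 1; next }
        $2 == "yes" && ($1 in sens) { print "UNAUTH " $1; bad = 1 }
        END { exit bad }
    '
}

sample_permissions() {   # constructed: section 18.1 output in terse form, plus two more lines
    cat <<'EOF'
org.freedesktop.NetworkManager.network-control:yes
org.freedesktop.NetworkManager.settings.modify.own:yes
org.freedesktop.NetworkManager.settings.modify.system:yes
org.freedesktop.NetworkManager.wifi.scan:yes
org.freedesktop.NetworkManager.settings.modify.hostname:auth
org.freedesktop.NetworkManager.reload:no
EOF
}

# Demo on the constructed sample. On a real host:
#   LC_ALL=C nmcli -t general permissions | nm_unauth_grants
sample_permissions | nm_unauth_grants || echo "review the polkit rules behind the grants above"
```

Running it for an unprivileged account before and after installing a rule like the one in section 18.3 shows exactly which grants the rule added.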