RPC issues on Debian

Hi team,

I’m currently facing an issue invoking the nym-vpnc binary which I cannot narrow down. Could anyone help? My setup was working before updating to the latest NYM builds (1.28 over 1.26).

root@host:~# /usr/bin/nym-vpnc -V
nym-vpnc 1.28.0
root@host:~# /usr/bin/nym-vpnd -V
nym-vpnd 1.28.0
root@host:~#
root@host:~# /usr/bin/nym-vpnc info
Error: Failed to create RPC client

Caused by:
    Authentication is required to access the daemon
root@host:~# /usr/bin/nym-vpnc diagnostic run
Error: Failed to create RPC client

Caused by:
    Authentication is required to access the daemon
root@host:~#

----

root@host:~# systemctl --system status nym-vpnd.service
* nym-vpnd.service - nym-vpnd daemon
     Loaded: loaded (/usr/lib/systemd/system/nym-vpnd.service; enabled; preset: enabled)
     Active: active (running) since Fri 2026-04-24 09:13:43 UTC; 4s ago
 Invocation: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
   Main PID: 807 (nym-vpnd)
      Tasks: 23 (limit: 308792)
     Memory: 24.4M (peak: 26.2M)
        CPU: 371ms
     CGroup: /system.slice/nym-vpnd.service
             `-807 /usr/bin/nym-vpnd -v run-as-service

Apr 24 09:13:43 cNYM systemd[1]: Started nym-vpnd.service - nym-vpnd daemon.

----

/var/log/apt/history.log:Upgrade: nym-vpnc:amd64 (1.26.0, 1.28.0), nym-vpnd:amd64 (1.26.0, 1.28.0), nym-vpn-app:amd64 (1.26.0, 1.28.0)

Whatever I ask of nym-vpnc, it spits out the same output.
Has anyone seen that before?

Thank you,
Regards

Looks like permissions/binary ownership. Check what user is running the service with

cat /usr/lib/systemd/system/nym-vpnd.service

and then make sure that user has permission to access and start the nym vpn files in /usr/bin/. Likely the process needs to be root to start networking services. Check the file is owned by the user starting it in the service file.

Hi,

Thanks a lot for your help!

5.1M -rwxr-xr-x 1 root root 5.1M Apr 14 00:00 nym-vpnc
 61M -rwxr-xr-x 1 root root  61M Apr 14 00:00 nym-vpnd

The service unit looks fine as well TBH / manually starting the nym-vpnd daemon shows no signs of alarming logs either.

cat /usr/lib/systemd/system/nym-vpnd.service
[Unit]
Description=nym-vpnd daemon
Before=network-online.target
StartLimitBurst=6
StartLimitIntervalSec=24
After=NetworkManager.service systemd-resolved.service

[Service]
User=root
Group=root
ExecStart=/usr/bin/nym-vpnd -v run-as-service
Restart=always
RestartSec=2

[Install]
WantedBy=multi-user.target

The .sock file is actually hit by nym-vpnc upon requests.

inotifywait -m /var/run/nym-vpn.sock
Setting up watches.
Watches established.
/var/run/nym-vpn.sock ATTRIB
/var/run/nym-vpn.sock DELETE_SELF
strace -e trace=openat,connect nym-vpnc diagnostic run 2>&1 | grep -i "sock\|run\|tmp"
connect(9, {sa_family=AF_UNIX, sun_path="/var/run/nym-vpn.sock"}, 24) = 0

I’m honestly out of ideas, if not to revert to 1.26.0 for a quick test / is that even possible? cannot find retro packages…

Thanks again

Older packages can be found on github: Releases · nymtech/nym-vpn-client · GitHub

Cheers, does that involve the nym-vpnd daemon as well?

EDIT: yes it does


Oki, reverting to 1.26.0 got me up again:

wget https://github.com/nymtech/nym-vpn-client/releases/download/nym-vpn-core-v1.26.0/nym-vpnc_1.26.0_amd64.deb
wget https://github.com/nymtech/nym-vpn-client/releases/download/nym-vpn-core-v1.26.0/nym-vpnd_1.26.0_amd64.deb
apt remove nym-vpnc
apt remove nym-vpnd
apt autoremove
dpkg -i nym-vpnd_1.26.0_amd64.deb
dpkg -i nym-vpnc_1.26.0_amd64.deb

and up:

nym-vpnc status
State: Connected wg to x.x.x.x:51822 [xxxxxxxxxxxxxxxxxxx] → x.x.x.x:51822 [xxxxxxxxxxxxxxxxxxxxxxxxx]

A glitch within 1.28.0 perhaps ?

Lemme know,
thanks again

to narrow things down / seems to have started from 1.27.0

dpkg -i nym-vpnd_1.27.0_amd64.deb
(Reading database ... 33026 files and directories currently installed.)
Preparing to unpack nym-vpnd_1.27.0_amd64.deb ...
Unpacking nym-vpnd (1.27.0) over (1.26.0) ...
Setting up nym-vpnd (1.27.0) ...

dpkg -i nym-vpnc_1.27.0_amd64.deb
(Reading database ... 33026 files and directories currently installed.)
Preparing to unpack nym-vpnc_1.27.0_amd64.deb ...
Unpacking nym-vpnc (1.27.0) over (1.26.0) ...
Setting up nym-vpnc (1.27.0) ...

systemctl stop nym-vpnc.service
systemctl stop nym-vpnd.service
systemctl start nym-vpnd.service
systemctl start nym-vpnc.service

nym-vpnc status
Error: Failed to create RPC client

Caused by:
    Authentication is required to access the daemon

I may be missing an OS package perhaps, though I’m on an up-to-date Debian 13.

On newer NymVPN apps on Linux, you need to add device password to authenticate the connection between app and daemon. That’s likely what’s causing it.

Haa yes, that sounds well possible. Would you have any documentation URL perhaps? Thanks

https://support.nym.com/hc/en-us/articles/45300085856017

We have this support article about the topic.

Excellent, working on 1.28.0 now

For Debian users:

# Install polkit (Debian 13 package names)
apt install polkitd pkexec

Thanks / perhaps an update of your KB may help. I saw that one but it is somewhat geared toward i3 users; I’m headless here, or oh well, SSH only.

Cheers


I’ve hit the same problem. It’s a Debian 13 standalone VM running in QubesOS 4.2.4. Version 1.26.0 of Nym works but I’m getting the RPC error on higher versions. I tried @solarninja’s solution (install polkitd and pkexec) but it’s made no difference and all versions above 1.26.0 have the problem.

user@nym:~$ uname -a
Linux nym 6.18.19-1.qubes.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Mar 24 01:20:46 GMT 2026 x86_64 GNU/Linux
user@nym:~$ cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 13 (trixie)"
NAME="Debian GNU/Linux"
VERSION_ID="13"
VERSION="13 (trixie)"
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.4
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"
user@nym:~$ systemctl status nym-vpnd
● nym-vpnd.service - nym-vpnd daemon
Loaded: loaded (/usr/lib/systemd/system/nym-vpnd.service; enabled; preset: enabled)
Active: active (running) since Sat 2026-05-16 07:47:58 CEST; 12min ago
Invocation: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Main PID: 2321 (nym-vpnd)
Tasks: 22 (limit: 7680)
Memory: 21M (peak: 23.1M)
CPU: 575ms
CGroup: /system.slice/nym-vpnd.service
└─2321 /usr/bin/nym-vpnd -v run-as-service
user@nym:~$ nym-vpnc -V
nym-vpnc 1.28.0
user@nym:~$ nym-vpnd -V
nym-vpnd 1.28.0
user@nym:~$ dpkg -l polkitd pkexec
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name           Version      Architecture Description
+++-==============-============-============-=============================================================
ii  pkexec         126-2        amd64        run commands as another user with polkit authorization
ii  polkitd        126-2        amd64        framework for managing administrative policies and privileges
user@nym:~$ nym-vpnc info
Error: Failed to create RPC client

Caused by:
Authentication is required to access the daemon

@salazar

Could you explain in a bit more detail what you mean by “On newer NymVPN apps on Linux, you need to add device password to authenticate the connection between app and daemon”? Clearly, just adding the polkitd and pkexec packages was insufficient on my Qubes VM.

EDIT: Just to clarify one point. I saw the 2026.6 announcement that states:

For Linux users: There is a new authentication protocol on Linux devices which requires you to install policykit-1-gnome.

with a link to https://support.nym.com/hc/en-us/articles/45300085856017-Running-NymVPN-authentication-on-Linux-with-i3. Like @solarninja my VM doesn’t have a graphics environment installed, eg GNOME; it’s command-line only. For some reason, on Debian, the package policykit-1-gnome is not available in the Debian 13 (trixie) repo; it’s only available in the 11, 12 and unstable (sid) repos.

The Debian repo has this to say about pkexec:

run commands as another user with polkit authorization

polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes. It was previously named PolicyKit.

pkexec is a setuid program to allow certain users to run commands as root or as a different user, similar to sudo. Unlike sudo, it carries out authentication and authorization by sending a request to polkit, so it uses desktop environments’ familiar prompting mechanisms for authentication and uses polkit policies for authorization decisions.

By default, members of the ‘sudo’ Unix group can use pkexec to run any command after authenticating. The authorization rules can be changed by the local system administrator.

My user on the VM is a member of the sudo group:

user@nym:~$ groups
user sudo qubes

I am able to run sudo nym-vpnc status and it works. Being part of the sudo group, I am also able to run pkexec /usr/bin/nym-vpnc status and, with a bit of verbosity thrown in, it also works:

user@nym:~$ pkexec /usr/bin/nym-vpnc status
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/nym-vpnc status' as the super user
Authenticating as: user
==== AUTHENTICATION COMPLETE ====
State: Disconnected
user@nym:~$ /usr/bin/nym-vpnc status
Error: Failed to create RPC client

Caused by:
Authentication is required to access the daemon

EDIT 2: I appear to have found the source of the problem.

  1. The nym-vpnd executable dynamically creates a polkit policy file /usr/share/polkit-1/actions/com.nymvpn.vpnd.unix-access.policy (It is not installed as a component of the Debian package.) AFAICT, this policy requires the user to enter either their password or an admin password when nym-vpnc is run. Why? It seems to assume that a graphics environment exists, eg GNOME, that will create a pop-up window. It is unrealistic to assume that all environments running nym-vpn are graphical with a password logon.
  2. The rationale for this “security enhancement” hasn’t been clearly explained, and the support article confines itself to mentioning i3.
  3. The policy ignores the fact that my user has sudo privileges.
  4. pkexec does not seem to be used and removing it has no detrimental effect.
  5. As already mentioned above, package policykit-1-gnome doesn’t even exist in the Debian 13 repo.
  6. I wrote a workaround polkit policy to bypass this new policy. Such hacks shouldn’t be necessary. Getting to the bottom of this problem has also been a huge time sink.

Thank you for the thorough feedback. We’ll share it with the team and update the documentation regarding this.

Could you also find out what the rationale is for this “security enhancement”? If it’s to stop people who just happen to pass by your unattended computer from doing something they shouldn’t, this is imposing a guaranteed inconvenience to protect against a tiny hypothetical risk. If it’s been added for another reason, I’d be interested to know what that is.

I would just add that, given the large number of Linux distributions and environments out there, you should try to keep things as distribution/environment-agnostic as possible. Perhaps something simple like “if user is in the nym group, then they’re authorized” would suffice.
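
The group-based authorization suggested in the last post can be written as a polkit rule, which polkitd reads as JavaScript. This is an added example, not part of any post in the thread and not Nym's own configuration; the action id (assumed to match the policy file name quoted above), the `nym` group and the rules file name are assumptions.

```javascript
// Save as /etc/polkit-1/rules.d/49-nym-vpnd-group.rules
// (the file name is this example's choice).
// ASSUMPTION: action id taken from the policy file name quoted in the thread
// (com.nymvpn.vpnd.unix-access.policy); confirm the real id with pkaction.
var NYM_ACTION_ID = "com.nymvpn.vpnd.unix-access";
// ASSUMPTION: a dedicated group called "nym", as proposed in the last post.
var NYM_GROUP = "nym";

// polkitd provides the global `polkit`; the fallback only lets the function
// be exercised outside polkitd (for example under Node.js).
var RESULT = (typeof polkit !== "undefined")
    ? polkit.Result
    : { YES: "yes", NOT_HANDLED: "not_handled" };

function nymVpndRule(action, subject) {
    // Scope the rule to the daemon-access action only, so unrelated
    // actions (pkexec, package management, ...) are left untouched.
    if (action.id !== NYM_ACTION_ID) {
        return RESULT.NOT_HANDLED;
    }
    // Members of the dedicated group are authorized without a prompt.
    if (subject.isInGroup(NYM_GROUP)) {
        return RESULT.YES;
    }
    // Everyone else falls through to the policy's own defaults,
    // which still demand authentication.
    return RESULT.NOT_HANDLED;
}

if (typeof polkit !== "undefined") {
    polkit.addRule(nymVpndRule);
}
```

Check the action id with `pkaction --verbose` and adjust `NYM_ACTION_ID` before installing the file. Keeping the group dedicated to this purpose, rather than reusing `sudo`, limits who can control the daemon without a password.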