I’ve hit the same problem. It’s a Debian 13 standaloneVM running in QubesOS 4.2.4. Version 1.26.0 of Nym works but I’m getting the RPC error on higher versions. Per @solarninja ‘s solution (install polkitd and pkexec) but it’s made no difference and all versions above 1.26.0 have the problem.
user@nym:~$ uname -a
Linux nym 6.18.19-1.qubes.fc37.x86_64 #1 SMP PREEMPT_DYNAMIC Tue Mar 24 01:20:46 GMT 2026 x86_64 GNU/Linux
user@nym:~$ cat /etc/os-release
PRETTY_NAME=“Debian GNU/Linux 13 (trixie)”
NAME=“Debian GNU/Linux”
VERSION_ID=“13”
VERSION=“13 (trixie)”
VERSION_CODENAME=trixie
DEBIAN_VERSION_FULL=13.4
ID=debian
HOME_URL=“https://www.debian.org/”
SUPPORT_URL=“https://www.debian.org/support”
BUG_REPORT_URL=“https://bugs.debian.org/”
user@nym:~$ systemctl status nym-vpnd
● nym-vpnd.service - nym-vpnd daemon
Loaded: loaded (/usr/lib/systemd/system/nym-vpnd.service; enabled; preset: enabled)
Active: active (running) since Sat 2026-05-16 07:47:58 CEST; 12min ago
Invocation: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Main PID: 2321 (nym-vpnd)
Tasks: 22 (limit: 7680)
Memory: 21M (peak: 23.1M)
CPU: 575ms
CGroup: /system.slice/nym-vpnd.service
└─2321 /usr/bin/nym-vpnd -v run-as-service
user@nym:~$ nym-vpnc -V
nym-vpnc 1.28.0
user@nym:~$ nym-vpnd -V
nym-vpnd 1.28.0
user@nym:~$ dpkg -l polkitd pkexec
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
++±==============-============-============-=============================================================
ii pkexec 126-2 amd64 run commands as another user with polkit authorization
ii polkitd 126-2 amd64 framework for managing administrative policies and privileges
user@nym:~$ nym-vpnc info
Error: Failed to create RPC client
Caused by:
Authentication is required to access the daemon
@salazar
Could you explain in a bit more detail what you mean by “On newer NymVPN apps on Linux, you need to add device password to authenticate the connection between app and daemon”? Clearly, just adding the polkitd and pkexec packages was insufficient on my Qubes VM.
EDIT: Just to clarify one point. I saw the 2026.6 announcement that states:
For Linux users: There is a new authentication protocol on Linux devices which requires you to install policykit-1-gnome.
with a link to https://support.nym.com/hc/en-us/articles/45300085856017-Running-NymVPN-authentication-on-Linux-with-i3. Like @solarninja my VM doesn’t have a graphics environment installed, eg GNOME; it’s command-line only. For some reason, on Debian, the package policykit-1-gnome is not available in the Debian 13 (trixie) repo; it’s only available in the 11, 12 and unstable (sid) repos.
The Debian repo has this to say about pkexec:
run commands as another user with polkit authorization
polkit is an application-level toolkit for defining and handling the policy that allows unprivileged processes to speak to privileged processes. It was previously named PolicyKit.
pkexec is a setuid program to allow certain users to run commands as root or as a different user, similar to sudo. Unlike sudo, it carries out authentication and authorization by sending a request to polkit, so it uses desktop environments’ familiar prompting mechanisms for authentication and uses polkit policies for authorization decisions.
By default, members of the ‘sudo’ Unix group can use pkexec to run any command after authenticating. The authorization rules can be changed by the local system administrator.
My user on the VM is a member of the sudo group:
user@nym:~$ groups
user sudo qubes
I am able to run sudo nym-vpnc status and it works. Being part of the sudo group, I am also able to run pkexec /usr/bin/nym-vpnc status and, with a bit of verbosity thrown in, it also works:
user@nym:~$ pkexec /usr/bin/nym-vpnc status
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/nym-vpnc status’ as the super user
Authenticating as: user
==== AUTHENTICATION COMPLETE ====
State: Disconnected
user@nym:~$ /usr/bin/nym-vpnc status
Error: Failed to create RPC client
Caused by:
Authentication is required to access the daemon
EDIT 2: I appear to have found the source of the problem.
- The nym-vpnd executable dynamically creates a polkit policy file /usr/share/polkit-1/actions/com.nymvpn.vpnd.unix-access.policy (It is not installed as a component of the Debian package.) AFAICT, this policy requires the user to enter either their password or an admin password when nym-vpnc is run. Why? It seems to assume that a graphics environment exists, eg GNOME, that will create a pop-up window. It is unrealistic to assume that all environments running nym-vpn are graphical with a password logon.
- The rationale for this “security enhancement” hasn’t been clearly explained. and the support article confines itself to mentioning i3.
- The policy ignores the fact that my user has sudo privileges.
- pkexec does not seem to be used and removing it has no detrimental effect.
- As already mentioned above, package policykit-1-gnome doesn’t even exist in the Debian 13 repo.
- I wrote a workaround polkit policy to bypass this new policy. Such hacks shouldn’t be necessary. Getting to the bottom of this problem has also been a huge time sink.