
This is an old revision of the document!

Networking HowTos

Configure Mobile Data

If your correct provider settings do not show up in Settings » Mobile » Mobile Data » Access Points, you can add a new one with the [+] button. Add a network name and your APN, e.g. Name: 3 internet APN: The correct settings depend on your provider.

Connection sharing/Tethering

Sharing mobile data through wifi hotspot

Create a new hotspot connection with SSID `Pinephone` and password `HotspotPassword` by running:

sudo nmcli device wifi hotspot ifname wlan0 con-name Hotspot ssid Pinephone password HotspotPassword

Stop the hotspot from NetworkManager. To restart your hotspot, you can use the three-dots menu “Connect to hidden network”.

Sharing internet from your PC via USB

Set up IP forwarding on your PC and configure your USB ethernet device's IP:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -A POSTROUTING -t nat  -s -j MASQUERADE
sudo iptables -P FORWARD ACCEPT
sudo ip addr add dev $USB_INTERFACE

where you should replace $USB_INTERFACE with the name of your interface (e.g. enp7s0u1c2 or usb0).

You might need to set the correct DNS server in /etc/resolv.conf:

nameserver $LOCAL_DNS_IP

where you should replace $LOCAL_DOMAIN by your local domain (e.g local) and $LOCAL_DNS_IP by a valid DNS server (e.g or


By default, Mobian has no listening services on any internet port, so a firewall is not necessary. However, when you install services such as openssh or a web server, you might want to lock down your device using a firewall.

Mobian can use any firewall that is supported by Debian. Debian is currently introducing nftables and phasing out iptables, but the latter still works (using nftables under the hood). One easy-to-use firewall is the Uncomplicated Firewall (UFW). It can be installed with sudo apt install ufw and enabled from a terminal with sudo ufw enable. Be careful when doing this over an SSH connection, though: you will lock yourself out :).

On my Mobian I got an error message ip6tables-restore v1.8.7 (nf_tables): Couldn't load match `rt':No such file or directory, which is most likely due to the kernel module (CONFIG_NFT_RT) not being included, but the firewall still worked fine.

Useful status output can be gathered with sudo ufw status and sudo ufw status verbose. Other useful commands are “ufw allow ssh” (check /etc/ufw/applications.d/ for the applications that can be allowed by name) or manually allowing ports.

NOTE: If you prefer graphical apps, the package gufw lets you configure the firewall via a graphical application. (gufw crashes on start! WHY?)

Network overlap with

When connecting a Mobian device to a computer via USB-C, Mobian is configured to use the IP address, in the subnet This can cause an issue if Mobian is also connected to a wifi network which utilizes a subnet within the same subnet. The configuration of the USB connection could be changed to use a different or smaller subnet, or a more specific route can be configured for the wifi connection to account for this special case. Here is how to add a persistent more specific route.

  1. Connect the Mobian device via USB-C to a computer, and SSH into it (see Connect via USB-C and SSH)
  2. Connect the Mobian device to the desired wifi network
  3. Identify the name of the wifi network in Network Manager
    • $ nmcli connection
      NAME               UUID                                  TYPE      DEVICE 
      USB                a3ee13d7-85ce-4386-8ba9-419a67309692  ethernet  usb0   
      wifi-network-name  bfe0a288-f193-4eeb-ba00-7d6f15ec27f6  wifi      wlan0
  4. Add a more specific route for the destination network, using the wifi network's name and gateway IP address
    • $ sudo nmcli connection modify wifi-network-name +ipv4.routes "" +ipv4.route-metric 25
    • - This is the destination network, swap in whatever the desired network is
    • - This is the gateway to use for that network, in this case it's the wifi network's gateway.
    • wifi-network-name - This is the name of the wifi network.
  5. Reload the connection configuration
    • $ sudo nmcli connection reload wifi-network-name
  6. It should now be possible to route packets to the destination network successfully over the wifi connection, instead of using the USB-C network connection.
    • The route table should look something similar to this:
    • $ ip route
      default via dev wlan0 proto dhcp metric 25 dev usb0 proto kernel scope link src metric 25 via dev wlan0 proto static metric 25 dev wlan0 proto kernel scope link src metric 25



WireGuard works well with Mobian, although no graphical configuration is integrated.

In a terminal, enter the following command: apt install --no-install-recommends wireguard-tools. You can now use the wg-quick command to manage WireGuard tunnels.

Fortunately, NetworkManager, which manages network connections in Mobian, has native WireGuard support built in, and it can be configured from the terminal! See this blogpost for details on how to set up WireGuard support in NetworkManager.

Note: If there are still problems, it has been reported that the IPv6 configuration in wireguard can cause trouble and needs to be removed (see same issue linked to earlier). (Please update if this changes)

Always-On VPN

VPN functionality will be added to Gnome-Control-Center in the future, but for now you can configure this via nmcli. This guide will explain how to import an OpenVPN connection, and then configure other connections to require it as a “secondary”.

1. Add OpenVPN support for NetworkManager by running sudo apt install network-manager-openvpn.

2. Import your OpenVPN .ovpn file by running sudo nmcli connection import type openvpn file {yourovpnfile.ovpn}

3. Until this is integrated with gnome-keyring, you must store your username and password in the .nmconnection file (currently insecure due to lack of disk encryption, which is coming in the future as well). Edit your VPN config in /etc/NetworkManager/system-connections, where the file is {youropenvpnfilename}.nmconnection. Change the password-flags to 0. At the bottom of the [vpn] block, add username={your username}. Then, below the [vpn] block, add the following:

[vpn-secrets]
password={your vpn password}

4. Obtain the UUID of your VPN connection by running sudo nmcli con show {your vpn connection name}; the UUID is the second line.

5. In the same directory, you can now modify any connection, including your cellular one, to bring up and require the VPN connection by adding this to the end of the [connection] block: secondaries={UUID}; (don't forget the trailing semicolon).

6. Restart NetworkManager with sudo systemctl restart NetworkManager for the changes to take effect.
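A check to run once the steps above are done, added here as an example and not part of the original guide: it lists connection files that do not name the VPN UUID in secondaries= (those connections come up without the VPN) and files that hold a plaintext VPN password with a mode other than 600. The function names, the script name audit.sh and the finding messages are this example's own.

```shell
#!/bin/sh
# Added example: audit NetworkManager keyfiles after the always-on VPN setup.

# keyfile_get FILE SECTION KEY -> prints the value of KEY inside [SECTION]
keyfile_get() {
    awk -F= -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && $1 == key { sub(/^[^=]*=/, ""); print; exit }
    ' "$1"
}

# audit_always_on_vpn DIR VPN_UUID -> one "<file>: <finding>" line per problem
audit_always_on_vpn() {
    dir=$1
    vpn_uuid=$2
    for f in "$dir"/*.nmconnection; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # A plaintext password in [vpn-secrets] should only be readable by the owner
        mode=$(stat -c %a "$f")
        if [ -n "$(keyfile_get "$f" vpn-secrets password)" ] && [ "$mode" != 600 ]; then
            echo "$name: plaintext VPN password in a file with mode $mode (expected 600)"
        fi
        # The VPN profile itself does not list itself as a secondary
        if [ "$(keyfile_get "$f" connection uuid)" = "$vpn_uuid" ]; then
            continue
        fi
        # secondaries= is a ';'-separated UUID list; pad it so each entry is ';'-delimited
        case ";$(keyfile_get "$f" connection secondaries);" in
            *";$vpn_uuid;"*) ;;
            *) echo "$name: type=$(keyfile_get "$f" connection type) comes up without the VPN" ;;
        esac
    done
    return 0
}

# Run directly: sh audit.sh /etc/NetworkManager/system-connections <VPN UUID>
if [ "$#" -eq 2 ]; then
    audit_always_on_vpn "$1" "$2"
fi
```

The files in /etc/NetworkManager/system-connections are readable only by root, so run the script with sudo.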


Randomizing MAC address

If you want to dynamically use a different MAC address for your Wi-Fi card (MAC spoofing), NetworkManager has everything built in. The default setting, “randomization during Wi-Fi scanning” (wifi.scan-rand-mac-address=yes), changes the Wi-Fi card's MAC address while it searches for available access points, which makes the device less recognizable and trackable (and is therefore recommended in general).

Create and edit the file: /etc/NetworkManager/conf.d/wifi_rand_mac.conf

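[device]
# "yes" is already the default for scanning
wifi.scan-rand-mac-address=yes
[connection]
# Randomize MAC for every ethernet connection
ethernet.cloned-mac-address=random
# Generate a random MAC for each WiFi and associate the two permanently.
wifi.cloned-mac-address=stable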

Depending on whether you want random MAC addresses for your ethernet connections (basically everything connected via USB) or the built in wifi, change the above settings. Possible useful values are random (create a new one on every connection), stable (create a random one and keep it), preserve (don't change anything, this is the default).

Last, restart NetworkManager:

 sudo systemctl restart NetworkManager.service

Check this useful GNOME blog post for more details. If this solution does not work well for you, the package macchanger achieves the same.