NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

`expressvpn` is not able to connect #210439

Open MathiasSven opened 1 year ago

MathiasSven commented 1 year ago

Describe the bug

Expressvpn is unable to connect

Steps To Reproduce

Steps to reproduce the behavior:

  1. Add `expressvpn` to the included packages
  2. Activate the service: `services.expressvpn.enable = true;`
  3. `expressvpn activate`
  4. `expressvpn connect`

Additional context

These are the error logs I get in either udp or lightway_udp. In lightway_udp:

2023-01-12T22:01:37.734+0000 Lightway: 1.23.2 Lightway Core: 1.4.1 WolfSSL: 5.2.0 libxenon: 1.2.0 libballoon: 1.3.2
2023-01-12T22:01:37.734+0000 Lightway will connect to 244.107.69.153:29000 using protocol: udp, cipher: aes, mtu: 1500
2023-01-12T22:01:37.734+0000 sndbuf: [212992 -> 212992]
2023-01-12T22:01:37.734+0000 rcvbuf: [212992 -> 212992]
2023-01-12T22:01:37.734+0000 Lightway is CONNECTING
2023-01-12T22:01:37.782+0000 Lightway Initial packet received
2023-01-12T22:01:37.835+0000 Nudging Lightway...
2023-01-12T22:01:37.878+0000 Link up - took 143.885373ms
2023-01-12T22:01:37.878+0000 Authenticating...
2023-01-12T22:01:37.940+0000 Attempting to create tun device '<automatic>'
2023-01-12T22:01:37.941+0000 tun device is up: tun0
2023-01-12T22:01:37.941+0000 Entered configuring state...
2023-01-12T22:01:37.941+0000 10.136.0.6 <----> 10.136.0.5 with DNS server 10.136.0.1 and MTU 1350
2023-01-12T22:01:37.941+0000 he_execute: starting /usr/sbin/expressvpnd --update-dns-config=static_resolv_conf
2023-01-12T22:01:37.954+0000 he_execute: process exited 1 (signal 0)
2023-01-12T22:01:37.954+0000 Error running up script
2023-01-12T22:01:37.954+0000 process_outside_packet: fatal error: HE_ERR_CALLBACK_FAILED
2023-01-12T22:01:37.954+0000 Lightway DISCONNECTING...
2023-01-12T22:01:37.954+0000 Lightway DISCONNECTED
2023-01-12T22:01:37.954+0000 he_execute: starting /usr/sbin/expressvpnd --update-dns-config=static_resolv_conf
2023-01-12T22:01:37.954+0000 he_execute: Received signal: 15
2023-01-12T22:01:37.954+0000 he_execute: sending SIGTERM/SIGBREAK to child 32219
2023-01-12T22:01:37.954+0000 he_execute: process exited 0 (signal 15)
2023-01-12T22:01:37.954+0000 Error running down script
2023-01-12T22:01:37.954+0000 Closing tun device...
2023-01-12T22:01:37.971+0000 Lightway DISCONNECTED (disconnect_and_stop).
2023-01-12T22:01:37.971+0000 Lightway STOPPED
2023-01-12T22:01:37.971+0000 Lightway FINISHED
Disconnected with error: HE_ERR_CALLBACK_FAILED

In udp:

Thu Jan 12 22:01:59 2023 WARNING: --keysize is DEPRECATED and will be removed in OpenVPN 2.6
Thu Jan 12 22:01:59 2023 OpenVPN 2.4.7 [git:production/4944e3cd8d730765] x86_64-unknown-linux-gnu [SSL (OpenSSL)] [EPOLL] [MH/PKTINFO] [AEAD] built on Mar 16 2022
Thu Jan 12 22:01:59 2023 library versions: OpenSSL 1.1.1n  15 Mar 2022
Thu Jan 12 22:01:59 2023 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:44809
Thu Jan 12 22:01:59 2023 WARNING: --ns-cert-type is DEPRECATED.  Use --remote-cert-tls instead.
Thu Jan 12 22:01:59 2023 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Thu Jan 12 22:01:59 2023 Outgoing Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jan 12 22:01:59 2023 Incoming Control Channel Authentication: Using 256 bit message hash 'SHA256' for HMAC authentication
Thu Jan 12 22:01:59 2023 TCP/UDP: Preserving recently used remote address: [AF_INET]244.107.69.90:15384
Thu Jan 12 22:01:59 2023 Socket Buffers: R=[212992->425984] S=[212992->425984]
Thu Jan 12 22:01:59 2023 UDP link local: (not bound)
Thu Jan 12 22:01:59 2023 UDP link remote: [AF_INET]244.107.69.90:15384
Thu Jan 12 22:01:59 2023 TLS: Initial packet from [AF_INET]244.107.69.90:15384, sid=45ef9104 4c29231b
Thu Jan 12 22:01:59 2023 WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this
Thu Jan 12 22:01:59 2023 VERIFY OK: depth=1, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=ExpressVPN CA, emailAddress=support@expressvpn.com
Thu Jan 12 22:01:59 2023 VERIFY OK: nsCertType=SERVER
Thu Jan 12 22:01:59 2023 VERIFY X509NAME OK: C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-11028-1a, emailAddress=support@expressvpn.com
Thu Jan 12 22:01:59 2023 VERIFY OK: depth=0, C=VG, ST=BVI, O=ExpressVPN, OU=ExpressVPN, CN=Server-11028-1a, emailAddress=support@expressvpn.com
Thu Jan 12 22:02:00 2023 Control Channel: TLSv1.3, cipher TLSv1.3 TLS_AES_256_GCM_SHA384, 2048 bit RSA
Thu Jan 12 22:02:00 2023 [Server-11028-1a] Peer Connection Initiated with [AF_INET]244.107.69.90:15384
Thu Jan 12 22:02:01 2023 SENT CONTROL [Server-11028-1a]: 'PUSH_REQUEST' (status=1)
Thu Jan 12 22:02:01 2023 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1,dhcp-option DNS 10.165.0.1,route 10.165.0.1,topology net30,ping 10,ping-restart 60,ifconfig 10.165.0.6 10.165.0.5,peer-id 0,cipher AES-256-GCM'
Thu Jan 12 22:02:01 2023 OPTIONS IMPORT: timers and/or timeouts modified
Thu Jan 12 22:02:01 2023 OPTIONS IMPORT: --ifconfig/up options modified
Thu Jan 12 22:02:01 2023 OPTIONS IMPORT: route options modified
Thu Jan 12 22:02:01 2023 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Thu Jan 12 22:02:01 2023 OPTIONS IMPORT: peer-id set
Thu Jan 12 22:02:01 2023 OPTIONS IMPORT: adjusting link_mtu to 1628
Thu Jan 12 22:02:01 2023 OPTIONS IMPORT: data channel crypto options modified
Thu Jan 12 22:02:01 2023 Data Channel: using negotiated cipher 'AES-256-GCM'
Thu Jan 12 22:02:01 2023 NCP: overriding user-set keysize with default
Thu Jan 12 22:02:01 2023 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 12 22:02:01 2023 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Thu Jan 12 22:02:01 2023 TUN/TAP device tun0 opened
Thu Jan 12 22:02:01 2023 TUN/TAP TX queue length set to 100
Thu Jan 12 22:02:01 2023 /sbin/ip link set dev tun0 up mtu 1500
Thu Jan 12 22:02:01 2023 /sbin/ip addr add dev tun0 local 10.165.0.6 peer 10.165.0.5
Thu Jan 12 22:02:01 2023 /usr/sbin/expressvpnd --update-dns-config=static_resolv_conf tun0 1500 1556 10.165.0.6 10.165.0.5 init
DNS setting update type: up
DNS setting update type: up, completed with error: link /etc/resolv.conf /etc/resolv.conf.expressvpn-orig: read-only file system
2023/01/12 22:02:01 [I] updateDNSConfig: method="static_resolv_conf" script="up"
Thu Jan 12 22:02:01 2023 WARNING: Failed running command (--up/--down): external program exited with error status: 1
Thu Jan 12 22:02:01 2023 Exiting due to fatal error
Disconnected with error: vpn process terminated unexpectedly

The line `DNS setting update type: up, completed with error: link /etc/resolv.conf /etc/resolv.conf.expressvpn-orig: read-only file system` makes me believe this is Nix related.

Notify maintainers

@Yureien

Metadata

~ ✦2 ❯ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.1, NixOS, 23.05 (Stoat), 23.05pre438750.293a28df6d7`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.12.0`
 - channels(root): `"nixos"`
 - channels(mathiassven): `"home-manager"`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

hellwolf commented 1 year ago

Same for me. Has anyone found a workaround?

avanderbergh commented 1 year ago

Here's what I get when trying to connect:

May 27 14:01:24 hermes expressvpnd[63286]: /etc/ OPEN ld.so.cache
May 27 14:01:24 hermes expressvpnd[64546]: cp: cannot create regular file '/host/etc/resolv.conf': No such file or directory
May 27 14:01:26 hermes NetworkManager[1212]: <warn>  [1685188886.5514] platform-linux: do-add-ip6-address[3: fe80::b20e:1416:828f:db6a]: failure 13 (Permission denied)
May 27 14:01:28 hermes NetworkManager[1212]: <warn>  [1685188888.5544] platform-linux: do-add-ip6-address[3: fe80::858b:230f:395e:2b82]: failure 13 (Permission denied)
May 27 14:01:30 hermes NetworkManager[1212]: <warn>  [1685188890.5569] platform-linux: do-add-ip6-address[3: fe80::c0fc:f07b:4586:3822]: failure 13 (Permission denied)
May 27 14:01:32 hermes NetworkManager[1212]: <warn>  [1685188892.5588] platform-linux: do-add-ip6-address[3: fe80::f86e:1d46:fe31:f74a]: failure 13 (Permission denied)
May 27 14:01:34 hermes NetworkManager[1212]: <warn>  [1685188894.5610] ipv6ll[4455ab5b2f3f4da8,ifindex=3]: changed: no IPv6 link local address to retry after Duplicate Address Detection failures (back off)

avanderbergh commented 1 year ago

@Yureien Any idea?

Yureien commented 1 year ago

@avanderbergh The package uses a hack to modify the DNS entries, since expressvpn directly modifies the /etc/resolv.conf file on Linux. For now, while I am debugging this (might take some time, don't have access to an x86-64 PC with Nix installed at the moment), you can do this:

You have to remove lines 51-55 in the nixpkgs/pkgs/applications/networking/expressvpn/default.nix file, these ones: https://github.com/NixOS/nixpkgs/blob/c0b553b619058a92aec8628a20695fc1f59b8c83/pkgs/applications/networking/expressvpn/default.nix#LL51-L55

      cp /host/etc/resolv.conf /etc/resolv.conf;
      while inotifywait /etc 2>/dev/null;
      do
        cp /etc/resolv.conf /host/etc/resolv.conf;
      done &

Keep in mind, though, that the DNS won't get updated.
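
The caveat above, that the DNS won't get updated, can be checked directly. This is an added example, not code from nixpkgs or ExpressVPN: the function names and the sample resolver `192.0.2.53` are constructed for illustration. It extracts the pushed DNS server from a client log in either format shown in this issue and verifies that every `nameserver` in a resolv.conf-style file matches it.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from nixpkgs/ExpressVPN.

# Print the DNS server the VPN pushed, read from a client log on stdin.
# Handles both formats shown in this issue:
#   Lightway: "... with DNS server 10.136.0.1 and MTU 1350"
#   OpenVPN:  "PUSH_REPLY,...,dhcp-option DNS 10.165.0.1,..."
# If several are pushed, only the last one seen is reported.
pushed_dns() {
    sed -n \
        -e 's/.* with DNS server \([0-9.][0-9.]*\) .*/\1/p' \
        -e 's/.*dhcp-option DNS \([0-9.][0-9.]*\).*/\1/p' | tail -n 1
}

# List the nameserver addresses in a resolv.conf-style file, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 only if the file has at least one nameserver and every one equals
# the pushed server; 1 if it does not; 2 if the inputs are unusable.
check_resolv() {
    want=$1
    file=$2
    [ -n "$want" ] || { echo "no pushed DNS server found in log" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    found=$(nameservers "$file")
    [ -n "$found" ] || { echo "no nameserver lines in $file" >&2; return 1; }
    # Whole-line, fixed-string match; anything left over is a stray resolver.
    stray=$(printf '%s\n' "$found" | grep -Fxv -- "$want" || true)
    if [ -n "$stray" ]; then
        echo "resolv.conf still lists:" $stray >&2
        return 1
    fi
    return 0
}

# Constructed sample input: one Lightway-format log line as in the issue, and
# a resolv.conf that was never updated (192.0.2.53 is a documentation address).
demo_dir=$(mktemp -d)
printf '%s\n' '2023-01-12T22:01:37.941+0000 10.136.0.6 <----> 10.136.0.5 with DNS server 10.136.0.1 and MTU 1350' > "$demo_dir/client.log"
printf 'nameserver 192.0.2.53\n' > "$demo_dir/resolv.conf"
dns=$(pushed_dns < "$demo_dir/client.log")
check_resolv "$dns" "$demo_dir/resolv.conf" || echo "DNS not updated (status $?)"
```

On a live system, feed `pushed_dns` the client's log and pass `/etc/resolv.conf` to `check_resolv`. The check assumes the `static_resolv_conf` method seen in the logs, where the pushed server is written straight into that file.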

SketchyStunts commented 1 year ago

Guess this is still an issue?

anotherdish commented 1 year ago

Ya, I'm also dealing with this issue as well. As of right now, my workaround solution is to use the "manual configuration" option of expressvpn, where you download the ovpn files provided after logging into your account. Use this in combination with configuring OpenVPN for nix and you should be good to go.

jakehamilton commented 1 year ago

Confirming that I'm also running into this issue. It seems like buildFHSEnv may have had some functionality change. The errors that I'm seeing in the journal have to do with not being able to access /host.

Removing the lines from the package like @Yureien suggested doesn't resolve the issue for me, it only avoids the errors thrown in the journal and Express VPN is still unable to connect.

ErrorNoInternet commented 1 year ago

Currently unable to set up NixOS because there isn't a VPN in nixpkgs that works in China (also can't use the OpenVPN configs from the ExpressVPN website because OpenVPN is easily detectable and blocked)

The ExpressVPN package got updated to v3.52.0, and now it seems like there is a "Failed to create tun device" error.

HuzaifaTP commented 7 months ago

Ya, I'm also dealing with this issue as well. As of right now, my workaround solution is to use the "manual configuration" option of expressvpn, where you download the ovpn files provided after logging into your account. Use this in combination with configuring OpenVPN for nix and you should be good to go.

Tested and working :D