ProtonVPN / linux-cli

Official ProtonVPN Linux app (CLI)
https://protonvpn.com/download-linux
GNU General Public License v3.0

[openSUSE] ProtonVPN asks for root password several times before every connection #42

Open Dyrimon opened 3 years ago

Dyrimon commented 3 years ago

OS: openSUSE Tumbleweed
ProtonVPN version: ProtonVPN CLI v3.7.2 (protonvpn-nm-lib v3.3.2; proton-client v0.5.1)
Desktop: KDE Plasma 5

Before starting every connection (whether by CLI or GUI), ProtonVPN asks for the root password, and that is 5-6 times! I have to enter the sudo password for NetworkManager, pvpn-killswitch, pvpn-ipv6leak-protection, the final server that it connects to, and a couple more times for NetworkManager. The following dialog box shows up every time I switch or start a new connection.

[Screenshot: Screenshot_20210729_160418]

calexandru2018 commented 3 years ago

Hey @Dyrimon

First to set the correct expectations, we currently don't support openSUSE. Regardless, this issue seems to be mostly due to polkit rules, that's why you're being prompted. You have to manually tweak them (although I don't know why since most distros are already tweaked and generally have no issues)

Dyrimon commented 3 years ago

I'm aware of not supporting openSUSE, and this was installed from a community repository. The client works fine as expected. But polkit is continuously asking me for the password. I'm assuming this is related to kwallet but I don't know how to make it automatic. This might be related to https://github.com/ProtonVPN/linux-app/issues/13#issue-927727591

calexandru2018 commented 3 years ago

Yours is a different issue. Check this: https://github.com/ProtonVPN/linux-cli/issues/4#issuecomment-856004316

Dyrimon commented 3 years ago

I also tried using pam_kwallet to automatically unlock kwallet, following the article from archwiki.

Dyrimon commented 3 years ago

> Yours is a different issue. Check this: #4 (comment)

I don't know how this relates to my issue. I've no issues with ipv6leaks and so have no idea what rules to change in polkit

calexandru2018 commented 3 years ago

@Dyrimon I think you need to read the archwiki properly. It is stated that:

- kwallet-pam is not compatible with GnuPG keys, the KDE Wallet must use the standard blowfish encryption.
- The wallet cannot be unlocked when using autologin. <- reason why you might be prompted
- The wallet cannot be unlocked when using a fingerprint reader to login. <- reason why you might be prompted
- The wallet must be named kdewallet (default name). It does not unlock any other wallet(s). <- reason why you might be prompted
- If using KDE, one may want to disable Close when last application stops using it in KDE Wallet settings to prevent the wallet from being closed after each usage (WiFi-passphrase unlock, etc.). <- possible reason
- It may be needed to remove the default created wallet first, thus removing all stored entries. <- possible solution
- If the kwallet Migration Assistant asks for a password after every login, rename or delete the ~/.kde4/share/apps/kwallet folder.

edit:

> this relates to my issue. I've no issues with ipv6leaks and so have no idea what rules to change in polkit

If you look at the screenshot you provided me, it's due to polkit that you're getting that prompt (and possible kde wallet configuration).

Dyrimon commented 3 years ago

Yes, but none of the limitations of pam is present in my issue. I do not autologin, nor use a fingerprint scanner, the wallet name is kdewallet and that's the only one. Close when last application... is already disabled. I tried removing the default wallet and creating another named kdewallet, but no use. The wallet folder doesn't exist in ~/.kde4/share/apps/

Dyrimon commented 3 years ago

here is my /etc/pam.d/sddm config

#%PAM-1.0
auth     include        common-auth
auth     optional       pam_kwallet5.so
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
session  optional       pam_kwallet5.so auto_start
session  optional       pam_keyinit.so revoke force

Dyrimon commented 3 years ago

@calexandru2018 I've solved this by taking a leaf out of DasCapschen's book and just allowed everything related to org.freedesktop.NetworkManager unrestricted access in /etc/polkit-1/rules.d/90-default-privs.rules:

        'org.freedesktop.NetworkManager.checkpoint-rollback':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.enable-disable-connectivity-check':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.enable-disable-network':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.enable-disable-statistics':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.enable-disable-wifi':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.enable-disable-wimax':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.enable-disable-wwan':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.network-control':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.reload':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.settings.modify.global-dns':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.settings.modify.hostname':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.settings.modify.own':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.settings.modify.system':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.sleep-wake':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.wifi.scan':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.wifi.share.open':
            [ 'yes', 'yes', 'yes' ],
        'org.freedesktop.NetworkManager.wifi.share.protected':
            [ 'yes', 'yes', 'yes' ],

I don't know if this will severely weaken my system or not, but frankly I don't care. Either it's polkit's fault or pvpn's fault but I'm too tired to bother with this any more.

calexandru2018 commented 3 years ago

Hey @Dyrimon

That severely weakens your system. I'll leave you the output of my configs so that you can check it out: cat /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy output can be found here

Edit: basically what matters there is that your defaults match my defaults for all those actions. (don't mind the description in all those languages)

BenD780x9 commented 3 years ago

I have this problem too in my Fedora 34

calexandru2018 commented 3 years ago

@BenD780x9 refer to the post I mentioned above please.

Dyrimon commented 3 years ago

> Hey @Dyrimon
>
> That severely weakens your system. I'll leave you the output of my configs so that you can check it out: cat /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy output can be found here
>
> Edit: basically what matters there is that your defaults match my defaults for all those actions. (don't mind the description in all those languages)

Unfortunately your solution doesn't work for me. I've to go back to the "open door" approach. Problem is after every polkit update the rules are reverting back to the default one

absolutez3 commented 2 years ago

@calexandru2018 on Fedora 34 kill switch doesn't seem to work on my laptop but does work on my desktop.

dummy is installed

kwallet is blowfish

for testing purposes I allowed all actions from org.freedesktop.NetworkManager.* which was reflected on 'nmcli general permissions'

Your /usr/share/polkit-1/actions/org.freedesktop.NetworkManager.policy is the exact same as mine

absolutez3 commented 2 years ago

protonvpn-dbus-wrapper.log protonvpn.log protonvpn-cli.log protonvpn-daemon.log @calexandru2018 logs from ~/.cache/protonvpn/logs

mrcbax commented 2 years ago

The official client should be forking the community client (which works perfectly and bypasses NetworkManager). This NetworkManager integration is hot trash.

Observing the same issues on ArchLinux. One of the "supported" linux options.

The dependency tree is too large:

There are many linux distros that will not have these items installed. And some that don't support them at all. Not to mention the whole anti-monolithic (anti-systemd) group of distros.

It feels like Windows/MacOS/Android developers who are used to a homogeneous environment are programming this application.

Dyrimon commented 2 years ago

> There are many linux distros that will not have these items installed. And some that don't support them at all. Not to mention the whole anti-monolithic (anti-systemd) group of distros.
>
> It feels like Windows/MacOS/Android developers who are used to a homogeneous environment are programming this application.

I agree, I think a properly packaged flatpak will solve this dependency problem and give broader access to "unofficial distributions".

pahaze commented 1 year ago

Since this is still open and I have no clue if a fix was found for others, I just came across this issue today but found a fix. I don't know if it's considered "hacky", but it works.

Add the user to the wheel group

sudo usermod -a -G wheel my_user

Create /etc/polkit-1/rules.d/20-protonvpn.rules

sudo touch /etc/polkit-1/rules.d/20-protonvpn.rules

Edit the file with your file editor and paste contents below

SUDO_EDITOR=kate sudoedit /etc/polkit-1/rules.d/20-protonvpn.rules

Contents of /etc/polkit-1/rules.d/20-protonvpn.rules

polkit.addRule(function(action, subject) {
    if (subject.isInGroup("wheel")) {
        return polkit.Result.YES;
    }
});

Restart and now it works! I would have tried to put this in a wiki, but there isn't one in either the linux-cli or linux-app repo.

Waddlen commented 1 year ago

The answer above by @pahaze is on the right track, but I think as-written it would give the user the ability to execute any command as admin with no password prompt, which is way beyond the scope of just letting protonvpn edit your network settings.

Here is what I did to resolve this on Tumbleweed, following these instructions from the arch wiki https://wiki.archlinux.org/title/NetworkManager#Set_up_PolicyKit_permissions

Create network group (my system didn't have one)

sudo groupadd network

Add your user to the network group

sudo gpasswd -a YOURUSER network

Create a file sudo nano /etc/polkit-1/rules.d/50-org.freedesktop.NetworkManager.rules with the contents:

polkit.addRule(function(action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 && subject.isInGroup("network")) {
    return polkit.Result.YES;
  }
});

This should allow any user in the network group to use NetworkManager without being prompted for admin credentials. Works on my machine ™

Cheers.
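
The scope difference between the two rules posted above can be checked offline. The following is an added example, not part of the thread or of ProtonVPN's code: a small JavaScript stand-in for polkit's rule evaluation that runs each rule against three action ids, including `org.freedesktop.policykit.exec`, the action behind `pkexec`. The `loadRules`, `user` and `audit` helpers are hypothetical, and `narrowRule` with its allow-list is an assumed tighter variant; the thread does not say which actions ProtonVPN actually needs, so adjust the list.

```javascript
// Minimal stand-in for the polkit rule engine (assumption): only addRule,
// Result.YES, action.id and the subject fields used below are modelled.
function loadRules(install) {
  const rules = [];
  install({ Result: { YES: "yes" }, addRule: (fn) => rules.push(fn) });
  return (actionId, subject) => {
    for (const rule of rules) {          // first rule that returns a value wins
      const r = rule({ id: actionId }, subject);
      if (r !== undefined && r !== null) return r;
    }
    return "default";                    // fall through to the .policy defaults
  };
}
// Constructed subject; local/active mirror the polkit subject attributes.
const user = (groups, local = true, active = true) =>
  ({ groups, local, active, isInGroup: (g) => groups.includes(g) });

// Rule from 20-protonvpn.rules as posted: action.id is never inspected.
const wheelRule = (polkit) => polkit.addRule(function (action, subject) {
  if (subject.isInGroup("wheel")) return polkit.Result.YES;
});
// Rule from 50-org.freedesktop.NetworkManager.rules as posted.
const networkRule = (polkit) => polkit.addRule(function (action, subject) {
  if (action.id.indexOf("org.freedesktop.NetworkManager.") == 0 &&
      subject.isInGroup("network")) return polkit.Result.YES;
});
// Assumed tighter variant: explicit allow-list, local active session only.
const ALLOWED = ["org.freedesktop.NetworkManager.network-control",
                 "org.freedesktop.NetworkManager.settings.modify.system"];
const narrowRule = (polkit) => polkit.addRule(function (action, subject) {
  if (ALLOWED.includes(action.id) && subject.local && subject.active &&
      subject.isInGroup("network")) return polkit.Result.YES;
});

// Sample action ids to evaluate each rule against.
const ACTIONS = ["org.freedesktop.NetworkManager.network-control",
                 "org.freedesktop.NetworkManager.settings.modify.hostname",
                 "org.freedesktop.policykit.exec"];   // the action behind pkexec

function audit(install, subject) {
  const check = loadRules(install);
  return Object.fromEntries(ACTIONS.map((id) => [id, check(id, subject)]));
}

console.log(audit(wheelRule, user(["wheel"])));       // every action: "yes"
console.log(audit(networkRule, user(["network"])));   // only NetworkManager ids
```

A result of `default` means the rule did not decide and the action's own `.policy` defaults (usually an admin prompt) still apply.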

pahaze commented 1 year ago

I see, I didn't know it could do that as on my machines, all it does is allow me to edit network settings without a password. Everything else still needs a password, but I dunno. 🤔