StreisandEffect / streisand

Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.

VPN not working under Linux #1514

Open libfitz opened 5 years ago

libfitz commented 5 years ago

Expected behavior:

The connection to the VPN via Network Manager is established and is working.

Actual Behavior:

The connection to the VPN via Network Manager is established, but is not working.

Steps to Reproduce:

  1. Provision a fresh Streisand instance to an existing server (I've done this from an Ubuntu server VM).
  2. Follow the steps suggested in the generated documentation and set up an OpenVPN connection via Network Manager.
  3. After the setup is finished, try connecting. Network Manager will say that the connection has been made; however, it doesn't actually work.

The client OS is Fedora 29, Cinnamon edition, kernel 4.20.6, Network Manager v.1.12.6, OpenVPN plugin v.1.8.8. Streisand is provisioned to Scaleway.

I've noticed the difference in the routes created (xxx is my home network, hidden just in case). If the connection is made manually via sudo openvpn --config <file>.ovpn:

0.0.0.0/1 via 10.8.0.9 dev tun0 
default via 10.xxx.xxx.155 dev wlp2s0 proto dhcp metric 600 
10.8.0.0/24 via 10.8.0.9 dev tun0 
10.8.0.9 dev tun0 proto kernel scope link src 10.8.0.10 
10.xxx.xxx.0/24 dev wlp2s0 proto kernel scope link src 10.xxx.xxx.220 metric 600 
51.158.67.55 via 10.xxx.xxx.155 dev wlp2s0 
128.0.0.0/1 via 10.8.0.9 dev tun0 

If the connection is made via Network Manager (either with GUI or via nmcli connection up):

default via 10.8.0.5 dev tun0 proto static metric 50 
default via 10.xxx.xxx.155 dev wlp2s0 proto dhcp metric 600 
10.8.0.0/24 via 10.8.0.5 dev tun0 proto static metric 50 
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6 metric 50 
10.xxx.xxx.0/24 dev wlp2s0 proto kernel scope link src 10.xxx.xxx.220 metric 600 
10.xxx.xxx.155 dev wlp2s0 proto static scope link metric 600 
51.158.67.55 via 10.xxx.xxx.155 dev wlp2s0 proto static metric 600 

I didn't try editing them manually since I have no idea how.

The DNS server, as reported by systemd-resolve --status or nmcli dev show, is always my router.

P.S. None of the OpenVPN config files work with the official Android app (same symptoms: connected, but not working). I have an older Streisand instance, 0272b14f38c40df4b8af33691e09711176b3a4b1, where everything is fine; however, it doesn't work with this one. But this is probably good for another issue.

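As an added example (not part of the issue or of the Streisand project), here is a small POSIX shell triage script that parses the two route tables posted above and reports whether the client side is routed the way the generated docs intend; the poster's redacted 10.xxx.xxx.* octets are kept verbatim as opaque tokens, and the 51.158.67.55 server address is the one shown in the tables.

```shell
# Route tables copied from the two cases in this issue; the redacted
# 10.xxx.xxx.* octets are kept verbatim and 51.158.67.55 is the VPN server.
MANUAL_ROUTES='0.0.0.0/1 via 10.8.0.9 dev tun0
default via 10.xxx.xxx.155 dev wlp2s0 proto dhcp metric 600
10.8.0.9 dev tun0 proto kernel scope link src 10.8.0.10
51.158.67.55 via 10.xxx.xxx.155 dev wlp2s0
128.0.0.0/1 via 10.8.0.9 dev tun0'
NM_ROUTES='default via 10.8.0.5 dev tun0 proto static metric 50
default via 10.xxx.xxx.155 dev wlp2s0 proto dhcp metric 600
10.8.0.5 dev tun0 proto kernel scope link src 10.8.0.6 metric 50
10.xxx.xxx.155 dev wlp2s0 proto static scope link metric 600
51.158.67.55 via 10.xxx.xxx.155 dev wlp2s0 proto static metric 600'

# Which device carries the effective default route, and why: OpenVPN's
# redirect-gateway def1 installs 0.0.0.0/1 + 128.0.0.0/1, which are more
# specific than any 'default' and win regardless of metric; NetworkManager
# instead adds a second 'default' and relies on its lower metric (50 < 600).
vpn_default_dev() {
  awk '
    { dev = "?"; metric = 0
      for (i = 1; i <= NF; i++) { if ($i == "dev") dev = $(i + 1); if ($i == "metric") metric = $(i + 1) + 0 }
      if ($1 == "0.0.0.0/1")   lo[dev] = 1
      if ($1 == "128.0.0.0/1") hi[dev] = 1
      if ($1 == "default" && (best == "" || metric < bestm)) { best = dev; bestm = metric }
    }
    END {
      for (d in lo) if (hi[d]) { print d " def1"; exit }
      if (best != "") print best " metric=" bestm; else print "none"
    }'
}
# The VPN server itself must keep a host route via the physical gateway, or
# the encrypted packets would be sent into the tunnel they are carrying.
endpoint_route() {
  awk -v ip="$1" '
    $1 == ip { for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1); found = 1 }
    END { if (!found) print "missing" }'
}

# Status 0 when the client side is routed the way the generated docs intend,
# so the fault should then be sought elsewhere (server NAT/forwarding, DNS, MTU).
triage() {  # usage: triage "<ip route output>" <server ip>
  dd=$(printf '%s\n' "$1" | vpn_default_dev)
  ep=$(printf '%s\n' "$1" | endpoint_route "$2")
  echo "default route via $dd; server $2 reached via $ep"
  case "$dd" in tun*) ;; *) return 1 ;; esac
  case "$ep" in tun*|missing) return 1 ;; esac   # no match here means status 0
}
triage "$MANUAL_ROUTES" 51.158.67.55
triage "$NM_ROUTES" 51.158.67.55
```

Both tables pass the check, which is consistent with the later finding in this thread that the missing piece was on the server side rather than in the client routes.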

antmak commented 5 years ago

The same thing. The steps in the generated docs are wrong for the Linux client.

ericswpark commented 5 years ago

Might be related to #1519 that I just opened, also failing to connect on Ubuntu Server on a freshly-provisioned box.

neowisard commented 5 years ago

Installed on a local Ubuntu 16.04 server. The same thing. Works with Android, but doesn't work with any Ubuntu desktop (18.10, 17.10). Connected, ping to servers: 100% packet loss, DNS loss.

JamesHagerman commented 5 years ago

I ran into this same issue. 18.04 using the OpenVPN network manager plugin from the official apt repos. (I haven't compiled it myself. I think it lives here though: https://gitlab.gnome.org/GNOME/NetworkManager-openvpn).

Using openvpn directly from the command line worked if I commented out the route in the .ovpn file (using a ; for a comment)!

Without removing that route, it threw a cryptic error:

RTNETLINK answers: File exists
Sat Jun 15 12:55:36 2019 ERROR: Linux route add command failed: external program exited with error status: 2

And no traffic would pass correctly until I ctrl-c'd the openvpn command.

I dug a fair amount into trying to sort out the correct metric values but as far as I can tell, this is mostly an issue with how that Network Manager plugin configures routes. I was not able to get the VPN working using that plugin.

To help others dig, here are some useful commands that nmcli provides to understand more about a connection. I don't know how all of these are managed using the GUI, but maybe there's something here...

nmcli connection show  # Lists all the connections NM knows about
nmcli connection show <name of connection>  # Lists a bunch of parameters about that connection
nmcli connection modify streisand ipv4.route-metric 0  # My attempt to fix the route metrics
nmcli connection modify streisand-aws ipv4.route-metric -1  # Resetting my failed attempt

I'm just going to use the modified *.ovpn file for now. I'm sick of fighting that stupid Network Manager.

Note: I didn't test DNS leakage! That setting in the server isn't accepted by the openvpn client (Windows only, I guess?), so double-check that!

JamesHagerman commented 5 years ago

Once this is sorted out, a PR to update the Ubuntu Network Manager directions (even if that means nmcli commands) may still provide people with the gooey GUI goodness Network Manager can provide.

While I'm at it, I'll add this reference that could help unwind this issue: https://docs.ubuntu.com/core/en/stacks/network/network-manager/docs/routing-tables

These are the NM connections values that look promising to dig into:

ipv4.gateway:
ipv4.routes:
ipv4.route-metric:

Edit: I also found one reference to setting ipv4.dns-priority -42 if there are DNS issues over the VPN, but that doesn't seem to be a priority at this point since no traffic can even hit the server.

artkpv commented 4 years ago

I have this issue too. It works using OpenVPN on the command line, but not using Network Manager. Fresh install on Google Cloud, Arch Linux. How to fix?

~/ ip route
default via 10.8.0.9 dev tun0 proto static metric 50 
default via 192.168.31.1 dev wlo1 proto dhcp metric 600 
10.8.0.0/24 via 10.8.0.9 dev tun0 proto static metric 50 
10.8.0.9 dev tun0 proto kernel scope link src 10.8.0.10 metric 50 
3.xx.xx.xx via 192.168.31.1 dev wlo1 proto static metric 600 
192.168.31.0/24 dev wlo1 proto kernel scope link src 192.168.31.13 metric 600 
192.168.31.1 dev wlo1 proto static scope link metric 600 

~/ nmcli --version
nmcli tool, version 1.20.4-1

~/ nmcli
Streisand VPN connection
        master wlo1, VPN, ip4 default
        inet4 10.8.0.10/32
        route4 10.8.0.0/24
        route4 0.0.0.0/0
        route4 10.8.0.9/32

tun0: connected to tun0
        "tun0"
        tun, sw, mtu 1500
        inet4 10.8.0.10/32
        route4 10.8.0.9/32
        route4 10.8.0.0/24
        route4 0.0.0.0/0
        inet6 ..
        route6 ff00::/8
        route6 fe80::/64

wlo1: connected to rain_5G
        "Intel Wireless-AC 9560"
        wifi (iwlwifi), ..., hw, mtu 1500
        inet4 192.168.31.13/24
        route4 0.0.0.0/0
        route4 3.xx.xx.xx/32
        route4 192.168.31.1/32
        route4 192.168.31.0/24
        inet6 .../64
        route6 fe80::/64
        route6 ff00::/8

p2p-dev-wlo1: disconnected
        "p2p-dev-wlo1"
        wifi-p2p, hw

eno2: unavailable
        "Intel Ethernet"
        ethernet (e1000e), ...., hw, mtu 1500

lo: unmanaged
        "lo"
        loopback (unknown), 00:00:00:00:00:00, sw, mtu 65536

DNS configuration:
        servers: 10.8.0.1
        interface: tun0
        type: vpn

        servers: 192.168.31.1
        interface: wlo1

dewiestr commented 4 years ago

Hi,

I had similar issues with my Streisand setup on Scaleway. Ping was working, but I had a lot of packets dropped (75%) and DNS lookups weren't really working 100% of the time. From https://www.scaleway.com/en/docs/installing-wireguard-vpn-linux/, I figured I needed the following lines in the /etc/wireguard/wg0.conf file:

PostUp = sysctl -w net.ipv4.ip_forward=1; iptables -A FORWARD -i %i -j ACCEPT; iptables -t nat -A POSTROUTING -o ens2 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -t nat -D POSTROUTING -o ens2 -j MASQUERADE

For any other protocol, I feel it might be the same thing that is missing...