mimosa67 1 Posted ... I've been using AirVPN with no problems for some time, running on a router. But when I try and set it up on my desktop instead, it won't connect. Using Network Manager, giving it the .ovpn file to "Import as a saved VPN configuration", it authenticates ok and appears to be connected, but is not in fact. When I try manually by doing sudo openvpn Air*.ovpn the connection fails after authentication with the following messages: Tue Jul 26 07:29:44 2016 ROUTE_GATEWAY XXXXXXXX Tue Jul 26 07:29:44 2016 TUN/TAP device tun0 opened Tue Jul 26 07:29:44 2016 TUN/TAP TX queue length set to 100 Tue Jul 26 07:29:44 2016 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0 Tue Jul 26 07:29:44 2016 /usr/sbin/ip link set dev tun0 up mtu 1500 Tue Jul 26 07:29:44 2016 Linux ip link set failed: could not execute external program Tue Jul 26 07:29:44 2016 Exiting due to fatal error There is no "ip" application on my system or in the Slackware repositories. However, I get the same error with another VPN provider when connecting on the command line, but their service works (intermittently) with Network Manager's openvpn plugin. If openvpn is run without root privileges, the connection fails just before: Tue Jul 26 07:39:05 2016 ROUTE_GATEWAY XXXXXXXXXXX Tue Jul 26 07:39:05 2016 ERROR: Cannot ioctl TUNSETIFF tun: Operation not permitted (errno=1) Tue Jul 26 07:39:05 2016 Exiting due to fatal error Apparently, the non-existent "ip" application requires root privileges. The other VPN provider fails in exactly the same way without them, so this is not a problem specific to the provider, it is something to do with my Linux setup. The failure to connect using the NM GUI is quite possibly entirely unrelated. Ideally, I'd like to be able to do it both ways. EDIT Here is some more output, this time from NM to syslog: Jul 26 08:38:16 darkstar nm-openvpn[4174]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts Jul 26 08:38:18 darkstar nm-openvpn[4174]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558' Jul 26 08:38:18 darkstar nm-openvpn[4174]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo' Jul 26 08:38:31 darkstar nm-openvpn[4174]: write to TUN/TAP : Invalid argument (code=22) Jul 26 08:39:01 darkstar last message repeated 3 times Jul 26 08:39:41 darkstar last message repeated 4 times Quote Share this post Link to post
NaDre 157 Posted ... ...There is no "ip" application on my system or in the Slackware repositories.... I used to love Slackware. Haven't used it in a long time now though. "/sbin/ip" is part of "iproute2". Slackware seems to have a package for it: http://packages.slackware.com/?r=slackware-current&p=iproute2-4.4.0-i586-1.txz Quote Share this post Link to post
mimosa67 1 Posted ... Thank you! I was just wondering if it was one of those. That's really useful to know, this is not the first time I've been stumped by the expectation ip would be on my system. Quote Share this post Link to post
mimosa67 1 Posted ... Now I've got another problem, though - a DNS leak. I've already tried disallowing IPV6 with sysctl, but it doesn't help. I'm not really sure what more information might be helpful. Quote Share this post Link to post
zhang888 1066 Posted ... What is the resolver address in your /etc/resolv.conf? Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
mimosa67 1 Posted ... I'm not sure what that is, but here's the whole thing: # Generated by NetworkManager search VodafoneMobile.wifivodafonemobile.api nameserver 192.168.0.1 #that is the interface to the router Looks suspicious, doesn't it? I was using Network Manager earlier (and indeed, would love to know how to connect to AirVPN that way, too). Quote Share this post Link to post
zhang888 1066 Posted ... You have to make a new entry, which should be placed on top, with:nameserver 10.4.0.1 You can then leave 192.168.0.1 as a backup when not connected to VPN.In Linux, the nameservers will be queried according to their order in resolv.conf. Quote Hide zhang888's signature Hide all signatures Occasional moderator, sometimes BOFH. Opinions are my own, except when my wife disagrees. Share this post Link to post
mimosa67 1 Posted ... Zhang, thanks, that immediately plugged the leak, without even the need to reconnect. But I would like to understand a bit better what I have done here. What is that IP? Is it linked specifically to AirVPN, or would it work with any VPN provider to stop the leak? And how did Vodafone (whose 3G service I am currently using as a stopgap) manage to get that in there? If I deleted it, would I be unable to connect to their service? When testing for DNS leaks, sometimes I see e.g. Google servers, is this ok or is that a leak too? That is, do I just want to not see any results from my own ISP, and anything else is ok? On www.dnsleaktest.com, it says something that seems to suggest the opposite (only the VPN's server is ok): If you are connected to a VPN service and ANY of the servers listed above are not provided by the VPN service then you have a DNS leak and are choosing to trust the owners of the above servers with your private data. I tried using 208.67.222.222 (OpenDNS server) instead of 10.4.0.1, would that also be effective? I will read up on nameserver, DNS and resolv.conf, but I would still be very grateful for any pointers you can give me. Quote Share this post Link to post
Staff 10014 Posted ... Hello, there are no DNS leaks in GNU/Linux. If your system queries for example OpenDNS while the system is connected to some VPN server, the DNS queries will be anyway tunneled up to the VPN servers, before going to OpenDNS servers. Nothing to do with DNS leaks which plague systems with incomplete DNS implementation (for example WIndows). However, and obviously, if your system sends the queries to the router DNS server, then the handling of such queries becomes a matter of the router, which may "forward" them out in clear text to the DNS set in the router itself. Again, this is not a GNU/Linux DNS leak. About the bonuses you get by using VPN DNS please see https://airvpn.org/specs Kind regards Quote Share this post Link to post
NaDre 157 Posted ... I'm not sure what that is, but here's the whole thing: # Generated by NetworkManager search VodafoneMobile.wifivodafonemobile.api nameserver 192.168.0.1 #that is the interface to the router Looks suspicious, doesn't it? I was using Network Manager earlier (and indeed, would love to know how to connect to AirVPN that way, too). You have to make a new entry, which should be placed on top, with:nameserver 10.4.0.1 You can then leave 192.168.0.1 as a backup when not connected to VPN.In Linux, the nameservers will be queried according to their order in resolv.conf. You may want to look at this too: https://airvpn.org/topic/9608-how-to-accept-dns-push-on-linux-systems-with-resolvconf/?p=10827 There seems to be an openresolv package for Slackware here: https://slackbuilds.org/repository/14.2/network/openresolv/ Things like DHCP clients (or Network Manager) are inclined to modify /etc/resolv.conf. So manual entries can get lost. Also, if you change your method of connection to AirVPN, the IP for the AirVPN DNS server changes from 10.4.0.1. Quote Share this post Link to post
mimosa67 1 Posted ... NaDre, thanks, something like that looks useful. I wish I could just get it to work in Network Manager, though, using the NM openvpn plugin. When I connect without AirVPN, but with AirVPN's DNS server at the top of resolv.conf, ipleak.com shows my IP address as being located in a government ministry in Whitehall: http://ipleak.com/ip-address-lookup/148.252.128.119 Is that something to do with using a 3G connection, or does it mean the government is spying on me just because I used AirVPN's DNS server? Quote Share this post Link to post
NaDre 157 Posted ... ...When I connect without AirVPN, but with AirVPN's DNS server at the top of resolv.conf, ipleak.com shows my IP address as being located in a government ministry in Whitehall:... AirVPN operates a leak test site too. If you get funny results with that then staff here may be able to offer an explanation: https://ipleak.net/ Quote Share this post Link to post
mimosa67 1 Posted ... NaDre, thanks once again, that's a useful tool. It also gives that same IP, but locates it in Manchester rather than London, mentioning my 3G provider rather than a government ministry. I wonder which is correct? DNS results are associated with openDNS rather than the AirVPN one, which presumably only works if you are coming through the VPN. Here is my current /etc/resolv.conf: $ cat /etc/resolv.conf # AirVPN UDP nameserver nameserver 10.4.0.1 # OpenDNS IPv4 nameservers nameserver 208.67.222.222 #nameserver 208.67.220.220 # Generated by NetworkManager search VodafoneMobile.wifivodafonemobile.api nameserver 192.168.0.1 I will definitely look into a script like the one discussed above, that you posted a link to from the Arch wiki. Quote Share this post Link to post