Jump to content
Not connected, Your IP: 3.147.89.50
Johnny 5 Bronson

ping: sendmsg: Operation not permitted

Recommended Posts

Ubuntu 20.04.3 running on Virtualbox 6.1
Installed the AirVPN CLI Suite, configured /etc/airvpn/bluetit.rc as below.
It connected to the VPN fine the first time, then after rebooting I could not resolve DNS or ping an external IP. I can ping local (192.168.1.x) no problem. I have flushed iptables and disabled ufw.
Stopping the bluetit service allows me to ping external IPs, but still will not resolve DNS.

# airconnectatboot                      <off|quick|server|country>
airconnectatboot country
# networklockpersist            <on|iptables|nftables|pf|off>
networklockpersist on
# airusername                           <airvpn_username>
airusername ####
# airpassword                           <aivpn_password>
airpassword ####
# airkey                                        <airvpn_user_key>
# airserver                                     <airvpn_server_name>
# aircountry                            <airvpn_country_name>
aircountry Canada
# airproto                                      <udp|tcp>
# airport                                       <port>
# aircipher                                     <cipher_name>
# airipv6                                       <on|off>
# air6to4                                       <on|off>
# manifestupdateinterval        <minutes>
# airwhiteserverlist            <server list>
# airblackserverlist            <server list>
# airwhitecountrylist           <server list>
# airblackcountrylist           <server list>
# country                                       <ISO code>
country US
# remote                                        <ip|url list>
# proto                                         <udp|tcp>
# port                                          <port>
# tunpersist                            <yes|no>
# cipher                                        <cipher_names>
# maxconnretries                        <number>
# tcpqueuelimit                         <value>
# ncpdisable                            <yes|no>
# networklock                           <on|iptables|nftables|pf|off>
# ignorednspush                         <yes|no>
# timeout                                       <seconds>
# compress                                      <yes|no|asym>
# tlsversionmin                         <disabled|default|tls_1_x>
# proxyhost                                     <ip|url>
# proxyport                                     <port>
# proxyusername                         <username>
# proxypassword                         <password>
# proxybasic                            <yes|no>
 
$ sudo goldcrest --bluetit-stats
2021-09-25 06:04:18 Reading run control directives from file /root/.goldcrest.rc
Goldcrest 1.1.0 - 4 June 2021

2021-09-25 06:04:18 Bluetit - AirVPN OpenVPN 3 Service 1.1.0 - 4 June 2021
2021-09-25 06:04:18 OpenVPN core 3.7 AirVPN linux x86_64 64-bit
2021-09-25 06:04:19 Bluetit is connected to VPN
2021-09-25 06:04:19 ----------------------
2021-09-25 06:04:19 Connected to OpenVPN server 
2021-09-25 06:04:19 Connection time: 00:16:03
2021-09-25 06:04:19 Transferred data: In 0 bytes, Out 0 bytes
2021-09-25 06:04:19 Current rate: In 0 bit/s, Out 0 bit/s
2021-09-25 06:04:19 Maximum rate: In 0 bit/s, Out 0 bit/s
 
$ sudo ifconfig
enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.28  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::a00:27ff:fe05:5df9  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:05:5d:f9  txqueuelen 1000  (Ethernet)
        RX packets 4610  bytes 1059500 (1.0 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4240  bytes 583080 (583.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 28  bytes 3521 (3.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 28  bytes 3521 (3.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
$ ping google.com
ping: google.com: Temporary failure in name resolution
$ ping 142.250.189.14
PING 142.250.189.14 (142.250.189.14) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
^C
--- 142.250.189.14 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

Share this post


Link to post
@JBronson

Hello!

Can you please check your system DNS settings while Bluetit is not running and while it is running?

ICMP packets for IP addresses outside the local network are correctly blocked by persistent Network Lock enforced by networklockpersist. An option to consider is that Bluetit fails the connection during the bootstrap. Although Bluetit answers to bluetit-stats with "Bluetit is connected to VPN", it is clearly belied by ifconfig output which does not show any tun interface in your system. Please make sure that VM kernel tun support is available, check Bluetit log and feel free to send it to us:
 
sudo journalctl | grep bluetit

Kind regards
 

Share this post


Link to post
$ cat /etc/resolv.conf 
#
# Created by AirVPN. Do not edit.
#
# Your resolv.conf file is temporarily backed up in /etc/airvpn/resolv.conf.airvpnbackup
# To restore your resolv.conf file you need to log in as root
# and execute the below command from the shell:
#
# mv /etc/airvpn/resolv.conf.airvpnbackup /etc/resolv.conf
#

nameserver 10.7.58.1
/etc/airvpn/resolv.conf.airvpnbackup is an empty file. Turning bluetit on & off doesn't result in any change to /etc/resolve.conf
$ sudo cat /etc/netplan/00-installer-config.yaml 
# This is the network config written by 'subiquity'
network:
  ethernets:
    enp0s3:
      dhcp4: true
  version: 2
The output of "sudo journalctl | grep bluetit" is attached.

Regarding VM kernel support for tun:
/dev/net/tun exists.
$ grep tun /var/log/kern.log 
Sep 25 03:32:46 mostfantasticfox kernel: [    1.052297] tun: Universal TUN/TAP device driver, 1.6
Sep 25 04:53:29 mostfantasticfox kernel: [    0.931561] tun: Universal TUN/TAP device driver, 1.6
Sep 25 05:22:13 mostfantasticfox kernel: [    0.907906] tun: Universal TUN/TAP device driver, 1.6
Sep 25 05:30:39 mostfantasticfox kernel: [    0.930226] tun: Universal TUN/TAP device driver, 1.6
Not sure if there's a better way to check.

Thanks!

journalctl-bluetit.log

Share this post


Link to post
@JBronson

Hello!

The 1st problem was here:
Sep 25 05:19:21 mostfantasticfox bluetit[2260]: Bluetit is already running or did not exit gracefully on its last run or has been killed. Exiting
Sep 25 05:20:23 mostfantasticfox bluetit[2164]: Requested method "bluetit_status -> Bluetit is connected to VPN"

Bluetit was in a dirty status and refused to proceed. However, when queried about the status it replied with the wrong message "connected to VPN". This is a bug we need to fix, thank you for having found it out, which explains why no tun interface was up when Bluetit misleadingly reported it was connected to the VPN.

Later on, Bluetit does not detect anymore a dirty status but the nameserver remained set to a VPN DNS address, which is inaccessible from outside the VPN. Maybe you have tried to recover the network settings manually and you forgot to restore DNS? We ask because suddenly Bluetit does not detect anymore a dirty status and refuses to perform a network recovery:
Sep 25 05:33:09 mostfantasticfox bluetit[1648]: Requested method "recover_network -> "
Sep 25 05:33:09 mostfantasticfox bluetit[1648]: Requested method "Bluetit does not need a network recovery."

Therefore, the subsequent connection attempts are doomed:
Sep 25 05:28:21 mostfantasticfox bluetit[1441]: Allowing system DNS 10.7.58.1 to pass through the network filter
Sep 25 05:28:31 mostfantasticfox bluetit[1441]: WARNING: Cannot resolve ca3.vpn.airdns.org (Temporary failure in name resolution)
and Bluetit enters an infinite loop of re-connection attempts which don't succeed for the same reason.

In order to resolve the issue, please make sure that Bluetit has exited cleanly and is not running, then manually modify DNS settings. Pick your favorite, publicly accessible, nameservers.

Kind regards
 

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...