Using Bluetit/Goldcrest, DNS settings are not restored on Ubuntu

[canmom 0]

Today, I switched from using Eddie to the AirVPN suite (due to various bugs and problems when running Eddie). My operating system Ubuntu 21.10 Impish, and I am using version 1.1.0 of the AirVPN suite for linux. I downloaded the compiled binaries and installed with the install.sh script.

However, after installation, I could not access the internet while not connected to AirVPN. I tried using goldcrest --recover-network, but this did not work very well:

sudo goldcrest --recover-network
2021-11-30 19:54:49 Reading run control directives from file /root/.config/goldcrest.rc
Goldcrest 1.1.0 - 4 June 2021

2021-11-30 19:54:49 Bluetit - AirVPN OpenVPN 3 Service 1.1.0 - 4 June 2021
2021-11-30 19:54:49 OpenVPN core 3.7 AirVPN linux x86_64 64-bit
2021-11-30 19:54:49 Bluetit does not need a network recovery.
2021-11-30 19:54:49 Bluetit session terminated

My best [edit: totally incorrect] guess is that this is because the network lock is on by default, so as soon as the bluetit daemon started, it enabled the network lock. According to the documentation, I should be able to disable the lock with the command

goldcrest network-lock off

However, when I run this command (whether as root or as the airvpn user), the result is "Error: profile off not found", e.g.:

$ goldcrest --network-lock off
2021-11-30 17:40:04 Reading run control directives from file /home/airvpn/.goldcrest.rc
Goldcrest 1.1.0 - 4 June 2021

ERROR: profile off not found

The same comes when running --network-lock with any other option.

After some investigation, the reason for this error appears to be that there is no handling for the --network-lock option defined in goldcrest.cpp. Instead, as far as I can tell, the error message appears to be associated with a fallback option on line 1831 which interprets the last command line argument as the name of an OpenVPN profile file, which does not exist.

I have tried setting network-lock to off in the config file /home/airvpn/.goldcrest.rc but, while it looks like this should be detected and passed to the dbus, it does not give me access to the internet when I'm not connected to AirVPN.

On further investigation it looks like I should instead be able bypass goldcrest entirely, and set networklock to off in /etc/airvpn/bluetit.rc. However, after doing this and restarting the bluetit daemon with systemd, I still cannot connect to the internet without connecting to an AirVPN server.

Is there any way I can permanently disable the network lock without reinstalling Eddie? Or, is there any other explanation for this behaviour if my diagnosis is off? [edit: it turned out to be a DNS problem, see below]

I've attached the systemd log for the bluetit daemon which should cover everything in this session from first installation. I am going to restart my computer in the hope that it may help. Please let me know if there is any additional diagnostic information I can provide!

bluetit.log

Edited ... by canmom
More accurate description of problem

[OpenSourcerer 1435]

4 hours ago, canmom said:

After some investigation, the reason for this error appears to be that there is no handling for the --network-lock option defined in goldcrest.cpp. Instead, as far as I can tell, the error message appears to be associated with a fallback option on line 1831 which interprets the last command line argument as the name of an OpenVPN profile file, which does not exist.

Do you have a /root/.config/goldcrest.rc file? Because Goldcrest essentially is unconfigured in this state (1. no runcontrol file, 2. runcontrol file but all commented out, 3. no arguments) and so expects configuration from a .ovpn profile. To use all the defaults, additionally use -O/--air-connect, then -N/--network-lock will take off as a config parameter.

[Staff 9972]

@canmom

Hello!

On top of what @OpenSourcerer wrote, we add for your future reference (if necessary) that Goldcrest and any other Bluetit client can't override various explicit Bluetit settings enforced by bluetit.rc.  The logic behind it is that bluetit.rc directives are defined exclusively by a superuser, while commands to Bluetit by a client may come from any user in the airvpn group. In this way the superuser may optionally limit what airvpn group users can do with the firewall and the network settings of the machine, enforce connections only to a certain set of servers, forbid traffic outside the tunnel in any case, and so on.

Kind regards
 

[canmom 0]

Thank you very much for the replies and explanations! I regret that I seem to have completely misdiagnosed the problem. I was able to connect directly to 1.1.1.1 (Cloudflare) without an AirVPN connection, so it appears the problem is with the DNS rather than the network lock. Once I realised that, I learned about resolv.conf, and how it's supposed to be populated by something called network-manager. I believe there was a warning about this being a potential issue with network-manager in the log.

I was able to resolve the problem by installing resolvconf while connected to the VPN, then disconnecting and running sudo dpkg-reconfigure resolvconf. I now seem to be able to connect to the internet without the VPN. However, if I reconnect to the VPN and then disconnect, I need to re-run this command to get internet again. I think this is probably a known problem or 'not in scope' judging by the warning in the log. Apologies, this all turned out to be very simple in the end - I just don't really know all the machinery inside my operating system... 😟

@OpenSourcerer, you are right that I don't get the same error when running the --network-lock off flag alongside --air-connect. So I guess I misunderstood how that parameter works. In retrospect, I can see that it would be tied to a specific session.

Edited ... by canmom