Jump to content
Not connected, Your IP: 18.222.20.30
canmom

Using Bluetit/Goldcrest, DNS settings are not restored on Ubuntu

Recommended Posts

Posted ... (edited)

Today, I switched from using Eddie to the AirVPN suite (due to various bugs and problems when running Eddie). My operating system Ubuntu 21.10 Impish, and I am using version 1.1.0 of the AirVPN suite for linux. I downloaded the compiled binaries and installed with the install.sh script.

However, after installation, I could not access the internet while not connected to AirVPN. I tried using goldcrest --recover-network, but this did not work very well:

sudo goldcrest --recover-network
2021-11-30 19:54:49 Reading run control directives from file /root/.config/goldcrest.rc
Goldcrest 1.1.0 - 4 June 2021

2021-11-30 19:54:49 Bluetit - AirVPN OpenVPN 3 Service 1.1.0 - 4 June 2021
2021-11-30 19:54:49 OpenVPN core 3.7 AirVPN linux x86_64 64-bit
2021-11-30 19:54:49 Bluetit does not need a network recovery.
2021-11-30 19:54:49 Bluetit session terminated

My best [edit: totally incorrect] guess is that this is because the network lock is on by default, so as soon as the bluetit daemon started, it enabled the network lock. According to the documentation, I should be able to disable the lock with the command

goldcrest network-lock off

However, when I run this command (whether as root or as the airvpn user), the result is "Error: profile off not found", e.g.:

$ goldcrest --network-lock off
2021-11-30 17:40:04 Reading run control directives from file /home/airvpn/.goldcrest.rc
Goldcrest 1.1.0 - 4 June 2021

ERROR: profile off not found

The same comes when running --network-lock with any other option.

After some investigation, the reason for this error appears to be that there is no handling for the --network-lock option defined in goldcrest.cpp. Instead, as far as I can tell, the error message appears to be associated with a fallback option on line 1831 which interprets the last command line argument as the name of an OpenVPN profile file, which does not exist.

I have tried setting network-lock to off in the config file /home/airvpn/.goldcrest.rc but, while it looks like this should be detected and passed to the dbus, it does not give me access to the internet when I'm not connected to AirVPN.

On further investigation it looks like I should instead be able bypass goldcrest entirely, and set networklock to off in /etc/airvpn/bluetit.rc. However, after doing this and restarting the bluetit daemon with systemd, I still cannot connect to the internet without connecting to an AirVPN server.

Is there any way I can permanently disable the network lock without reinstalling Eddie? Or, is there any other explanation for this behaviour if my diagnosis is off? [edit: it turned out to be a DNS problem, see below]

I've attached the systemd log for the bluetit daemon which should cover everything in this session from first installation. I am going to restart my computer in the hope that it may help. Please let me know if there is any additional diagnostic information I can provide!

bluetit.log

Edited ... by canmom
More accurate description of problem

Share this post


Link to post
4 hours ago, canmom said:

After some investigation, the reason for this error appears to be that there is no handling for the --network-lock option defined in goldcrest.cpp. Instead, as far as I can tell, the error message appears to be associated with a fallback option on line 1831 which interprets the last command line argument as the name of an OpenVPN profile file, which does not exist.


Do you have a /root/.config/goldcrest.rc file? Because Goldcrest essentially is unconfigured in this state (1. no runcontrol file, 2. runcontrol file but all commented out, 3. no arguments) and so expects configuration from a .ovpn profile. To use all the defaults, additionally use -O/--air-connect, then -N/--network-lock will take off as a config parameter.

NOT AN AIRVPN TEAM MEMBER. USE TICKETS FOR PROFESSIONAL SUPPORT.

LZ1's New User Guide to AirVPN « Plenty of stuff for advanced users, too!

Want to contact me directly? All relevant methods are on my About me page.

Share this post


Link to post
@canmom

Hello!

On top of what @OpenSourcerer wrote, we add for your future reference (if necessary) that Goldcrest and any other Bluetit client can't override various explicit Bluetit settings enforced by bluetit.rc.  The logic behind it is that bluetit.rc directives are defined exclusively by a superuser, while commands to Bluetit by a client may come from any user in the airvpn group. In this way the superuser may optionally limit what airvpn group users can do with the firewall and the network settings of the machine, enforce connections only to a certain set of servers, forbid traffic outside the tunnel in any case, and so on.

Kind regards
 

Share this post


Link to post
Posted ... (edited)

Thank you very much for the replies and explanations! I regret that I seem to have completely misdiagnosed the problem. I was able to connect directly to 1.1.1.1 (Cloudflare) without an AirVPN connection, so it appears the problem is with the DNS rather than the network lock. Once I realised that, I learned about resolv.conf, and how it's supposed to be populated by something called network-manager. I believe there was a warning about this being a potential issue with network-manager in the log.

I was able to resolve the problem by installing resolvconf while connected to the VPN, then disconnecting and running sudo dpkg-reconfigure resolvconf. I now seem to be able to connect to the internet without the VPN. However, if I reconnect to the VPN and then disconnect, I need to re-run this command to get internet again. I think this is probably a known problem or 'not in scope' judging by the warning in the log. Apologies, this all turned out to be very simple in the end - I just don't really know all the machinery inside my operating system... 😟

@OpenSourcerer, you are right that I don't get the same error when running the --network-lock off flag alongside --air-connect. So I guess I misunderstood how that parameter works. In retrospect, I can see that it would be tied to a specific session.

Edited ... by canmom

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...