I am usually always connected to a VPN when using the net, for anything (browsing, Twitch, Gaming). However, for a few days now I am unable to connect to any VPN endpoint, and I am unsure why.
My inxi:
[dromundkaas@Pure ~]$ inxi -Fxzd
System: Kernel: 5.11.16-arch1-1 x86_64 bits: 64 compiler: gcc v: 10.2.0 Desktop: KDE Plasma 5.21.4 Distro: EndeavourOS
base: Arch Linux
Machine: Type: Desktop Mobo: Micro-Star model: MAG B550 TOMAHAWK (MS-7C91) v: 2.0 serial: <filter> UEFI: American Megatrends
v: A.40 date: 10/29/2020
CPU: Info: 8-Core model: AMD Ryzen 7 5800X bits: 64 type: MT MCP arch: Zen 3 rev: 0 cache: L2: 4 MiB
flags: avx avx2 lm nx pae sse sse2 sse3 sse4_1 sse4_2 sse4a ssse3 svm bogomips: 121640
Speed: 2061 MHz min/max: 2200/3800 MHz boost: enabled Core speeds (MHz): 1: 2061 2: 2055 3: 2056 4: 2056 5: 1784
6: 3610 7: 2054 8: 2056 9: 2051 10: 2061 11: 2059 12: 2065 13: 2125 14: 2056 15: 3599 16: 2051
Graphics: Device-1: NVIDIA GA104 [GeForce RTX 3070] vendor: CardExpert driver: nvidia v: 465.24.02 bus-ID: 2b:00.0
Display: x11 server: X.Org 1.20.11 driver: loaded: nvidia resolution: 1: 1920x1080~144Hz 2: 1920x1080~144Hz
OpenGL: renderer: NVIDIA GeForce RTX 3070/PCIe/SSE2 v: 4.6.0 NVIDIA 465.24.02 direct render: Yes
Audio: Device-1: NVIDIA vendor: CardExpert driver: snd_hda_intel v: kernel bus-ID: 2b:00.1
Device-2: Advanced Micro Devices [AMD] Starship/Matisse HD Audio vendor: Micro-Star MSI driver: snd_hda_intel
v: kernel bus-ID: 2d:00.4
Device-3: SteelSeries ApS SteelSeries Arctis 7 type: USB driver: hid-generic,snd-usb-audio,usbhid bus-ID: 1-6:5
Sound Server-1: ALSA v: k5.11.16-arch1-1 running: yes
Sound Server-2: JACK v: 0.125.0 running: no
Sound Server-3: PulseAudio v: 14.2 running: yes
Sound Server-4: PipeWire v: 0.3.26 running: no
Network: Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet vendor: Micro-Star MSI driver: r8168
v: 8.048.03-NAPI port: e000 bus-ID: 06:00.0
IF: enp6s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
Device-2: Realtek RTL8125 2.5GbE vendor: Micro-Star MSI driver: N/A port: d000 bus-ID: 2a:00.0
Drives: Local Storage: total: 4.59 TiB used: 1.44 TiB (31.3%)
ID-1: /dev/nvme0n1 vendor: Seagate model: XPG GAMMIX S11 Pro size: 1.86 TiB temp: 38.9 C
ID-2: /dev/sda type: USB vendor: Western Digital model: WD30EZRX-00D8PB0 size: 2.73 TiB
Message: No Optical or Floppy data was found.
Partition: ID-1: / size: 1.83 TiB used: 1.44 TiB (78.5%) fs: btrfs dev: /dev/nvme0n1p2
ID-2: /boot/efi size: 299.4 MiB used: 836 KiB (0.3%) fs: vfat dev: /dev/nvme0n1p1
ID-3: /home size: 1.83 TiB used: 1.44 TiB (78.5%) fs: btrfs dev: /dev/nvme0n1p2
Swap: ID-1: swap-1 type: partition size: 34.48 GiB used: 0 KiB (0.0%) dev: /dev/nvme0n1p3
Sensors: System Temperatures: cpu: 37.9 C mobo: N/A gpu: nvidia temp: 48 C
Fan Speeds (RPM): N/A gpu: nvidia fan: 0%
Info: Processes: 338 Uptime: 5h 38m Memory: 31.34 GiB used: 4.9 GiB (15.6%) Init: systemd Compilers: gcc: 10.2.0
Packages: 1218 Shell: Bash v: 5.1.4 inxi: 3.3.03
I have had the same VPN vendor for almost a year now, and the connection I was using stopped working. Here’s a full journalctl for when I try to connect using the KDE built-in network manager:
Apr 29 12:02:15 Pure NetworkManager[539]: <info> [1619690535.0200] audit: op="connection-activate" uuid="3f9433be-2823-4cf3-b8f8-2048bda47367" name="FullyRouted-Germany" pid=126296 uid=1000 result="success"
Apr 29 12:02:15 Pure kernel: audit: type=1111 audit(1619690535.016:136): pid=539 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-activate uuid=3f9433be-2823-4cf3-b8f8-2048bda47367 name="FullyRouted-Germany" pid=126296 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
Apr 29 12:02:15 Pure NetworkManager[539]: <info> [1619690535.0226] vpn-connection[0x556d952462c0,3f9433be-2823-4cf3-b8f8-2048bda47367,"FullyRouted-Germany",0]: Started the VPN service, PID 126456
Apr 29 12:02:15 Pure NetworkManager[539]: <info> [1619690535.0273] vpn-connection[0x556d952462c0,3f9433be-2823-4cf3-b8f8-2048bda47367,"FullyRouted-Germany",0]: Saw the service appear; activating connection
Apr 29 12:02:15 Pure kded5[4040]: plasma-nm: Unhandled VPN connection state change: 2
Apr 29 12:02:15 Pure kded5[4040]: plasma-nm: Unhandled VPN connection state change: 3
Apr 29 12:02:15 Pure NetworkManager[539]: <info> [1619690535.0376] vpn-connection[0x556d952462c0,3f9433be-2823-4cf3-b8f8-2048bda47367,"FullyRouted-Germany",0]: VPN plugin: state changed: starting (3)
Apr 29 12:02:15 Pure NetworkManager[539]: <info> [1619690535.0376] vpn-connection[0x556d952462c0,3f9433be-2823-4cf3-b8f8-2048bda47367,"FullyRouted-Germany",0]: VPN connection: (ConnectInteractive) reply received
Apr 29 12:02:15 Pure nm-openvpn[126460]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Apr 29 12:02:15 Pure nm-openvpn[126460]: WARNING: file '/home/dromundkaas/.local/share/networkmanagement/certificates/FullyRouted-Germany_DromundKaas.key' is group or others accessible
Apr 29 12:02:15 Pure nm-openvpn[126460]: OpenVPN 2.5.2 [git:makepkg/23ae78e657052748+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
Apr 29 12:02:15 Pure nm-openvpn[126460]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Apr 29 12:02:15 Pure nm-openvpn[126460]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 29 12:02:15 Pure nm-openvpn[126460]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 29 12:02:15 Pure nm-openvpn[126460]: TCP/UDP: Preserving recently used remote address: [AF_INET]84.16.240.160:443
Apr 29 12:02:15 Pure nm-openvpn[126460]: UDP link local: (not bound)
Apr 29 12:02:15 Pure nm-openvpn[126460]: UDP link remote: [AF_INET]84.16.240.160:443
Apr 29 12:02:15 Pure nm-openvpn[126460]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Apr 29 12:03:15 Pure NetworkManager[539]: <warn> [1619690595.0423] vpn-connection[0x556d952462c0,3f9433be-2823-4cf3-b8f8-2048bda47367,"FullyRouted-Germany",0]: VPN connection: connect timeout exceeded.
Apr 29 12:03:15 Pure nm-openvpn-serv[126456]: Connect timer expired, disconnecting.
Apr 29 12:03:15 Pure nm-openvpn[126460]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 29 12:03:15 Pure nm-openvpn[126460]: TLS Error: TLS handshake failed
Apr 29 12:03:15 Pure nm-openvpn[126460]: SIGTERM received, sending exit notification to peer
Apr 29 12:03:15 Pure NetworkManager[539]: <warn> [1619690595.0439] vpn-connection[0x556d952462c0,3f9433be-2823-4cf3-b8f8-2048bda47367,"FullyRouted-Germany",0]: VPN plugin: failed: connect-failed (1)
Apr 29 12:03:15 Pure nm-openvpn[126460]: Converting soft SIGUSR1 received during exit notification to SIGTERM
Apr 29 12:03:15 Pure NetworkManager[539]: <info> [1619690595.0440] vpn-connection[0x556d952462c0,3f9433be-2823-4cf3-b8f8-2048bda47367,"FullyRouted-Germany",0]: VPN plugin: state changed: stopping (5)
Apr 29 12:03:15 Pure nm-openvpn[126460]: SIGTERM[soft,exit-with-notification] received, process exiting
Apr 29 12:03:15 Pure NetworkManager[539]: <info> [1619690595.0441] vpn-connection[0x556d952462c0,3f9433be-2823-4cf3-b8f8-2048bda47367,"FullyRouted-Germany",0]: VPN plugin: state changed: stopped (6)
Apr 29 12:03:15 Pure kded5[4040]: "Keine derartige Schnittstelle »org.freedesktop.DBus.Properties« des Objekts im Pfad /org/freedesktop/NetworkManager/ActiveConnection/3"
Apr 29 12:03:15 Pure kdeconnectd[4159]: "Keine derartige Schnittstelle »org.freedesktop.DBus.Properties« des Objekts im Pfad /org/freedesktop/NetworkManager/ActiveConnection/3"
Apr 29 12:03:15 Pure plasmashell[4102]: file:///usr/share/plasma/plasmoids/org.kde.plasma.notifications/contents/ui/NotificationPopup.qml:116:15: QML QQuickItem: Binding loop detected for property "height"
Apr 29 12:03:19 Pure kwin_x11[4044]: qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 55472, resource id: 33554866, major code: 15 (QueryTree), minor code: 0
So I am thinking, it is possible that the connections have changed. I log into my vendor's site, download the current OpenVPN configuration files and import a server near me, using their tutorial for reference. Here’s the log for the new/current configuration files:
Apr 29 12:09:30 Pure kernel: audit: type=1111 audit(1619690970.131:138): pid=539 uid=0 auid=4294967295 ses=4294967295 msg='op=connection-activate uuid=3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420 name="DE-Frankfurt-UDP" pid=129179 uid=1000 result=success exe="/usr/bin/NetworkManager" hostname=? addr=? terminal=? res=success'
Apr 29 12:09:30 Pure NetworkManager[539]: <info> [1619690970.1394] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: Started the VPN service, PID 129318
Apr 29 12:09:30 Pure NetworkManager[539]: <info> [1619690970.1433] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: Saw the service appear; activating connection
Apr 29 12:09:30 Pure kded5[4040]: plasma-nm: Unhandled VPN connection state change: 3
Apr 29 12:09:30 Pure NetworkManager[539]: <info> [1619690970.1533] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: VPN plugin: state changed: starting (3)
Apr 29 12:09:30 Pure NetworkManager[539]: <info> [1619690970.1533] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: VPN connection: (ConnectInteractive) reply received
Apr 29 12:09:30 Pure nm-openvpn[129322]: DEPRECATED OPTION: --cipher set to 'AES-256-CBC' but missing in --data-ciphers (AES-256-GCM:AES-128-GCM). Future OpenVPN version will ignore --cipher for cipher negotiations. Add 'AES-256-CBC' to --data-ciphers or change --cipher 'AES-256-CBC' to --data-ciphers-fallback 'AES-256-CBC' to silence this warning.
Apr 29 12:09:30 Pure nm-openvpn[129322]: WARNING: file '/home/dromundkaas/.local/share/networkmanagement/certificates/DE-Frankfurt-UDP/private.key' is group or others accessible
Apr 29 12:09:30 Pure nm-openvpn[129322]: OpenVPN 2.5.2 [git:makepkg/23ae78e657052748+] x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 21 2021
Apr 29 12:09:30 Pure nm-openvpn[129322]: library versions: OpenSSL 1.1.1k 25 Mar 2021, LZO 2.10
Apr 29 12:09:30 Pure nm-openvpn[129322]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Apr 29 12:09:30 Pure nm-openvpn[129322]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Apr 29 12:09:30 Pure nm-openvpn[129322]: TCP/UDP: Preserving recently used remote address: [AF_INET]84.16.240.160:443
Apr 29 12:09:30 Pure nm-openvpn[129322]: UDP link local: (not bound)
Apr 29 12:09:30 Pure nm-openvpn[129322]: UDP link remote: [AF_INET]84.16.240.160:443
Apr 29 12:09:30 Pure nm-openvpn[129322]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Apr 29 12:10:30 Pure nm-openvpn-serv[129318]: Connect timer expired, disconnecting.
Apr 29 12:10:30 Pure NetworkManager[539]: <warn> [1619691030.0780] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: VPN connection: connect timeout exceeded.
Apr 29 12:10:30 Pure nm-openvpn[129322]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Apr 29 12:10:30 Pure nm-openvpn[129322]: TLS Error: TLS handshake failed
Apr 29 12:10:30 Pure nm-openvpn[129322]: SIGTERM received, sending exit notification to peer
Apr 29 12:10:30 Pure nm-openvpn[129322]: Converting soft SIGUSR1 received during exit notification to SIGTERM
Apr 29 12:10:30 Pure nm-openvpn[129322]: SIGTERM[soft,exit-with-notification] received, process exiting
Apr 29 12:10:30 Pure NetworkManager[539]: <warn> [1619691030.0791] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: VPN plugin: failed: connect-failed (1)
Apr 29 12:10:30 Pure NetworkManager[539]: <info> [1619691030.0791] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: VPN plugin: state changed: stopping (5)
Apr 29 12:10:30 Pure NetworkManager[539]: <info> [1619691030.0791] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: VPN plugin: state changed: stopped (6)
Apr 29 12:10:30 Pure NetworkManager[539]: <info> [1619691030.0824] vpn-connection[0x556d952464d0,3af1b9bd-2cdd-4a95-b7f6-fb9ec5095420,"DE-Frankfurt-UDP",0]: VPN service disappeared
Hm, it seems like the same problem. Maybe somehow I cannot connect to the used endpoints? Let me try that:
traceroute to 84.16.240.160 (84.16.240.160), 30 hops max, 60 byte packets
1 _gateway (192.168.178.1) 0.307 ms 0.405 ms 0.514 ms
2 192.0.0.1 (192.0.0.1) 9.957 ms 9.645 ms 9.943 ms
3 62.214.36.185 (62.214.36.185) 10.335 ms 10.636 ms 10.630 ms
4 62.214.37.130 (62.214.37.130) 19.916 ms 62.214.37.134 (62.214.37.134) 14.452 ms 62.214.37.130 (62.214.37.130) 20.396 ms
5 po-13.bb01.fra-13.leaseweb.net (31.31.36.96) 14.136 ms 14.333 ms 17.399 ms
6 et-53-1.agg01.fra-10.leaseweb.net (31.31.34.50) 18.086 ms 16.909 ms 17.669 ms
7 ae-101.br01.fra-10.de.leaseweb.net (31.31.38.145) 17.366 ms 25.775 ms 18.428 ms
8 po-2.ce12.fra-10.de.leaseweb.net (178.162.223.219) 12.545 ms 15.782 ms 13.569 ms
9 * 84.16.240.160 (84.16.240.160) 16.713 ms 16.901 ms
No, the route there is clean. I try a raw connection to the port:
[dromundkaas@Pure ~]$ telnet 84.16.240.160 443
Trying 84.16.240.160...
telnet: Unable to connect to remote host: Verbindungsaufbau abgelehnt
Hm, connection refused. Now I’m kind of at my limit debugging VPN network connection issues. Would I expect to be dropped off from port 443 in this way when I connect raw to it, because it expects a certificate delivered? It seems so, because the timeout I get from the network manager takes 60 seconds, while the telnet exits immediately. I’ve tried multiple endpoints of this vendor, and all log the same way I posted above.
Maybe someone has an idea whether any changes to any VPN-related packages might cause this behavior. Any help would be appreciated immensely.
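
Added example, not part of the original post: a Python triage of the nm-openvpn journal lines quoted above, pulling out the transport and remote endpoint, the TLS handshake timeout, and the two security warnings (key file permissions, missing server certificate verification). The sample lines are copied from the second log in the post; the function name `triage`, the result keys and the note wording are this example's own, and the pattern also accepts OpenVPN's TCP link lines, which do not appear in the post.

```python
import re

# Four lines copied from the second journal excerpt in the post above.
SAMPLE = [
    "Apr 29 12:09:30 Pure nm-openvpn[129322]: WARNING: file '/home/dromundkaas/.local/share/networkmanagement/certificates/DE-Frankfurt-UDP/private.key' is group or others accessible",
    "Apr 29 12:09:30 Pure nm-openvpn[129322]: WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.",
    "Apr 29 12:09:30 Pure nm-openvpn[129322]: UDP link remote: [AF_INET]84.16.240.160:443",
    "Apr 29 12:10:30 Pure nm-openvpn[129322]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)",
]

# "UDP link remote", and TCP variants such as "TCP_CLIENT link remote".
LINK = re.compile(r"(UDP|TCP)\w* link remote: \[AF_INET6?\](.+):(\d+)$")
KEYFILE = re.compile(r"WARNING: file '([^']+)' is group or others accessible")
TIMEOUT = re.compile(r"TLS key negotiation failed to occur within (\d+) seconds")
NO_VERIFY = "No server certificate verification method has been enabled"


def triage(lines):
    """Summarise transport, handshake outcome and security warnings."""
    r = {"transport": None, "remote": None, "port": None,
         "handshake_timeout_s": None, "loose_key_files": [],
         "server_cert_unverified": False, "notes": []}
    for line in lines:
        if "openvpn[" not in line:          # skip NetworkManager, kded5, ...
            continue
        if m := LINK.search(line):
            r["transport"], r["remote"], r["port"] = m[1], m[2], int(m[3])
        elif m := KEYFILE.search(line):
            r["loose_key_files"].append(m[1])
        elif m := TIMEOUT.search(line):
            r["handshake_timeout_s"] = int(m[1])
        elif NO_VERIFY in line:
            r["server_cert_unverified"] = True
    if r["handshake_timeout_s"] and r["transport"] == "UDP":
        # telnet opens a TCP connection, so it probes a different listener.
        r["notes"].append(
            f"no TLS reply over UDP {r['remote']}:{r['port']} in "
            f"{r['handshake_timeout_s']}s; a TCP probe of that port number "
            "does not test the UDP service")
    for path in r["loose_key_files"]:
        r["notes"].append(f"restrict private key to its owner: chmod 600 {path}")
    if r["server_cert_unverified"]:
        r["notes"].append("enable server certificate verification, "
                          "e.g. OpenVPN's 'remote-cert-tls server'")
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```
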