PIA stuck connecting on Ubuntu 17.10

edited December 3 in Linux VPN Setup Posts: 7
This is a fresh Ubuntu install along with any updates the release. PIA is stuck Connecting and never succeeds. When I look in the looks I see various connection refused errors.

From pia_manager.log
[2017-12-03T03:53:23.586Z] <debug> #28789/9018500 |OpenvpnManager| Connecting to OpenVPN^@
[2017-12-03T03:53:23.586Z] <debug> #28789/9018500 |OpenvpnManager| #<Errno::ECONNREFUSED: Connection refused - connect(2)>
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1334:in `initialize'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1334:in `open'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1334:in `block (2 levels) in cmd'
/home/svasan/.pia_manager/pia_manager/pia_common.rb:314:in `timeout'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1332:in `block in cmd'
<internal:prelude>:10:in `synchronize'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1328:in `cmd'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1295:in `block (2 levels) in wait_management'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1293:in `loop'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1293:in `block in wait_management'
/home/svasan/.pia_manager/pia_manager/pia_common.rb:314:in `timeout'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:1292:in `wait_management'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:42:in `block (3 levels) in resume_from_old_state'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:189:in `ipv6leak_ignore_disconnect'
/home/svasan/.pia_manager/pia_manager/openvpn_manager.rb:41:in `block (2 levels) in resume_from_old_state'^@

From  pia_nw.log
[2017-12-03T03:53:26.082Z] <error> |daemon| Command error {"code":"ECONNREFUSED","errno":"ECONNREFUSED","syscall":"connect","address":"127.0.0.1","port":31743}
[2017-12-03T03:53:26.082Z] <info> |daemon| Command failed {"cmd":"status","params":{}}
[2017-12-03T03:53:26.082Z] <debug> |daemon| Giving up
[2017-12-03T03:53:26.083Z] <error> |error| Error: connect ECONNREFUSED 127.0.0.1:31743
    at Object.exports._errnoException (util.js:890:11)
    at exports._exceptionWithHostPort (util.js:913:20)
    at TCPConnectWrap.afterConnect [as oncomplete] (net.js:1061:14)
[2017-12-03T03:53:26.083Z] <debug> |status| Error getting subscription {"code":"ECONNREFUSED","errno":"ECONNREFUSED","syscall":"connect","address":"127.0.0.1","port":31743}




openvpn.log is empty. And no openvpn pid file 

This is using version p75 which is the same I have on another Ubuntu 17.10 where it works fine. (This machine is a new install of 17.10)

Any ideas on whats going on and how to fix?

Thanks

Post edited by pia_user_2357 on

Comments

  • edited December 4 Posts: 7
    Ah, ok. Yes, the home directory is encrypted (and isn't on the working Ubuntu 17.10 install). Thanks for the quick response Max-P.

    I still see the same issue though after following those instructions. I moved .pia_manager out $HOME and into /opt.  (The full install is not encrypted. Just my home dir).

    Anything else I should try?

    EDIT: Rephrase. Also, I did a fresh install of pia just to be sure and moved it to /opt. Didn't help.
    Post edited by pia_user_2357 on
  • edited December 4 Posts: 5
    I seem to be having a similar problem however none of my file-system is encrypted. (Although I have tried the /opt method)
    I'm using Ubuntu 17.10 (PIA v75)

    Before I've even attempted to connect to the VPN pia_manager.log is getting filled with these errors.
    https://gist.github.com/anonymous/a3e1ba5b4dcd591d38ce556bdcac259c

    Then here is the log once I attempt to connect (includes previous errors)
    https://gist.github.com/anonymous/a47eed4108d549e161eed3859351ffe1

    openvpn.log is always empty

    If I run ~/.pia_manager/pia_manager/run.sh and attempt to connect it just says "security error", and when I exit the application it displays these errors

    security error
    security error
    security error
    #### this is where I exit the application ####
    iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.6.1: can't initialize iptables table `filter': Permission denied (you must be root)
    Perhaps iptables or your kernel needs to be upgraded.
    Post edited by dang on
  • Posts: 298
    openvpn needs privileges, so does iptables. did your file manipulations drop a suid bit somewhere?
  • Posts: 5
    martouf said:
    openvpn needs privileges, so does iptables. did your file manipulations drop a suid bit somewhere?
    I just tried the following commands with no change
    $ sudo chown $USER -R ~/.pia_manager
    $ sudo chmod 777 -R ~/.pia_manager

    I may have misunderstood what you mean.
  • Posts: 298
    you have.

    that would be chmod u+s root.owned.executable.file or chmod 4751 root.owned.executable.file

    what you did is equivalently chmod 0777 user.owned.executable.file
    (do not set g+w nor o+rw on a root owned suid file - it is quite unwise)

    see https://en.wikipedia.org/wiki/Setuid
  • Posts: 5
    martouf said:
    you have.

    that would be chmod u+s root.owned.executable.file or chmod 4751 root.owned.executable.file

    what you did is equivalently chmod 0777 user.owned.executable.file
    (do not set g+w nor o+rw on a root owned suid file - it is quite unwise)

    see https://en.wikipedia.org/wiki/Setuid
    Ah ok, I've done that and the error has changed.
    Below is the log from running ~/.pia_manager/pia_manager/run.sh (Just to clarify I have kill-switch off, I don't know why it should be trying to do anything with that.)

    kill: (4090): No such process
    pia_nw: no process found
    ip6tables: No chain/target/match by that name.
    ip6tables: No chain/target/match by that name.
    ip6tables: No chain/target/match by that name.
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    security error
    ip6tables: No chain/target/match by that name.
    ip6tables: No chain/target/match by that name.
    net.ipv6.conf.all.disable_ipv6 = 0
    net.ipv6.conf.default.disable_ipv6 = 0
    net.ipv6.conf.lo.disable_ipv6 = 0
    ip6tables: No chain/target/match by that name.
    ip6tables: No chain/target/match by that name.
    ip6tables: No chain/target/match by that name.
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1
    security error
    ip6tables: No chain/target/match by that name.
    ip6tables: No chain/target/match by that name.
    net.ipv6.conf.all.disable_ipv6 = 0
    net.ipv6.conf.default.disable_ipv6 = 0
    net.ipv6.conf.lo.disable_ipv6 = 0

    iptables v1.6.1: Couldn't load target `PIA_KILLSWITCH_OUTPUT_RULES':No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.6.1: Couldn't load target `PIA_KILLSWITCH_OUTPUT_RULES':No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.6.1: Couldn't load target `PIA_KILLSWITCH_OUTPUT_RULES':No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.
    iptables: No chain/target/match by that name.
    iptables: No chain/target/match by that name.
    pia_nw: no process found
  • Posts: 403
    Yeah, the way PIA uses the SUID binary in a way that's still secure tends to be a bit weird. You definitely broke the PIA installation by doing the chmod/chown however. I would highly recommend just deleting the whole ~/.pia_manager directory and reinstall from the installer first and leave the files alone.

    If it still doesn't work there's likely something wrong with your /tmp mount or the filesystem your home directory lives on. The SUID binary is necessary for PIA to operate otherwise it won't escalate privileges properly. If the SUID launcher detects anything it doesn't like that could potentially allow the user to edit the root code, it immediately aborts with "security error". So you're failing an integrity check and we need to find out why.
  • Posts: 5
    Max-P said:
    Yeah, the way PIA uses the SUID binary in a way that's still secure tends to be a bit weird. You definitely broke the PIA installation by doing the chmod/chown however. I would highly recommend just deleting the whole ~/.pia_manager directory and reinstall from the installer first and leave the files alone.

    If it still doesn't work there's likely something wrong with your /tmp mount or the filesystem your home directory lives on. The SUID binary is necessary for PIA to operate otherwise it won't escalate privileges properly. If the SUID launcher detects anything it doesn't like that could potentially allow the user to edit the root code, it immediately aborts with "security error". So you're failing an integrity check and we need to find out why.
    Hmm, mine suddenly started working when I turned my computer on today, thanks for helping.

    Since you mentioned /tmp it's probably relevant that to reduce writes to my SSD I have a separate HDD partition mounted at /tmp, since I've started using this setup I've reinstalled my operating system multiple times, I suspect the permissions have been corrupted over time.

    When I reinstall my system in the future I'll wipe the /tmp partition to hopefully fix any conflicts.
  • edited December 6 Posts: 7
    Hi Max-P,

    As mentioned in my edit above from yesterday, I did try a fresh install. There are two reports here. dang  reported the other failure and has been trying out chmod/chown above. I haven't. I have the encrypted fs, and following your previous message moved the install to /opt but that didn't help. I've tried a fresh install too.

    My steps for the fresh install (I tried again):
    # Make sure PIA is closed.
    
    $ cd /opt
    $ sudo rm -rf pia_manager/
    
    $ cd
    $ rm -f .pia_manager
    $ rm -f pia.sh 
    
    $ cd Downloads/
    $ rm -f pia-v75-installer-linux.sh 
    $ tar xvzf pia-v75-installer-linux.tar.gz 
    $ ./pia-v75-installer-linux.sh 
    Extracting files...
    Installing dependencies...
    Running: sudo apt-get install -y libxss1 libappindicator1 gconf2 net-tools
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    libappindicator1 is already the newest version (12.10.1+17.04.20170215-0ubuntu2).
    libxss1 is already the newest version (1:1.2.2-1).
    net-tools is already the newest version (1.60+git20161116.90da8a0-1ubuntu1).
    gconf2 is already the newest version (3.2.6-4ubuntu1).
    0 upgraded, 0 newly installed, 0 to remove and 42 not upgraded.
    Installation complete!
    
    # PIA opens up. Didn't login; just exited the app.
    
    $ cd ..
    $ sudo rm -rf /opt/pia_manager
    $ sudo mv ~/.pia_manager /opt/pia_manager
    $ ln -s /opt/pia_manager/ ~/.pia_manager
    
    

    Permissions of /opt/pia_manager: drwxr-xr-x (owner:group is my user and group)
    Permissions of openvpn_launcher.64: -rwsrwxr-x (owner is root; group is my group)

    Both are the defaults from the install. I didn't change them.

    At this point, run ~/.pia.sh; put in username/password. PIA still gets stuck connecting.

    I do get the 'security error' by running the command for openvpn_launcher.64 from pia_manager.log on the commandline. Though no logs to pin point what it is complaining about. It would help if that error was more descriptive. :)

    What else do I check for?

    EDIT:  /tmp permissions: drwxrwxrwt and my home dir permissions: drwx------
    Post edited by pia_user_2357 on
  • Posts: 298
    members of your user group can neither 'r' nor 'x' your home directory..  the parent dir of ~/.pia_manager ... hmm.
  • edited December 7 Posts: 5
    Damnit!

    Started happening again shortly after saying it was working, tried loads of stuff and no success, time to try a fresh install I guess...
    --
    Formatted my /tmp partition, deleted configuration files on my home partition (.config, .cache, .local etc, basically everything except documents & media), formatted system partition, reinstalled Ubuntu, installed PIA, didn't work...
    --
    Going to try disabling my tmp partition... I'll update
    --
    Didn't work, going to try disabling my home partition, eek!
    --
    Worked when I disabled home partition, I'll investigate!
    --
    Wow I feel like a world-class ball sack... home partition was mounted with nosuid mount option...
    Post edited by dang on
  • Posts: 298
    well, now, there's yer problem riieet there...  :-P
  • Posts: 403
    Wow I feel like a world-class ball sack... home partition was mounted with nosuid mount option...

    Ha, happens to the best of us. In all fairness, /home isn't quite meant to contain suid root binaries in the user's home directory and PIA really shouldn't be installing there... It only does so for legacy reasons and it will be fixed, but we're kinda stuck with it for now.

    Glad you got it working!
  • Posts: 298
    not so stuck you can't properly install the suid binary in /opt/privateinternetaccess/sbin and then put symbolic links in /home/username
  • edited December 8 Posts: 7
    Hi martouf,

    I don't believe I messed with the home dir permissions. (Its only been a week or so since the install though its possible that I messed it up and forgot. But I don't see any chmod for this in my history for this and it seems to go all the way back.)

    If you expected this to be 0755, is it possible that this is mounted this way by ecryptfs?

    I can try changing it but have another question: since pia/openvpn are both running either as me or root do the group permissions matter?

    EDIT : Yea, looks like thats from ecryptfs per the answer https://askubuntu.com/questions/82538/is-my-encrypted-home-folder-open-to-other-users-when-i-am-logged-in (unless it changed after that I guess :) )
    Post edited by pia_user_2357 on
  • Posts: 298
    i'm not sure what to make of your recent message, @pia_user_2357
    are you in the same situation as dang? encrypted home dir? home filesystem mounted with nosuid option?
  • edited December 9 Posts: 7
    You responded to my comment on Dec 5 above pointing out that the home dir has no r/w permissions for my group.  (Maybe you thought that was from dang?) I was replying to that. As mentioned that may be from the way encryptfs mounts the home dir.

    I started this thread and do have a encrypted home directory and I did try the /opt method pointed out by @Max-P. @dang has a similar problem but does *not* have an encrytped filesystem per his first message.

    I detailed my steps above in my Dec 5th message - I have an encrypted home dir; have tried moving pia install to /opt with no success; folder permissions are listed.

    hth to clear any confusion. Any help to debug is appreciated. It would be nice if the openvpn_launcher binary actually printed out what check is failing instead of just saying security error.
    Post edited by pia_user_2357 on
  • edited December 10 Posts: 7
    Well, nevermind. It works today. The setup is the same as on Dec 5th - encrypted home dir, pia installed in /opt with ~/.pia_manager symlinked to /opt/pia_manager, the various permissions listed all the same as mentioned above.

    I didn't reinstall pia since or change anything else for it except I did edit the .desktop file today to point directly to /opt/pia_manager. But it works either way now and also via ~/pia.sh which is using the symlink.

    So don't know whats different. I did a restart in the last couple of days after some updates. It could be the updates changed something else that was related or maybe I needed a restart after the pia reinstall?

    In any case, pia works for me too now.

    Post edited by pia_user_2357 on
  • Posts: 298
    that's good news!  glad to hear of it
Sign In or Register to comment.