Connecting fails when running on Pixelbook with Crostini #335

Closed
jerkmcjerkface opened this issue Jun 14, 2018 · 15 comments

jerkmcjerkface commented Jun 14, 2018

I figured this may be a first, but I'm trying to use this on my Pixelbook, under Crostini.

me@penguin:$ sudo /usr/bin/openfortivpn -c '/home/me/configs/vpn_me.cfg' -vvvvvvvvv
DEBUG: Loaded config file "/home/me/configs/vpn_me.cfg".
VPN account password:
DEBUG: Config host = "vpnportal.company.com"
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = "me.name"
DEBUG: Config password = "********"
DEBUG: server_addr: x.x.x.x
DEBUG: server_port: 443
DEBUG: gateway_addr: x.x.x.x
DEBUG: gateway_port: 443
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=....
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=...
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr: x.x.x.x
DEBUG: server_port: 443
DEBUG: gateway_addr: x.x.x.x
DEBUG: gateway_port: 443
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: pppd_read_thread
DEBUG: ssl_read_thread
DEBUG: if_config thread
DEBUG: ssl_write_thread
DEBUG: pppd_write thread
ERROR: read: Input/output error
INFO: Cancelling threads...
DEBUG: Waiting for pppd to exit...
DEBUG: waitpid: pppd exit status code 4
ERROR: pppd: Is not setuid-root and the invoking user is not root.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: server_addr: x.x.x.x
DEBUG: server_port: 443
DEBUG: gateway_addr: x.x.x.x
DEBUG: gateway_port: 443
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
ericcorp@penguin:~$

Now, I found another issue on the pppd error, and it looks like it's actually reporting lack of kernel support, but as far as I can tell, it should be supported. However, it's running
Linux penguin 4.14.43-05062-g1048e72698de #1 SMP PREEMPT Thu May 31 11:00:23 PDT 2018 x86_64 GNU/Linux
And I can't quite tell if that supports pppd.

Curious if anyone has run into this and has any input.

DimitriPapadopoulos commented Jun 14, 2018

Clearly pppd doesn't work or isn't properly configured on Crostini:

 ERROR: pppd: Is not setuid-root and the invoking user is not root.

On a GNU/Linux machine:

$ ls -l /usr/sbin/pppd
-rwsr-xr-- 1 root dip 390888 janv. 29  2016 /usr/sbin/pppd

What do you see on Crostini?

DimitriPapadopoulos commented Jun 14, 2018

In practice to find built-in modules:

$ cat /lib/modules/$(uname -r)/modules.builtin | grep ppp
kernel/drivers/net/ppp/ppp_generic.ko

or:

$ grep CONFIG_PPP /lib/modules/$(uname -r)/build/.config
CONFIG_PPP=y
.
.
.

jerkmcjerkface commented

for pppd:


ls -l /usr/sbin/pppd
-rwsr-xr-x 1 root dip 378600 Feb 25 17:28 /usr/sbin/pppd

Then for the modules, there doesn't seem to be a /lib/modules folder. I installed kmod and it errors as well; lsmod is not available either. Maybe the way the container is presented prohibits checking the modules?

jerkmcjerkface commented

lsmod:
root@penguin:~# libkmod: ERROR ../libkmod/libkmod-module.c:1657 kmod_module_new_from_loaded: could not open /proc/modules: No such file or directory

DimitriPapadopoulos commented Jun 14, 2018

What if you add yourself to the dip group? Shouldn't be needed since you're using sudo but you never know...

jerkmcjerkface commented Jun 14, 2018

Same error, the setuid-root one. Probably the container doesn't support that kernel module yet. Maybe I can open up a ticket on the Crostini page?

DennisLfromGA commented Jun 14, 2018

Crostini is certainly different:

root@penguin:~# uname -a
Linux penguin 4.14.43-05062-g1048e72698de #1 SMP PREEMPT Thu May 31 11:00:23 PDT 2018 x86_64 GNU/Linux
root@penguin:~# 
root@penguin:~# ls -l /lib/modules/
total 0
drwxr-xr-x 1 root root 314 May 21 14:35 4.9.0-6-amd64

The command:

cat /lib/modules/4.9.0-6-amd64/modules.builtin.bin | grep ppp

Turns up empty and, in fact, it's an empty file:

ls -l /lib/modules/4.9.0-6-amd64/modules.builtin.bin
-rw-r--r-- 1 root root 0 May 21 14:35 /lib/modules/4.9.0-6-amd64/modules.builtin.bin

But the command:

grep CONFIG_PPP /lib/modules/4.9.0-6-amd64/build/.config

Shows this:

CONFIG_PPP=m
CONFIG_PPP_BSDCOMP=m
CONFIG_PPP_DEFLATE=m
CONFIG_PPP_FILTER=y
CONFIG_PPP_MPPE=m
CONFIG_PPP_MULTILINK=y
CONFIG_PPPOATM=m
CONFIG_PPPOE=m
CONFIG_PPPOL2TP=m
CONFIG_PPP_ASYNC=m
CONFIG_PPP_SYNC_TTY=m

I don't know if that's enough or not but just reporting how Crostini is set up ATM.

-DennisLfromGA

jerkmcjerkface commented Jun 14, 2018

I don't have a /lib/modules folder, weird.

root@penguin:# ls -l /lib
total 4
lrwxrwxrwx 1 root root 21 May 31 14:12 cpp -> /etc/alternatives/cpp
drwxr-xr-x 1 root root 84 Jun 14 09:24 ifupdown
drwxr-xr-x 1 root root 40 Jun 14 09:23 init
drwxr-xr-x 1 root root 60 Jun 14 09:24 lsb
drwxr-xr-x 1 root root 24 Jun 14 11:14 modprobe.d
drwxr-xr-x 1 root root 1306 May 31 01:26 systemd
drwxr-xr-x 1 root root 26 Dec 28 04:47 terminfo
drwxr-xr-x 1 root root 164 Jun 14 09:25 udev
drwxr-xr-x 1 root root 4254 Jun 14 13:06 x86_64-linux-gnu
root@penguin:~# grep -r PPP /lib
Binary file /lib/systemd/libsystemd-shared-232.so matches
Binary file /lib/x86_64-linux-gnu/security/pam_systemd.so matches
Binary file /lib/x86_64-linux-gnu/libsystemd.so.0.17.0 matches
Binary file /lib/x86_64-linux-gnu/libgcrypt.so.20.2.2 matches
Binary file /lib/x86_64-linux-gnu/libudev.so.1.6.10 matches

DennisLfromGA commented Jun 14, 2018

@jerkmcjerkface,

That is weird...
I have not yet attempted to install 'openfortivpn' so I don't know if it would just work on my system or not.

Here are the details of mine currently -


CrOS -

Google Chrome | 68.0.3440.15 (Official Build) dev (64-bit)
Revision | 97fda87c8faca0ed36579987237d552dd92d1fcd-refs/branch-heads/3440@{#179}
Platform | 10718.13.0 (Official Build) dev-channel eve
Firmware Version | Google_Eve.9584.151.0
Customization ID | GOOGLE-EVE
ARC | 4817613
chrome://components: cros-termina - Version: 10739.0.0

crosvm:termina -

(termina) chronos@localhost ~ $ uname -a
Linux localhost 4.14.43-05062-g1048e72698de #1 SMP PREEMPT Thu May 31 11:00:23 PDT 2018 x86_64 06/8e crosvmBestVM GNU/Linux

(termina) chronos@localhost ~ $ cat /etc/lsb-release 
CHROMEOS_RELEASE_BUILDER_PATH=tatl-full-tryjob/R69-10739.0.0-b2622948
GOOGLE_RELEASE=10739.0.2018_05_31_1127
CHROMEOS_DEVSERVER=http://swarm-cros-54.c.chromeos-bot.internal:8080
CHROMEOS_RELEASE_BOARD=tatl
CHROMEOS_RELEASE_BUILD_NUMBER=10739
CHROMEOS_RELEASE_BRANCH_NUMBER=0
CHROMEOS_RELEASE_CHROME_MILESTONE=69
CHROMEOS_RELEASE_PATCH_NUMBER=2018_05_31_1127
CHROMEOS_RELEASE_TRACK=buildbot-build
CHROMEOS_RELEASE_DESCRIPTION=10739.0.2018_05_31_1127 (Continuous Builder - Builder: N/A) tatl
CHROMEOS_RELEASE_NAME=Chromium OS
CHROMEOS_RELEASE_BUILD_TYPE=Continuous Builder - Builder: N/A
CHROMEOS_RELEASE_VERSION=10739.0.2018_05_31_1127
CHROMEOS_AUSERVER=http://swarm-cros-54.c.chromeos-bot.internal:8080/update

lxc container:penguin -

dennylock@penguin:~$ uname -a
Linux penguin 4.14.43-05062-g1048e72698de #1 SMP PREEMPT Thu May 31 11:00:23 PDT 2018 x86_64 GNU/Linux

dennylock@penguin:~$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux 9 (stretch)"
NAME="Debian GNU/Linux"
VERSION_ID="9"
VERSION="9 (stretch)"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

dennylock@penguin:~$ ls -l /lib/
total 4.0K
lrwxrwxrwx 1 root root   21 May  5 01:07 cpp -> /etc/alternatives/cpp
drwxr-xr-x 1 root root   56 May  4 01:26 ifupdown
drwxr-xr-x 1 root root   40 May  4 01:26 init
drwxr-xr-x 1 root root   60 May  4 01:26 lsb
drwxr-xr-x 1 root root   64 May 21 14:34 modprobe.d
drwxr-xr-x 1 root root   26 May 21 14:34 modules
drwxr-xr-x 1 root root 1.4K May 12 15:48 systemd
drwxr-xr-x 1 root root   26 Dec 28 04:47 terminfo
drwxr-xr-x 1 root root  284 May 12 15:49 udev
drwxr-xr-x 1 root root 4.9K May 22 12:56 x86_64-linux-gnu

Please let me know if you need any other details.

-DennisLfromGA

DimitriPapadopoulos commented Jun 15, 2018

So far:

  • PPP support is not built into the kernel but loadable as a module (CONFIG_PPP=m),
  • the setuid bit of pppd is set by default but this doesn't help,
  • the error message returned by pppd does not make sense or is not detailed enough.

I suggest we focus on PPP support independently of openfortivpn:

  • I don't know how much Crostini is similar to a regular Linux distribution, but what about dmesg | grep -i ppp? Since PPP support does not seem to be compiled in the kernel, it shouldn't show anything anyway.
  • Try loading the Linux kernel ppp module: insmod ppp. Not available either?
    If the above fails miserably - I suspect it will - is there a Crostini forum to ask questions about PPP support?
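
The checks discussed in this thread, collected into one script as an added example (not part of the original thread and not openfortivpn code). It reads kernel metadata for the running release only, as the `$(uname -r)` commands earlier in the thread do, so a `/lib/modules` directory that belongs to a different release is reported as `unknown`; the `ROOT` prefix argument and the function names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: PPP pre-flight checks from this thread.
# ROOT is a hypothetical prefix argument so the functions can be pointed
# at a test tree; pass "" for the live system.

# ppp_kernel_support ROOT RELEASE -> builtin | module | absent | unknown
ppp_kernel_support() {
    dir="$1/lib/modules/$2"
    # No metadata for this exact release (no directory, or only another
    # kernel's directory exists): nothing can be concluded.
    [ -d "$dir" ] || { echo unknown; return; }
    if [ -r "$dir/modules.builtin" ] &&
       grep -q 'ppp_generic\.ko' "$dir/modules.builtin"; then
        echo builtin; return
    fi
    cfg="$dir/build/.config"
    [ -r "$cfg" ] || { echo unknown; return; }
    # "# CONFIG_PPP is not set" does not match and falls through to absent.
    case "$(grep '^CONFIG_PPP=' "$cfg" || true)" in
        CONFIG_PPP=y) echo builtin ;;
        CONFIG_PPP=m) echo module ;;
        *)            echo absent ;;
    esac
}

# pppd_mode ROOT -> setuid | not-setuid | missing
pppd_mode() {
    bin="$1/usr/sbin/pppd"
    [ -e "$bin" ] || { echo missing; return; }
    if [ -u "$bin" ]; then echo setuid; else echo not-setuid; fi
}

# ppp_preflight ROOT RELEASE -> one summary line
ppp_preflight() {
    echo "kernel=$(ppp_kernel_support "$1" "$2") pppd=$(pppd_mode "$1")"
}

# Live system: ppp_preflight "" "$(uname -r)"
```

A `module` result only says the module was configured for that release; whether a container is allowed to load or use it is a separate question for the host.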

DimitriPapadopoulos commented

Have you had a look at system logs (wherever they are on Crostini)? What about pppd logs (see option --pppd-log)?

jerkmcjerkface commented

For my Pixelbook, it's a little different


Platform | 10718.13.0 (Official Build) dev-channel eve
Firmware | Google_Eve.9584.151.0
Channel | Currently on dev
ARC Version | 4817613
Blink | 537.36 (@97fda87c8faca0ed36579987237d552dd92d1fcd)
V8 | 6.8.275.6

chronos@localhost /lib $ cat /etc/lsb-release 
CHROMEOS_ARC_ANDROID_SDK_VERSION=25
CHROMEOS_ARC_VERSION=4817613
CHROMEOS_AUSERVER=https://tools.google.com/service/update2
CHROMEOS_BOARD_APPID={01906EA2-3EB2-41F1-8F62-F0B7120EFD2E}
CHROMEOS_CANARY_APPID={90F229CE-83E2-4FAF-8479-E368A34938B1}
CHROMEOS_DEVSERVER=
CHROMEOS_RELEASE_APPID={01906EA2-3EB2-41F1-8F62-F0B7120EFD2E}
CHROMEOS_RELEASE_BOARD=eve-signed-mpkeys
CHROMEOS_RELEASE_BRANCH_NUMBER=13
CHROMEOS_RELEASE_BUILDER_PATH=eve-release/R68-10718.13.0
CHROMEOS_RELEASE_BUILD_NUMBER=10718
CHROMEOS_RELEASE_BUILD_TYPE=Official Build
CHROMEOS_RELEASE_CHROME_MILESTONE=68
CHROMEOS_RELEASE_DESCRIPTION=10718.13.0 (Official Build) dev-channel eve 
CHROMEOS_RELEASE_NAME=Chrome OS
CHROMEOS_RELEASE_PATCH_NUMBER=0
CHROMEOS_RELEASE_TRACK=dev-channel
CHROMEOS_RELEASE_VERSION=10718.13.0
DEVICETYPE=CHROMEBOOK
GOOGLE_RELEASE=10718.13.0
ericcorp@penguin:~$ uname -a
Linux penguin 4.14.43-05062-g1048e72698de #1 SMP PREEMPT Thu May 31 11:00:23 PDT 2018 x86_64 GNU/Linux
ericcorp@penguin:~$ cat /etc/os-release 
PRETTY_NAME="Debian GNU/Linux buster/sid"
NAME="Debian GNU/Linux"
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

DimitriPapadopoulos commented

It looks like PPP might be missing from Crostini, or not be properly supported. If that's the case I'm afraid we cannot help much.

Meanwhile @DennisLfromGA has posted "Openfortivpn pppd error under Crostini" and the consensus seems to be:

you're out of luck until Google adds pppd or tun support to the kernel available in crostini. This is a huge bummer for me too, I ended up using sshuttle (which is excellent) as a VPN replacement.

Except sshuttle is not a replacement for openfortivpn or other VPNs as far as I can understand. It uses SSH and won't provide VPN connections to servers that are only reachable via VPN. It's helpful only if you have full control over the server.

Shouldn't we close this issue?
