New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Something adds a ppp0 route to the gateway making the connection fail #132
Comments
This seems like the same issue as #22 but my routing config is much simpler. It's just a simple wireless connection. Deleting that route makes the VPN not fail. |
Using uk.freel2tpvpn.com (i.e. 87.117.247.187) from https://www.freel2tpvpn.com/ , I have the following routes: Before VPN connection:
After VPN connection:
|
Similarly with other L2TP/IPsec servers I connect to including my workplace, there is no route that is equivalent to the following:
|
I have the same issue. Looks like this happens when VPN address and internal point-to-point addresses are the same:
|
That's very interesting. Seems like a weird VPN config if "Internal Point-to-Point Address" is the gateway address but maybe not invalid. So is it pppd doing the wrong thing then? Or are those lines from something else? |
I think pppd accepts this address from the remote peer via IPCP and then NetworkManager adds a route to it. |
OK, this is what happens on my system after connecting:
where 195.XX.XX.XX is the same address everywhere and it is also a VPN gateway address (and LNS address in terms of l2tp). |
Looks exactly like what happens with this VPN as well. Doesn't the VPN fail in less than a minute from this? At least here this makes the gateway not accessible and the link tears down after only a little bit. |
Yes, I need to remove that bad route, otherwise the VPN dies. |
Seems like exactly the same issue then. See the So is this a l2tp issue or a general network-manager issue then? |
The following patch works for me. Maybe this can be made optional via a checkbox in GUI, something like "Ignore remote peer address"?
This is how connection looks like after the patch:
and it works fine. |
is there any situation where this shouldn't be done? Seems like having an option for "bork my connection if the gateway asks". |
I think there are configurations where remote peer address acts as a gateway. However in my case I can just add routes like |
If the remote peer address that is supposed to act as the gateway is the same one that the VPN connects to in the first place that will never work. |
I'm not sure about adding a GUI option, ideally it should be with the rest of the routing options in the IPv4 settings which this VPN plug-in has no possibility of modifying the GUI widgets. The next likely place would be the PPP Options dialog box. The next question is how to the get the GUI setting to the nm-l2tp-ppd-plugin via the existing D-Bus interface. Any support for GUI changes would have to be backwards compatible with other GUI frontends (e.g. KDE plasma-nm, deepin, etc). Annoyingly all the other PPP NetworkManager VPN implementation have practically the same code for the |
I don't think a GUI option is needed. Just not adding the route if the IPs are the same should always be the correct behavior. Unless I'm missing something. |
The problem is that the nm-l2tp-ppd-plugin doesn't know what the gateway address is (as far as I can tell), so it makes it difficult to compare to the server side PTP address. So the question is how to the get the gateway address to the nm-l2tp-ppd-plugin via the existing D-Bus interface or some other means. I'm still thinking about it, but will be happy for any patch or GitHub pull request. |
Commit 95fdaa6 should hopefully fix this issue. Extract from the pppd man page :
I used I deleted some comments in this issue as they weren't adding anything and to make it easier to read the actual issue. This fix will be in the new NetworkManager-l2tp 1.8.4 which I hope to release within the next couple of weeks. |
I have re-created the NM connection for this VPN a couple of times this week, therefore As for turning it to on and to add the routes myself: from my point of view, it does not matter if I remove a single route or add another one. For me a solution would not require any changes to the routes after turning on the NM connection. It does not matter if I configure something else (NM, NM-l2tp, …). What is the |
Sorry didn't mean
|
Thanks, @dkosovic, for the clues! 🙏 It was quite easy to work this issue around, once I found the docs and tried a few configurations. Also note that setting So, the following command works for me: nmcli c add con-name "$con_name" type vpn vpn-type l2tp \
vpn.data "gateway=$vpn_ip, ipsec-enabled=yes, ipsec-psk=$psk, password-flags=0, user=$user" \
vpn.secrets "password=$pass" ipv4.routes "$vpn_ip/$cidr $router_ip" ipv4.never-default yes Update I rejoiced too soon. I enabled the wrong connection, therefore the command above still produces the default routes and the one with ifname set to $vpn_ip dev ppp0 proto kernel scope link src $remote_ip
$vpn_ip via $router_ip dev wlan0 proto static metric 50 # only this one is needed
$vpn_ip via $router_ip dev ppp0 proto static metric 50 # added by `ipv4.routes` |
Following the upstream issue i was able to create a workaround script that keeps that wrong route from beeing created (While still using I created the file #!/bin/sh
# This script is called with the following arguments:
# Arg Name
# $1 Interface name
# $2 The tty
# $3 The link speed
# $4 Local IP address for the interface
# $5 Peer IP address
# $6 Optional 'ipparam' parameter specified to pppd
logger Removing wrong vpn ip address on $1 for local $4 and peer $5.
ip addr del $4 peer $5 dev $1
It does take about 30 second after that script runs until the local ip adress on "ppp0" is up and the vpn is working in my case. I'm on Ubuntu 22. |
@dkosovic, I am not sure if I should open a new issue … Using Oct 21 12:12:03 hostname NetworkManager[780]: <info> [1666347123.0495] vpn[0x55570163e980,4ecb50e8-337d-4123-9643-d98ee724343e,"vpn_charvat_bardejov"]: starting l2tp
Oct 21 12:12:13 hostname NetworkManager[780]: <warn> [1666347133.0616] vpn[0x55570163e980,4ecb50e8-337d-4123-9643-d98ee724343e,"vpn_charvat_bardejov"]: failed to connect: 'Timeout was reached' I have no idea what’s going on. There was no change on the server-side nor in the config. It works on MS Windows. It used to work (albeit with additional |
@tukusejssirs, I've just installed Fedora 37 in a VM, and have NetworkManager-1.40.0-1.fc37, strongswan-5.9.8-1.fc37 and used the current NetworkManager-l2tp code in this repository, so similar versions to what you are using, but I'm still able to connect. I'm not sure what the issue you are having, might need to see more of the log output. |
@dkosovic, I use Arch Linux with Sway if that matters.
I can get you the logs, however, could you tell me how to access the logs you’re talking about please? |
@tukusejssirs might be best to follow up in a new issue as I suspect the issue you have might not be related to this issue The following will provide useful logs : sudo journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd Arch Linux builds a number of experimental strongswan plugins that can be problematic, try disable loading them with: sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/bypass-lan.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/connmark.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/forecast.conf
sudo sed -i 's/load = yes/load = no/' /etc/strongswan.d/charon/sha3.conf You will also need to reboot as kernel modules used by some of the strongswan plugins might also be loaded. |
I have just noticed that removing a route is not required anymore. I have no idea what fixed the issue though. Currently, when I connect to VPN, it adds the following routes ( default dev ppp0 proto static scope link metric 50
1.2.3.4 dev ppp0 proto kernel scope link src 3.4.5.6
192.168.1.1 dev wlan0 proto static scope link metric 50
2.3.4.5 via 192.168.1.1 dev wlan0 proto static metric 50
|
For the benefit of others, @tukusejssirs are you sure you don't have a modified pppd script lying around which removes the problematic route? I was thinking I was going to have to modify the NetworkManager source code to not add the kernel generated route to the Ext GW if |
No, I didn’t create any In December 2022, I had to remove the extra route after connecting to the VPN and before SSH-ing into the server. Yesterday I tried doing that, but I could not connect the the server via SSH (connecting to VPN works as expected). Then I tried to not remove the extra route and all works as expected. I’ve just tried to reproduce the error on the extra route removal, but after I remove the extra route, I cannot connect to the server via SSH ( |
I've posted to the upstream NetworkManager issue# 946 that this routing issue might be resolved with NetworkManager-l2tp 1.20.8 and/or NetworkManager 1.40.8. Guess we'll get some feedback there if it resolves it for others. |
@dkosovic, one thing I’ve noticed that I lose my Internet connection (and sometimes ability to connect to a server reachable via the VPN) while I am connected to the VPN + connected via SSH to a server within reachable via the VPN. After I disconnect from the VPN, everything works as expected. Moreover, it prefers Maybe the VPN config is the culprit. Ideally, I want to access only the servers available only via the VPN via the VPN, everything else should not go via the VPN. If that is not possible when using a single network interface (like When I change Any idea how to make it work? Ideally, without providing the interface name all the time. Thanks for any clues! 🙏 Update I have read this forum topic/question. I can only connect to the VPN when Update 2 Just a note: right after I connect to the VPN, I can access the Internet, get a list of open ports via |
Do you still have the 4 problematic strongswan plugins loading disabled? i.e. :
two of those strongswan plugins definitely affect routing only when doing split-tunnelling VPN with NetworkManager >= 1.36.
On Arch Linux if I didn't disable those strongswan plugins when split tunnelling VPN was used, I would have a stable VPN connection for a number of minutes until until DHCP brought down the parent wired network. I did an Arch Linux bug report last year for strongswan: In that bug report I recommended the # do not load certain plugins by default that are known to have problems
for p in bypass-lan connmark forecast sha3; do
sed -i 's/load = yes/load = no/' "${pkgdir}/etc/strongswan.d/charon/${p}.conf"
done Guess it was never applied as no Arch Linux users confirmed it fixed their routing problem. Non Arch Linux specific, last week I helped someone with L2TP/IPsec issues who eventually got split tunnelling to work by routing the internal subnet through He mentions he had to disable IPv6 and change his client router subnet from |
No, I disabled then some months ago, based on your suggestion. Since then I have them disabled. I have just double-checked it. I’ve read all from top to bottom. My notes:
|
Sorry I don't have any real suggestions. I notice there are multiple L2TP kernel patches for the current kernel to fix race conditions: Maybe try a different kernel. |
Thanks, @dkosovic, for trying to help me! 🙏 Okay, I tried to boot Fedora Workstation 37 Live from USB (not in VM, but directly on my laptop) and test if the VPN connection is better on Fedora than on Arch Linux. Note: I am okay to modify the default Arch Linux kernel using DKMS and kernel parameters/flags, but I don’t really want to use different kernel. Thus if it works on Fedora, I might reconsider switching back to Fedora. However, it fails to connect. No connection is created, which is worse situation than on Arch Linux. Note that I haven’t installed Fedora on the drive, I just tested it in the live mode. I might install it somewhere and test it out that way, however, will it change anything? 🤔 # Install dependencies
sudo dnf -y install xl2tpd strongswan NetworkManager NetworkManager-l2tp NetworkManager-l2tp-gnome
# Restart Network Manager service
sudo systemctl restart --now NetworkManager
# I check if `strongswan` service is disabled (it was)
systemctl status strongswan
# Add NM connection
nmcli c add con-name "$con_name" type vpn vpn-type l2tp \
vpn.data "gateway=$vpn_ip, ipsec-enabled=yes, ipsec-psk=$psk, password-flags=0, user=$user" vpn.secrets "password=$pass"
# Connect to the VPN, which fails to connect (see `journalctl.log` at the end of this comment)
nmcli c up "$con_name"
# Disable IPv6 in the NM connection
nmcli c mod "$con_name" ipv6.method disabled
# Connect to the VPN, which fails to connect (same error as before disabling IPv6)
nmcli c up "$con_name" |
As I need to make this work ASAP, I have work the bug around using VPN Hotspot app (found via this website which have another, non-root solution) which requires rooted Android phone (which I have) and it is also available on F-Droid. I simply needed to:
Basically, I use my phone as a proxy, which could be done differently, however, we all have a phone at a hand, so it is a quite practical solution from my point of view. Nevertheless, I am still looking for a solution to make VPN connection fully working and stable on Arch Linux. |
On Fedora libreswan and strongswan can be installed at the same time unlike other Linux distros, if both are installed, Networkmanager-l2tp defaults to libreswan. Your logs indicate you are using libreswan (i.e., pluto daemon instead of strongswan's charon daemon). libreswan no longer supports the really weak DH2 modp1024 algorithm (except if rebuilt with the DH2 switch), for the main mode (phase 1) and quick mode (phase2) proposals. I suspect your VPN server is using modp1024 and it isn't proposing any stronger algorithms, so you get the no proposal chosen error. As you have strongswan already installed, you can switch to strongswan by removing libreswan with:
On Fedora I also recommend unblacklisting the L2TP kernel modules, see: which says to do : sudo sed -e '/blacklist l2tp_netlink/s/^b/#b/g' -i /etc/modprobe.d/l2tp_netlink-blacklist.conf
sudo sed -e '/blacklist l2tp_ppp/s/^b/#b/g' -i /etc/modprobe.d/l2tp_ppp-blacklist.conf |
Thanks, @dkosovic! Some notes on my new test on live Fedora 37:
New installation steps that work on Fedora 37 (without issue) and Arch Linux (with the issue that I cannot
|
All kernel modules that have been moved to the I only provided unblacklisting L2TP kernel module instructions that were enough for xl2tpd and kl2tpd. Some of the other L2TP kernel modules are for L2TPv3 which xl2tpd and kl2tpd don't implement. On Fedora xl2tpd can be started as a systemd service and those files are used with that service. Those xl2tpd files are neither required or used with NetworkManager-l2tp which starts its own instance of xl2tpd and points it to its own xl2tpd config files that are generated on the fly. You might like to reduce the MTU/MRU value in the PPP settings, it might help with the packet loss. The default is 1400, so try 1300, 1200, etc or whatever the VPN server was configured to use if you know. Sorry I've never tried comparing ping times, but suspect MTU/MRU value might affect it. I'm going to close this issue as someone else has confirmed the routing issue has been fixed : @tukusejssirs if you have any other issue, open a new issue. Also, thanks for being the first to point out this routing issue was fixed with the new NetworkManager and NetworkManager-l2tp packages. |
I’ll try this out.
Yeah, I’ve seen it. 😉
Fair enough. Sorry to start talking about other my issues not related to this issue, however, at first I thought it might be related. Just a quick question: do you think I should open a new issue for losing connection (sort of) on Arch Linux? Thank you very much for all your help and time! 🙏 |
Please do if you want to. Although I might not have the answer, I’m sure other Arch Linux users will find it useful. If it is a L2TP kernel issue, they tend to hit Arch Linux first, followed by the latest Fedora version. Hopefully it is just a MTU/MRU issue. You might also be able to work out the optimum MTU size by analysing the ping output. Do a Google search and you’ll find lots of examples. |
I configured a VPN using Ubuntu 19.10 and network-manager-l2tp 1.2.10. After struggling with enabling the correct phase1 and phase2 settings I now get a connection. That connection gets torn down after less than a minute.
Looking at the routing table I see that something adds a ppp0 route to the IP of the gateway I am connecting to. That breaks the communication to the gateway as that route is above the one that uses the correct wireless interface to make it continue to work. Any ideas of what could be happening?
The text was updated successfully, but these errors were encountered: