VPN doesn't start when using systemd / gui without sudo (Arch Linux / AirVPN)

[zanieb]

Perhaps I'm just misunderstanding how the service is supposed to work, but enabling the systemd unit and rebooting does not result in a VPN connection. I've had no problems with the GUI and I expected the service would just load the config and run at boot.

Log

2019-01-24 13:34:45,881 - INFO - Dbus-service successfully initialized
2019-01-24 13:34:45,893 - DEBUG - Failed to save current iptables rules
2019-01-24 13:34:45,944 - INFO - iptables: flushed existing rules
2019-01-24 13:34:45,966 - INFO - iptables: deactivated firewall
2019-01-24 13:34:45,970 - INFO - Disabled ipv6

Service status

mz@mzxps:~/ > sudo systemctl status qomui  
● qomui.service - qomui
   Loaded: loaded (/usr/lib/systemd/system/qomui.service; disabled; vendor preset: disabled)
   Active: active (running) since Thu 2019-01-24 13:34:45 CST; 6min ago
 Main PID: 4192 (qomui-service)
    Tasks: 3 (limit: 4915)
   Memory: 40.8M
   CGroup: /system.slice/qomui.service
           └─4192 /usr/bin/python /usr/bin/qomui-service

Jan 24 13:34:45 mzxps systemd[1]: Starting qomui...
Jan 24 13:34:45 mzxps systemd[1]: Started qomui.
Jan 24 13:34:45 mzxps env[4192]: openvpn: no process found
Jan 24 13:34:45 mzxps env[4192]: net.ipv6.conf.all.disable_ipv6 = 1

-- After starting the gui manually
Jan 24 13:42:18 mzxps env[4192]: Error: argument "bypass_qomui" is wrong: invalid table ID

When I launch the GUI, the log contains no mention of connecting to Dbus service (I've changed the log level to DEBUG and am getting other debug messages)

mz@mzxps:~/ > cat /usr/share/qomui/qomui.log | grep Dbus
2019-01-24 13:59:37,580 - INFO - Dbus-service successfully initialized
2019-01-24 13:59:44,354 - INFO - Dbus-service successfully initialized

[corrad1nho]

Hi, the systemd-service doesn't actually establish connections by itself, it only listens to commands from qomui-gui or qomui-cli and manages basic configurations such as the firewall. Since you apparently haven't activated the firewall, though, the log is all but empty.

[zanieb]

Thanks for the quick response!

Okay, what's the benefit of running it as a service? Also, why doesn't the GUI log that it's connecting to the service as it should?

[corrad1nho]

Okay, what's the benefit of running it as a service?

For security reasons, I want to avoid running the gui process with root privileges that are needed for using OpenVPN for example. Those commands are exposed and handled by qomui-service. Systemd is used for convenience so you can easily control and enable it as a system service. It's not actually needed, though. Of course, I could have also achieved that by simply starting qomui-service as a second process once you launch the gui but then you'd always have to enter your password to start qomui.
You only have to enter your password when you change the configuration. Otherwise, the firewall for example could be disabled without root privileges.

Also, why doesn't the GUI log that it's connecting to the service as it should?

Yes, I forgot to add a log message for that. But actually, qomui-gui won't start without the service being active. The service also handles logging, so qomui failing to launch because it can't communicate with the service won't actually be logged.

If you have any further questions or remarks, I'd be happy to hear those!

[zanieb]

For security reasons, I want to avoid running the gui process with root privileges that are needed for using OpenVPN for example. Those commands are exposed and handled by qomui-service. Systemd is used for convenience so you can easily control and enable it as a system service. It's not actually needed, though. Of course, I could have also achieved that by simply starting qomui-service as a second process once you launch the gui but then you'd always have to enter your password to start qomui.
You only have to enter your password when you change the configuration. Otherwise, the firewall for example could be disabled without root privileges.

Great that makes a lot of sense! You should add something about that to the readme :)

Yes, I forgot to add a log message for that. But actually, qomui-gui won't start without the service being active. The service also handles logging, so qomui failing to launch because it can't communicate with the service won't actually be logged.

Ah okay, I was expecting to see the message here:

qomui/qomui/qomui_gui.py

Line 107 in 2fbc416

self.logger.debug('Successfully connected to qomui-service via DBus')

[corrad1nho]

Moved the log message, so it will now appear in the log given that the service is actually running. Thanks for your suggestions!

[zanieb]

I actually still have to run the gui as admin even when the service is enabled/running or I get a permission error when trying to open the socket.

[corrad1nho]

You are not supposed to start qomui-gui as root/admin. What kind of permission error are you getting exactly? Does it refer to dbus?

[zanieb]

The service is running and I start the gui as user

mz@mzxps:~/ > sudo systemctl status qomui
● qomui.service - qomui
   Loaded: loaded (/usr/lib/systemd/system/qomui.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2019-02-06 01:29:31 CST; 10h ago
 Main PID: 512 (qomui-service)
    Tasks: 2 (limit: 4915)
   Memory: 156.2M
   CGroup: /system.slice/qomui.service
           └─512 /usr/bin/python /usr/bin/qomui-service

Feb 06 01:29:29 mzxps systemd[1]: Starting qomui...
Feb 06 01:29:31 mzxps systemd[1]: Started qomui.
Feb 06 01:29:31 mzxps env[512]: openvpn: no process found
Feb 06 01:29:31 mzxps env[512]: net.ipv6.conf.all.disable_ipv6 = 1
Feb 06 01:30:21 mzxps env[512]: net.ipv6.conf.all.disable_ipv6 = 1
Feb 06 01:30:24 mzxps env[512]: RTNETLINK answers: No such file or directory
Feb 06 01:33:14 mzxps env[512]: RTNETLINK answers: No such file or directory
Feb 06 11:26:49 mzxps env[512]: RTNETLINK answers: No such file or directory
Feb 06 11:57:44 mzxps env[512]: net.ipv6.conf.all.disable_ipv6 = 1
mz@mzxps:~/ > qomui-gui&

The log for connection in the GUI has a code 99 socket error, if I do not 'cancel' the attempt to connect, the repeated connection attempts cause qomui-gui to hang and I have to kill the process.

2019-02-06 12:00:56,825 - INFO - Connecting to Grumium....
2019-02-06 12:00:56,838 - DEBUG - New thread for OpenVPN process started
2019-02-06 12:00:56,839 - INFO - ipv6 stack not available
2019-02-06 12:00:56,840 - INFO - iptables: created rule for *****
2019-02-06 12:00:56,841 - DEBUG - No pre script defined for Airvpn
2019-02-06 12:00:56,842 - DEBUG - Temporary config file(s) for requested server written
2019-02-06 12:00:56,843 - INFO - Establishing new OpenVPN tunnel
2019-02-06 12:00:56,850 - INFO - Establishing connection to Grumium
2019-02-06 12:00:56,852 - DEBUG - OpenVPN pid: 6664
2019-02-06 12:00:56,864 - INFO - OpenVPN: OpenVPN 2.4.6 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Apr 24 2018
2019-02-06 12:00:56,864 - INFO - OpenVPN: library versions: OpenSSL 1.1.1a  20 Nov 2018, LZO 2.10
2019-02-06 12:00:56,865 - INFO - OpenVPN: Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-02-06 12:00:56,865 - INFO - OpenVPN: Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-02-06 12:00:56,865 - INFO - OpenVPN: Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
2019-02-06 12:00:56,866 - INFO - OpenVPN: Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
2019-02-06 12:00:56,866 - INFO - OpenVPN: TCP/UDP: Preserving recently used remote address: [AF_INET6]****
2019-02-06 12:00:56,866 - INFO - OpenVPN: Socket Buffers: R=[212992->212992] S=[212992->212992]
2019-02-06 12:00:56,866 - INFO - OpenVPN: UDPv6 link local: (not bound)
2019-02-06 12:00:56,866 - INFO - OpenVPN: UDPv6 link remote: [AF_INET6]*****
2019-02-06 12:00:56,866 - INFO - OpenVPN: write UDPv6: Cannot assign requested address (code=99)
2019-02-06 12:00:58,950 - INFO - OpenVPN: write UDPv6: Cannot assign requested address (code=99)

Running the gui with admin rights resolves the issues.

[zanieb]

After further testing, if I don't run the gui as with sudo, I cannot download/update provider information either. It just hangs and needs to be killed, no errors displayed.

[corrad1nho]

After further testing, if I don't run the gui as with sudo, I cannot download/update provider information either. It just hangs and needs to be killed, no errors displayed.

Can you try the following:

1. Stop the service: sudo systemctl stop qomui
2. Run the service directly from a terminal: sudo qomui-service
3. Start the gui from a second terminal: qomui-gui

Post the output of both when you are trying to download/update provider configs here.

Running the gui with admin rights resolves the issues.

It seems you have disabled ipv6 on your system but are using an ipv6 OpenVPN config (this line: "OpenVPN: write UDPv6: Cannot assign requested address (code=99)"). This cannot work. I don't recommend disabling ipv6 as it can causes issues. The firewall takes care of possible ipv6 leaks. If that's not the case, please post the content of /usr/share/qomui/temp.ovpn after an unsuccessful connection attempt.

[zanieb]

mz@mzxps:~/ > sudo systemctl stop qomui     
mz@mzxps:~/ > sudo systemctl status qomui   
● qomui.service - qomui
   Loaded: loaded (/usr/lib/systemd/system/qomui.service; enabled; vendor preset: disabled)
   Active: inactive (dead) since Wed 2019-02-06 16:20:33 CST; 1min 38s ago
  Process: 512 ExecStart=/usr/bin/env qomui-service (code=killed, signal=TERM)
 Main PID: 512 (code=killed, signal=TERM)

Feb 06 15:13:13 mzxps env[512]: net.ipv6.conf.all.disable_ipv6 = 1
Feb 06 15:13:14 mzxps env[512]: RTNETLINK answers: No such file or directory
Feb 06 15:13:41 mzxps env[512]: net.ipv6.conf.all.disable_ipv6 = 0
Feb 06 15:13:41 mzxps env[512]: RTNETLINK answers: No such file or directory
Feb 06 15:13:50 mzxps env[512]: net.ipv6.conf.all.disable_ipv6 = 0
Feb 06 15:13:58 mzxps env[512]: RTNETLINK answers: No such file or directory
Feb 06 16:20:33 mzxps systemd[1]: Stopping qomui...
Feb 06 16:20:33 mzxps systemd[1]: qomui.service: Main process exited, code=killed, status=15/TERM
Feb 06 16:20:33 mzxps systemd[1]: qomui.service: Succeeded.
Feb 06 16:20:33 mzxps systemd[1]: Stopped qomui.
mz@mzxps:~/ > sudo qomui-service&           
mz@mzxps:~/ > killall qomui-service
qomui-service(18951): Operation not permitted
qomui-service: no process found
mz@mzxps:~/ > sudo qomui-service&      
[2] 19300
mz@mzxps:~/ > openvpn: no process found
net.ipv6.conf.all.disable_ipv6 = 0
mz@mzxps:~/ > qomui-gui&
[3] 19310
QLayout: Attempting to add QLayout "" to QomuiGui "Form", which already has a layout
RTNETLINK answers: No such file or directory
mz@mzxps:~/ > 

When I attempt to download the provider config, the program hangs without output. (the progress bar freezes)

I do not have ipv6 disabled (except by qomui). I can't get the non-admin qomui to display providers anymore since I deleted the AirVPN config while trying to debug so I can't get the contents after the unsuccessful connection.

I tried reinstalling and all the issues persist. Can you give instructions to delete all config data?

[zanieb]

After deleting all the config info and reinstalling I was able to download the provider information without a problem. When I try to save the config information (the 'save' button on that page) I get the following

mz@mzxps:~/ > qomui-gui
QLayout: Attempting to add QLayout "" to QomuiGui "Form", which already has a layout
==== AUTHENTICATING FOR org.freedesktop.policykit.exec ====
Authentication is needed to run `/usr/bin/python' as the super user
Authenticating as: mz
Password: 
polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie
==== AUTHENTICATION FAILED ====
Error executing command as another user: Not authorized

This incident has been reported.

I tried this many times. The gui always freezes after this.

The provider information does seem to save though, because it is present when I open the gui a second time. However, I still cannot connect to the server without admin privileges.

Edit:
The failed authentication seems to be because I don't have a policykit gui? See
NixOS/nixpkgs#18012
The workaround provided there allows the authentication to succeed but the gui still hangs.

[zanieb]

Okay, at this point I can get a non-admin gui to connect to the server, the gui hangs for about 2 minutes during the connection (which does not happen when I have admin rights) but eventually comes back and works!

Additionally, even after installing a polkit agent gui, the qomui gui hangs after authentication.

[corrad1nho]

I tried reinstalling and all the issues persist. Can you give instructions to delete all config data?

Delete these two directories: "/usr/share/qomui" & "~/.qomui"

After deleting all the config info and reinstalling I was able to download the provider information without a problem. When I try to save the config information (the 'save' button on that page) I get the following

Have you rebooted or reinitialized dbus? This may help. Otherwise, there might be an issue with Qomui's policy file. Can you post its content: "/usr/share/dbus-1/system.d/org.qomui.service.conf" Or as you suggest there is something wrong with polkit. I'll try to investigate this issue but I never encountered this behavior on any machine I tested Qomui on or got polkit authentication requests.

[zanieb]

Delete these two directories: "/usr/share/qomui" & "~/.qomui"

Yeah, I've done that and rebooted multiple times.

Otherwise, there might be an issue with Qomui's policy file. Can you post its content: "/usr/share/dbus-1/system.d/org.qomui.service.conf" Or as you suggest there is something wrong with polkit. I'll try to investigate this issue but I never encountered this behavior on any machine I tested Qomui on or got polkit authentication requests.

mz@mzxps:~/ > cat /usr/share/dbus-1/system.d/org.qomui.service.conf     
<!DOCTYPE busconfig PUBLIC                                         
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">

<busconfig>
    <policy context="default">
        <allow send_destination="org.qomui.service" log="true"/>
        <allow receive_sender="org.qomui.service" log="true"/>
    </policy>                 
    <policy user="root">        
        <allow own="org.qomui.service"/>
        <allow send_type="method_call" log="true"/>
    </policy>                                                                        
</busconfig>   

Thanks for your help, I'm pretty confused by it myself. Happy to try any debugging or changes you can recommend, I'm quite proficient in python and have been looking at the code and don't see why it would hang after a successful authentication.

I am confused that you wouldn't get polkit authentication requests when you call pkexec to save config changes?

[corrad1nho]

I am confused that you wouldn't get polkit authentication requests when you call pkexec to save config changes?

Me, too. But I suspect the reason is that Qomui is trying to call the service via D-Bus on launch and it's somehow denied by polkit. The policy looks fine, though. Which distribution/DE are you using currently? Could you try installing a graphical polkit agent as described in the Arch Wiki for example.

polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie

This line is strange. It suggests that no polkit agent is running at all. Have you tried running an arbitrary command with pkexec from console such as "pkexec ls"?

Edit: Alternatively you could try to write a custom policy in "/etc/polkit-1/rules.d/49-qomui_nopasswd.rule". I put an example on pastebin.

[zanieb]

I am confused that you wouldn't get polkit authentication requests when you call pkexec to save config changes?

Me, too. But I suspect the reason is that Qomui is trying to call the service via D-Bus on launch and it's somehow denied by polkit. The policy looks fine, though. Which distribution/DE are you using currently? Could you try installing a graphical polkit agent as described in the Arch Wiki for example.

I'm using Arch with i3, everything up to date. I installed the gnome polkit agent as described in that wiki a while ago. I am not getting polkit requests when launching the gui, just when saving the config. The log demonstrates successful connection to the dbus service.

polkit-agent-helper-1: error response to PolicyKit daemon: GDBus.Error:org.freedesktop.PolicyKit1.Error.Failed: No session for cookie

This line is strange. It suggests that no polkit agent is running at all. Have you tried running an arbitrary command with pkexec from console such as "pkexec ls"?
That error was before I had the polkit agent, sorry for the confusion. After installing the agent, I no longer get an error but the GUI hangs until killed after successful(?) authentication. The same applies when I set up a polkit agent via terminal linked to the qomui-gui pid, there I witness successful authentication.

To summarize my current issues

• qomui-gui takes a long time to complete operations when run without sudo, these operations include downloading provider information and connection to a server. The GUI hangs while these operations run. These delays are not present when run with sudo.
• qomui-gui does not allow the saving of configuration information when run without sudo, after successful polkit authentication the GUI hangs until the process is killed

Edit: Alternatively you could try to write a custom policy in "/etc/polkit-1/rules.d/49-qomui_nopasswd.rule". I put an example on pastebin.

I was looking into that as well, I don't think it will change anything but I'll try it later today.

[corrad1nho]

Sorry, I somehow missed that edit where you described that you already tried installing a polkit agent.

qomui-gui takes a long time to complete operations when run without sudo, these operations include downloading provider information and connection to a server. The GUI hangs while these operations run. These delays are not present when run with sudo.

To me that sounds like a D-Bus issue; possibly, authentication via polkit takes a long time even if successful eventually. The operations you mention all require communication via D-Bus. If the gui hangs that could indicate that the D-Bus call is blocking the event loop. That it works smoothly with sudo confirms this as you are automatically authenticated in that case. I'm not quite sure how to troubleshoot this exactly, but I'll try setting up an Arch/i3 installation to replicate this problem.

qomui-gui does not allow the saving of configuration information when run without sudo, after successful polkit authentication the GUI hangs until the process is killed

Does the graphical polkit agent ever come up or are you using this workaround?

[zanieb]

Sorry, I somehow missed that edit where you described that you already tried installing a polkit agent.

qomui-gui takes a long time to complete operations when run without sudo, these operations include downloading provider information and connection to a server. The GUI hangs while these operations run. These delays are not present when run with sudo.

To me that sounds like a D-Bus issue; possibly, authentication via polkit takes a long time even if successful eventually. The operations you mention all require communication via D-Bus. If the gui hangs that could indicate that the D-Bus call is blocking the event loop. That it works smoothly with sudo confirms this as you are automatically authenticated in that case. I'm not quite sure how to troubleshoot this exactly, but I'll try setting up an Arch/i3 installation to replicate this problem.

I'll investigate this as well.

qomui-gui does not allow the saving of configuration information when run without sudo, after successful polkit authentication the GUI hangs until the process is killed

Does the graphical polkit agent ever come up or are you using this workaround?

The agent gui appears and works as intended, but after it closes the qomui gui hangs.

[zanieb]

While the GUI is frozen during connection, the VPN connection is functional e.g. I can visit ipleak and see my AirVPN server. It is only the GUI that is blocking.

Additionally, it appears if I wait long enough sometimes the configuration will save.

The polkit rules file does not change anything, I even still get a prompt for a password when saving the config. I presume this because the rules file you wrote is for the service and the gui is the one making the config save call? If I dismiss the request qomui-gui also hangs.

[corrad1nho]

Update: Just did a minimal installation of Arch/i3. Here's what I found:

• Indeed, without any graphical polkit agent installed applying configuration changes is not possible.
• I tried polkit-kde-agent and it worked flawlessly.
• Also, Qomui was downloading and connecting to servers without any hiccups, it wasn't freezing at all even before I installed the polkit agent.

Now, I'm quite clueless to be honest.

[zanieb]

I would have been surprised if it was i3 that was causing the problems. Also quite clueless. I'll pursue it on my own a bit more and see what I can find.