Troubleshooting ProtonVPN Linux cli EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface
protonvpn-cli connect
report An unknown error has occured. Please ensure that you have internet connectivity. If the issue persists, please contact support. protonvpn-cli.log
show error protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface protonvpn.log
show Error: Failed to add ‘pvpn-ipv6leak-protection’ connection: Insufficient privileges.Environment
Linux OS: Debian 10 Buster 64 bit (Fresh install with default options).
$ uname -a
Linux debian10 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux
$ protonvpn-cli -v
ProtonVPN CLI v3.8.0 (protonvpn-nm-lib v3.3.2; proton-client v0.5.1)
Symptom
After login success, try to connect
and got an unknown error:
$ protonvpn-cli login <username>
Login successfully
$ protonvpn-cli connect
Setting up ProtonVPN.
An unknown error has occurred. Please ensure that you have internet connectivity.
If the issue persists, please contact support.
Troubleshooting
First use following command to view logs:
$ protonvpn-cli --get-logs
You can also view log files manually. logs store at ~/.cache/protonvpn/logs/
:
$ ls ~/.cache/protonvpn/logs/
network_manager.service.log
protonvpn-cli.log
protonvpn-daemon.log
protonvpn-dbus-wrapper.log
protonvpn.log
protonvpn_reconnect.service.log
protonvpn-cli.log
show following error:
cli_wrapper.py — ERROR — connect:243 — Unable to add IPv6 leak protection connection/interface
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/protonvpn_cli/cli_wrapper.py", line 160, in connect
protocol=protocol
File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/api.py", line 145, in setup_connection
self._env.connection_backend.setup(**data)
File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/connection_backend/nm_client/nm_client.py", line 81, in setup
self._pre_setup_connection(kwargs.get("entry_ip"))
File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/connection_backend/nm_client/nm_client.py", line 223, in _pre_setup_connection
ipv6_lp.manage(KillSwitchActionEnum.ENABLE)
File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 62, in manage
self.add_leak_protection()
File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 103, in add_leak_protection
subprocess_command
File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 178, in run_subprocess
raise exception(exception_msg)
protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface
Continue check protonvpn.log
show following error:
ipv6_leak_protection.py — INFO — add_leak_protection:75 — Adding IPv6 leak protection
ipv6_leak_protection.py — INFO — manage:54 — Manage IPV6: KillSwitchActionEnum.DISABLE
ipv6_leak_protection.py — INFO — get_status_connectivity_check:260 — Conn check available (0) - Conn check enabled (0)
ipv6_leak_protection.py — INFO — update_connection_status:219 — IPv6 status: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — INFO — remove_leak_protection:108 — Removing IPv6 leak protection
ipv6_leak_protection.py — INFO — update_connection_status:219 — IPv6 status: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — ERROR — run_subprocess:169 — Interface state tracker: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — ERROR — run_subprocess:175 — <class 'protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError'>: CompletedProcess(args=['/usr/bin/nmcli', 'c', 'a', 'type', 'dummy', 'ifname', 'ipv6leakintrf0', 'con-name', 'pvpn-ipv6leak-protection', 'ipv6.method', 'manual', 'ipv6.addresses', 'fdeb:446c:912d:09da::/64', 'ipv6.gateway', 'fdeb:446c:912d:09da::1', 'ipv6.route-metric', '95', 'ipv6.dns-priority', '-1400', 'ipv6.ignore-auto-dns', 'yes', 'ipv6.dns', '::1'], returncode=4, stdout=b'', stderr=b"Error: Failed to add 'pvpn-ipv6leak-protection' connection: Insufficient privileges.\n"). Raising exception.
This tells us protonvpn-cli
try to run nmcli
but failed with Insufficient privileges
.
The root cause is system not allowing the protonvpn-cli
to manipulate NetworkManager via dbus.
To fix this issue, we need add a PolicyKit rule for the NetworkManager.
Use root
to create a file name /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla
, the content as below:
[nm-applet]
Identity=unix-user:<your username>
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes
Replace <your username>
with your Linux username.
For multiple username:
Identity=unix-user:<username1>;unix-user:<username2>
Check PolicyKit Authentication Agent exist or not:
# ls /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
ls: cannot access '/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1': No such file or directory
If file does not exist, install it by apt-get install policykit-1-gnome
:
# apt-get install policykit-1-gnome
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
policykit-1-gnome
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 68.2 kB of archives.
After this operation, 508 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 policykit-1-gnome amd64 0.105-7 [68.2 kB]
Fetched 68.2 kB in 0s (752 kB/s)
Selecting previously unselected package policykit-1-gnome.
(Reading database ... 133186 files and directories currently installed.)
Preparing to unpack .../policykit-1-gnome_0.105-7_amd64.deb ...
Unpacking policykit-1-gnome (0.105-7) ...
Setting up policykit-1-gnome (0.105-7) ...
If policykit-1-gnome
does not exist, try to use apt-cache search PolicyKit Authentication Agent
to get correct package name:
# apt-cache search PolicyKit Authentication Agent
lxqt-policykit - LXQt authentication agent for PolicyKit
lxpolkit - LXDE PolicyKit authentication agent
mate-polkit - MATE authentication agent for PolicyKit-1
mate-polkit-bin - MATE authentication agent for PolicyKit-1 (executable wrapper script)
mate-polkit-common - MATE authentication agent for PolicyKit-1 (common files)
libpolkit-agent-1-0 - PolicyKit Authentication Agent API
libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
policykit-1-gnome - authentication agent for PolicyKit
polkit-kde-agent-1 - KDE dialogs for PolicyKit
ukui-polkit - UKUI authentication agent for PolicyKit-1
Then try to run protonvpn-cli connect
again. You should be good to go, e.g.:
$ protonvpn-cli connect -r -p tcp
Setting up ProtonVPN.
Connecting to ProtonVPN on NL-FREE#1 with TCP.
Successfully connected to ProtonVPN.
$ nmcli connection show --active
NAME UUID TYPE DEVICE
proton0 FC57AEA0-7F54-436B-AC7F-83442C021247 tun proton0
ProtonVPN NL-FREE#1 B2D3B327-760B-41BA-94C3-9CB54E993E29 vpn eth0
pvpn-ipv6leak-protection 9A8986CA-E98C-44FD-B06B-09E70ABD39B2 dummy ipv6leakintrf0
Wired connection 1 1EBD7A5F-6D3E-47FE-AC12-B2846751D003 ethernet eth0
Update: Alternative simpler solution
Angel (big thanks) tells me from The Debian administrator’s handbook Configuring the Network section :
To avoid having to manually connect or disconnect the corresponding network interfaces, administrators installed the network-manager package on these roaming machines. This software enables a user to easily switch from one network to another using a small icon displayed in the notification area of their graphical desktop. Clicking on this icon displays a list of available networks (both wired and wireless), so they can simply choose the network they wish to use. The program saves the configuration for the networks to which the user has already connected, and automatically switches to the best available network when the current connection drops.
In order to do this, the program is structured in two parts: a daemon running as root handles activation and configuration of network interfaces and a user interface controls this daemon. PolicyKit handles the required authorizations to control this program and Debian configured PolicyKit in such a way so that members of the netdev group can add or change Network Manager connections.
Base on this info:
- PolicyKit handles the required authorizations to control this program and Debian configured
- PolicyKit in such a way so that members of the
netdev
group can add or change Network Manager connections.
That is, in Debian/Ubuntu the following could also work:
$ sudo usermod -G netdev -a `whoami`
References
- NetworkManager Insufficient privileges
- ProtonVPN linux-cli
- The Debian administrator’s handbook Configuring the Network section
OmniLock - Block / Hide App on iOS
Block distractive apps from appearing on the Home Screen and App Library, enhance your focus and reduce screen time.
DNS Firewall for iOS and Mac OS
Encrypted your DNS to protect your privacy and firewall to block phishing, malicious domains, block ads in all browsers and apps