
Troubleshooting ProtonVPN Linux cli EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface

protonvpn-cli connect reports "An unknown error has occurred. Please ensure that you have internet connectivity. If the issue persists, please contact support." protonvpn-cli.log shows the error protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface, and protonvpn.log shows Error: Failed to add 'pvpn-ipv6leak-protection' connection: Insufficient privileges.

Environment

Linux OS: Debian 10 Buster 64 bit (Fresh install with default options).

$ uname -a
Linux debian10 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux

$ protonvpn-cli -v

ProtonVPN CLI v3.8.0 (protonvpn-nm-lib v3.3.2; proton-client v0.5.1)

Symptom

After a successful login, trying to connect fails with an unknown error:

$ protonvpn-cli login <username>

Login successfully

$ protonvpn-cli connect
Setting up ProtonVPN.

An unknown error has occurred. Please ensure that you have internet connectivity.
If the issue persists, please contact support.

Troubleshooting

First, use the following command to view the logs:

$ protonvpn-cli --get-logs

You can also view the log files manually. Logs are stored in ~/.cache/protonvpn/logs/:

$ ls ~/.cache/protonvpn/logs/
network_manager.service.log
protonvpn-cli.log
protonvpn-daemon.log
protonvpn-dbus-wrapper.log
protonvpn.log
protonvpn_reconnect.service.log

protonvpn-cli.log shows the following error:

cli_wrapper.py — ERROR — connect:243 — Unable to add IPv6 leak protection connection/interface
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/protonvpn_cli/cli_wrapper.py", line 160, in connect
    protocol=protocol
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/api.py", line 145, in setup_connection
    self._env.connection_backend.setup(**data)
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/connection_backend/nm_client/nm_client.py", line 81, in setup
    self._pre_setup_connection(kwargs.get("entry_ip"))
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/connection_backend/nm_client/nm_client.py", line 223, in _pre_setup_connection
    ipv6_lp.manage(KillSwitchActionEnum.ENABLE)
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 62, in manage
    self.add_leak_protection()
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 103, in add_leak_protection
    subprocess_command
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 178, in run_subprocess
    raise exception(exception_msg)
protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface

Next, protonvpn.log shows the following error:

ipv6_leak_protection.py — INFO — add_leak_protection:75 — Adding IPv6 leak protection
ipv6_leak_protection.py — INFO — manage:54 — Manage IPV6: KillSwitchActionEnum.DISABLE
ipv6_leak_protection.py — INFO — get_status_connectivity_check:260 — Conn check available (0) - Conn check enabled (0)
ipv6_leak_protection.py — INFO — update_connection_status:219 — IPv6 status: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — INFO — remove_leak_protection:108 — Removing IPv6 leak protection
ipv6_leak_protection.py — INFO — update_connection_status:219 — IPv6 status: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — ERROR — run_subprocess:169 — Interface state tracker: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — ERROR — run_subprocess:175 — <class 'protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError'>: CompletedProcess(args=['/usr/bin/nmcli', 'c', 'a', 'type', 'dummy', 'ifname', 'ipv6leakintrf0', 'con-name', 'pvpn-ipv6leak-protection', 'ipv6.method', 'manual', 'ipv6.addresses', 'fdeb:446c:912d:09da::/64', 'ipv6.gateway', 'fdeb:446c:912d:09da::1', 'ipv6.route-metric', '95', 'ipv6.dns-priority', '-1400', 'ipv6.ignore-auto-dns', 'yes', 'ipv6.dns', '::1'], returncode=4, stdout=b'', stderr=b"Error: Failed to add 'pvpn-ipv6leak-protection' connection: Insufficient privileges.\n"). Raising exception.

This tells us that protonvpn-cli tried to run nmcli, which failed with Insufficient privileges.

The root cause is that the system does not allow protonvpn-cli to manipulate NetworkManager via D-Bus.

To fix this issue, we need to add a PolicyKit rule for NetworkManager.

As root, create a file named /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla with the following content:

[nm-applet]
Identity=unix-user:<your username>
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes

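Replace <your username> with your Linux username. Note that this rule covers every org.freedesktop.NetworkManager action for that user, and ResultAny=yes grants them in any session without an authentication prompt.

For multiple usernames: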

Identity=unix-user:<username1>;unix-user:<username2>
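
To see what this rule authorizes, the following added example (not part of the original post, ProtonVPN or polkit) parses the .pkla text and applies a simplified model of how the polkit local authority picks between ResultActive, ResultInactive and ResultAny. The username alice is a placeholder, the function names are hypothetical, and org.freedesktop.NetworkManager.settings.modify.system is a real NetworkManager action used here as sample input.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: the rule from this page, with "alice" as a placeholder user.
SAMPLE_PKLA = """\
[nm-applet]
Identity=unix-user:alice
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes
"""

def parse_pkla(text):
    """Parse .pkla key-file text into a list of rule dicts."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep key case: Identity, Action, ResultAny, ...
    cp.read_string(text)
    rules = []
    for name in cp.sections():
        sec = cp[name]
        rule = {k: sec.get(k) for k in ("ResultAny", "ResultInactive", "ResultActive")}
        rule["name"] = name
        # Identity and Action are semicolon-separated lists of globs.
        rule["identities"] = [g for g in sec.get("Identity", "").split(";") if g]
        rule["actions"] = [g for g in sec.get("Action", "").split(";") if g]
        rules.append(rule)
    return rules

def decide(rules, user, groups, action, local, active):
    """Simplified model (assumption): last matching rule wins for this session type."""
    who = ["unix-user:" + user] + ["unix-group:" + g for g in groups]
    key = "ResultActive" if local and active else "ResultInactive" if local else "ResultAny"
    result = None  # None means no rule applies; polkit falls back to the action's defaults
    for rule in rules:
        if (any(fnmatchcase(w, g) for w in who for g in rule["identities"])
                and any(fnmatchcase(action, g) for g in rule["actions"])
                and rule[key] is not None):
            result = rule[key]
    return result

def broad_grants(rules):
    """Names of rules that grant a wildcard action to sessions that are not local."""
    return [r["name"] for r in rules
            if r["ResultAny"] == "yes" and any("*" in a for a in r["actions"])]

if __name__ == "__main__":
    rules = parse_pkla(SAMPLE_PKLA)
    action = "org.freedesktop.NetworkManager.settings.modify.system"
    print("non-local session:", decide(rules, "alice", [], action, False, False))
    print("broad rules:", broad_grants(rules))
```

With the sample rule, a session that is not on a local console is allowed without authentication, while an inactive local session is refused.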

Check whether a PolicyKit authentication agent is installed:

# ls /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
ls: cannot access '/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1': No such file or directory

If the file does not exist, install it with apt-get install policykit-1-gnome:

# apt-get install policykit-1-gnome

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  policykit-1-gnome
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 68.2 kB of archives.
After this operation, 508 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 policykit-1-gnome amd64 0.105-7 [68.2 kB]
Fetched 68.2 kB in 0s (752 kB/s)
Selecting previously unselected package policykit-1-gnome.
(Reading database ... 133186 files and directories currently installed.)
Preparing to unpack .../policykit-1-gnome_0.105-7_amd64.deb ...
Unpacking policykit-1-gnome (0.105-7) ...
Setting up policykit-1-gnome (0.105-7) ...

If the policykit-1-gnome package does not exist, use apt-cache search PolicyKit Authentication Agent to find the correct package name:

# apt-cache search PolicyKit Authentication Agent
lxqt-policykit - LXQt authentication agent for PolicyKit
lxpolkit - LXDE PolicyKit authentication agent
mate-polkit - MATE authentication agent for PolicyKit-1
mate-polkit-bin - MATE authentication agent for PolicyKit-1 (executable wrapper script)
mate-polkit-common - MATE authentication agent for PolicyKit-1 (common files)
libpolkit-agent-1-0 - PolicyKit Authentication Agent API
libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
policykit-1-gnome - authentication agent for PolicyKit
polkit-kde-agent-1 - KDE dialogs for PolicyKit
ukui-polkit - UKUI authentication agent for PolicyKit-1

Then run protonvpn-cli connect again. You should be good to go, e.g.:

$ protonvpn-cli connect -r -p tcp
Setting up ProtonVPN.
Connecting to ProtonVPN on NL-FREE#1 with TCP.

Successfully connected to ProtonVPN.

$ nmcli connection show --active
NAME                      UUID                                  TYPE      DEVICE
proton0                   FC57AEA0-7F54-436B-AC7F-83442C021247  tun       proton0
ProtonVPN NL-FREE#1       B2D3B327-760B-41BA-94C3-9CB54E993E29  vpn       eth0
pvpn-ipv6leak-protection  9A8986CA-E98C-44FD-B06B-09E70ABD39B2  dummy     ipv6leakintrf0
Wired connection 1        1EBD7A5F-6D3E-47FE-AC12-B2846751D003  ethernet  eth0

Update: Alternative simpler solution

Angel (big thanks) pointed me to the Configuring the Network section of The Debian Administrator's Handbook:

To avoid having to manually connect or disconnect the corresponding network interfaces, administrators installed the network-manager package on these roaming machines. This software enables a user to easily switch from one network to another using a small icon displayed in the notification area of their graphical desktop. Clicking on this icon displays a list of available networks (both wired and wireless), so they can simply choose the network they wish to use. The program saves the configuration for the networks to which the user has already connected, and automatically switches to the best available network when the current connection drops.

In order to do this, the program is structured in two parts: a daemon running as root handles activation and configuration of network interfaces and a user interface controls this daemon. PolicyKit handles the required authorizations to control this program and Debian configured PolicyKit in such a way so that members of the netdev group can add or change Network Manager connections.

Based on this info:

  • PolicyKit handles the required authorizations to control this program and Debian configured PolicyKit in such a way so that members of the netdev group can add or change Network Manager connections.

That is, on Debian/Ubuntu, adding your user to the netdev group could also work (the new group membership applies from your next login):

$ sudo usermod -G netdev -a `whoami`
