RSS

Troubleshooting ProtonVPN Linux cli EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface

protonvpn-cli connect report An unknown error has occured. Please ensure that you have internet connectivity. If the issue persists, please contact support. protonvpn-cli.log show error protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface protonvpn.log show Error: Failed to add ‘pvpn-ipv6leak-protection’ connection: Insufficient privileges.

Environment

Linux OS: Debian 10 Buster 64 bit (Fresh install with default options).

$ uname -a
Linux debian10 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64 GNU/Linux

$ protonvpn-cli -v

ProtonVPN CLI v3.8.0 (protonvpn-nm-lib v3.3.2; proton-client v0.5.1)

Symptom

After login success, try to connect and got an unknown error:

$ protonvpn-cli login <username>

Login successfully

$ protonvpn-cli connect
Setting up ProtonVPN.

An unknown error has occured. Please ensure that you have internet connectivity.
If the issue persists, please contact support.

Troubleshooting

First use following command to view logs:

$ protonvpn-cli --get-logs

You can also view log files manually. logs store at ~/.cache/protonvpn/logs/:

$ ls ~/.cache/protonvpn/logs/
network_manager.service.log
protonvpn-cli.log
protonvpn-daemon.log
protonvpn-dbus-wrapper.log
protonvpn.log
protonvpn_reconnect.service.log

protonvpn-cli.log show following error:

cli_wrapper.py — ERROR — connect:243 — Unable to add IPv6 leak protection connection/interface
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/protonvpn_cli/cli_wrapper.py", line 160, in connect
    protocol=protocol
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/api.py", line 145, in setup_connection
    self._env.connection_backend.setup(**data)
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/connection_backend/nm_client/nm_client.py", line 81, in setup
    self._pre_setup_connection(kwargs.get("entry_ip"))
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/connection_backend/nm_client/nm_client.py", line 223, in _pre_setup_connection
    ipv6_lp.manage(KillSwitchActionEnum.ENABLE)
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 62, in manage
    self.add_leak_protection()
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 103, in add_leak_protection
    subprocess_command
  File "/usr/lib/python3/dist-packages/protonvpn_nm_lib/core/killswitch/ipv6_leak_protection.py", line 178, in run_subprocess
    raise exception(exception_msg)
protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError: Unable to add IPv6 leak protection connection/interface

Continue check protonvpn.log show following error:

ipv6_leak_protection.py — INFO — add_leak_protection:75 — Adding IPv6 leak protection
ipv6_leak_protection.py — INFO — manage:54 — Manage IPV6: KillSwitchActionEnum.DISABLE
ipv6_leak_protection.py — INFO — get_status_connectivity_check:260 — Conn check available (0) - Conn check enabled (0)
ipv6_leak_protection.py — INFO — update_connection_status:219 — IPv6 status: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — INFO — remove_leak_protection:108 — Removing IPv6 leak protection
ipv6_leak_protection.py — INFO — update_connection_status:219 — IPv6 status: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — ERROR — run_subprocess:169 — Interface state tracker: {'pvpn-ipv6leak-protection': {<KillSwitchInterfaceTrackerEnum.EXISTS: 0>: False, <KillSwitchInterfaceTrackerEnum.IS_RUNNING: 1>: False}}
ipv6_leak_protection.py — ERROR — run_subprocess:175 — <class 'protonvpn_nm_lib.exceptions.EnableIPv6LeakProtectionError'>: CompletedProcess(args=['/usr/bin/nmcli', 'c', 'a', 'type', 'dummy', 'ifname', 'ipv6leakintrf0', 'con-name', 'pvpn-ipv6leak-protection', 'ipv6.method', 'manual', 'ipv6.addresses', 'fdeb:446c:912d:09da::/64', 'ipv6.gateway', 'fdeb:446c:912d:09da::1', 'ipv6.route-metric', '95', 'ipv6.dns-priority', '-1400', 'ipv6.ignore-auto-dns', 'yes', 'ipv6.dns', '::1'], returncode=4, stdout=b'', stderr=b"Error: Failed to add 'pvpn-ipv6leak-protection' connection: Insufficient privileges.\n"). Raising exception.

This tells us protonvpn-cli try to run nmcli but failed with Insufficient privileges.

The root cause is system not allowing the protonvpn-cli to manipulate NetworkManager via dbus.

To fix this issue, we need add a PolicyKit rule for the NetworkManager.

Use root to create a file name /etc/polkit-1/localauthority/50-local.d/org.freedesktop.NetworkManager.pkla, the content as below:

[nm-applet]
Identity=unix-user:<your username>
Action=org.freedesktop.NetworkManager.*
ResultAny=yes
ResultInactive=no
ResultActive=yes

Replace <your username> with your Linux username.

For multiple username:

Identity=unix-user:<username1>;unix-user:<username2>

Check PolicyKit Authentication Agent exist or not:

# ls /usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1
ls: cannot access '/usr/lib/policykit-1-gnome/polkit-gnome-authentication-agent-1': No such file or directory

If file does not exist, install it by apt-get install policykit-1-gnome:

# apt-get install policykit-1-gnome

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  policykit-1-gnome
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 68.2 kB of archives.
After this operation, 508 kB of additional disk space will be used.
Get:1 http://deb.debian.org/debian buster/main amd64 policykit-1-gnome amd64 0.105-7 [68.2 kB]
Fetched 68.2 kB in 0s (752 kB/s)
Selecting previously unselected package policykit-1-gnome.
(Reading database ... 133186 files and directories currently installed.)
Preparing to unpack .../policykit-1-gnome_0.105-7_amd64.deb ...
Unpacking policykit-1-gnome (0.105-7) ...
Setting up policykit-1-gnome (0.105-7) ...

If policykit-1-gnome does not exist, try to use apt-cache search PolicyKit Authentication Agent to get correct package name:

# apt-cache search PolicyKit Authentication Agent
lxqt-policykit - LXQt authentication agent for PolicyKit
lxpolkit - LXDE PolicyKit authentication agent
mate-polkit - MATE authentication agent for PolicyKit-1
mate-polkit-bin - MATE authentication agent for PolicyKit-1 (executable wrapper script)
mate-polkit-common - MATE authentication agent for PolicyKit-1 (common files)
libpolkit-agent-1-0 - PolicyKit Authentication Agent API
libpolkit-agent-1-dev - PolicyKit Authentication Agent API - development files
policykit-1-gnome - authentication agent for PolicyKit
polkit-kde-agent-1 - KDE dialogs for PolicyKit
ukui-polkit - UKUI authentication agent for PolicyKit-1

Then try to run protonvpn-cli connect again. You should be good to go, e.g.:

$ protonvpn-cli connect -r -p tcp
Setting up ProtonVPN.
Connecting to ProtonVPN on NL-FREE#1 with TCP.

Successfully connected to ProtonVPN.

$ nmcli connection show --active
NAME                      UUID                                  TYPE      DEVICE
proton0                   FC57AEA0-7F54-436B-AC7F-83442C021247  tun       proton0
ProtonVPN NL-FREE#1       B2D3B327-760B-41BA-94C3-9CB54E993E29  vpn       eth0
pvpn-ipv6leak-protection  9A8986CA-E98C-44FD-B06B-09E70ABD39B2  dummy     ipv6leakintrf0
Wired connection 1        1EBD7A5F-6D3E-47FE-AC12-B2846751D003  ethernet  eth0

References