-
Notifications
You must be signed in to change notification settings - Fork 140
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenVPN 3 Linux does not work with glib2-2.76 and newer (ArchLinux, Ubuntu 23+, Fedora 38+) #171
Comments
I see I would try to sort out the |
How is openvpn related to homed? |
That's the question. But there might be some dependency chains here which impacts the privilege drop in OpenVPN 3 Linux somewhere. Also, please increase the log levels a bit. As root, run these lines:
If you have used
Or add ensure you have This will enable a lot more debug details. |
Done. Also the user has enabled homed.
Typically the user starts with the command: Logs --since -5m
|
I'm puzzled your log is still quite scarce. So lets try to start these background services manually. You will need more terminals here. Ensure all the
You may swap out |
vpnLog.txt kernel: 6.2.6-arch1-1 Notable responses to starting the stack manually:
Also, I was unable to run the backend starter with a log file, the
For completion here is the output of trying to run the backend with the log file:
|
This one indicates that there is another process already holding that bus name (
Oh, sorry. It should be
This is a really odd issue. It begins to smell like the D-Bus policies are not properly installed. And this is probably the root cause of why you can't get the session started. Is it long time since you rebooted your system - in regards to when you installed/upgraded OpenVPN 3 Linux? |
I've restarted several times. I also have the program on several machines each with independent installs of arch (don't judge...). Openvpn seems to work with older kernels, though right now the certificate for the older kernel that I have available is expired, so I cannot install on my nth machine. Prior to this, my other machines were working fine, then the update and now they are all failing with the same error. I don't want to jump to saying it's a kernel bug though. I'll check busctl and report back This is the output of busctl with grep for vpn:
it looks like no vpn services are running. I ran a capture of the bus stream when trying to connect, but after ditching all of the private material there wasn't much too see. I don't know much about dbus policies. I'm looking into that, but I'm getting the same error on isolated systems, as well as the OP. Are these policies set with kernel updates? -- I performed several kernel rollbacks as well as installing different versions of openvpn via tags and still the same error. (These steps included system restarts as well) |
Okay, I'll try to install Arch somewhere and try it out myself. This is just too much surprising. |
Just a very quick update. I've been able to reproduce the issue on what I believe is a fairly up-to-date Arch installation. There is a crash in the |
I think glib2 2.76.0 (updated at 3/11) is not compatible with openvpn3. https://github.com/archlinux/svntogit-packages/commits/packages/glib2/trunk
|
Thanks, @isac322! This matches very well the same I see. Unfortunately debugging glib2 is painful, but needed now. |
Thank you all. I was able to get openvpn3 to work again by downgrading glib2 to 2.74.6. Will keep an eye on this thread. If there's anything I can do to help, I'm happy to. |
Thanks for all of the help. I'm going to point the Arch forum here to see if we can get some assistance with glib2 library. I really appreciate all the help! |
Downgrading to |
That seems odd. Can you please provide the output for EDIT: this is the wrong forum for troubleshooting the above. Please start a thread in the Arch Linux forums with the output of the above, and I'm sure someone with some more knowledge than me can help further. |
Oh, I'm sorry, that wasn't meant as an ask for troubleshooting, but as a warning to anyone who tries to downgrade to be prepared to restore the glib2 version in case that what happened to me, happens to them ;) |
There has been a change in glib in how a NULL The following patch, prevents the service client crashing, but connections don't get established, so it's not the whole story. I suspect that the use of contexts may need revisiting, but I have little knowledge of glib, so this could be a red herring. diff --git a/src/client/openvpn3-service-client.cpp b/src/client/openvpn3-service-client.cpp
index bff67ba..cfcf3ff 100644
--- a/src/client/openvpn3-service-client.cpp
+++ b/src/client/openvpn3-service-client.cpp
@@ -1689,8 +1689,12 @@ void start_client_thread(pid_t start_pid,
backend_service.DisableSocketProtect(disable_socket_protect);
backend_service.Setup();
+
// Main loop
- GMainLoop *main_loop = g_main_loop_new(NULL, FALSE);
+ GMainContext *client_context = g_main_context_new();
+ g_main_context_push_thread_default(client_context);
+
+ GMainLoop *main_loop = g_main_loop_new(client_context, FALSE);
g_unix_signal_add(SIGINT, stop_handler, main_loop);
g_unix_signal_add(SIGTERM, stop_handler, main_loop);
g_unix_signal_add(SIGHUP, stop_handler, main_loop);
@@ -1698,6 +1702,8 @@ void start_client_thread(pid_t start_pid,
g_main_loop_run(main_loop);
usleep(500);
g_main_loop_unref(main_loop);
+ g_main_context_pop_thread_default(client_context);
+ g_main_context_unref(client_context);
} |
Thank you so much, @sw1nn, for digging up these details! I will definitely dig into this and put this in the scope for the v21 release. When I have a fix available in the git tree, I will ensure this ticket gets updated! |
The downgrade works to be able to use OpenVPN. However, I get problems with Firefox (or other GTK applications). So it's only a temporary workaround. |
it is possible to downgrade glib2, connect the VPN, then upgrade glib2 back to the original version to allow other apps to run correctly. Obviously this is only practical if you are not starting and stopping the vpn a lot. FYI, I tried wrapping the invocations of the various OpenVPN dbus-services in a script that set LD_PRELOAD to point to a local copy of glib2.74.6, but this didn't work. I wonder if perhaps the problem is not actually in openvpn, but rather in dbus (perhaps caused by the way that OpenVPN call it). |
This is my approach so far. Only, unfortunately, I have to change VPNs very often, so of course this can't be a permanent state.
That's a good question ... which I can't answer, unfortunately. :) |
This week has been too busy to dig into this, but I'll try to do that next week. We need to fix the glib2 integration anyhow. |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
I can observe the same issue on Fedora 38 beta $ sudo dnf list --installed | grep glib2
geocode-glib2.x86_64 3.26.4-3.fc38 @updates-testing
glib2.i686 2.76.1-1.fc38 @fedora
glib2.x86_64 2.76.1-1.fc38 @fedora
glib2-devel.x86_64 2.76.1-1.fc38 @fedora
pulseaudio-libs-glib2.x86_64 16.1-4.fc38 @fedora |
I have the same issue here, and downgrading Glib2 as a temporary solution also works. I also found several people are moving from Openbox to Ice WM just because the Glib2 update made Openbox crash. Eg: https://allencch.wordpress.com/2023/03/20/switching-from-openbox-to-icewm/ |
The openvpn(not openvpn3) bin still works. I also ran into the same issue, i guess this for people who use the access server instead of core. |
In the last update tonight this was fixed. Not really sure which package did it, but I don't see the problem Dbus problem today. |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
New Dev packages for Ubuntu are available in my PPA at https://launchpad.net/~djpig/+archive/ubuntu/openvpn for Jammy (22.04), Mantic (23.10), and Noble (24.04). |
@flichtenheld - This works perfectly. However my issue is more about "knowing" this. The solution took 5 mins to implement, but 2 hours to find? Is there a way this can get baked into the original apt? |
@luke-hill What we have in the PPA is a development snapshot. We don't have a full release just yet. I am working hard to complete the migration of the last services and the command line tools. That's the requirement to do the final The reason is more obvious when you run Unfortunately, migrating the old code to the new one based on the GDBus++ framework has become a lot harder than anticipated in advance. On the positive side, 4 of 7 backend services has now been migrated and I'm fully into migrating the 5th service now. And I hope the migration of the command line tools will be fairly easy as most of the grunt work is hopefully already done. But if anyone is curious and want a challenge .... I'm open for more collaborators! The |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
Just a quick update on Fedora: I updated my machine to Fedora 40 and the copr dev builds are working like a charm. |
Thanks a lot, @detached! Such feedbacks are really valuable for us! |
Just a very little progress report ... The In parallel, the |
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
A little heads-up .... The The Update: Fedora Copr builds has completed successfully! |
New Dev packages for Ubuntu are available in my PPA at https://launchpad.net/~djpig/+archive/ubuntu/openvpn for Jammy (22.04), Mantic (23.10), and Noble (24.04). These include the migrated openvpn3-service-log. |
A quick report on the progress ... All the crucial components are now fully migrated to GDBus++. And it seems to behave well now. I've spend the last few days to also fix several bugs which appeared during more heavy testing. But there might be more bugs hiding. The only service not migrated is the AWS-VPC integration add-on. This will be migrated in a later release. The last few pieces now is basically to merge everything to As a teaser ....
|
Hi @dsommers Thanks for providing an update on this and for your work on the openvpn3 client for Linux; it is much appreciated. Cheers! |
We are wrapping up the The target distributions for The v22_dev release will go through some basic QA testing internally before we will finally announce the release. In the mean time, I will do some efforts to provide at least one more devsnapshot build and I hope @flichtenheld can provide an update to the PPA repository too. This will hopefully happen late this week or sometime next week. For those eager to build and test themselves ... The |
Hi! I've added a I hope it's helpful, and please don't hesitate to point out any problems you might be having using it! FWIW, I've also written a small local
|
Thank you! Compiled and installed without issue. Testing is solid. I did need to remove my preexisting openvpn3 files from the filesystem before install. One issue I ran into was that I imported another instance of my config (stupidly), and now I can't "undo" that because it gets confused that "More than one configuration profile was found with the given name", even if I try to dump that config. My workaround was to rename the profile on the filesystem, and then use that renamed config. Ideally, in another version, it'll just alert the user that the config is already imported. |
You can fix such issues by using the D-Bus path to the configuration. Each configuration profile has a unique path. To find the path currently, use the
That's a good idea! That's definitely something to implement in a later version. Thanks a lot for the feedback! |
Just another quick update. I wanted to provide some updated dev-snapshots, but I've not been able to do that this week. Our internal QA has started smoke testing and running some various automated tests against the current code base. And lots of small cruft and other minor improvements has been added and improved. A few issues in GDBus++ has also been fixed. Basically, the code is stabilising quite nicely now. I've just pushed out updated Also, lots of thanks to @rzvncj who provided the needed pieces to have GDBus++ packaged for Arch Linux - and it seems the |
Great to be able to help! Thanks! |
I've pushed out an updated devsnapshot build to Fedora Copr .... EPEL-8 and EPEL-9 plus Fedora 39+ are ready any minute now. This is the first devsnapshot build without any of the old v21 code being compiled. This is all from the latest git master and it provides everything the v21 release contained with one exception - the This will probably be the last devsnapshot build before the final If you have any issues, please file issues in the codeberg service. From the |
On Arch Linux, I found managing updates via commits to be a little tedious. I'd have to:
Not a huge lift, but I wanted to make life a little easier for myself, and I figured I'd share what I came up with to others here. Huge thanks to @rzvncj for the PKGBUILD. To make life easier for myself, I created this shell script and set it to executable, then put it in the same directory as my PKGBUILD: #!/usr/bin/sh
# Global Variables
DEVELOPER=OpenVPN # codeberg
PROJECT=openvpn3-linux # codeberg
LOCALPROJECT=openvpn3-linux-git # local project name
LOCALPATH=$HOME/git/$LOCALPROJECT # local project path
# Get the latest commit hash of the above project from Codeberg's API, and store that hash to the "latestCommit" variable.
latestCommit=$(curl --silent "https://codeberg.org/api/v1/repos/$DEVELOPER/$PROJECT/commits" | jq -r '.[0].sha[0:16]')
# Use grep to find out if the latestCommit is the same as what is in the PKGBUILD. Either way, store the grep response to the "grepResponse" variable.
grepResponse=$(grep "$latestCommit" $LOCALPATH/PKGBUILD | awk '{print $1}')
# If the commit hash returned by Codeberg's API matches what is in the PKGBUILD...
if [ "$grepResponse" == "pkgver=master_$latestCommit" ]; then
# Give the option to download the package anyway
echo -en "$PROJECT latest commit is the \033[38;0;32msame as current\033[0m.\nDo you still want to download it? (y/n): "
read toDownloadOrNotToDownload
# Convert toDownloadOrNotToDownload to lowercase to make evaluation simpler in the if statements, and store the converted value back into the toDownloadOrNotToDownload variable.
toDownloadOrNotToDownload=$(echo $toDownloadOrNotToDownload | tr '[:upper:]' '[:lower:]')
# If the choice is to download the package, download it, get the sha256sum, and echo some helpful information
if [ "$toDownloadOrNotToDownload" == "y" ]; then
archiveUrl=$(curl --silent -X 'GET' \
"https://codeberg.org/api/v1/repos/$DEVELOPER/$PROJECT/archive/$latestCommit.tar.gz" \
-H 'accept: application/octet-stream' --head | grep -i 'link' | sed -e 's/^[^<]*<//' -e 's/>.*$//')
wget -O "${LOCALPATH}/${PROJECT}_master_${latestCommit}.tar.gz" "$archiveUrl" > /dev/null 2>&1
sha256=$(sha256sum ${LOCALPATH}/${PROJECT}_master_${latestCommit}.tar.gz | awk '{print $1}')
echo -e "\nSHA256SUM of ${PROJECT}_master_${latestCommit}.tar.gz: \033[38;0;33m$sha256\033[0m\n\n\033[38;0;35m${PROJECT}_master_${latestCommit}.tar.gz\033[0m has been downloaded; delete it when you're done with it.\n"
# If the choice is to not download the package, dismiss the user.
elif [ "$toDownloadOrNotToDownload" == "n" ]; then
echo -e "\nOk, peace out.\n"
# Otherwise, dismiss the user in a friendly way.
else
echo -e "\nSorry, I didn't understand the response. Please try again.\n"
fi
# If the commit hash returned by Codeberg's API doesn't match what is in the PKGBUILD...
elif [ "$grepResponse" != "pkgver=master_$latestCommit" ]; then
# Return the new commit hash, and give the option to download it.
echo -en "Latest commit of $PROJECT is: \033[38;0;31mmaster_$latestCommit\033[0m\nDo you want to download it? (y/n): "
read toDownloadOrNotToDownload
# Convert toDownloadOrNotToDownload to lowercase to make evaluation simpler in the if statements, and store the converted value back into the toDownloadOrNotToDownload variable.
toDownloadOrNotToDownload=$(echo $toDownloadOrNotToDownload | tr '[:upper:]' '[:lower:]')
# If the choice is to download the package, download it, get and echo the sha256sum, delete the package, then open the PKGBUILD in Sublime Text.
if [ "$toDownloadOrNotToDownload" == "y" ]; then
archiveUrl=$(curl --silent -X 'GET' \
"https://codeberg.org/api/v1/repos/$DEVELOPER/$PROJECT/archive/$latestCommit.tar.gz" \
-H 'accept: application/octet-stream' --head | grep -i 'link' | sed -e 's/^[^<]*<//' -e 's/>.*$//')
wget -O "${LOCALPATH}/${PROJECT}_master_${latestCommit}.tar.gz" "$archiveUrl" > /dev/null 2>&1
sha256=$(sha256sum ${LOCALPATH}/${PROJECT}_master_${latestCommit}.tar.gz | awk '{print $1}')
echo -e "\nSHA256SUM of ${PROJECT}_master_${latestCommit}: \033[38;0;33m$sha256\033[0m\n"
# Update the pkgver in the PKGBUILD
sed -i "s/pkgver=.*/pkgver=master_$latestCommit/" $LOCALPATH/PKGBUILD
# Update the sha256sums in the PKGBUILD
# sed -i "s/sha256sums=.*/sha256sums=('$sha256')/" $LOCALPATH/PKGBUILD
# rm ${PROJECT}_master_${latestCommit}.tar.gz
subl $LOCALPATH/PKGBUILD
echo -e "Pop over and review the PKGBUILD in \033[38;0;32mSublime Text\033[0m.\n"
# If the choice is to not download the package, dismiss the user.
elif [ "$toDownloadOrNotToDownload" == "n" ]; then
echo -e "\nOk, peace out.\n"
# Otherwise, dismiss the user in a friendly way.
else
echo -e "\nSorry, I didn't understand the response. Please try again.\n"
fi
fi What this does is:
For me, this helps reduce steps. Hope it helps others - feel free to use a different editor if you want (nano, vim). This script depends on curl, wget, jq, grep, awk, sed, and sha256sum. Maybe this is overkill, or maybe it helps others :) |
That's great! I try to update the GDBus++ build as often as possible. You can always ping me (on GitHub, or on the AUR page) and I'll try to update it. :) |
Package: https://aur.archlinux.org/packages/openvpn3
ERROR Failed calling D-Bus method UserInputProvide: GDBus.Error:net.openvpn.v3.sessions.error: Backend VPN process has died. Session is no longer valid.
Tried to rollback to previous versions:
https://aur.archlinux.org/cgit/aur.git/commit/?h=openvpn3&id=92bc949acae50959fd7ac49b81e3c2bec2572a62
https://aur.archlinux.org/cgit/aur.git/commit/?h=openvpn3&id=575161a346fe326a8ab3ea7da6598b5e473acfd5
Got same error. Tried
systemctl enable systemd-resolved
. Nothing changed.sudo journalctl --since -30m SYSLOG_IDENTIFIER=net.openvpn.v3.log + SYSLOG_IDENTIFIER=openvpn3-service-logger + SYSLOG_IDENTIFIER=dbus + _SYSTEMD_UNIT=dbus.service + UNIT=dbus.service
Logs
logs.txt
### UPD: Temporary solution:
sudo downgrade 'glib2=2.74.6'
downgrade available on aur.
I don't recommend ignoring the glib2 upgrade and trying to upgrade the system afterwards.
UPD2: The discussion contains scripts to fix this problem on different linux distros(ex: for arch-based). I haven't been following this discussion for a long time since the problem is no longer relevant to me. Read from the end to find the solution.
The text was updated successfully, but these errors were encountered: