VPN issues with Ubuntu 16.04

Question

Weirdly, I seem to be able to connect successfully to the VPN, but then all requests just timeout (things were fine in 14.04 before upgrading)

   NetworkManager[26605]: <info>  [1475104045.6096] audit: op="connection-activate" uuid="f3e592de-b14e-4775-8950-cdedac3b5a28" name="AirVPN_United-Kingdom_UDP-443" pid=2156 uid=1000 result="success"
   NetworkManager[26605]: <info>  [1475104045.6166] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",0]: Started the VPN service, PID 4493
   NetworkManager[26605]: <info>  [1475104045.6237] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",0]: Saw the service appear; activating connection
   NetworkManager[26605]: nm-openvpn-Message: openvpn[4496] started
   NetworkManager[26605]: <info>  [1475104045.6310] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",0]: VPN plugin: state changed: starting (3)
   NetworkManager[26605]: <info>  [1475104045.6313] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",0]: VPN connection: (ConnectInteractive) reply received
   nm-openvpn[4496]: OpenVPN 2.3.10 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [EPOLL] [PKCS11] [MH] [IPv6] built on Feb  2 2016
   nm-openvpn[4496]: library versions: OpenSSL 1.0.2g  1 Mar 2016, LZO 2.08
   nm-openvpn[4496]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
   nm-openvpn[4496]: Control Channel Authentication: using '/home/lee/.cert/nm-openvpn/AirVPN_United-Kingdom_UDP-443-tls-auth.pem' as a OpenVPN static key file
   nm-openvpn[4496]: NOTE: chroot will be delayed because of --client, --pull, or --up-delay
   nm-openvpn[4496]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
   nm-openvpn[4496]: UDPv4 link local: [undef]
   nm-openvpn[4496]: UDPv4 link remote: [AF_INET]185.103.96.133:443
   nm-openvpn[4496]: WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1557', remote='link-mtu 1558'
   nm-openvpn[4496]: WARNING: 'comp-lzo' is present in remote config but missing in local config, remote='comp-lzo'
   nm-openvpn[4496]: [server] Peer Connection Initiated with [AF_INET]185.103.96.133:443
   nm-openvpn[4496]: TUN/TAP device tun0 opened
   nm-openvpn[4496]: /usr/lib/NetworkManager/nm-openvpn-service-openvpn-helper --bus-name org.freedesktop.NetworkManager.openvpn.Connection_5 --tun -- tun0 1500 1557 10.4.9.184 255.255.0.0 init
   NetworkManager[26605]: <info>  [1475104048.1017] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/5)
   NetworkManager[26605]: <info>  [1475104048.1177] devices added (path: /sys/devices/virtual/net/tun0, iface: tun0)
   NetworkManager[26605]: <info>  [1475104048.1178] device added (path: /sys/devices/virtual/net/tun0, iface: tun0): no ifupdown configuration found.
   NetworkManager[26605]: <info>  [1475104048.1261] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",0]: VPN connection: (IP Config Get) reply received.
   nm-openvpn[4496]: chroot to '/var/lib/openvpn/chroot' and cd to '/' succeeded
   nm-openvpn[4496]: GID set to nm-openvpn
   NetworkManager[26605]: <info>  [1475104048.1346] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: VPN connection: (IP4 Config Get) reply received
   nm-openvpn[4496]: UID set to nm-openvpn
   NetworkManager[26605]: <info>  [1475104048.1359] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data: VPN Gateway: 185.103.96.133
   nm-openvpn[4496]: Initialization Sequence Completed
   NetworkManager[26605]: <info>  [1475104048.1359] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data: Tunnel Device: tun0
   NetworkManager[26605]: <info>  [1475104048.1359] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data: IPv4 configuration:
   NetworkManager[26605]: <info>  [1475104048.1360] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data:   Internal Gateway: 10.4.0.1
   NetworkManager[26605]: <info>  [1475104048.1360] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data:   Internal Address: 10.4.9.184
   NetworkManager[26605]: <info>  [1475104048.1360] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data:   Internal Prefix: 16
   NetworkManager[26605]: <info>  [1475104048.1361] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data:   Internal Point-to-Point Address: 10.4.9.184
   NetworkManager[26605]: <info>  [1475104048.1361] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data:   Maximum Segment Size (MSS): 0
   NetworkManager[26605]: <info>  [1475104048.1361] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data:   Forbid Default Route: no
   NetworkManager[26605]: <info>  [1475104048.1361] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data:   Internal DNS: 10.4.0.1
   NetworkManager[26605]: <info>  [1475104048.1362] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data:   DNS Domain: '(none)'
   NetworkManager[26605]: <info>  [1475104048.1362] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: Data: No IPv6 configuration
   NetworkManager[26605]: <info>  [1475104048.1362] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: VPN plugin: state changed: started (4)
   NetworkManager[26605]: <info>  [1475104048.1387] vpn-connection[0x19f55c0,f3e592de-b14e-4775-8950-cdedac3b5a28,"AirVPN_United-Kingdom_UDP-443",7:(tun0)]: VPN connection: (IP Config Get) complete
   NetworkManager[26605]: <info>  [1475104048.1392] device (tun0): state change: unmanaged -> unavailable (reason 'connection-assumed') [10 20 41]
   NetworkManager[26605]: <info>  [1475104048.1500] manager: NetworkManager state is now CONNECTED_LOCAL
   NetworkManager[26605]: <info>  [1475104048.1502] manager: NetworkManager state is now CONNECTED_GLOBAL
   NetworkManager[26605]: <info>  [1475104048.1505] dns-mgr: Writing DNS information to /sbin/resolvconf
   dnsmasq[26678]: setting upstream servers from DBus
   dnsmasq[26678]: using nameserver 10.4.0.1#53
   dbus[804]: [system] Activating via systemd: service name='org.freedesktop.nm_dispatcher' unit='dbus-org.freedesktop.nm-dispatcher.service'
   NetworkManager[26605]: <info>  [1475104048.1769] keyfile: add connection in-memory (40a6043d-7871-4195-8e3e-d7ea59e00877,"tun0")
   NetworkManager[26605]: <info>  [1475104048.1786] device (tun0): state change: unavailable -> disconnected (reason 'connection-assumed') [20 30 41]
   NetworkManager[26605]: <info>  [1475104048.1852] device (tun0): Activation: starting connection 'tun0' (40a6043d-7871-4195-8e3e-d7ea59e00877)
   NetworkManager[26605]: <info>  [1475104048.1890] device (tun0): state change: disconnected -> prepare (reason 'none') [30 40 0]
   NetworkManager[26605]: <info>  [1475104048.1894] device (tun0): state change: prepare -> config (reason 'none') [40 50 0]
   NetworkManager[26605]: <info>  [1475104048.1897] device (tun0): state change: config -> ip-config (reason 'none') [50 70 0]
   NetworkManager[26605]: <info>  [1475104048.1901] device (tun0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
   NetworkManager[26605]: <info>  [1475104048.1904] device (tun0): state change: ip-check -> secondaries (reason 'none') [80 90 0]
   NetworkManager[26605]: <info>  [1475104048.1907] device (tun0): state change: secondaries -> activated (reason 'none') [90 100 0]
   NetworkManager[26605]: <info>  [1475104048.1935] manager: NetworkManager state is now CONNECTED_LOCAL
   NetworkManager[26605]: <info>  [1475104048.1936] manager: NetworkManager state is now CONNECTED_GLOBAL
   NetworkManager[26605]: <info>  [1475104048.1937] policy: set 'tun0' (tun0) as default for IPv4 routing and DNS
   NetworkManager[26605]: <info>  [1475104048.1938] device (tun0): Activation: successful, device activated.
   systemd[1]: Starting Network Manager Script Dispatcher Service...
   dbus[804]: [system] Successfully activated service 'org.freedesktop.nm_dispatcher'
   systemd[1]: Started Network Manager Script Dispatcher Service.
   nm-dispatcher: req:1 'vpn-up' [tun0]: new request (2 scripts)
   nm-dispatcher: req:1 'vpn-up' [tun0]: start running ordered scripts...
   nm-dispatcher: req:2 'up' [tun0]: new request (2 scripts)
   wpa_supplicant[1266]: wlp4s0: Failed to initiate sched scan
   nm-openvpn[4496]: write to TUN/TAP : Invalid argument (code=22)
   nm-dispatcher: req:2 'up' [tun0]: start running ordered scripts...
   whoopsie[881]: [] Cannot reach: https://daisy.ubuntu.com
   whoopsie[881]: [] offline
   whoopsie[881]: [] The default IPv4 route is: /org/freedesktop/NetworkManager/ActiveConnection/6
   whoopsie[881]: [] Network connection may be a paid data plan: /org/freedesktop/NetworkManager/Devices/5
   whoopsie[881]: [] The default IPv4 route is: /org/freedesktop/NetworkManager/ActiveConnection/6
   whoopsie[881]: [] Network connection may be a paid data plan: /org/freedesktop/NetworkManager/Devices/5
   nm-openvpn[4496]: write to TUN/TAP : Invalid argument (code=22)

This is an AirVPN vpn and the ovpn file was generated via their config generator for linux selecting UK country and UDP (the same config works fine on my android phone openvpn). I tried with a work VPN ovpn file and it was a similar story.

I've already installed network-manager-openvpn and network-manager-openvpn-gnome

Also ifconfig shows:

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          inet addr:10.4.16.251  P-t-P:10.4.16.251  Mask:255.255.0.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:35 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:1860 (1.8 KB)

iptables flushed:

[ root@myhostname: /home/lee ]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

route -n (without VPN):

[ root@myhostname: ~ ]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp3s0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp3s0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp3s0

route -n (with VPN):

[ root@myhostname: ~ ]# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.4.0.1        0.0.0.0         UG    50     0        0 tun0
0.0.0.0         192.168.0.1     0.0.0.0         UG    100    0        0 enp3s0
10.4.0.0        0.0.0.0         255.255.0.0     U     50     0        0 tun0
169.254.0.0     0.0.0.0         255.255.0.0     U     1000   0        0 enp3s0
185.103.96.130  192.168.0.1     255.255.255.255 UGH   100    0        0 enp3s0
192.168.0.0     0.0.0.0         255.255.255.0   U     100    0        0 enp3s0

The AirVPN ovpn looks like (I removed on the crts and keys at end):

# --------------------------------------------------------
# Air VPN | https://airvpn.org | Wednesday 28th of September 2016 11:02:52 PM
# OpenVPN Client Configuration.
# AirVPN_United-Kingdom_UDP-443
# --------------------------------------------------------

client
dev tun
proto udp
remote gb.vpn.airdns.org 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-CBC
comp-lzo no
route-delay 5
verb 3
explicit-exit-notify 5

EDIT: I found that if I change the config so comp-lzo is enabled (or use LZO data compression in Network Manager settings) things work. I'm not sure exactly why this was the problem, and why this departure from the settings AirVPN auto generated are necessary on 16.04.

Answer 1

What is "comp-lzo" anyway?

Well according to OpenVPN's website:

Use fast LZO compression -- may add up to 1 byte per packet for incompressible data.

But that doesn't really cut it, so lets start with the name "LZO Compression"...

Lempel–Ziv–Oberhumer, sensibly abbreviated to LZO...

... Is a compression algorithm that remains to this day particularly fast, especially at decompressing data - which makes it ideal for a VPN system where many small data packets can be sent often.

So whats the point of using compression...?

Enabling compression is simply a tradeoff - you reduce your connection speed by a tiny fraction and use slightly more processing power, but in return take up less bandwidth. Naturally some server provides use it to allow more users to connect simultaneously for a given bandwidth.

Okay, so what was the problem here/why do I need it enabled?

Put simply, if a client doesn't send compressed packets to a server that is expecting them, the server will see this as an error and refuse to proceed - likewise if a server is expecting uncompressed data and receives it compressed, it won't understand the request being made and will simply drop it.

If you're wondering why servers and clients aren't just programmed to automatically detect and deal with compression, I suspect its optimisation - auditing every single data packet for compression would slow down everything, so letting the user manually specify the system is most efficient, if less resilient to good old human error.

I suspect AirVPN changed this setting recently but didn't modify the config making tool!