Rebooting XFCE while connected to VPN

Hi all, not sure where to begin looking into this. I had Dragonized installed on an external HD for a while, which I was booting from on my Lenovo laptop. If I was connected to a VPN when I rebooted or shut down, then when I logged back in again, the wifi connected and reconnected the VPN when I logged in and everything was fine.

I recently installed Garuda XFCE onto the internal HD since the laptop really can't support Dragonized well and I needed a lightweight OS. It's working GREAT! However, when I reboot while still connected to a VPN (I have a WireGuard VPN set up to route traffic to my Pi-hole for ad/tracker blocking), after logging back in, it shows I'm connected to the wifi (can confirm device appears connected on router) and the little wifi icon shows the lock to indicate the VPN is active, but I actually have NO internet access until I toggle the VPN connection off, then back on, and then everything works fine.

Any ideas on where I should start looking? I'd be perfectly ok if the vpn didn't connect automatically on login (although that behavior IS preferred) and I'd have to manually connect.

Here's my garuda-inxi just in case
System:
  Kernel: 5.19.12-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 12.2.0
    parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen root=UUID=26e615d1-03fd-4e35-ad50-291b9741281a
    rw rootflags=subvol=@ quiet quiet splash rd.udev.log_priority=3 vt.global_cursor_default=0
    resume=UUID=43ba501a-f3d1-444f-a6cc-3a08d6139da2 loglevel=3 sysrq_always_enabled=1
  Console: pty pts/0 DM: LightDM v: 1.32.0 Distro: Garuda Linux base: Arch Linux
Machine:
  Type: Laptop System: LENOVO product: 20175 v: Lenovo IdeaPad Yoga 13 serial: <filter> Chassis:
    type: 10 v: Lenovo IdeaPad Yoga 13 serial: <filter>
  Mobo: LENOVO model: INVALID v: 31900003WIN8 STD MLT serial: <filter> UEFI: LENOVO v: 66CN55WW
    date: 02/28/2013
Battery:
  ID-1: BAT1 charge: 38.4 Wh (100.0%) condition: 38.4/49.3 Wh (78.0%) volts: 16.2 min: 14.8
    model: Lenovo IdeaPad Mocca2 type: Unknown serial: <filter> status: full
CPU:
  Info: model: Intel Core i7-3537U socket: rPGA988B (U3E1) note: check bits: 64 type: MT MCP
    arch: Ivy Bridge gen: core 3 level: v3 built: 2012-15 process: Intel 22nm family: 6
    model-id: 0x3A (58) stepping: 9 microcode: 0x21
  Topology: cpus: 1x cores: 2 tpc: 2 threads: 4 smt: enabled cache: L1: 128 KiB desc: d-2x32
    KiB; i-2x32 KiB L2: 512 KiB desc: 2x256 KiB L3: 4 MiB desc: 1x4 MiB
  Speed (MHz): avg: 1530 high: 2464 min/max: 800/3100 base/boost: 1900/4000 scaling:
    driver: intel_cpufreq governor: performance volts: 0.8 V ext-clock: 100 MHz cores: 1: 1368
    2: 1158 3: 1133 4: 2464 bogomips: 19954
  Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
  Vulnerabilities:
  Type: itlb_multihit status: KVM: VMX disabled
  Type: l1tf mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
  Type: mds mitigation: Clear CPU buffers; SMT vulnerable
  Type: meltdown mitigation: PTI
  Type: mmio_stale_data status: Unknown: No mitigations
  Type: retbleed status: Not affected
  Type: spec_store_bypass mitigation: Speculative Store Bypass disabled via prctl
  Type: spectre_v1 mitigation: usercopy/swapgs barriers and __user pointer sanitization
  Type: spectre_v2 mitigation: Retpolines, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB
    filling, PBRSB-eIBRS: Not affected
  Type: srbds status: Vulnerable: No microcode
  Type: tsx_async_abort status: Not affected
Graphics:
  Device-1: Intel 3rd Gen Core processor Graphics vendor: Lenovo driver: i915 v: kernel
    arch: Gen-7 process: Intel 22nm built: 2012-13 ports: active: LVDS-1 empty: DP-1,HDMI-A-1,VGA-1
    bus-ID: 00:02.0 chip-ID: 8086:0166 class-ID: 0300
  Device-2: Chicony Lenovo EasyCamera type: USB driver: uvcvideo bus-ID: 2-1.7:4
    chip-ID: 04f2:b322 class-ID: 0e02
  Display: x11 server: X.org v: 1.21.1.4 compositor: xfwm driver: X: loaded: modesetting
    alternate: fbdev,intel,vesa gpu: i915 tty: 120x30
  Monitor-1: LVDS-1 model: LG Display 0x0360 built: 2011 res: 1600x900 dpi: 138 gamma: 1.2
    size: 294x166mm (11.57x6.54") diag: 338mm (13.3") ratio: 16:9 modes: 1600x900
  Message: Unable to show GL data. Required tool glxinfo missing.
Audio:
  Device-1: Intel 7 Series/C216 Family High Definition Audio vendor: Lenovo driver: snd_hda_intel
    v: kernel bus-ID: 00:1b.0 chip-ID: 8086:1e20 class-ID: 0403
  Sound Server-1: ALSA v: k5.19.12-zen1-1-zen running: yes
  Sound Server-2: PulseAudio v: 16.1 running: no
  Sound Server-3: PipeWire v: 0.3.58 running: yes
Network:
  Message: No PCI device data found.
  IF-ID-1: br-a572650f76ea state: down mac: <filter>
  IF-ID-2: br-c3bb553f7f14 state: up speed: 10000 Mbps duplex: unknown mac: <filter>
  IF-ID-3: docker0 state: down mac: <filter>
  IF-ID-4: veth52b23cc state: up speed: 10000 Mbps duplex: full mac: <filter>
  IF-ID-5: wlp0s26u1u4i2 state: up mac: <filter>
Bluetooth:
  Device-1: Realtek RTL8723AU 802.11n WLAN Adapter type: USB driver: btusb,rtl8723au
    bus-ID: 1-1.4:5 chip-ID: 0bda:1724 class-ID: e001 serial: <filter>
  Report: bt-adapter ID: hci0 rfk-id: 0 state: up address: <filter>
Drives:
  Local Storage: total: 238.47 GiB used: 26.37 GiB (11.1%)
  SMART Message: Required tool smartctl not installed. Check --recommends
  ID-1: /dev/sda maj-min: 8:0 vendor: Samsung model: MZMTD256HAGM-000L1 size: 238.47 GiB
    block-size: physical: 512 B logical: 512 B speed: 3.0 Gb/s type: SSD serial: <filter> rev: 2L0Q
    scheme: GPT
Partition:
  ID-1: / raw-size: 229.37 GiB size: 229.37 GiB (100.00%) used: 26.36 GiB (11.5%) fs: btrfs
    block-size: 4096 B dev: /dev/sda2 maj-min: 8:2
  ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%) used: 608 KiB (0.2%) fs: vfat
    block-size: 512 B dev: /dev/sda1 maj-min: 8:1
  ID-3: /home raw-size: 229.37 GiB size: 229.37 GiB (100.00%) used: 26.36 GiB (11.5%) fs: btrfs
    block-size: 4096 B dev: /dev/sda2 maj-min: 8:2
  ID-4: /var/log raw-size: 229.37 GiB size: 229.37 GiB (100.00%) used: 26.36 GiB (11.5%)
    fs: btrfs block-size: 4096 B dev: /dev/sda2 maj-min: 8:2
  ID-5: /var/tmp raw-size: 229.37 GiB size: 229.37 GiB (100.00%) used: 26.36 GiB (11.5%)
    fs: btrfs block-size: 4096 B dev: /dev/sda2 maj-min: 8:2
Swap:
  Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default)
  ID-1: swap-1 type: zram size: 7.64 GiB used: 2 MiB (0.0%) priority: 100 dev: /dev/zram0
  ID-2: swap-2 type: partition size: 8.8 GiB used: 0 KiB (0.0%) priority: -2 dev: /dev/sda3
    maj-min: 8:3
Sensors:
  System Temperatures: cpu: 57.0 C mobo: N/A
  Fan Speeds (RPM): N/A
Info:
  Processes: 239 Uptime: 1h 29m wakeups: 1 Memory: 7.64 GiB used: 1.67 GiB (21.8%) Init: systemd
  v: 251 default: graphical tool: systemctl Compilers: gcc: 12.2.0 Packages: pm: pacman
  pkgs: 1507 libs: 364 tools: octopi,paru Shell: garuda-inxi (sudo) default: Bash v: 5.1.16
  running-in: pty pts/0 (SSH) inxi: 3.3.21
Garuda (2.6.8-1):
  System install date:     2022-09-26
  Last full system update: 2022-09-29
  Is partially upgraded:   No
  Relevant software:       NetworkManager
  Windows dual boot:       No/Undetected
  Snapshots:               Snapper
  Failed units:

Thanks in advance!

What is your method for connecting to the VPN?

XFCE's network manager. I think I figured it out, on the General tab, I've unchecked "Connect automatically with priority" and 0 was the default value. If I set it to 1 or 2, will it wait for the Wifi to connect first, then authenticate via the vpn?

So, I found somewhere that the connection priority is highest value first, then works its way down, so I set my WiFi to 2 and the Wireguard connection to 0, but that didn't work either, so I have to disable connect automatically with priority altogether for it not to connect to the VPN at startup....would love to have this work and connect once the wifi authenticates if anyone knows how to tell it to do this LOL

You could set up a wg-quick service, as described here: WireGuard - ArchWiki

It looks like setting up WireGuard in the first place is the most painful part of the process and you've already managed that. You can copy your existing configuration with the showconf command.

sudo sh -c 'umask 077; wg showconf wg0 > /etc/wireguard/wg0.conf'

Obviously change wg0 to whatever your interface is. Then enable the service so it starts on its own at boot (again, change wg0 if needed).

sudo systemctl enable --now wg-quick@wg0.service

That's pretty much it! That should start your WireGuard tunnel automatically at boot, once your network is up.

3 Likes
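As an added example (not from the thread or the ArchWiki): `wg showconf` prints only the keys that wg(8) itself understands, so a file produced this way has no wg-quick-only `Address` or `DNS` lines. The script below lints a config for those keys, the basic peer fields and the file permissions before the service is enabled; the function names and all sample values are constructed for illustration.

```shell
# Added example: lint a wg-quick config before enabling wg-quick@<iface>.service.
# Function names and every sample value here are constructed for illustration.

# has_key FILE SECTION KEY: succeeds if KEY is assigned inside [SECTION].
has_key() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t\r]/, ""); insec = (tolower($0) == tolower(sec)); next }
        insec { split($0, kv, "="); gsub(/[ \t]/, "", kv[1])
                if (tolower(kv[1]) == tolower(key)) found = 1 }
        END { exit !found }' "$1"
}

# check_wgquick_conf FILE: prints findings, returns the number of errors.
check_wgquick_conf() {
    conf=$1; errors=0
    [ -r "$conf" ] || { echo "ERROR: cannot read $conf"; return 1; }
    # The file stores PrivateKey/PresharedKey: no group or other access.
    if [ "$(ls -ld "$conf" | cut -c5-10)" != "------" ]; then
        echo "ERROR: $conf is accessible to group/other (chmod 600)"
        errors=$((errors + 1))
    fi
    # wg(8) keys, which "wg showconf" emits when they are set on the interface.
    for pair in Interface:PrivateKey Peer:PublicKey Peer:AllowedIPs Peer:Endpoint; do
        has_key "$conf" "${pair%%:*}" "${pair#*:}" && continue
        echo "ERROR: [${pair%%:*}] ${pair#*:} is missing"
        errors=$((errors + 1))
    done
    # wg-quick-only keys: "wg showconf" never prints these.
    if ! has_key "$conf" Interface Address; then
        echo "ERROR: [Interface] Address is missing (tunnel gets no IP)"
        errors=$((errors + 1))
    fi
    has_key "$conf" Interface DNS ||
        echo "WARN: [Interface] DNS is missing (resolver stays unchanged)"
    return "$errors"
}

# Demo on a constructed file shaped like "wg showconf" output.
demo=$(mktemp)    # mktemp creates the file with owner-only permissions
cat > "$demo" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PRIVATE_KEY_PLACEHOLDER=
[Peer]
PublicKey = CONSTRUCTED_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
EOF
check_wgquick_conf "$demo" || echo "$? error(s) found"
rm -f "$demo"
```

The peer checks pass if any `[Peer]` section carries the key, so a multi-peer file still needs a manual read.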

This sounds odd but try it: set the priority for auto-connect to -100. :slight_smile:

I'm gonna give this a shot and see if it helps! Thanks!

Update: ssssoooo, not really sure why, but it totally didn't work. The /etc/wireguard/wg0.conf file is exactly the same as the manually added wireguard client details in Network Manager.

And systemctl status wg-quick@wg0.service showed that it's active and running with no issue, however, it did not install the client properly. It did show up in the Network Manager so when I tried pinging google.com or accessing anything on the internet, it all timed out. So, I manually had to re-configure the client details (peer information was missing like preshared key, allowed IPs, endpoint, etc) and I can manually click on it in the gui interface, but using the service, it doesn't work at all.

Does your VPN provider also provide an "anti-tracker" feature? Aka custom encrypted passive DNS servers. I personally only use and vouch for ivpn.net, they have logless, audited, passive DNS servers and one of the most helpful and responsive support teams I've ever encountered from any IT company. (They also arguably are the most up-to-date, most audited without fail, logless (as in, logs aren't disabled, there are no logging daemons at all on any servers, sans a local diagnostics log you can opt in for troubleshooting/debugging), they also allow no-private information, you can even mail them cash to create an account ID.)

Ok sorry for the ramble, but something that happened to me was I had my Ubiquiti Dream Machine Pro (UDP) set to a different private DNS company, and for some reason, the way the UDP handled the DNS overwrite in Garuda would cause my internet to only work when I connected to the VPN service; until I changed the DHCP DNS to ivpn's own free passive DNS server.

Once you get DNS MiTM it becomes your biggest fear :frowning:
