A few quick follow-up thoughts from my original review. First, problems I haven’t solved yet:
- I forgot an important problem in my first blog: email. Evolution is borderline unusable with PIA. My personal GMail account usually works reliably, but my Google Apps school GMail account (which you’d think would function the same) and my Igalia email both time out with the error “Source doesn’t support prompt for credentials”. That’s Evolution’s generic error that it throws up whenever the mail server is taking too long to respond. So what’s going on here? I can check my email via webmail as a workaround in the meantime, but this is really terrible.
- Still no solution for the first attempt to connect always failing. That’s really annoying! I was expecting some insight (or at least guesses) as to what might be going wrong here, but nobody has suggested anything about this yet. Update: The problem is that I had selected “Make available to other users” but “Store the password only for this user”, which results in the first attempt to connect always failing, because it’s performed by the gdm user. The fix is to store the password for all users.
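An added example, not from the original post: a check for the mismatch described in the update above, run over the text of a NetworkManager keyfile profile. It assumes the two dialog options correspond to an empty `permissions` key in `[connection]` (available to all users) and a `*-flags` value with the agent-owned bit (0x1) in `[vpn]` (secret kept by one user's keyring); the sample profiles and the function name are constructed for illustration.

```python
import configparser

AGENT_OWNED = 0x1  # NM_SETTING_SECRET_FLAG_AGENT_OWNED: secret lives in a user's keyring

# Constructed sample profile: shared with all users, password stored per-user.
MISMATCHED = """\
[connection]
id=vpn-example
type=vpn
permissions=

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
username=example-user
password-flags=1
"""

# Same profile with the password stored system-wide (flags 0).
CONSISTENT = MISMATCHED.replace("password-flags=1", "password-flags=0")

# Same profile restricted to one user, who also owns the secret.
PRIVATE = MISMATCHED.replace("permissions=", "permissions=user:example:;")


def shared_but_user_only_secrets(keyfile_text):
    """Return the [vpn] secret-flag keys that are agent-owned on a profile
    available to all users. An empty list means no mismatch was found."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(keyfile_text)
    permissions = cp.get("connection", "permissions", fallback="").strip()
    if permissions or not cp.has_section("vpn"):
        return []  # restricted to named users, or not a VPN profile
    hits = []
    for key, value in cp.items("vpn"):
        if not key.endswith("-flags"):
            continue
        try:
            flags = int(value)
        except ValueError:
            continue  # malformed flag value: nothing to conclude
        if flags & AGENT_OWNED:
            hits.append(key)
    return hits


if __name__ == "__main__":
    for name, text in [("mismatched", MISMATCHED), ("consistent", CONSISTENT),
                       ("private", PRIVATE)]:
        print(name, shared_but_user_only_secrets(text))
```
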
Some solutions and answers to problems from my original post:
- Jonh Wendell suggested using TCP instead of UDP to connect to PIA. I’ve been trying this and so far have not noticed a single instance of connection loss. So I think my biggest problem has been solved. Yay!
- Dan LaManna posted a link to vpnfailsafe. I’m probably not going to use this since it’s a long shell script that I don’t understand, and since my connection drop problems seem to be solved now that I’ve switched to TCP, but it looks like it’d probably be a good solution to its problem. Real shame this is not built in to NetworkManager already.
- Christel Dahlskjaer has confirmed that freenode requires NickServ/SASL authentication to use via PIA. This isn’t acceptable for me, since Empathy can’t handle it well, so I’m probably just going to stop using freenode for the most part. The only room I was ever really active in was #webkitgtk+, but in practice our use of that room is basically redundant with #epiphany on GIMPNet (where you’ll still find me, and which would be a better location for a WebKitGTK+ channel anyway), so I don’t think I’ll miss it. I’ve been looking to reduce the number of IRC rooms I join for a long time anyway. The only thing I really need freenode for is Fedora Workstation meetings, which I can attend via a web gateway. (Update: I realized that I am going to miss #webkit as well. Hmm, this could be a problem….)
So my biggest issue now is that I can’t use my email. That’s pretty surprising, as I wouldn’t think using a VPN would make any difference for that. I don’t actually care about my Google Apps account, but I need to be able to read my Igalia mail in Evolution. (Note: My actual IP seems to leak in my email headers, but I don’t care. My name is on my emails anyway. I just care that it works.)
Caveat: I have not tried PIA and thus am not familiar with their VPN server config (at least the output from OpenVPN client-side when connecting). However, the OpenBSD 6.[01] and FreeBSD 11-RELEASE-pX OpenVPN 2.4.x servers with which I am familiar need this for UDPv4:
…
proto udp
tun-mtu 1500
fragment 1300
mssfix
…
More goodies at https://community.openvpn.net/openvpn/wiki/Openvpn24ManPage
(Also, there is pf interaction, namely icmp-type unreachable being allowed.)
Hi Michael, very interesting set of blog posts!
I’ve been using SSH tunnels for years but that’s a very involved client-side process that I’d like to see built into GNOME by default. This prompted me to dig around in bugzilla regarding SSH support, and I found https://bugzilla.gnome.org/show_bug.cgi?id=706314 which led me to https://github.com/danfruehauf/NetworkManager-ssh
Pretty cool, no? The issue I then faced is that it made no sense to me as a user: https://github.com/danfruehauf/NetworkManager-ssh/issues/66
IMHO for my use case (network security while travelling) SSH tunnels are the way to go; they require pretty much zero set-up and SSH is ubiquitous on servers, so anyone can set this infrastructure up much much more easily than a VPN.
And for those interested I filed a bug about the need for SSH/VPN enforcement in GNOME Control Center’s GUI: https://bugzilla.gnome.org/show_bug.cgi?id=781355
Hi Michael,
PIA blocks SMTP unless you whitelist your server:
https://www.privateinternetaccess.com/forum/discussion/2886/problem-sending-e-mail
Hi,
Your topic got pinged to me as a point of interest (as I’m the Head of Customer Support for Private Internet Access).
I note 2 things:
1. Emails need to be whitelisted by Support because of spam. If you fire me an email at helpdesk@privateinternetaccess.com FAO Jayson with the hostname you’d like to whitelist, I can do that for you.
2. For IRC that’s because Freenode has to fight spam so the only realistic solution is to require SASL (and Empathy certainly can be configured to work with SASL).
I hope this helps.
Hi Jayson. Thanks for your response. I can sometimes send mails from my Igalia mail account, so I don’t think we need to be whitelisted (probably because we don’t use port 25). It’s sometimes much slower than when I am not using PIA, and sometimes it times out and I have to try sending it again, but I don’t think it would work at all if you were completely blocking it. I am having more trouble with IMAP. Sometimes it works just fine when using PIA, but more often my connections time out and so IMAP doesn’t work at all. For example, I was able to check my mail with no problems an hour ago, but trying again now I’m hitting timeout errors and have had no success. I can nevertheless still send mail via SMTP.
Regarding freenode… Empathy handles NickServ/SASL *really* badly, and I’m not planning to try a new messaging app to work around this. That’s really a problem on our (GNOME’s) side, of course.
And… IMAP is working fine again now, half an hour later. Really weird.
Regarding FreeNode, you could have Empathy connect to ZNC (a popular IRC proxy), and then have ZNC connect to FreeNode.
ZNC is kind of a pain to set up, and sometimes I’m not sure the benefits (storing the backlog while your laptop is offline, push notifications for mentions) are worth it.
Yeah, not worth it to me, but thanks for the tip!
Hi, I am writing here about Epiphany. Comments under the article about Epiphany are blocked. Why does Epiphany hang up and freeze on the pages: tvp.pl? I use Arch with all possible codecs. Firefox works great.