Librem Tunnel Xubuntu No Longer Working

Using the “Installation (from source)” guide at https://source.puri.sm/liberty/ldh_client/ I was able to use Librem Tunnel on Xubuntu successfully for a few months after Librem One first came out. Starting a few months ago, that solution no longer works for me. I started from scratch on a new Xubuntu install. It creates the VPN network connection successfully but when I attempt to turn the VPN on, it prompts for a password (something it never used to do), tries to connect for a few seconds, then the password prompt shows again with no other message.

As this is a new install, seemingly with a remembered password on the old install, are you sure that the username and password are correct? You may need to contact Purism support in order to confirm that your account is still OK.

I can use my librem.one username and password for Social, Mail and the librem.one website, where I also verified that Tunnel is “Active”. During the setup, it asks for librem.one username and password; I verified that it fails setup if I put in the wrong password. I’m not totally sure how it works but, if I use the right password, it completes setup and adds the VPN entry to my network connections. I believe that auto generates a key and password for PIA that I have no control over. I can see the crazy long generated password if I edit the VPN network connection, and I’ve attempted to paste that into the prompt, but that has the same result: a few seconds attempting to connect, then another password prompt.

I’ve also tried deleting the network connection and any keys generated to retry the setup process.

Best to contact Purism support then.

@vqbq make sure you have the following dependencies installed:

libcairo2-dev libgirepository1.0-dev pip venv python3-pip python-pip gir1.2-nm-1.0 network-manager-openvpn network-manager-openvpn-gnome seahorse

I suspect your issue is with not having seahorse installed.

And then run the setup script again to create a new librem one tunnel connection.

1 Like

I had the same issue when I configured it on my machine (BTW I use arch :sweat_smile:)

Maybe I also missed the “seahorse” package, however I did find a workaround.
I guess that the “seahorse” solution should be the correct way.

Let me know if you want my workaround solution.

We are always interested in solutions :wink:

Fire away!

I guess I’m not that proud of the solution. :wink:

I got the python setup script to print out the “VPN-password” in the terminal, then I could manually add it to the VPN configuration.
If this is done via the NetworkManager, one has to “save the password for all users on the system”, which means that any user of the computer would have access to the password/connection; however, in my case, it’s my personal computer, so it should not be a problem (in this particular case).

I’m not exactly sure what the seahorse is (other than a keyring?), so does the NetworkManager retrieve the password from there, or?

EDIT: If I didn’t save the password for all users on the system, the password was apparently not stored in the config file ?!? I didn’t figure out why that was the case.

I believe (perhaps mistakenly) that the password goes in your keyring if it’s saved for just the one user. Whenever I had the issue y’all describe I just used the terminal (assuming PureOS uses openvpn).

Finally! Changing the script to output the password worked. Turns out I was trying to use the generated username due to a confusing layout in the network manager UI. Password was always blank.

Seahorse lets me modify the password once it’s added to the keyring, which is nice, but there’s no entry for the VPN until I first attempt to enter a password at the prompt.

Maybe I can figure out why the password isn’t ending up where it needs to during setup on my machine. If I can, I’ll post my findings back here.

1 Like

Nice…!

I tried briefly to figure it out, but I was late and I was too tired. xD
But it would be nice to know why. I’m after all pretty convinced that the fact I don’t have “seahorse” on my machine plays a role in my case.

@joao.azevedo maybe by chance you know how much is required for the setup to work.
I mean, a setup program should get the certificate and then set up the config file.
But is there some magic, or could a “setup-program/script” just simply create this config file as plain text and put it in the appropriate folder, and get the certificate via the API?

seahorse is a password manager. It manages multiple keyrings. Some number of keyrings can be unlocked automatically using your login password at login time. Any other keyrings have to be unlocked manually. Once a keyring is unlocked, you can programmatically grab passwords from the keyring e.g. in Python. On my computer, it can hold passwords, certificates, SSH keys and PGP keys.

Some kind of password manager is considered superior (from a security point of view) to

  • storing plaintext passwords in config files, or
  • individual applications attempting to implement their own password manager and doing it badly

On Ubuntu you launch seahorse as ‘Passwords and Keys’ or of course using the seahorse command at the shell prompt.

2 Likes
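
The “all users” versus keyring distinction discussed in this thread can be read straight out of a NetworkManager keyfile. The following is an added example, not part of any post above and not code from the Librem Tunnel setup script: it reports where a VPN connection's password is expected to live, based on `password-flags` in `[vpn]` and the presence of a `[vpn-secrets]` entry. The function name and the sample keyfiles are constructed for illustration.

```python
import configparser
import sys

# NMSettingSecretFlags bits as used for "password-flags" in the [vpn] section.
AGENT_OWNED, NOT_SAVED, NOT_REQUIRED = 0x1, 0x2, 0x4

# Constructed sample keyfiles (not from the thread); the secret is a placeholder.
ALL_USERS = """[connection]
id=tunnel-example
type=vpn

[vpn]
service-type=org.freedesktop.NetworkManager.openvpn
username=example-user
password-flags=0

[vpn-secrets]
password=PLACEHOLDER-NOT-A-REAL-SECRET
"""
THIS_USER = ALL_USERS.replace("password-flags=0", "password-flags=1").split("[vpn-secrets]")[0]

def classify(keyfile_text):
    """Return where the VPN password for one keyfile is expected to live (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(keyfile_text)
    flags = int(cp.get("vpn", "password-flags", fallback="0"))
    if cp.has_option("vpn-secrets", "password"):
        return "plaintext-on-disk"      # secret sits in the keyfile itself
    if flags & NOT_REQUIRED:
        return "not-required"
    if flags & NOT_SAVED:
        return "prompt-every-time"
    if flags & AGENT_OWNED:
        return "agent-owned"            # must be supplied by the user's keyring
    return "system-owned-but-missing"   # flags say "in file", yet no secret is there

if __name__ == "__main__":
    # Usage: sudo python3 check.py /etc/NetworkManager/system-connections/*.nmconnection
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as fh:
            print(path, classify(fh.read()))
```

An `agent-owned` result with no matching keyring entry, or a `system-owned-but-missing` result, both lead to a repeated password prompt, since NetworkManager has no stored secret to send.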