Okay, I'm asking the Mastodon Hivemind something. It concerns GNU/Linux (specifically Debian), Signal Messenger, and Proton VPN.

Edit: Somehow fixed by changing the VPN server _on the router_ (which passes through the desktop untouched...supposedly). I don't get it.

1/?

#ProtonVPN #SignalMessenger #GNULinux #Debian

Overview of my setup: Networking is managed with systemd-networkd, wpa_supplicant, and systemd-resolved. VPN is managed by downloading WireGuard configs from Proton and activating wg-quick@<config>.service. I have some additions to the wg-quick service to punch holes so that HTTP(S) and SSH traffic is routed outside the VPN. Signal Desktop has been working great for a long time.

2/?

Here's what happened: Signal Desktop suddenly refuses to work through the VPN. If I turn off the VPN, messages go through without any issues. If I turn on the VPN, messages sit forever without actually sending (as verified by it not showing up on either the recipient's device or my phone).

3/?

Things I have tried:
1. Downgrading Signal to 8.2.0 did not help.
2. Using the previous kernel (since WireGuard is part of the kernel) didn't help.
3. Disabling the netfilter in the Proton config didn't help.
4. Other countries didn't help.
5. Using completely new VPN configs didn't help.

4/?

It seems to be working for at least one other person _also_ using Proton VPN and Signal Desktop, but they are using NetworkManager to deal with the VPN (since it's the same config, I'd be surprised if that's the issue).

Other networking is fully working. Other websites, streaming services, etc. all work without issues. It is _only_ Signal Desktop and _only_ when on the VPN.

5/?

I can provide debug logs as necessary:

https://f002.backblazeb2.com/file/chiraag-public/debuglog.txt

From my reading, something is happening with the connection. The odd thing is, I'm able to open an HTTPS connection to the domains specified there through the browser and it gives the expected warning that the certificate is only valid for chat.reflector.signal.org. I thought it gave an error on VPN, but apparently that's not reproducible (but the issue is), so that can't be it.

6/?

It's really annoying because I'd really like to re-enable the desktop-wide VPN, but I can't until I get this sorted. I use Signal as my main messenger, so I can't suddenly not be able to send/receive messages.

Oh, and I think sometimes the incoming messages _do_ come in (though delayed).

Any thoughts would be appreciated!

7/7

#AskFedi #HiveMind

Actually, I can also replicate that the _first_ time I connect to the servers Signal is trying to connect to, it comes back saying an HTTPS connection is not available. Subsequent ones work just fine.

And, there are some TCP connections stuck in FIN-WAIT-1 that are likely from Signal (PID no longer shows for those connections, but the servers are AWS-owned).

8/7

Okay, this is *wild*. I also have a router-wide VPN that the desktop is exempted from. But somehow, *that* was causing the issue, but _only_ when I turned on the VPN locally. I...don't get it.

Switching to a different VPN _on the router_ fixed the issue. Wild.

Oh. For some reason the IP address wasn't pinned for the desktop. Welp.

9/7
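A small shell diagnostic for the two things this thread ends up checking: the TCP sockets stuck in FIN-WAIT-1 from post 8, and whether the desktop still holds the LAN address the router's VPN-exemption rule was written for, from the last post. This is an added example, not the poster's own setup; the interface name, addresses and `ss -tan` output it uses are constructed.

```sh
#!/bin/sh
# Added diagnostic, not from the original thread. It covers the two things the
# thread ends up needing: which TCP connections are stuck in FIN-WAIT-1 (and to
# which peers), and whether the host still holds the LAN address the router's
# VPN-exemption rule was written for (the "pinned" address).
# Interface name, addresses and the `ss -tan` text below are constructed.

SAMPLE_SS='State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      192.168.1.50:44312  203.0.113.10:443
FIN-WAIT-1 0      1      192.168.1.50:44320  198.51.100.7:443
FIN-WAIT-1 0      1      192.168.1.50:44321  198.51.100.7:443
ESTAB      0      0      192.168.1.50:52000  192.168.1.1:22
FIN-WAIT-1 0      1      192.168.1.50:44330  198.51.100.9:443'

# Read `ss -tan` output on stdin; print "count peer-address" for every peer
# with sockets stuck in FIN-WAIT-1, busiest peer first. The port is stripped
# with a regex rather than split(":") so IPv6 peers survive.
stuck_peers() {
    awk '$1 == "FIN-WAIT-1" { sub(/:[0-9]+$/, "", $5); n[$5]++ }
         END { for (p in n) print n[p], p }' | sort -rn
}

# Total number of FIN-WAIT-1 sockets in the `ss -tan` output on stdin.
stuck_count() {
    awk '$1 == "FIN-WAIT-1" { c++ } END { print c + 0 }'
}

# $1 = address the router exemption expects, $2 = address the host actually
# holds. Returns 0 only when they match; otherwise the router treats this
# host like any other client and sends it through the router-wide VPN.
check_pinned_ip() {
    if [ "$1" = "$2" ]; then
        echo "ok: $2 is the pinned address"
        return 0
    fi
    echo "MISMATCH: host has $2, router exemption expects $1"
    return 1
}

# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_SS" | stuck_peers

# On the real host (assumes iproute2's ss and ip, and a LAN interface eth0):
#   ss -tan | stuck_peers
#   check_pinned_ip 192.168.1.50 "$(ip -4 -o addr show dev eth0 | awk '{print $4}' | cut -d/ -f1)"
```

If the mismatch branch fires, the router's exemption is matching the wrong address, which is exactly the situation the last post describes.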