Arch Linux

nekiiinkognito

Member

Registered: 2025-10-25

Posts: 9

nmcli vpn: destination is unreachable

Hello, I've setup sstp vpn connection with networkmanager, networkmanager-applet and networkmanager-sstp

I can connect to vpn server and even received dns that resolving all needed domains

But I can't connect to ips that is resolved (they are 100% correct)

> tracepath develop-opo.local
1?: [LOCALHOST]                      pmtu 1500
1:  new-pc                                             3058.326ms !H
     Resume: pmtu 1500

> nmcli dev with vpn connection on
DEVICE           TYPE      STATE                   CONNECTION
wlan0                      wifi      connected               cool-network
lo                            loopback  connected (externally)  lo
br-28a6e38c7316  bridge    connected (externally)  br-28a6e38c7316
docker0                   bridge    connected (externally)  docker0
ppp0                        ppp       disconnected            --
p2p-dev-wlan0         wifi-p2p  disconnected            --

> ip route
default dev ppp0 proto static scope link metric 50
default via 192.168.0.1 dev wlan0 proto dhcp src 192.168.0.100 metric 600
10.130.128.1 dev ppp0 proto kernel scope link src 10.130.128.112
10.130.128.1 dev ppp0 proto kernel scope link src 10.130.128.112 metric 50
10.130.128.1 via 10.130.128.1 dev ppp0 proto static metric 50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-28a6e38c7316 proto kernel scope link src 172.18.0.1 linkdown
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.100 metric 600
192.168.0.1 dev wlan0 proto static scope link metric 50
192.168.0.1 dev wlan0 proto dhcp scope link src 192.168.0.100 metric 600
0.vpn.server.ip via 192.168.0.1 dev wlan0 proto static metric 50

> ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
3: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 48:45:e6:8d:c3:a9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.100/24 metric 600 brd 192.168.0.255 scope global dynamic wlan0
       valid_lft 6588sec preferred_lft 6588sec
    inet6 fe80::c3e0:710d:dd50:2d47/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
    inet6 fe80::4a45:e6ff:fe8d:c3a9/64 scope link proto kernel_ll
       valid_lft forever preferred_lft forever
4: br-28a6e38c7316: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 2e:19:75:8d:78:ce brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-28a6e38c7316
       valid_lft forever preferred_lft forever
5: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 36:61:c5:9d:1e:4f brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 10.130.128.112 peer 10.130.128.1/32 scope global ppp0
       valid_lft forever preferred_lft forever

> nmcli dev con ppp0
Error: Failed to add/activate new connection: Device class NMDevicePpp had no complete_connection method

After that i've installed ppp from pacman but error did not disappear

I think that problem is in disconnected ppp0 device, but not sure on that

-thc

Member

Registered: 2017-03-15

Posts: 1,059

Re: nmcli vpn: destination is unreachable

Hello, I've setup sstp vpn connection with networkmanager, networkmanager-applet and networkmanager-sstp

There are no packages named "networkmanager-applet" and "networkmanager-sstp".

After that i've installed ppp from pacman but error did not disappear

If you had installed the correct packages, ppp should have been installed too.

I can connect to vpn server and even received dns that resolving all needed domains
I think that problem is in disconnected ppp0 device, but not sure on that

What now? Are you connected or not? Can you ping the IP address of the PPP tunnel endpoint 10.130.128.1?

But I can't connect to ips that is resolved (they are 100% correct)

Why does your trace end after more that 3 seconds at an IP address that is resolved to "new-pc"?
Are you aware that ".local" is reserved for local AVAHI/mDNS name resolution?

Please use "code" tags.

nekiiinkognito

Member

Registered: 2025-10-25

Posts: 9

Re: nmcli vpn: destination is unreachable

Thanks for the answer. I'm new to this, so sorry if I didn't provide enough information and for not using code blocks.

I did write the wrong package names; I meant network-manager-applet and network-manager-sstp.

The DNS is resolving to 192.168.*.* IPs, which should be reachable when I'm connected to the VPN.

I installed ppp, probably without a good reason, thinking it would fix the problem with the nmcli connection to ppp0.

Yes, I was connected to the VPN itself, because my IP address in the browser had changed.

Yes, I can ping the address of the PPP tunnel endpoint.

As for the traceroute ending after 3 seconds, I have no idea why that happens.

-thc

Member

Registered: 2017-03-15

Posts: 1,059

Re: nmcli vpn: destination is unreachable

Yes, I was connected to the VPN itself, because my IP address in the browser had changed.
Yes, I can ping the address of the PPP tunnel endpoint.

If your VPN connection is set up correctly and if this connection works correctly you can disregard the "connected" status of NetworkManager.

The DNS is resolving to 192.168.*.* IPs, which should be reachable when I'm connected to the VPN.

Are you aware that your home WiFi is in the range 192.168.*.* too? The address spaces may be in conflict.

If there a computer in your home network named "new-pc"?

nekiiinkognito

Member

Registered: 2025-10-25

Posts: 9

Re: nmcli vpn: destination is unreachable

Yes, I am aware of the 192.168.*.* IP range. I have this VPN set up on Windows, and there it is working just fine. I had to add a DNS suffix in the VPN settings there; maybe it needs to be done here as well.

"new-pc" is the name of my machine that I am connecting from.

-thc

Member

Registered: 2017-03-15

Posts: 1,059

Re: nmcli vpn: destination is unreachable

"new-pc" is the name of my machine that I am connecting from.

That's what I suspected.

O.K. - let's check the DNS angle. I presume "develop-opo.local" to be your target. Please install the "ldns" package. While connected to the VPN please provide the output of

tracepath -n develop-opo.local
drill develop-opo.local

nekiiinkognito

Member

Registered: 2025-10-25

Posts: 9

Re: nmcli vpn: destination is unreachable

> tracepath -n develop-opo.local
 1?: [LOCALHOST]                      pmtu 1500
 1:  192.168.0.8                                         3070.359ms !H
     Resume: pmtu 1500

> drill develop-opo.local
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 41853
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; develop-opo.local.	IN	A

;; ANSWER SECTION:

;; AUTHORITY SECTION:
.	445	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2025110900 1800 900 604800 86400

;; ADDITIONAL SECTION:

;; Query time: 23 msec
;; SERVER: 192.168.0.1
;; WHEN: Sun Nov  9 11:25:09 2025
;; MSG SIZE  rcvd: 110

-thc

Member

Registered: 2017-03-15

Posts: 1,059

Re: nmcli vpn: destination is unreachable

But I can't connect to ips that is resolved (they are 100% correct)

1:  192.168.0.8                                         3070.359ms !H

So - is this IP address (192.168.0.8) the correct one you want to reach?

Since your DNS resolver (192.168.0.1, presumably your router) doesn't resolve "develop-opo.local" - how does tracepath "knows" what to try? Is something in your Arch installation resolving that name? Did you enter it into "/etc/hosts"? Do you use mDNS/Avahi?

nekiiinkognito

Member

Registered: 2025-10-25

Posts: 9

Re: nmcli vpn: destination is unreachable

No, the correct address is 192.168.0.217 (in the remote local network I'm trying to reach)
My /etc/hosts is untouched.
When i connect to VPN, there a new lines in /etc/resolv.conf

# Generated by NetworkManager
search vnp.domain.com # censored
nameserver 10.130.128.1
nameserver 192.168.0.1

My pings to develop-opo.local looks like this

> ping develop-opo.local
PING develop-opo.local (192.168.0.217) 56(84) bytes of data.
From new-pc (192.168.0.10) icmp_seq=1 Destination Host Unreachable
From new-pc (192.168.0.10) icmp_seq=2 Destination Host Unreachable
From new-pc (192.168.0.10) icmp_seq=3 Destination Host Unreachable
From new-pc (192.168.0.10) icmp_seq=4 Destination Host Unreachable
From new-pc (192.168.0.10) icmp_seq=5 Destination Host Unreachable
^C
--- develop-opo.local ping statistics ---
7 packets transmitted, 0 received, +5 errors, 100% packet loss, time 6161ms
pipe 4

I do have package nss-mdns installed, but not sure if it is actively working

Here is nslookup of this domain

> nslookup develop-opo.local
Server:		10.130.128.1
Address:	10.130.128.1#53

Non-authoritative answer:
Name:	develop-opo.local
Address: 192.168.0.217

nekiiinkognito

Member

Registered: 2025-10-25

Posts: 9

Re: nmcli vpn: destination is unreachable

I've updated the routing table. The command:

sudo ip route add 192.168.0.217/32 dev ppp0

now allows me to access that specific IP via its domain name in browser.

How to automatically route all traffic to IPs resolved by the VPN's DNS server through the ppp0 interface?

-thc

Member

Registered: 2017-03-15

Posts: 1,059

Re: nmcli vpn: destination is unreachable

This is really confusing. With your last post your PC now has three IPv4 addresses: 192.168.0.8, 192.168.0.10 and 192.168.0.100.

Are you aware that you should avoid this scenario (Connecting two identically numbered subnets via VPN)? Probably not.

Why is the VPN domain

search vnp.domain.com

censored but nevertheless the remote VPN endpoint resolves ".local" - it makes no sense - sorry.

You can enter static routes via nm-connection editor under IPv4 > Routes.

nekiiinkognito

Member

Registered: 2025-10-25

Posts: 9

Re: nmcli vpn: destination is unreachable

Ok, than I'll just write all IPs that I need by hand.

Thanks a lot for your time and help!