Trying to set up openvpn fedora 33 - DNS and ipv6 issues

Hello,

I’m completely new to Linux; I know only the basic commands (but I’ve been searching about this for 5 days).

I’m using Fedora now, and tried to set up OpenVPN with a config file from my VPN provider (Surfshark).
I just want to:
1- disable IPv6 (Surfshark does not support it)
2- change DNS (prevent DNS leaking)
3- set up the VPN to autostart with the system (this is OK)

Now I re-installed the system and I’m doing it step by step, so let’s get into them:
I just created a VPN config with my credentials in it, and it worked with this command: sudo openvpn miami_udp (my file)

My VPN provider does not support IPv6, so now I have to disable it and change DNS (I want to use just 1.1.1.1).
But when I disable IPv6:
[user@pc etc]$ sudo sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
The connection stops working.
Does anyone have a clue what it could be?


I can only guess that you disabled IPv6 for all adapters.
So revert your commands by writing = 0 instead of = 1, then use the NetworkManager applet to find the values for the VPN adapter and disable IPv6 just there.

The recommended method for disabling IPv6 depends on your connection manager, which is NetworkManager by default:

    nmcli connection show
    nmcli connection modify id CON_NAME ipv6.method disabled
    nmcli connection down id CON_NAME
    nmcli connection up id CON_NAME

Then fix DNS leak by configuring resolver priorities:
https://discussion.fedoraproject.org/t/systemd-resolved-not-querying-dns-server-set-by-openvpn/74961/2?u=vgaetera


Hello vgaetera.

First, thank you for your help.

I tried this method but the connection stopped again. Look:

    [user@localhost openvpn]$ nmcli connection show
    NAME                UUID                                  TYPE      DEVICE
    HOME-WIFI   72d6f40a-a021-4a5c-8abf-c828c522ebc1  wifi      wlo1
    tun1                f7be6766-0b13-477e-9bbc-ab0c3035aa3b  tun       tun1   
    tun0                66cb7eb8-70ec-4a85-8d8c-f9b57f0191d6  tun       tun0   
    virbr0              4cfdc73c-a058-449a-a4ee-66d0da7e238e  bridge    virbr0 
    Wired connection 1  4440265d-07ea-32be-aa98-5c4651d542d9  ethernet  --     
    [user@localhost openvpn]$ nmcli connection modify 72d6f40a-a021-4a5c-8abf-c828c522ebc1 ipv6.method disabled
    [user@localhost openvpn]$ nmcli connection down 72d6f40a-a021-4a5c-8abf-c828c522ebc1 
    Connection 'HOME-WIFI' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
    [user@localhost openvpn]$ nmcli connection up 72d6f40a-a021-4a5c-8abf-c828c522ebc1 
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8)
    [user@localhost openvpn]$ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    50 packets transmitted, 0 received, 100% packet loss, time 50196ms

I don’t know what I’m doing wrong ;/


You have disabled IPv6 on the HOME-WIFI connection.
Try to re-activate the VPN and make sure it connects successfully.

Hello,
I ran the command on the VPN connection now, but as soon as I ran it the VPN disconnected and pings started using the IPv6 protocol. Look:

[user@pc openvpn]$ nmcli connection show 
NAME                UUID                                  TYPE      DEVICE 
HOME-WIFI   72d6f40a-a021-4a5c-8abf-c828c522ebc1  wifi      wlo1   
tun0                f5cf660d-2520-4d15-8d6c-002def5dfe53  tun       tun0   
virbr0              7b15a0e9-98c4-4911-851d-ea0d11defdfb  bridge    virbr0 
J Vicente 2g        c98d47bd-2a46-4956-bbf5-530ab17a7687  wifi      --     
tun0                66cb7eb8-70ec-4a85-8d8c-f9b57f0191d6  tun       --     
tun0                c867b8a8-e13f-4e35-9107-4a55152433a5  tun       --     
Wired connection 1  4440265d-07ea-32be-aa98-5c4651d542d9  ethernet  --     
[user@pc openvpn]$ nmcli connection modify f5cf660d-2520-4d15-8d6c-002def5dfe53 ipv6.method disabled
[user@pc openvpn]$ nmcli connection down  f5cf660d-2520-4d15-8d6c-002def5dfe53 
Connection 'tun0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[user@pc openvpn]$ nmcli connection up  f5cf660d-2520-4d15-8d6c-002def5dfe53 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)
[user@pc openvpn]$ ping www.google.com
PING www.google.com(2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004)) 56 data bytes
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=1 ttl=116 time=50.1 ms
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=2 ttl=116 time=51.3 ms
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=3 ttl=116 time=50.2 ms
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=4 ttl=116 time=51.2 ms
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=5 ttl=116 time=50.6 ms
^C
--- www.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms

Any clue? Correct me if I am wrong: I have to disable IPv6 on the tun0 UUID, correct?
**Important: when I enable the VPN again it works, but when I go to ipleak.net it keeps seeing my IPv6.**


Check the Wi-Fi connection config to verify IPv6 status:

    PAGER= nmcli connection show id HOME-WIFI

Hello vgaetera,

I ran a test: I disabled IPv6 on another connection and it worked as intended.
So I did it again on HOME-WIFI, but when I disable IPv6 (ipv6.method disabled) and restart the connection it stops working. Look:

Configuration of HOME-WIFI
(I copied just the IPv4 and IPv6 parts to summarize):

    [user@user ~]$ nmcli connection show HOME-WIFI 
    connection.id:                          HOME-WIFI
    connection.uuid:                        c256cc9c-c4ea-4cf0-bcea-259233853e3e
    ipv4.method:                            auto
    ipv4.dns:                               1.0.0.1,1.1.1.1
    ipv4.dns-search:                        --
    ipv4.dns-options:                       --
    ipv4.dns-priority:                      -50
    ipv4.addresses:                         --
    ipv4.gateway:                           --
    ipv4.routes:                            --
    ipv4.route-metric:                      -1
    ipv4.route-table:                       0 (unspec)
    ipv4.routing-rules:                     --
    ipv4.ignore-auto-routes:                no
    ipv4.ignore-auto-dns:                   yes
    ipv4.dhcp-client-id:                    --
    ipv4.dhcp-iaid:                         --
    ipv4.dhcp-timeout:                      0 (default)
    ipv4.dhcp-send-hostname:                yes
    ipv4.dhcp-hostname:                     --
    ipv4.dhcp-fqdn:                         --
    ipv4.dhcp-hostname-flags:               0x0 (none)
    ipv4.never-default:                     no
    ipv4.may-fail:                          yes
    ipv4.dad-timeout:                       -1 (default)
    ipv4.dhcp-vendor-class-identifier:      --
    ipv6.method:                            disabled
    ipv6.dns:                               --
    ipv6.dns-search:                        --
    ipv6.dns-options:                       --
    ipv6.dns-priority:                      0
    ipv6.addresses:                         --
    ipv6.gateway:                           --
    ipv6.routes:                            --
    ipv6.route-metric:                      -1
    ipv6.route-table:                       0 (unspec)
    ipv6.routing-rules:                     --
    ipv6.ignore-auto-routes:                no
    ipv6.ignore-auto-dns:                   no
    ipv6.never-default:                     no
    ipv6.may-fail:                          yes
    ipv6.ip6-privacy:                       -1 (unknown)
    ipv6.addr-gen-mode:                     stable-privacy
    ipv6.ra-timeout:                        0 (default)
    ipv6.dhcp-duid:                         --
    ipv6.dhcp-iaid:                         --
    ipv6.dhcp-timeout:                      0 (default)
    ipv6.dhcp-send-hostname:                yes
    ipv6.dhcp-hostname:                     --
    ipv6.dhcp-hostname-flags:               0x0 (none)
    ipv6.token:                             --

Result of pings:

~]$ ping www.google.com
ping: www.google.com: Temporary failure in name resolution
~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=52.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=50.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=50.3 ms
^C

Check the resolver config:

    resolvectl --no-pager status

I know it is not an exact answer to your question, but ProtonVPN is a lot easier than your VPN. And it is free.

Here is the config:
I didn’t understand this, so if you see anything wrong, let me know.

@localhost ~]$ resolvectl --no-pager status
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub                                                 

Link 2 (enp1s0)
Current Scopes: none                                                        
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlo1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6                                   
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: fe80::96ea:eaff:fe96:acf7%32767                             
       DNS Servers: 192.168.15.1 fe80::96ea:eaff:fe96:acf7%21989                
        DNS Domain: br ~.                                                       

Link 4 (virbr0)
Current Scopes: none                                                        
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (virbr0-nic)
Current Scopes: none                                                        
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Just to recapitulate and explain better what is happening:
When I disable IPv6, DNS does not work (just on HOME-WIFI),
and now I’m getting low internet upload speeds (just on HOME WIFI too).
Yesterday I ran a test: I reinstalled Fedora from scratch, and the internet upload speed stayed stable until I updated the system.
After install the internet was working at full speed; when I went to the GNOME store and updated the software, the upload speed dropped drastically. I’m thinking that one Fedora update didn’t like something in my HOME WIFI connection:

speedtest result:

~]$ speedtest

   Speedtest by Ookla

     Server: Vivo  (id = XXXXX)
        ISP: Vivo
    Latency:     2.10 ms   (0.71 ms jitter)
   Download:   288.04 Mbps (data used: 470.5 MB)                               
     **Upload:     1.57 Mbps (data used: 4.8 MB)**

Normally it would be 250/200, I’m getting around 250/2

Sorry for so much information, but I’m testing everything to find the point. I’ll keep adding any new info.

Disable automatic DNS and configure a major DNS provider:

    nmcli connection modify id HOME-WIFI \
        ipv4.dns 8.8.8.8,8.8.4.4 \
        ipv4.dns-priority 0 ipv6.dns-priority 0 \
        ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes
    nmcli connection down id HOME-WIFI
    nmcli connection up id HOME-WIFI

Verify the system is using the configured resolvers:

    resolvectl dns
    resolvectl query example.org
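
An added example (not part of the original replies): a small POSIX shell function that reads `resolvectl dns` output and lists every per-link resolver outside an allow-list, which is what the verification step above is looking for. The name `audit_resolvers` and the `tun0` line in the sample are constructed for illustration; the `wlo1` servers are the ones from the `resolvectl status` output posted earlier in this thread.

```shell
#!/bin/sh
# Added example: flag resolvers that are not on an allow-list.
# Input is `resolvectl dns` output, one line per link, e.g.
#   Link 3 (wlo1): 8.8.8.8 8.8.4.4

# audit_resolvers ALLOWED_CSV   (hypothetical helper; reads stdin)
# Prints "iface server" for each resolver outside ALLOWED_CSV.
# Returns 1 if any such resolver was found, 0 otherwise.
audit_resolvers() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, ",")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^Global:/ || /^Link [0-9]+ \(.*\):/ {
            iface = "global"
            if ($1 == "Link") { iface = $3; gsub(/[():]/, "", iface) }
            servers = $0
            sub(/^[^:]*:/, "", servers)      # drop the "Link N (iface):" label
            m = split(servers, s, " ")
            for (i = 1; i <= m; i++) {
                addr = s[i]
                sub(/[%#].*$/, "", addr)     # strip %zone and #sni suffixes
                if (!(addr in ok)) { print iface, s[i]; bad = 1 }
            }
        }
        END { exit bad }
    '
}

# Constructed sample: wlo1 still carries the router-supplied resolvers,
# tun0 (made up for this example) carries the intended one.
SAMPLE='Global:
Link 2 (enp1s0):
Link 3 (wlo1): 192.168.15.1 fe80::96ea:eaff:fe96:acf7%21989
Link 6 (tun0): 1.1.1.1'

if printf '%s\n' "$SAMPLE" | audit_resolvers "1.1.1.1,1.0.0.1"; then
    echo "all resolvers are on the allow-list"
else
    echo "resolvers outside the allow-list found (listed above)"
fi
```

On a live system, feed it the real output: `resolvectl dns | audit_resolvers 1.1.1.1,1.0.0.1`.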

The DNS was configured but the system fails to use it. Look:

[user@localhost ~]$ sudo nmcli connection modify HOME-WIFI \
>     ipv4.dns 8.8.8.8,8.8.4.4 \
>     ipv4.dns-priority 0 ipv6.dns-priority 0 \
>     ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes \
> 
[sudo] password for user: 
[user@localhost ~]$ nmcli connection down HOME-WIFI 
Connection 'HOME-WIFI' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[user@localhost ~]$ nmcli connection up HOME-WIFI 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[user@localhost ~]$ resolvectl dns
Global:
Link 2 (enp1s0):
Link 3 (wlo1): 8.8.8.8 8.8.4.4
Link 4 (virbr0):
Link 5 (virbr0-nic):
[user@localhost ~]$ resolvectl query www.google.com
www.google.com: resolve call failed: All attempts to contact name servers or networks failed
[user@localhost ~]$ resolvectl query www.bbc.com
www.bbc.com: resolve call failed: All attempts to contact name servers or networks failed
[user@localhost ~]$ resolvectl query www.bing.com
www.bing.com: resolve call failed: All attempts to contact name servers or networks failed

That’s weird, try this:

    nslookup example.org
    ping -w 3 8.8.8.8; nslookup example.org 8.8.8.8
    ping -w 3 1.1.1.1; nslookup example.org 1.1.1.1

I got these results:

@localhost ~]$ ping -w 3 8.8.8.8; nslookup www.google.com 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=51.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=50.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=50.9 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 50.760/50.876/50.987/0.092 ms
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find www.google.com: REFUSED

@localhost ~]$ ping -w 3 1.1.1.1; nslookup www.google.com 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=60.4 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=60.1 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=60.2 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 60.055/60.220/60.385/0.134 ms
Server:		1.1.1.1
Address:	1.1.1.1#53

** server can't find www.google.com: REFUSED

It appears that something is blocking your DNS traffic.
You can try to enable DNS encryption to override the issue:

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
[Resolve]
DNSOverTLS=yes
EOF
sudo systemctl restart systemd-resolved.service

I did it but nothing changed. Look:

~]$ sudo mkdir -p /etc/systemd/resolved.conf.d
[user@localhost ~]$ sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
> [Resolve]
> DNSOverTLS=yes
> EOF
[user@localhost ~]$ sudo systemctl restart systemd-resolved.service
[user@localhost ~]$ ping -w 3 8.8.8.8; nslookup www.google.com 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=50.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=89.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=51.3 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 50.832/64.035/89.933/18.313 ms
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find www.google.com: REFUSED

Is there anything else that I have to do?

Important: I tested and deleted

sudo rm 00-custom.conf

I did this because every connection stopped working with the file.

This kind of reply is typically related to firewall-specific problems.
Are you filtering DNS traffic on the router?
Is your VPN active when the issue happens?

I do not know about the router, how can I check?
I never changed anything in the firewall, how can I check?
The VPN is off the whole time.

https://www.youtube.com/watch?v=EAnm383PG4Y

If your router is different, try searching the internet with your router’s model included.
For the video above I used “como accessar o roteador da vivo”.

Your router might have a firewall too … If you can’t configure it, please ask your ISP (VIVO) for help.

https://docs.fedoraproject.org/en-US/quick-docs/firewalld/