Trying to set up openvpn fedora 33 - DNS and ipv6 issues

bgreaterthanavg · January 6, 2021, 2:58am

Hello,

I’m completely new in linux, I know the basics commands only (but I’m searching about this for 5 days ) .

Im using Fedora now, and tried to set a openvpn with a config file from my vpn provider (surfshark).
I just want to:
1- disable IPv6 (surfshark does not support it)
2- change DNS (prevent dns leaking)
3- set up to vpn autostart with system (this is OK)

Now I re-installed the system and I’m doing step by step, so lets get into them:
I just created a vpn config with my credentials there and worked with this command(sudo openvpn miami_udp(my file))

My vpn provider does not support IPv6, so now I have to disable and change DNS (I want to use 1.1.1.1 just this)
But when I disable IPv6:
[user@pc etc]$ sudo sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
The connection stops working.
Anyone have a clue what it could be?

ilikelinux · January 6, 2021, 4:11am

I just can guess that you disabled IPV6 for all adapters.
So revert your commands writing a = 0 instead of =1 and then try to find out with the Network Manager Applet the values for the VPN adapter and just disable there ipv6.

vgaetera · January 6, 2021, 7:11am

The recommended method for disabling IPv6 depends on your connection manager that is NetworkManager by default:

nmcli connection show
nmcli connection modify id CON_NAME ipv6.method disabled
nmcli connection down id CON_NAME
nmcli connection up id CON_NAME

Then fix DNS leak by configuring resolver priorities:
https://discussion.fedoraproject.org/t/systemd-resolved-not-querying-dns-server-set-by-openvpn/74961/2?u=vgaetera

bgreaterthanavg · January 7, 2021, 12:08am

Hello vgaetera.

First, thank you for your help.

I tried this method but the connection stopped again. look:

        [user@localhost openvpn]$ nmcli connection show
    NAME                UUID                                  TYPE      DEVICE 
   HOME-WIFI   72d6f40a-a021-4a5c-8abf-c828c522ebc1  wifi      wlo1   
    tun1                f7be6766-0b13-477e-9bbc-ab0c3035aa3b  tun       tun1   
    tun0                66cb7eb8-70ec-4a85-8d8c-f9b57f0191d6  tun       tun0   
    virbr0              4cfdc73c-a058-449a-a4ee-66d0da7e238e  bridge    virbr0 
    Wired connection 1  4440265d-07ea-32be-aa98-5c4651d542d9  ethernet  --     
    [user@localhost openvpn]$ nmcli connection modify 72d6f40a-a021-4a5c-8abf-c828c522ebc1 ipv6.method disabled
    [user@localhost openvpn]$ nmcli connection down 72d6f40a-a021-4a5c-8abf-c828c522ebc1 
    Connection 'HOME-WIFI' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
    [user@localhost openvpn]$ nmcli connection up 72d6f40a-a021-4a5c-8abf-c828c522ebc1 
    Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/8)
    [user@localhost openvpn]$ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    ^C
    --- 8.8.8.8 ping statistics ---
    50 packets transmitted, 0 received, 100% packet loss, time 50196ms

I dont know what I’m doing wrong, ;/

vgaetera · January 7, 2021, 1:14am

You have disabled IPv6 on the HOME-WIFI connection.
Try to re-activate the VPN and make sure it connects successfully.

bgreaterthanavg · January 7, 2021, 2:26am

Hello,
I ran the command in the VPN connection now, but as soon as I rant it vpn disconnected and pings starts using ipv6 protocol look:

[user@pc openvpn]$ nmcli connection show 
NAME                UUID                                  TYPE      DEVICE 
HOME-WIFI   72d6f40a-a021-4a5c-8abf-c828c522ebc1  wifi      wlo1   
tun0                f5cf660d-2520-4d15-8d6c-002def5dfe53  tun       tun0   
virbr0              7b15a0e9-98c4-4911-851d-ea0d11defdfb  bridge    virbr0 
J Vicente 2g        c98d47bd-2a46-4956-bbf5-530ab17a7687  wifi      --     
tun0                66cb7eb8-70ec-4a85-8d8c-f9b57f0191d6  tun       --     
tun0                c867b8a8-e13f-4e35-9107-4a55152433a5  tun       --     
Wired connection 1  4440265d-07ea-32be-aa98-5c4651d542d9  ethernet  --     
[user@pc openvpn]$ nmcli connection modify f5cf660d-2520-4d15-8d6c-002def5dfe53 ipv6.method disabled
[user@pc openvpn]$ nmcli connection down  f5cf660d-2520-4d15-8d6c-002def5dfe53 
Connection 'tun0' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[user@pc openvpn]$ nmcli connection up  f5cf660d-2520-4d15-8d6c-002def5dfe53 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/7)
[user@pc openvpn]$ ping www.google.com
PING www.google.com(2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004)) 56 data bytes
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=1 ttl=116 time=50.1 ms
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=2 ttl=116 time=51.3 ms
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=3 ttl=116 time=50.2 ms
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=4 ttl=116 time=51.2 ms
64 bytes from 2800:3f0:4004:804::2004 (2800:3f0:4004:804::2004): icmp_seq=5 ttl=116 time=50.6 ms
^C
--- www.google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms

any clue? correct if I am wrong; I have to disable ipv6 in tun0 UUID correct?
**Important: when I enable vpn again it works, but when I go to ipleak.net It keep seeing my ipv6 **

vgaetera · January 7, 2021, 10:34am

Check the Wi-Fi connection config to verify IPv6 status:

PAGER= nmcli connection show id HOME-WIFI

bgreaterthanavg · January 7, 2021, 11:46pm

Hello vgaetera,

I ran a test, I disabled my ipv6 in other conection and it worked as intended.
So I did it again in HOME-WIFI but when I disable ipv6 (ipv6.method disabled) and restart the connection it stop working look:

configuration of HOME-WIFI:
I copied just the ipv4 and 6 part to resume:

    [user@user ~]$ nmcli connection show HOME-WIFI 
    connection.id:                          HOME-WIFI
    connection.uuid:                        c256cc9c-c4ea-4cf0-bcea-259233853e3e
    ipv4.method:                            auto
    ipv4.dns:                               1.0.0.1,1.1.1.1
    ipv4.dns-search:                        --
    ipv4.dns-options:                       --
    ipv4.dns-priority:                      -50
    ipv4.addresses:                         --
    ipv4.gateway:                           --
    ipv4.routes:                            --
    ipv4.route-metric:                      -1
    ipv4.route-table:                       0 (unspec)
    ipv4.routing-rules:                     --
    ipv4.ignore-auto-routes:                no
    ipv4.ignore-auto-dns:                   yes
    ipv4.dhcp-client-id:                    --
    ipv4.dhcp-iaid:                         --
    ipv4.dhcp-timeout:                      0 (default)
    ipv4.dhcp-send-hostname:                yes
    ipv4.dhcp-hostname:                     --
    ipv4.dhcp-fqdn:                         --
    ipv4.dhcp-hostname-flags:               0x0 (none)
    ipv4.never-default:                     no
    ipv4.may-fail:                          yes
    ipv4.dad-timeout:                       -1 (default)
    ipv4.dhcp-vendor-class-identifier:      --
    ipv6.method:                            disabled
    ipv6.dns:                               --
    ipv6.dns-search:                        --
    ipv6.dns-options:                       --
    ipv6.dns-priority:                      0
    ipv6.addresses:                         --
    ipv6.gateway:                           --
    ipv6.routes:                            --
    ipv6.route-metric:                      -1
    ipv6.route-table:                       0 (unspec)
    ipv6.routing-rules:                     --
    ipv6.ignore-auto-routes:                no
    ipv6.ignore-auto-dns:                   no
    ipv6.never-default:                     no
    ipv6.may-fail:                          yes
    ipv6.ip6-privacy:                       -1 (unknown)
    ipv6.addr-gen-mode:                     stable-privacy
    ipv6.ra-timeout:                        0 (default)
    ipv6.dhcp-duid:                         --
    ipv6.dhcp-iaid:                         --
    ipv6.dhcp-timeout:                      0 (default)
    ipv6.dhcp-send-hostname:                yes
    ipv6.dhcp-hostname:                     --
    ipv6.dhcp-hostname-flags:               0x0 (none)
    ipv6.token:                             --

Result of pings:

~]$ ping www.google.com
ping: www.google.com: Temporary failure in name resolution
~]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=52.4 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=50.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=50.3 ms
^C

vgaetera · January 8, 2021, 8:46am

Check the resolver config:

resolvectl --no-pager status

jpbn · January 8, 2021, 9:18am

I know it is not an exact answer to your question, But protonvpn is a lot easier than your vpn. And it is free.

bgreaterthanavg · January 9, 2021, 1:50am

Here is the config:
I didn’t understood this so, if you see anything wrong, let me know.

@localhost ~]$ resolvectl --no-pager status
Global
       Protocols: LLMNR=resolve -mDNS -DNSOverTLS DNSSEC=no/unsupported
resolv.conf mode: stub                                                 

Link 2 (enp1s0)
Current Scopes: none                                                        
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 3 (wlo1)
    Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6                                   
         Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: fe80::96ea:eaff:fe96:acf7%32767                             
       DNS Servers: 192.168.15.1 fe80::96ea:eaff:fe96:acf7%21989                
        DNS Domain: br ~.                                                       

Link 4 (virbr0)
Current Scopes: none                                                        
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (virbr0-nic)
Current Scopes: none                                                        
     Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Just to recapitulate and explain better what is happening:
When I disable ipv6 the Dns does not works (Just in HOME-WIFI)
and know I’m getting low internet upload speeds (just in HOME WIFI too)
yesterday I ran a test, reinstalled fedora from scratch, the internet upload speed stayed stable until I updated the system.
After Install (internet working full speed) when I go to gnome store and updated the software (upload speed dropped drastically) I’m thinking that one update of fedora didnt liked something in my HOME WIFI connection:

speedtest result:

~]$ speedtest

   Speedtest by Ookla

     Server: Vivo  (id = XXXXX)
        ISP: Vivo
    Latency:     2.10 ms   (0.71 ms jitter)
   Download:   288.04 Mbps (data used: 470.5 MB)                               
     **Upload:     1.57 Mbps (data used: 4.8 MB)**

Normally it would be 250/200, I’m getting around 250/2

sorry for this much of information but, I’m testing everything to find the point. I’ll keep adding any new info.

vgaetera · January 9, 2021, 9:51am

Disable automatic DNS and configure a major DNS provider:

nmcli connection modify id HOME-WIFI \
    ipv4.dns 8.8.8.8,8.8.4.4 \
    ipv4.dns-priority 0 ipv6.dns-priority 0 \
    ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes
nmcli connection down id HOME-WIFI
nmcli connection up id HOME-WIFI

Verify the system is using the configured resolvers:

resolvectl dns
resolvectl query example.org

bgreaterthanavg · January 9, 2021, 4:56pm

The dns was configured but the system fail to use it look:

[user@localhost ~]$ sudo nmcli connection modify HOME-WIFI \
>     ipv4.dns 8.8.8.8,8.8.4.4 \
>     ipv4.dns-priority 0 ipv6.dns-priority 0 \
>     ipv4.ignore-auto-dns yes ipv6.ignore-auto-dns yes \
> 
[sudo] password for user: 
[user@localhost ~]$ nmcli connection down HOME-WIFI 
Connection 'HOME-WIFI' successfully deactivated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/1)
[user@localhost ~]$ nmcli connection up HOME-WIFI 
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/3)
[user@localhost ~]$ resolvectl dns
Global:
Link 2 (enp1s0):
Link 3 (wlo1): 8.8.8.8 8.8.4.4
Link 4 (virbr0):
Link 5 (virbr0-nic):
[user@localhost ~]$ resolvectl query www.google.com
www.google.com: resolve call failed: All attempts to contact name servers or networks failed
[user@localhost ~]$ resolvectl query www.bbc.com
www.bbc.com: resolve call failed: All attempts to contact name servers or networks failed
[user@localhost ~]$ resolvectl query www.bing.com
www.bing.com: resolve call failed: All attempts to contact name servers or networks failed

vgaetera · January 9, 2021, 6:39pm

That’s weird, try this:

nslookup example.org
ping -w 3 8.8.8.8; nslookup example.org 8.8.8.8
ping -w 3 1.1.1.1; nslookup example.org 1.1.1.1

bgreaterthanavg · January 9, 2021, 8:26pm

I’d got these results:

@localhost ~]$ ping -w 3 8.8.8.8; nslookup www.google.com 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=51.0 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=50.8 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=50.9 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 50.760/50.876/50.987/0.092 ms
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find www.google.com: REFUSED

@localhost ~]$ ping -w 3 1.1.1.1; nslookup www.google.com 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=59 time=60.4 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=59 time=60.1 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=59 time=60.2 ms

--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 60.055/60.220/60.385/0.134 ms
Server:		1.1.1.1
Address:	1.1.1.1#53

** server can't find www.google.com: REFUSED

vgaetera · January 9, 2021, 8:45pm

It appears that something is blocking your DNS traffic.
You can try to enable DNS encryption to override the issue:

sudo mkdir -p /etc/systemd/resolved.conf.d
sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
[Resolve]
DNSOverTLS=yes
EOF
sudo systemctl restart systemd-resolved.service

bgreaterthanavg · January 9, 2021, 8:53pm

I did it but nothing changed look:

~]$ sudo mkdir -p /etc/systemd/resolved.conf.d
[user@localhost ~]$ sudo tee /etc/systemd/resolved.conf.d/00-custom.conf << EOF > /dev/null
> [Resolve]
> DNSOverTLS=yes
> EOF
[user@localhost ~]$ sudo systemctl restart systemd-resolved.service
[user@localhost ~]$ ping -w 3 8.8.8.8; nslookup www.google.com 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=119 time=50.8 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=119 time=89.9 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=119 time=51.3 ms

--- 8.8.8.8 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 50.832/64.035/89.933/18.313 ms
Server:		8.8.8.8
Address:	8.8.8.8#53

** server can't find www.google.com: REFUSED

anything else that I have to do?

Important: I tested and deleted

sudo rm 00-custom.conf

I did this because every connection stopped working with the file

vgaetera · January 9, 2021, 9:41pm

This kind of reply is typically related to firewall-specific problems.
Are you filtering DNS traffic on the router?
Is your VPN active when the issue happens?

bgreaterthanavg · January 9, 2021, 9:47pm

I do not know about the router, how can I check?
I never changed anything in firewall, how can I check?
VPN is off whole time.

ilikelinux · January 10, 2021, 9:41pm

" https://www.youtube.com/watch?v=EAnm383PG4Y "

If you router is different try to search in internet with your routers model included.
For the Video above i used “como accessar o roteador da vivo”

Your router might have a firewall too … If you can’t configure please ask your ISP (VIVO) for help.

" https://docs.fedoraproject.org/en-US/quick-docs/firewalld/ "