Unable to use Private Internet Access's DNSs with Fedora 43

I am using Private Internet Access (PIA) for my VPN. I’ve used PIA’s DNS without any issues with Fedora 41 and 42. Since upgrading to Fedora 43, I get an error from PIA saying that the DNS couldn’t be configured (see attachment). If I choose ‘Use Existing DNS’, I’m able to connect to the PIA VPN server.

FYI, I’ve sent a request to PIA for help with this issue. But I’m hoping that I could get some insights from a Fedora-specific perspective.

Thanks.

How would one be able to help you solve the problem without even knowing what step is failing? Apparently, there is a button that shows you a log file. You should take a look and/or post the logs.

The link/button to display the PIA log file is unresponsive, because PIA is looking for /opt/piavpn/var/daemon.log, which doesn’t exist. Since PIA runs as a systemd service, I ran journalctl -f to try to see what is happening. There is a non-stop sequence of messages related to iptables (NETFILTER_CFG, ….. com=iptables). Please see the attachment. I’m not familiar with iptables, but plan to dig deeper.

Thanks.

I was able to figure out how to enable logging from PIA. The following is the message that occurs non-stop, when the error for selecting PIA DNS occurs:

```
[2025-11-13 16:58:06.925][0a21][net.iptables_firewall][src/linux/iptables_firewall.cpp:166][info] Executing linkChain with mustbefirst  if ! iptables -w -L OUTPUT -n --line-numbers -t nat 2> /dev/null | awk 'int($1) == 1 && $2 == "piavpn.OUTPUT" { found=1 } END { if(found==1) { exit 0 } else { exit 1 } }' ; then iptables -w -I OUTPUT -j piavpn.OUTPUT -t nat && iptables -L OUTPUT -n --line-numbers -t nat 2> /dev/null | awk 'int($1) > 1 && $2 == "piavpn.OUTPUT" { print $1; exit }' | xargs iptables -w -t nat -D OUTPUT ; fi
```

Vladislav: Thanks for your response. I’m embarrassed to say that my knowledge of iptables and SELinux is quite limited.

I ran the commands you suggested and here are the results:

```
root@jon-fedora:~# setenforce 0
root@jon-fedora:~#
root@jon-fedora:~# restorecon -F -R /opt
root@jon-fedora:~#
root@jon-fedora:~#
root@jon-fedora:~# journalctl --no-pager -b -g avc
Nov 13 13:29:51 jon-fedora dbus-broker[3875]: selinux/macstatus: avc: op=setenforce lsm=selinux enforcing=0 res=1
Nov 13 13:29:52 jon-fedora audit[710]: AUDIT2313 pid=710 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: op=setenforce lsm=selinux enforcing=0 res=1 exe="/usr/bin/dbus-broker" hostname=? addr=? terminal=? res=success'
Nov 13 13:30:04 jon-fedora systemd[3789]: selinux: avc: op=setenforce lsm=selinux enforcing=0 res=1
Nov 13 13:30:52 jon-fedora audit[101837]: AVC avc: denied { associate } for pid=101837 comm="restorecon" name="/" dev="cgroup" ino=1 scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
Nov 13 13:37:35 jon-fedora dbus-broker[4032]: selinux/macstatus: avc: op=setenforce lsm=selinux enforcing=0 res=1
root@jon-fedora:~#
root@jon-fedora:~#
root@jon-fedora:~# iptables -w -L OUTPUT -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
piavpn.OUTPUT all -- anywhere anywhere
root@jon-fedora:~#
```

I was able to fix this problem by installing the most recent version of PIA despite it being labelled for Ubuntu 18.04+, Mint 19+, Arch, Debian (there was no version that was designated for RedHat/Fedora).

Glad you got it sorted! The underlying cause is the iptables/nftables transition that completed in Fedora 43. The newer PIA installer you used (the Ubuntu 18.04+ package) ships a more recent version of the daemon that handles the nftables compatibility layer properly – or has been updated to use nftables-native commands. The older Fedora-specific installer was likely built against an older iptables API that doesn’t translate cleanly through iptables-nft on F43, which is what causes that NETFILTER_CFG loop in journalctl.

For anyone else finding this via search – if updating PIA is not an option, you can also switch to iptables-legacy mode as an alternative. Install with `sudo dnf install iptables-legacy`, then run `sudo alternatives --set iptables /usr/sbin/iptables-legacy` and `sudo alternatives --set ip6tables /usr/sbin/ip6tables-legacy`, then `sudo systemctl restart piavpn`. That bypasses the nftables translation layer entirely and lets older VPN clients use the traditional kernel iptables backend without any code changes on PIA’s side.

Best of luck with it.
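
Added example (not from any poster in this thread and not PIA's code): a read-only check of which iptables backend is active and whether the `piavpn.OUTPUT` jump sits at rule 1 of the nat OUTPUT chain, which is the condition the daemon's `linkChain` log line tests. The function names, the `--live` switch and the sample version string and listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: read-only checks; sample data below is constructed.

# Classify the text printed by `iptables --version`.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        *"(legacy)"*)    echo legacy ;;
        *)               echo unknown ;;
    esac
}

# Read `iptables -w -L OUTPUT -n --line-numbers -t nat` output on stdin and
# print the rule numbers that jump to chain $1, space separated.
chain_positions() {
    awk -v chain="$1" '$1 ~ /^[0-9]+$/ && $2 == chain { printf "%s%s", sep, $1; sep = " " }
                       END { print "" }'
}

# Mirror the "mustbefirst" test in the daemon log: is rule 1 the jump?
link_state() {
    case "$1" in
        "")       echo missing ;;
        1|"1 "*)  echo first ;;
        *)        echo not-first ;;
    esac
}

# Constructed sample inputs (not taken from the poster's machine).
SAMPLE_VERSION='iptables v1.8.11 (nf_tables)'
SAMPLE_LISTING='Chain OUTPUT (policy ACCEPT)
num  target         prot opt source      destination
1    piavpn.OUTPUT  all  --  0.0.0.0/0   0.0.0.0/0'

if [ "${1:-}" = "--live" ]; then   # needs root
    version=$(iptables --version)
    listing=$(iptables -w -L OUTPUT -n --line-numbers -t nat)
else
    version=$SAMPLE_VERSION
    listing=$SAMPLE_LISTING
fi
echo "backend: $(iptables_backend "$version")"
echo "piavpn.OUTPUT: $(link_state "$(printf '%s\n' "$listing" | chain_positions piavpn.OUTPUT)")"
```

Running it before and after the `alternatives --set` step shows whether the backend actually changed from `nf_tables` to `legacy`.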