I am using Private Internet Access (PIA) for my VPN. I’ve used PIA’s DNS without any issues with Fedora 41 and 42. Since upgrading to Fedora 43, I get an error from PIA saying that the DNS couldn’t be configured (see attachment). If I choose ‘Use Existing DNS’, I’m able to connect to the PIA VPN server.
FYI, I’ve sent a request to PIA for help with this issue. But, I’m hoping that I could get some insights from a Fedora specific perspective.
Thanks.
How would one be able to help you solve the problem without even knowing what step is failing. Apparently, there is button that shows you a log file. You should take a look and/or post the logs.
The link/button to display the PIA log file is unresponsive, because PIA is looking for /opt/piavpn/var/daemon.log which doesn’t exist. Since PIA runs as systemd service, I ran journalctl -f to try to see what is happening. There is a non-stop sequence of messages related to iptables (NETFILTER_CFG, ….. com=iptables). Please see the attachment. I’m not familiar with iptables, but plan to dig deeper.
Thanks.
I was able to figure out how to enable logging from PIA. The following is the message that occurs non-stop, when the error for selecting PIA DNS occurs:
\[2025-11-13 16:58:06.925\]\[0a21\]\[net.iptables_firewall\]\[src/linux/iptables_firewall.cpp:166\]\[info\] Executing linkChain with mustbefirst if ! iptables -w -L OUTPUT -n --line-numbers -t nat 2> /dev/null | awk ‘int($1) == 1 && $2 == “piavpn.OUTPUT” { found=1 } END { if(found==1) { exit 0 } else { exit 1 } }’ ; then iptables -w -I OUTPUT -j piavpn.OUTPUT -t nat && iptables -L OUTPUT -n --line-numbers -t nat 2> /dev/null | awk ‘int($1) > 1 && $2 == “piavpn.OUTPUT” { print $1; exit }’ | xargs iptables -w -t nat -D OUTPUT ; fiVladislav: Thanks for your response. I’m embarrased to say that my knowledge of iptables and selinux is quite limited.
I ran the commands you suggested and here are the results:
root@jon-fedora:~# setenforce 0
root@jon-fedora:~#
root@jon-fedora:~# restorecon -F -R /opt
root@jon-fedora:~#
root@jon-fedora:~#
root@jon-fedora:~# journalctl --no-pager -b -g avc
Nov 13 13:29:51 jon-fedora dbus-broker[3875]: selinux/macstatus: avc: op=setenforce lsm=selinux enforcing=0 res=1
Nov 13 13:29:52 jon-fedora audit[710]: AUDIT2313 pid=710 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg=‘avc: op=setenforce lsm=selinux enforcing=0 res=1 exe=“/usr/bin/dbus-broker” hostname=? addr=? terminal=? res=success’
Nov 13 13:30:04 jon-fedora systemd[3789]: selinux: avc: op=setenforce lsm=selinux enforcing=0 res=1
Nov 13 13:30:52 jon-fedora audit[101837]: AVC avc: denied { associate } for pid=101837 comm=“restorecon” name=“/” dev=“cgroup” ino=1 scontext=system_u:object_r:etc_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
Nov 13 13:37:35 jon-fedora dbus-broker[4032]: selinux/macstatus: avc: op=setenforce lsm=selinux enforcing=0 res=1
root@jon-fedora:~#
root@jon-fedora:~#
root@jon-fedora:~# iptables -w -L OUTPUT -t nat
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
piavpn.OUTPUT all – anywhere anywhere
root@jon-fedora:~#
I was able to fix this problem by installing the most recent version of PIA despite being labelled for Ubuntu 18.04+, Mint 19+, Arch, Debian (there was No version that was designated for RedHat/Fedodra).