VPN bug and leaks during changeover

Fedora 39 Workstation.
Lenovo Yoga 7 16ARP8

I’ve used a VPN for many years, just moved to Fedora from Mac and I’m using the built in VPN functionality in the top right drop down (sorry, don't know the proper terminology).
I downloaded some Wireguard config files from my VPN provider, and set them up in Network settings. I have 6 or 7 currently. I have two problems:

  1. Constant notifications of “Failed to activate network connection”, whilst there is no issue at all, connected just fine. These come and go for a while after waking machine (which re-establishes connection very quickly, especially with me using Wireguard protocol). I can live with it, but it’s annoying as they just float there until I get rid, then another one arrives a few seconds later. There’s definitely no actual problem with internet connectivity during this time so it seems like some kind of bug due to VPN use, doesn’t happen when I am not on VPN.

  2. More problematic is the fact I can’t switch my VPN connection without exposing my real IP. This is a big enough concern that I will be forced to install a VPN app, which means paying again for a different VPN as my current one doesn’t have a great app. When I click the top right drop down, let’s say it’s connected to “Chicago”, if I want to switch to say “Washington”, I have two options:

a) Click “VPN” which turns it off, then click right arrow to choose a connection to switch on
b) Click the right arrow (this is what I do), (Ha there goes another connection failure msg as I type this!) and move the Chicago switch to off, which closes the dialogue, so I have to then quickly click to bring it down again, click the right arrow again, and choose “Washington”.

In the time this takes to do, my real IP is exposed (I have confirmed this).

Just wondered if anyone knows about this and is addressing it. Otherwise I will start looking at VPN services with good linux apps.

Thanks

PS Before using the built in VPN functionality of Fedora, I did ask around and was advised that it has built in ‘leak protection’, aka ‘kill switch’. I think this is true, meaning if I am connected to VPN and lose the connection temporarily, my IP isn’t exposed while the connection is re-established. That’s great, but due to the lack of a dedicated setting for a ‘kill switch’, I can’t have any leak protection during switching of connections.

1 Like

That menu should be called Quicksettings I guess.

Yes in KDE it is the same, there is no network lock feature natively built in.

It could totally be possible with a few commands, that is what apps like Mullvad do.

ChatGPT gave me this (a bit modified)

cat > ~/.local/bin/vpn-chicago <<'EOF'
#!/bin/bash
# Kill switch for switching WireGuard connections (iptables version).
# iptables resolves a hostname when the rule is added, so the rules that
# allow the VPN servers must be added BEFORE outgoing traffic is blocked.
for server in example.com example2.com; do
    sudo iptables -A OUTPUT -p udp -d "$server" --dport 51820 -j ACCEPT &&\
    echo "Allow traffic to VPN server $server." ||\
    { echo "Allowing $server FAILED"; exit 1; }
done

# Block all other outgoing traffic (IPv4 and IPv6, otherwise IPv6 leaks)
sudo iptables -P OUTPUT DROP && sudo ip6tables -P OUTPUT DROP &&\
echo "Blocking all traffic" ||\
{ echo "Blocking all traffic FAILED"; exit 1; }

# connect to VPN (example config; the Endpoint in CHICAGO.conf must be an
# IP address, because DNS is blocked at this point)
sudo wg-quick up CHICAGO &&\
echo "VPN connected." ||\
{ echo "VPN connection failed! Traffic stays blocked (iptables -P OUTPUT ACCEPT to unlock)."; exit 1; }

# Only when the VPN is up (&&) unblock the network
sudo iptables -P OUTPUT ACCEPT && sudo ip6tables -P OUTPUT ACCEPT &&\
echo "Network unlocked."
EOF

chmod +x ~/.local/bin/vpn-chicago
vpn-chicago

This blocks all traffic, enables only some websites and ports (you may need to check which are needed to establish the wireguard connection) and should wait until the connection is established.

It works by URLs so no IP address problems. You can put all DNS server URLs in the same command to make it easy.

This could then be triggered by a GNOME extension, or you run it from terminal.

Thanks as always, sounds very neat, but beyond me sadly at this point. I just need a native built in (GUI) solution. I’ll go for an app that has the feature built in like Mullvad. Thanks again though, I’ve bookmarked this for when I have more confidence, which will be sooner than expected at this rate 🙂

1 Like

Give it a try first, it should be very possible.

Automated and fixed that command, added error messages.

This is a bigger issue and using some random locked in app is not a good solution. Though, I also use Mullvad to easily have secure DNS and insecure DNS when needing to login to captive portals, which is a currently dealt with issue.

This is how it should work with firewalld, which is default on Fedora:

cat > ~/.local/bin/vpn-chicago <<'EOF'
#!/bin/bash
# Kill switch for switching WireGuard connections (firewalld version).
# Fill in the Endpoint address(es) from the [Peer] section of CHICAGO.conf.
VPN_SERVER_IPV4="your_vpn_server_ipv4"
VPN_SERVER_IPV6="your_vpn_server_ipv6"   # leave empty if the server has no IPv6 address
VPN_PORT="51820"
POLICY="vpn-killswitch"

# firewalld zones only filter incoming traffic, so "--set-default-zone=drop"
# blocks nothing outgoing. Outgoing traffic of this host is controlled by a
# policy (ingress zone HOST, egress zone ANY). Creating a policy and setting
# its target are permanent-only options, hence the reload.
sudo firewall-cmd --permanent --delete-policy="$POLICY" >/dev/null 2>&1   # leftover of an aborted run
sudo firewall-cmd --permanent --new-policy="$POLICY" &&\
sudo firewall-cmd --permanent --policy="$POLICY" --add-ingress-zone=HOST &&\
sudo firewall-cmd --permanent --policy="$POLICY" --add-egress-zone=ANY &&\
sudo firewall-cmd --permanent --policy="$POLICY" --set-target=DROP &&\
sudo firewall-cmd --reload &&\
echo "Blocking all traffic" ||\
{ echo "Blocking traffic failed, exiting"; exit 1; }

# Allow traffic to VPN server (IPv4); runtime rule, applies immediately
sudo firewall-cmd --policy="$POLICY" --add-rich-rule="rule family=\"ipv4\" destination address=\"$VPN_SERVER_IPV4\" port port=\"$VPN_PORT\" protocol=\"udp\" accept"

# Allow traffic to VPN server (IPv6)
[ -n "$VPN_SERVER_IPV6" ] &&\
sudo firewall-cmd --policy="$POLICY" --add-rich-rule="rule family=\"ipv6\" destination address=\"$VPN_SERVER_IPV6\" port port=\"$VPN_PORT\" protocol=\"udp\" accept"

# connect to VPN server (needs root like firewall-cmd; the Endpoint in the
# config must be an IP address because DNS is blocked at this point)
sudo wg-quick up CHICAGO &&\
echo "VPN connected." ||\
{ echo "VPN connection failed! Traffic stays blocked (delete the policy and reload to unlock)."; exit 1; }

# unblock outgoing connections: remove the policy again
sudo firewall-cmd --permanent --delete-policy="$POLICY" &&\
sudo firewall-cmd --reload &&\
echo "Internet unlocked" ||\
echo "Internet unlocking failed!"
EOF

chmod +x ~/.local/bin/vpn-chicago

Now the VPN server is still hardcoded in the code, which is really bad. So the port is set but the URLs should be read from the config files, and a menu should allow choosing the VPN connection to establish.

But for your purposes you should get the needed info from the config files (the IPv4 and/or IPv6 addresses), add them all and run the script.

https://meow464.neocities.org/blog/firewalld-vpn-killswitch/

1 Like

Really appreciate your effort here, sincerely, but the truth is I don’t have a clue what most of your comments mean. I’m just nowhere near the level of ability you’re hoping I am when writing what looks like great advice for someone able to do whatever it is you’re saying 🙂

A list of commands I can paste, that’s a bit closer to my ability level! But sadly not quite close enough. I don’t have “Network Manager” either. It’s all just too complex. I need a kill switch I can rely on, and some good VPN apps do implement it well, at least I am reliably informed so anyway.

Far be it from me to say, but I would think it would be something Fedora would look into implementing natively in the VPN functionality. The fact I can’t just flick a different connection switch and have it switch (while blocking internet in between drop and re-connect) seems odd to me, when everything seems so polished generally on Fedora. Maybe not enough people use VPNs these days. Either way, I can’t have my IP leaking out (which happens instantly, so it’s a good second or two of exposure) every time I switch. I guess I switch more often than most do too, and I have to for work reasons.

How does that interact with firewalld?

I want to emphasize this is only true for Wireguard connections. It is not true for VPN connections, where there is no leak protection by default. A lot of users want this, but apparently not enough to actually fix it. (Wireguard is a special built-in connection type; it’s not treated the same as a VPN under the hood.)

2 Likes

Thanks, but I am using Wireguard. I suspect I have heard something similar to your comments here and hence why I chose to get WG configs rather than ovpn ones. But…

It appears there indeed is no leak protection even with me using WG connections. My IP leaks every time I try to switch connection. Or, maybe not, as at a granular level I have to actually switch my connection OFF, in order to be ‘able’ to select another. If I just try to switch to another it refuses every time, so I am forced to disconnect and reconnect, causing the temporary leak/exposure. So yes, maybe if the connection drops itself, I am protected, in which case you’re right. But my point here about how things could be improved, without coding in kill switches etc, is to just allow a straight swap from one connection to another, it would at least be a split second rather than 1-3 seconds 🙂

(I can record what I am doing if that would help). I’ll have to use a 3rd party app which I really don’t want to, but no choice the way things are. 🙁

Not sure, that’s why I added a firewalld version.

The linked article should be more complete.

The link is way above my level. Hence why I wish Fedora would enable some kind of kill switch within the already included VPN functionality. I have no way of implementing one otherwise. Will just have to use VPN apps, which is a real shame IMO.

Could someone advise where/how we can submit a feature request for Fedora please?

Report it to NetworkManager. I was going to say “but surely somebody has already done so” but actually I don’t see any duplicate reports there. Either I’m bad at searching, or nobody has taken the time to file a bug report before. That’s surprising, since the number of users who complain about missing kill switch functionality is very high.

This issue is a little similar, but not the same, so I would report a new issue.

2 Likes

Yes the whole process is not hard at all. NetworkManager would be the right address, then when done GNOME and KDE to include a “use killswitch” button.

For the time being though, I will experiment with that script and maybe write a plasmoid to do it.

Implementing a standard kill switch solution that persists across different VPN connections is more complicated than just the scripts linked above.

Certain types of traffic must be allowed to bypass the kill switch to prevent race conditions and deadlocks for network and time related services:

  • DHCP/DHCPv6/ICMPv6 to configure and update IPv4/IPv6/SLAAC when necessary.
  • NTP to sync system time to properly establish secure connections.
  • DNS to resolve NTP servers and VPN endpoints.

In this case, possible traffic leaks can be mitigated with NTS and DoT.

Some alternative solutions:

  • Using different network namespaces.
  • Moving the VPN gateway role to the router.

1 Like
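As an added example (not code from the thread, nor from firewalld or WireGuard), this is how the allow-list for such a kill switch could be generated instead of typed by hand: the server is read from the tunnel's .conf, as wished for a few posts up, and the bypass traffic listed in this post (DHCP/DHCPv6/ICMPv6, NTP, DNS) is added. It assumes a firewalld policy named vpn-killswitch with ingress zone HOST, egress zone ANY and target DROP already exists (zones alone filter only incoming traffic), that the caller supplies the resolver and NTP server addresses, and that the paths and addresses in the usage comment are placeholders.

```shell
#!/bin/bash
# Added example (not from the thread): builds the rich rules a firewalld
# kill-switch policy (ingress HOST, egress ANY, target DROP) must allow:
# the WireGuard server read from the tunnel's .conf, plus the traffic listed
# above that has to bypass the block. DNS and NTP addresses are assumed given.

# "host port" from the Endpoint line of a config on stdin; handles
# "203.0.113.5:51820", "[2001:db8::5]:51820" and "vpn.example.net:51820".
wg_endpoint() {
    local ep host port
    ep=$(sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' | head -n1 | tr -d '[:space:]')
    [ -n "$ep" ] || return 1
    host=${ep%:*}; port=${ep##*:}
    host=${host#\[}; host=${host%\]}    # strip the brackets of an IPv6 literal
    printf '%s %s\n' "$host" "$port"
}

resolve() {   # print the address(es) of <host>; a literal address passes through
    case $1 in *:*|[0-9]*.[0-9]*.[0-9]*.[0-9]*) printf '%s\n' "$1" ;;
        *) getent ahosts "$1" | awk '{print $1}' | sort -u ;; esac
}

rich_rule() {   # rich_rule <udp|tcp|ipv6-icmp> <port or -> <ipv4|ipv6|address>
    local proto=$1 port=$2 target=$3 family=ipv4 dst=""
    case $target in
        ipv4|ipv6) family=$target ;;
        *) dst=" destination address=\"$target\""; case $target in *:*) family=ipv6 ;; esac ;;
    esac
    if [ "$port" = - ]; then printf 'rule family="%s"%s protocol value="%s" accept\n' "$family" "$dst" "$proto"
    else printf 'rule family="%s"%s port port="%s" protocol="%s" accept\n' "$family" "$dst" "$port" "$proto"; fi
}

# The whole allow-list: killswitch_rules <vpn host> <vpn port> "<dns addr>..." "<ntp addr>..."
killswitch_rules() {
    local a
    for a in $(resolve "$1"); do rich_rule udp "$2" "$a"; done   # resolved now: DNS is cut off once the policy is active
    rich_rule udp 67 ipv4                                         # DHCP
    rich_rule udp 547 ipv6                                        # DHCPv6
    rich_rule ipv6-icmp - ipv6                                    # ICMPv6: router/neighbour discovery for SLAAC
    for a in $3; do rich_rule udp 53 "$a"; rich_rule tcp 53 "$a"; done   # DNS resolvers (TCP 853 with DoT)
    for a in $4; do rich_rule udp 123 "$a"; done                         # NTP servers (NTS-KE adds TCP 4460)
}

# Usage, as root, with the policy already created (placeholder paths and addresses):
#   killswitch_rules $(wg_endpoint < /etc/wireguard/CHICAGO.conf) "192.0.2.53" "192.0.2.123" |
#     while read -r r; do firewall-cmd --policy=vpn-killswitch --add-rich-rule="$r"; done
```

Because the resolvers are let through, wg-quick can also resolve a hostname Endpoint while the policy is active, which the scripts above cannot.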

Thanks, I forgot these.

So we have these additional things that are always required.

  • DNS: allowlisted Port and set IP addresses
  • NTP: allowlisted Port and set URLs
  • DHCP/DHCPv6/ICMPv6 to configure and update IPv4/IPv6/SLAAC when necessary (no comment, too high for me)

And specific to the VPN

  • specific port depending on the protocol, and specific URLs from a list.

Couldn't also NetworkManager get access to the Internet, while all other processes are blocked? This sounds like it would make connection to random configured VPNs possible, and the rest too, not sure about NTP.

This maybe could work using different Network namespaces, but I also don't know what that is

I think it would be great to add that comment in the NetworkManager issue

Here’s a good explanation of namespaces, unfortunately not yet supported by NM:
Routing & Network Namespaces - WireGuard

However, note that similar threats and mitigations apply to NTP and DNS client services as they need to run in the physical namespace, otherwise it requires to run separate service instances in different namespaces.

2 Likes

This all goes wooosh, over my head 🙂
Shame no reply to the bug I reported yet. As someone above said, I’m very surprised nobody else has noticed/reported this problem.
I may just have to go with a VPN app, yuk, but works I guess.