[RESPONDED] Bad internet connection using VPN on Fedora 39 FW 13" AMD

I don’t know if this is the right place to put request, if not, I’m sure someone will tell me. Either way, I could use some help with the following.

Issue: I use the IVPN GUI based app on Fedora 39 and get a flaky connection. Some websites load, some don’t.

Examples:
Firefox / Brave: https: //duckduckgo .com - works
Firefox / Brave: https: //frame .work - works
Firefox / Brave: https: //knowledgebase .frame.work - does not load
Firefox / Brave: https: //1password .com - does not load
Firefox / Brave: https: //ivpn .net - does not load
Terminal: ping duckduckgo .com - works
Terminal: ping ivpn .net - does not work, and times out
Terminal: ping x.x.x.x - ip address of IVPN’s server - works

Without the VPN, I have a good working internet connection.

At first, this seemed like a DNS issue, hence that’s where I, together with IVPN’s support team, started searching. But we haven’t found a solution yet. And right now I don’t know if that is where we should look, hopefully someone here can tell me where to look.

Setup:

  • Framework laptop 13" AMD + Fedora 39 workstation - official edition
    • The system is installed this week, and includes bios 3.03
    • After installation I only did the following, and nothing else:
      • Updated Fedora (sudo dnf upgrade)
      • Added the IVPN repo
      • Installed their app as described on their website (sudo dnf install ivpn-ui)
      • These details are to show that the installation is as vanilla as possible
  • I use a router that connects to a cellular network (Netgear M1 nighthawk) - i.e. sim card in wifi out.

Things I tried and did not work:

  • Both Wireguard and OpenVPN, but obviously the focus is on using Wireguard
  • MTU related
    • Tried many different MTU settings in the GUI client (ranging from MTU 1284 to 1420)
    • The router doesn’t offer me the option to specify MTU / MSS settings
    • I also modify MTU settings on the network adapter, like: sudo ip link set dev wlp1s0 mtu 1380
  • Tried V2ray and other obfuscation options
  • All of the above on IPv4 and IPv6 (by toggling the ‘enable IPv6’ setting in IVPN GUI)
  • All tests used ‘single-hop’ and not ‘multi-hop’
  • All without using custom DNS services, and no special domain blocking settings on my router, nor on the laptop.
  • Mullvad
    • I installed Mullvad and got almost the same results
    • the only difference is that instead of websites not loading and ping timing out, I get the message: “temporary failure in name resolution” - some websites still work, for example duckduckgo queries work, just like with IVPN

What does work:

  • Using manual configuration of wireguard in the terminal works! (wg-quick up ...)
    • Bot IVPN and Mullvad work this way
    • This connection loads websites blazing fast, almost instantaneous. Hence, no signs of DNS or MTU issues.
  • I use IVPN on a Macbook and Iphone on the same network and those always work.

content of /etc/resolv.conf:

nameserver 127.0.0.53
options edns0 trust-ad
search net

After all this, I received another reply from the IVPN team:

  • They had installed Fedora 39 on their system and said that IVPN worked as expected
  • They offered some ideas to force either IPv4 or IPv6, see following three options.
    • I don’t really know what to do with the first two, so I tried option 3, without success.

Option 1: Preferring IPv4 might offer another solution:

Option 2: Prioritizing IPv6 is available on other Linux distributions via the /etc/gai.conf file, though I am not aware of anything like this for Fedora specifically:

Option 3: Run these commands to disable IPv6; a system reboot may or may not be required:

echo 'net.ipv6.conf.all.disable_ipv6=1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.default.disable_ipv6=1' | sudo tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.lo.disable_ipv6=1' | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

My take on IPv4 vs IPv6:

  • I don’t prefer one over the other, I think both should work. I would only choose IPv6 due to it being the future.
  • My Macbook seems to do fine with both. I am not an expert at this. But in the past the ‘enable IPv6’ option was unchecked in IVPN’s settings. Now I have it checked, and it confirms to be connected to a IPv6 enabled server. So from this I conclude that both work.

I received my Framework laptop a week ago, and because I don’t go online without a VPN connection, I haven’t been able to use it so far. All though the IVPN support team has been quick to respond, and offered many suggestions; after a week of much back and forth, I find myself without a solution and at my wits’ end.

#framework-laptop:linux

Sorry to hear that. Curious from reading on IVPN site, they deploy Wireguard VPN. I am running a selfhosted wireguard server myself and my framework is connected to it and I do not have any problems.Though my server is currently IPv4 only. I hope for you that your issue will be resolved soon.

Welcome to the community!

As a general rule, if the sites work with the VPN off, it’s the VPN at some level.

My overall guess is wireguard is mis-configured somewhere along the line. It is working from a CLI, but fails elsewhere. Your /etc/resolv.conf looks right. Everything indicates that there is either some oddball conditional DNS resolution issue (which is proven to be false with the terminal as it works there) or there is a real issue with something in their config.

You also indicated that both OpenVPN and Wireguard were a fail.

Things we can do to dial this in:

  • If you have a second drive available, install it, load a FRESH installation of Fedora 39. Make zero changes to it. We want this to be a vanilla as possible, no tweaks, changes or updates. Every change adds a layer of complexity to be unraveled and examined. No ipv6 adjustments off or on, nothing. Just a vanilla installation.

  • Without changing anything whatsoever, install Fedora 39.

  • Install ivpn-ui and ivpn

  • Again, no updates - test again with Firefox. Working? Okay.

  • Disconnect from the VPN, THEN do your updates. (Trust me on this). I have seen instances where on Ubuntu/Pop for example, having a VPN can really mess things up for updating due to repo configs. Do not skip this step.

  • Reboot, then with the updates applied, try the then and only then reconnect to the VPN and test again. Does it match the results seen before your updates?

2 Likes

Thanks for the replies.

@Matt_Hartley, I followed your suggestions to the letter, which didn’t solve the issue, but did result in new options to try.

The issue is not resolved yet. But I do have some updates, see as follows.

  • The issue on (what I call) a second degree is IVPN’s Firewall (kill-switch is how some other VPN providers call this feature). In a nutshell: the Firewall ensures that all trafic is routed through the VPN, and blocks the connection when a leak is about to take place. In effect, much of my internet gets blocked.

  • I have confirmed to get DNS leaks when the Firewall is disabled. So, the firewall is not causing false alarm.

    • The DNS leak test on browserleaks.com showed several DNS servers, one from IVPN, and a couple from my ISP

I presume the issue to the first degree would be the cause for the DNS leak, which I have yet to find.

  • I have tested my Fedora based FW laptop on 3 other networks, and it worked on all three with IVPN’s out-of-the-box-configurations - including firewall enabled.
    • I reinstalled Fedora for this test, and only installed IVPN after that, even excluding updates.
    • The networks included a regular home network and two phone hotspots, one of which is my iphone which connects to the same ISP, as my router (for the contended connection).

So this suggest the problem isn’t at my laptop, but the network. Yet, my Macbook and Iphone do just fine on this same network with IVPN and their firewall enabled - regardless of using openVPN, wireguard IPv4/6.

The following I already covered in my initial request, and doesn’t offer new results. But I have delved a little deeper since then.

  • My ISP most likely only offers IPv4, all though I’m not entirely certain.
    • IVPN’s customer service suggested that if my ISP only offers IPv4 and I’m trying to use IPv6, this may cause for DNS problems. I wasn’t sure if this mattered at first because I enabled IPv6 on my Macbook (in IVPN’s settings) using the same network, and got connected to a IPv6 VPN server.
    • But when I tried, I couln’t find details provided by my ISP, but I have read complains online about not having IPv6 regarding the same ISP. Besides that, my router shows an outward IPv4 ip and is blank at the IPv6 designation.
  • Preferring IPv4 / disabling IPv6 doesn’t resolve the issue, so far
    • As a solution to the previous point IVPN offered option to force the use of IPv4.
    • I used the ‘heavy handed approach’ to force IPv4, like I did last time (see Option 3 in my initial request).
  • Router reset didn’t help.
    • I reset my router to factory settings, and disconnected it from my ISP for more than 10 minutes - which is supposed to reset the system relating my simcard at their end.

Maybe another VPN provider?

  • I have read a suggestion of switching VPN provider, since their system is part of what makes the connection and could, presumably, be part of the problem.
    • I want to keep using IVPN as they are the only ones I know to offer custom DNS with DoH support, and feature parity on all platforms.
    • I tried Mullvad, which shows similar issues to IVPN (offers custom DNS but not DoH).
    • I tried ProtonVPN, which seems to work (though I havn’t checked for leaks), but doesn’t offer custom DNS at all, and their Linux app is sorely behind in feature parity.

I am, again, at a loss what to do from here.

Based on the fact that there is a DNS leak, that would give me significant pause.

I have used ExpressVPN while traveling. it works well and while you will see a multitude of DNS servers when looking for leaks, all of them are as it should be - not the ISP. They do offer their own DNS handling as part of their setup.

Will it be as full featured? Not sure, but I have been happy with them for years since moving off of PIA some years ago. I use them for privacy while on public WiFi. They offer a 30 day refund period, might be worth a try.

Success! My Framework-Fedora system can finally go online while using IVPN.

It took me some time to get get back. Thanks for all the replies.

I ended up buying a new router - which was suggested to me by IVPN staff. After lots of (additional) frustration I got it to work.

For anyone who cares to know how I made it to work, read as follows.

Initially I put the Netgear M1 in ‘IP passthrough’ mode to turn it into modem only and make the new router (Netgear RAX30) in charge of NAT functionality. But the router didn’t get working internet access (it works for a second, just enough to get IP info from the ISP, and then it flunks).

As you probably guessed, my ISP offers only 4G which means I’m behind their CGNAT. From what I learned online, this may be the cause for IP passthrough not working.

I got the connection working by the following changes:

  • Changed the APN of my ISP to a more open (and less secure) NAT
    • they say I will receive real IP, all though not static (24hr renewal cycle). But so far, I didn’t. I think if I did, the IP passthrough would work.
  • Kept the M1 in regular (modem + router / NAT) mode but setup for port-forward by:
    • Turning off DDNS
    • Enabling DMZ for a single IP (pointing to the new router).
      • Modem M1 IP: 192.168.1.1
      • Router RAX30 IP: 192.168.1.2
  • Setup the routers internet connection manually by:
    • IP: 192.168.1.2
    • Subnet mask: 255.255.255.0
    • Gateway IP: 192.168.1.1
    • DNS: the ISP’s DNS
    • The LAN addresses: IP Router 10.0.0.1 DHCP Range 10.0.0.20 - 10.0.0.256

I guess this may be a triple NAT situation, far from ideal. But, I did get it to work - at last!