If you want to use/connect to VPN without installing the VPN client on your system, the common way to do it is through the WireGuard configuration file.
This is preferable on an immutable OS, e.g. Fedora Silverblue, unless the VPN provider you're using has their client officially available on Flathub.
Why not wireguard-tools
Because using the WireGuard configuration file in GUI (GNOME's network settings) is easier and faster.
The issue with systemd-resolved vs NetworkManager
It's funny that these two don't work together very well. systemd-resolved is enabled by default in Fedora Silverblue, for example, while NetworkManager is the backend of GNOME's network settings.
Considering that Fedora Silverblue is an immutable OS that has its main focus on GNOME, you can clearly see from miles away that this mix and match is a disaster 😂
1. Disable systemd-resolved
If you're going to use a VPN at all in Fedora Silverblue, unless you love having your DNS leak while using the VPN, I recommend you disable systemd-resolved:
sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved
If you symlinked /etc/resolv.conf to /run/systemd/resolve/stub-resolv.conf, as I wrote here, remove the link too:
sudo rm /etc/resolv.conf
Don't worry, this file will be regenerated by NetworkManager.
If you have issues removing it, you may have made it immutable; fix that with this, then try again:
sudo chattr -i /etc/resolv.conf
2. Enable DNS option in NetworkManager
To ensure NetworkManager manages DNS reliably, enable dnsmasq, which is already installed in Fedora Silverblue. You don't have to layer anything:
sudo nano /etc/NetworkManager/NetworkManager.conf
In the [main] section, put in this line:
dns=dnsmasq
Save the file, then restart NetworkManager:
sudo systemctl restart NetworkManager
3. Set up your default DNS
It's extremely important NOT to use your ISP's DNS. Why? Because it's unlikely to be encrypted. Not only that, it's prone to censorship.
Please use a secure DNS from a reputable provider like Cloudflare or Quad9. Use Quad9 if you don't have the Cloudflare WARP proxy set up as I wrote here. Otherwise, it's better to use Cloudflare, so you won't have a leak with the WARP proxy.
Cloudflare DNS
I recommend using the Families (malware filtering) endpoint 1.1.1.2 or 1.0.0.2 instead of the usual 1.1.1.1. See more here.
Quad9
As the name suggests, 9.9.9.9. Quad9 filters out malware by default. From the many tests I've seen over the years, it leads in this regard, slightly better than Cloudflare's 1.1.1.2. See more on their website.
Make either of them your default DNS per connection easily in GNOME settings.
For example, in your Wi-Fi settings, put in the DNS's IPv4 and IPv6 addresses accordingly:
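Steps 1 to 3 above as one idempotent script. This is an added example, not part of the original post: it assumes the paths the post uses (/etc/NetworkManager/NetworkManager.conf and /etc/resolv.conf), uses nmcli as the command-line equivalent of the GNOME DNS dialog, and adds the secondary Quad9 and Cloudflare Families addresses (149.112.112.112, 2620:fe::fe, 2620:fe::9, 2606:4700:4700::1112, 2606:4700:4700::1002) that the post does not list. The helper functions only edit files you pass them; the system changes run only when APPLY_DNS_FIX=1 is set and the script runs as root.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   APPLY_DNS_FIX=1 sudo sh ./fix-nm-dns.sh [connection-name]
# Without APPLY_DNS_FIX=1 nothing on the system is touched.

# True if resolv.conf is the symlink into systemd-resolved's stub directory
# (the setup the post tells you to undo).
resolv_conf_is_resolved_stub() {
    [ -L "$1" ] || return 1
    case "$(readlink "$1")" in
        */systemd/resolve/*) return 0 ;;
    esac
    return 1
}

# Ensure exactly one "dns=dnsmasq" line under [main] in a NetworkManager.conf:
# replaces an existing dns= setting, appends one if missing, creates [main] if absent.
# Safe to run repeatedly.
nm_enable_dnsmasq() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf"
    grep -q '^\[main\]' "$conf" || printf '[main]\n' >> "$conf"
    awk '
        /^\[/ {
            if (in_main && !set) { print "dns=dnsmasq"; set = 1 }
            in_main = ($0 == "[main]")
        }
        in_main && /^[[:space:]]*dns[[:space:]]*=/ {
            if (!set) { print "dns=dnsmasq"; set = 1 }
            next
        }
        { print }
        END { if (in_main && !set) print "dns=dnsmasq" }
    ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Resolver addresses. The secondary/IPv6 addresses are assumed from the
# providers' published values, not taken from the post.
QUAD9_V4="9.9.9.9 149.112.112.112"
QUAD9_V6="2620:fe::fe 2620:fe::9"
CF_FAMILIES_V4="1.1.1.2 1.0.0.2"
CF_FAMILIES_V6="2606:4700:4700::1112 2606:4700:4700::1002"

# Pin a connection's DNS with nmcli and stop it from accepting the
# DHCP-supplied ISP resolvers, which is what the GNOME dialog does for you.
set_connection_dns() {
    con="$1"; v4="$2"; v6="$3"
    nmcli connection modify "$con" ipv4.dns "$v4" ipv4.ignore-auto-dns yes
    nmcli connection modify "$con" ipv6.dns "$v6" ipv6.ignore-auto-dns yes
    nmcli connection up "$con"
}

if [ "${APPLY_DNS_FIX:-0}" = 1 ]; then
    # Step 1: disable systemd-resolved and drop its stub resolv.conf link.
    systemctl stop systemd-resolved
    systemctl disable systemd-resolved
    if resolv_conf_is_resolved_stub /etc/resolv.conf; then
        chattr -i /etc/resolv.conf 2>/dev/null || true
        rm -f /etc/resolv.conf
    fi
    # Step 2: let NetworkManager run dnsmasq as the local resolver.
    nm_enable_dnsmasq /etc/NetworkManager/NetworkManager.conf
    systemctl restart NetworkManager
    # Step 3: pin the named connection to Quad9 (swap in CF_FAMILIES_* for Cloudflare).
    if [ -n "${1:-}" ]; then
        set_connection_dns "$1" "$QUAD9_V4" "$QUAD9_V6"
    fi
fi
```

After it runs, `nmcli device show | grep DNS` should list only the resolvers you pinned; if the ISP's addresses still appear, the connection is still taking DNS from DHCP.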
4. Import your WireGuard configuration file
You can import WireGuard configuration files directly in GNOME's network settings, and use them at will through the quick settings panel. It's that easy, no need to go through many hoops with different VPN clients.
However, there are some caveats. Check your WireGuard configuration file and make sure that, under the [Interface] section, the DNS line exists and is not commented out. Otherwise, your VPN connection will fall back to the default DNS address from the previous step, and hence leak.
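A pre-import check for that caveat, added here as an example and not part of the original post: it refuses to import a WireGuard file whose [Interface] section has no active DNS= line, and otherwise hands the file to NetworkManager with `nmcli connection import type wireguard`. The sample configuration values in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Usage:
#   WG_IMPORT=/path/to/wg0.conf sh ./wg-import-checked.sh
# Without WG_IMPORT set, only the functions are defined.

# Exit 0 if the file has an uncommented, non-empty "DNS = ..." line inside
# [Interface]; exit 1 otherwise. A "#DNS = ..." line or a DNS= line that sits
# under [Peer] does not count, because the tunnel would then use the default
# resolver of the underlying connection.
wg_conf_has_dns() {
    awk '
        /^[[:space:]]*\[/ { in_iface = ($0 ~ /^[[:space:]]*\[Interface\]/); next }
        in_iface && /^[[:space:]]*DNS[[:space:]]*=[[:space:]]*[^[:space:]]/ { found = 1 }
        END { exit !found }
    ' "$1"
}

# Import into NetworkManager only when the DNS check passes.
wg_import() {
    conf="$1"
    if ! wg_conf_has_dns "$conf"; then
        echo "refusing to import $conf: no active DNS= line under [Interface]; the tunnel would leak DNS" >&2
        return 1
    fi
    nmcli connection import type wireguard file "$conf"
}

if [ -n "${WG_IMPORT:-}" ]; then
    wg_import "$WG_IMPORT"
fi
```

Once the tunnel is up, confirm on https://dnscheck.tools/ that the resolver shown is the one from the [Interface] DNS line and not your default connection's resolver.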
The best place to check your public IP and DNS addresses you're using is https://dnscheck.tools/
Thanks for reading 🙏 God bless ✝️
Cover Photo by Gavin Allanwood on Unsplash