If you want to use or connect to a VPN without installing the VPN client on your system, the common way to do it is through a WireGuard configuration file.
This is preferable on an immutable OS, e.g. Fedora Silverblue, unless the VPN provider you're using has its client officially available on Flathub.
Why not wireguard-tools?
Because using the WireGuard configuration file in GUI (GNOME's network settings) is easier and faster.
1. Set Up systemd-resolved
systemd-resolved is enabled by default in Fedora Silverblue, so you only have to set up its configuration file correctly.
DNSOverTLS=opportunistic is Your Best Friend
Because it is currently the only way to have both: non-leaking DNS when using a VPN (with its own DNS), and the ability to configure your preferred secure DNS in the settings GUI.
If you use DNSOverTLS=no (the default value), you get non-leaking DNS when using a VPN (with its own DNS), but you won't be able to configure any secure DNS in the GUI at all.
If you use DNSOverTLS=yes, you won't be able to use the VPN with its own DNS setup, hence your DNS is forced to leak. Also, you won't be able to configure any secure DNS in the GUI at all. I would say this is the worst setup!
But if you don't use a VPN, you can just use DNSOverTLS=yes and have your secure DNS set up directly in /etc/systemd/resolved.conf. See more here.
In any case, I recommend DNSOverTLS=opportunistic because of its flexibility.
sudo nano /etc/systemd/resolved.conf
Then, in the file:
[Resolve]
DNSOverTLS=opportunistic
Lastly, restart systemd-resolved:
sudo systemctl restart systemd-resolved
2. Set up your default DNS
It's extremely important NOT to use your ISP's DNS. Why? Because it's unlikely to be encrypted. Not only that, it's prone to censorship.
Please use a secure DNS from reputable providers like Cloudflare or Quad9, for example. Use Quad9 if you don't have the Cloudflare WARP proxy set up as I wrote here. Otherwise, it's better to use Cloudflare, so you won't have a leak with the WARP proxy.
Cloudflare DNS
I recommend using the Families (malware filtering) endpoint 1.1.1.2 or 1.0.0.2 instead of the usual 1.1.1.1. See more here.
Quad9
As the name suggests, 9.9.9.9. Quad9 filters out malware by default. From the many tests I've seen over the years, it's leading in this regard, slightly better than Cloudflare's 1.1.1.2. See more on their website.
Make either of them your default DNS per connection easily in GNOME Settings
For example, in your Wi-Fi settings, enter the DNS's IPv4 and IPv6 addresses accordingly:
3. Import your WireGuard configuration file
You can import WireGuard configuration files directly in GNOME's network settings, and use them at will through the quick settings panel. It's that easy, no need to go through many hoops with different VPN clients.
The process is straightforward enough that no screenshot is needed 😆
However, there are some caveats. Check your WireGuard configuration file and make sure that under the [Interface] section the DNS line exists and is not commented out. Otherwise, your VPN connection will fall back to the default DNS address from the previous step, hence leaking.
The best place to check your public IP and DNS addresses you're using is https://dnscheck.tools/
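As an added example (not from the original post), here is a small POSIX shell pre-flight check for the two settings above: that the WireGuard file really carries an active DNS= line under [Interface] (step 3) and that resolved.conf is set to DNSOverTLS=opportunistic (step 1). The sample config files, keys and addresses are constructed placeholders; on a real system point the functions at your own files.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the two
# settings the post relies on, run against files you pass in.

# Exit 0 if the [Interface] section of a WireGuard config has an active
# (not commented out) DNS= line, 1 otherwise. A missing line means the
# tunnel falls back to the system DNS and queries leak outside the VPN.
wg_conf_has_dns() {
    awk '
        /^[[:space:]]*\[/ { in_iface = ($0 ~ /^[[:space:]]*\[Interface\]/); next }
        in_iface && /^[[:space:]]*DNS[[:space:]]*=/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# Print the effective DNSOverTLS value from a resolved.conf-style file.
# An absent key prints "no", the systemd-resolved default.
resolved_dns_over_tls() {
    awk -F= '
        /^[[:space:]]*DNSOverTLS[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 }
        END { print (v == "" ? "no" : v) }
    ' "$1"
}

# Combined check: 0 only if the tunnel carries its own DNS and resolved is
# set to opportunistic, the combination the post recommends.
check_vpn_setup() {
    wg_conf_has_dns "$1" || { echo "WARN: no active DNS= under [Interface] in $1"; return 1; }
    mode=$(resolved_dns_over_tls "$2")
    [ "$mode" = "opportunistic" ] || { echo "WARN: DNSOverTLS=$mode in $2"; return 1; }
    echo "OK: $1 sets tunnel DNS, $2 uses DNSOverTLS=opportunistic"
}

# Constructed sample files (placeholder keys and addresses, not real configs).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/good.conf" <<'EOF'
[Interface]
PrivateKey = <placeholder>
Address = 10.0.0.2/32
DNS = 10.0.0.1
[Peer]
PublicKey = <placeholder>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
sed 's/^DNS = /# DNS = /' "$SAMPLE_DIR/good.conf" > "$SAMPLE_DIR/leaky.conf"
printf '[Resolve]\nDNSOverTLS=opportunistic\n' > "$SAMPLE_DIR/resolved.conf"

check_vpn_setup "$SAMPLE_DIR/good.conf" "$SAMPLE_DIR/resolved.conf"
check_vpn_setup "$SAMPLE_DIR/leaky.conf" "$SAMPLE_DIR/resolved.conf" || true  # expected to warn
```

The second call warns because the constructed leaky.conf has its DNS line commented out, which is exactly the case the caveat above describes.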
Thanks for reading 🙏 God bless ✝️
Cover Photo by Gavin Allanwood on Unsplash