I wonder which is currently the best (and most secure) way to establish a VPN connection under Linux, whatever the distro.
The Secureblue FAQ mentions that there are two ways to install and run a VPN: via ujust install-vpn or via the network manager of the OS.
Yet a VPN provider such as Proton says, in the “Other ways to use Proton VPN on Linux” section: “Where possible, we strongly recommend using our official Linux app (GUI) or Linux CLI. However, there are certain situations where you may wish to use a third party app instead. You can configure OpenVPN or WireGuard manually on Linux using either NetworkManager or the command line. Note that if we retire a server, you may need to download new configuration files.”
It also seems that this last method doesn’t allow enabling some advanced features such as the kill switch and so on (except for port forwarding, which is supported by the WireGuard config files).
And at the same time, Proton warns against installing their VPN on an unsupported distro (even the atomic version of Fedora!) and likewise for DEs other than GNOME, although their service may still function with “limited support”… Yet, in such a configuration, establishing a connection via config files and the network manager would be appropriate because it eliminates the compatibility issue… But would that mean sacrificing safety to some extent?
This solution will introduce DNS leaks because of NetworkManager’s defaults that you didn’t accommodate for. VPN clients like Mullvad and IVPN do tame NetworkManager’s quirks.
I’m pretty sure this setup also leaks IPv6 if no IPv6 interface routes exist, and it will be trivially triggered if no in-tunnel IPv6 is chosen, since wg-quick is responsible for creating a routing table.
This is because some distros may have programs that will overwrite your VPN client’s routing tables and introduce DNS leaks/DNS server misuse through NetworkManager/resolvconf. They can’t guarantee correct operation with every piece of networking software.
While I haven’t looked into it, Secureblue seems to be rather opinionated about the VPN configuration. It probably creates a WG tunnel via NetworkManager, which is leaky, as I’ve already mentioned, and lacks modern VPN client features such as split tunneling, a kill switch and obfuscation.
You certainly don’t have to trust sketchy clients or pollute your user space with such tools. I exclusively rely on the WireGuard tools provided by my distro. For one, the “graphical clients” don’t work at all on headless machines, so they are completely useless for what I mostly use a VPN for.
Modern Linux desktops are all equipped with connectivity managers. You’re not using only WireGuard and the CLI. If you were to actually test your solution on a real distro, you’d notice the leaks. As I’ve said, plain wg-quick just isn’t enough.
Not sure about Proton, but Mullvad has a great CLI client.
dnsleaktest in extended mode, and resolvconf monitoring. You’d have to modify ipv4.dns-priority for an existing connection for NM not to leak DNS. It’s also impossible to set a default dns-priority value for new connections without resorting to hacky ways. So when creating a new NM connection, it’ll overwrite resolvconf priorities, thus resulting in DNS leakage.
For IPv6 testing, simply create a WireGuard tunnel with no IPv6. Your IPv6 tables will stay the same, and if the previous interface had IPv6 configured, it’ll leak regardless.
I’m still not following, because your comments don’t seem to be about what my wiki post is about.
I did test for DNS leaks (extended) and there were no leaks using the method I mentioned above. Either I’m confused, or you’re not explaining it clearly, or we’re both misunderstanding what the other is saying.
Your wiki post is about establishing a WireGuard tunnel connection. As I’ve mentioned, you’re not aware of DNS and IPv6 leaks. A DNS leak will be introduced by the connectivity manager, and an IPv6 leak will be introduced if the WireGuard tunnel has no IPv6, regardless of connectivity manager usage.
You’re right in the sense that your wiki post has nothing to do with connectivity managers, since you’re either assuming they’re not being used or simply don’t understand how flawed your solution is.
I’ll ask again: how do you check for IPv6 leaks specifically? And what other leaks should I test for, and how, if you think my proposed solution is invalid, inaccurate or flawed? Is there an online tool you suggest I use, or a CLI command one is supposed to use?
And as I’ve mentioned, I see no DNS leaks on my end. But I’m asking again nonetheless to see if you have a better way to test for them that I may not know about.
None of the links you shared answers what I’m asking, as I’m talking about the WireGuard protocol only. Or at least not in a way I can make sense of, because it doesn’t seem to be about how I am suggesting to go about setting up a VPN on desktop Linux.
Those pages literally describe DNS leaks introduced by NetworkManager. I can also share a manpage for wg-quick explaining its behavior when no IPv6 is being configured, but I think I did enough to explain how IPv6 will leak.
It’s precisely about how you’re suggesting to set up a VPN connection on desktop Linux. Especially on desktop Linux, where connectivity managers are the default.
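The two conditions this thread keeps returning to (the NetworkManager dns-priority setting from the post on testing, and wg-quick's routing behaviour when a tunnel carries no IPv6, from the last reply) can both be checked statically before bringing a tunnel up. The script below is an added example written for this page; it is not code from the thread, from Secureblue, or from any VPN provider. The WireGuard configs it audits are constructed samples, `vpn.example.net` and the connection name are placeholders, and the nmcli output is fed in on stdin so the script runs offline. It complements, rather than replaces, the dnsleaktest and resolvconf monitoring mentioned above.

```shell
#!/bin/sh
# Added example for this thread, not code from Secureblue, Proton or Mullvad.
# Static audit of the two leak conditions discussed above:
#   1. a wg-quick config whose routing/DNS settings leave IPv6 or DNS outside the tunnel
#   2. a NetworkManager connection whose dns-priority is not exclusive
# Sample configs and the connection name are constructed assumptions.

# wg_values CONFIG KEY_REGEX: print each comma-separated value of "Key = a, b" on its own line.
wg_values() {
  printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" \
    | tr ',' '\n' | tr -d ' \r' | sed '/^$/d'
}

# Read a wg-quick config on stdin and print one verdict token:
#   V6_BYPASS   AllowedIPs covers 0.0.0.0/0 but not ::/0: wg-quick installs no
#               IPv6 route into the tunnel, so IPv6 keeps using the physical uplink
#   NO_V6_ADDR  ::/0 is routed into the tunnel but Address= has no IPv6, so the
#               tunnel has no IPv6 source address to send from
#   NO_DNS      no DNS= line: wg-quick never calls resolvconf and the uplink's
#               resolvers stay in use
#   OK          none of the above
audit_wg_config() {
  cfg=$(cat)
  v6_addr=0; v4_all=0; v6_all=0; dns=0
  for a in $(wg_values "$cfg" '[Aa]ddress'); do
    case "$a" in *:*) v6_addr=1 ;; esac
  done
  for r in $(wg_values "$cfg" '[Aa]llowed[Ii][Pp]s'); do
    case "$r" in 0.0.0.0/0) v4_all=1 ;; ::/0) v6_all=1 ;; esac
  done
  if [ -n "$(wg_values "$cfg" '[Dd][Nn][Ss]')" ]; then dns=1; fi
  if [ "$v4_all" = 1 ] && [ "$v6_all" = 0 ]; then echo V6_BYPASS
  elif [ "$v6_all" = 1 ] && [ "$v6_addr" = 0 ]; then echo NO_V6_ADDR
  elif [ "$dns" = 0 ]; then echo NO_DNS
  else echo OK
  fi
}

# Read the output of
#   nmcli -t -f ipv4.dns-priority,ipv6.dns-priority connection show "$NAME"
# (lines like "ipv4.dns-priority:0") and print EXCLUSIVE, SHARED or UNKNOWN.
# NetworkManager treats a negative priority as exclusive: resolvers of every
# connection with a higher value are dropped. 0 means the default (50 for VPNs,
# 100 otherwise), which only orders resolvers; that is the setup the thread calls leaky.
nm_dns_exclusive() {
  seen=0; status=EXCLUSIVE
  while IFS=: read -r key val; do
    case "$key" in
      *.dns-priority)
        seen=$((seen + 1))
        if [ "${val#-}" = "$val" ]; then status=SHARED; fi ;;
    esac
  done
  if [ "$seen" -eq 0 ]; then status=UNKNOWN; fi
  echo "$status"
}

# Constructed sample: IPv4-only config of the kind a provider hands out, no DNS line.
LEAKY_CONF='[Interface]
PrivateKey = (omitted)
Address = 10.2.0.2/32
[Peer]
PublicKey = (omitted)
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820'

# Constructed sample with an in-tunnel IPv6 address, both default routes and DNS.
FIXED_CONF='[Interface]
PrivateKey = (omitted)
Address = 10.2.0.2/32, fd00:2::2/128
DNS = 10.2.0.1
[Peer]
PublicKey = (omitted)
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vpn.example.net:51820'

printf 'leaky config : %s\n' "$(printf '%s\n' "$LEAKY_CONF" | audit_wg_config)"
printf 'fixed config : %s\n' "$(printf '%s\n' "$FIXED_CONF" | audit_wg_config)"
printf 'NM defaults  : %s\n' "$(printf 'ipv4.dns-priority:0\nipv6.dns-priority:0\n' | nm_dns_exclusive)"
printf 'NM exclusive : %s\n' "$(printf 'ipv4.dns-priority:-1\nipv6.dns-priority:-1\n' | nm_dns_exclusive)"
```

On a real machine, pipe in the provider's config (`audit_wg_config < wg0.conf`) and the actual `nmcli -t -f ipv4.dns-priority,ipv6.dns-priority connection show "$NAME"` output. To make an imported profile's resolvers exclusive, which is the dns-priority change the earlier post describes, run `nmcli connection modify "$NAME" ipv4.dns-priority -1 ipv6.dns-priority -1` and re-activate the connection. If the provider gives no in-tunnel IPv6 address, the alternative to routing `::/0` into the tunnel is to turn IPv6 off on the uplink connection (`nmcli connection modify "$UPLINK" ipv6.method disabled`); either way, re-run the IPv6 test from the thread afterwards rather than trusting the static check alone.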