VPN Connection Issue

I tried to set up a sys-vpn via IVPN on a StandaloneVM fedora-41-xfce, and also tried via a Template then an AppVM, following the guides from @solene. In both the app version and the WireGuard setup I have a connection and can ping servers such as 9.9.9.9.
But when trying to browse it doesn't work. I can also access the sys-vpn as a net qube from a different qube, with the same symptoms. I tried without DNS hardening, with DNS hardening using 9.9.9.9 as DNS, and with the DNS provided by my VPN provider.

I tried the same with fedora-38; no progress, same issue.

I don't know what else to try.
Thanks in advance

How do you chain VMs?
It should be sys-net → sys-firewall → sys-vpn → app-vm

Yes like this.
Even with the setup sys-net → sys-firewall → sys-pre-vpn-firewall → sys-vpn → sys-after-vpn-firewall → app-vm
I have a connection and can ping as described, but cannot browse.

It's an MTU issue. Search for MTU on this forum, read what you can, try again.

I am not sure of this, but often when you can get a little bit of data to flow but anything major won't work, it's an MTU configuration issue, such as trying to fit an MTU of 1500 through an MTU of 1300, etc.

Did you configure WireGuard in NetworkManager like this: Wireguard MTU problems? - #6 by apparatus

Then try changing the MTU from auto: start at 1500, lower it by 20, and test.

PS: I didn’t need to do anything for WireGuard to work with ProtonVPN-GUI

PS2: did you block traffic in the firewall to all servers except one? ProtonVPN connects to a random server each time, so maybe IVPN does the same thing and a firewall rule is blocking you?

PS3: for a test, try bypassing sys-firewall (or any firewall, for that matter) and connect the vpn-vm to sys-net directly.

The OP has not stated that a ping needing DNS resolution works; they have just tried ping on an IP address. @runtz would you mind trying ping forum.qubes-os.org? If that doesn't work it's a DNS issue; otherwise, as explained, it's probably an MTU issue.

Can you describe exactly what you did in the VPN qube?

Thanks for all the advice.

I set up another sys-vpn with the IVPN App exactly via the guide IVPN App 4.2 setup guide.
But I left out the DNS hardening part. I tried to ping 9.9.9.9 and forum.qubes-os.org and had a connection. Therefore, an MTU issue.
When setting the MTU value manually in the IVPN App the maximum value is 1392; after that the connection breaks. I also used the script from @solene to avoid issues with WireGuard.

I found this in a guide about Wireguard: Silvio's Blog - WireGuard and MTU/MSS: Prevent Packet Loss on Your Linux Router

MSS Clamping: Preventing Packet Loss

MSS clamping is crucial when routing between interfaces with different MTUs. It prevents your router from sending packets that are too large for the receiving interface.

Example:

  • Physical Interface: MTU = 1500, MSS = 1460
  • WireGuard Interface: MTU = 1420, MSS = 1360

Without clamping, packets between 1360 and 1460 bytes would be accepted by the router but dropped by the receiving device.

How to Implement MSS Clamping:

Using iptables (forwarded traffic from downstream qubes, then locally generated traffic; the SYN,RST SYN flag test matches only SYN packets that are not resets):

iptables -A FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360

iptables -A OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
ip6tables -A OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360

Using WireGuard Configuration:

[Interface]
...
PostUp = ip6tables -A FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && ip6tables -A OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && iptables -A FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && iptables -A OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360
PostDown = ip6tables -D FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && ip6tables -D OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && iptables -D FORWARD -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360 && iptables -D OUTPUT -o <device_name> -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --set-mss 1360

Remember to replace <device_name> with your WireGuard interface name.

By understanding and correctly configuring MTU and MSS, you can ensure your WireGuard VPN performs optimally and avoids packet loss, providing a smooth and reliable network experience.

But from my understanding the script would also just set the MTU value to 1360, knowing you have to convert it into nftables.

Is there a disadvantage from using a fixed MTU value?
I am not able to write scripts but is there a way to fix this issue?
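The following is an added example for this thread, not the OP's setup, @solene's script, or Silvio's blog code. It turns the suggestions above into one script: it probes the largest packet that passes through the tunnel with DF set (the "start at 1500 and lower it" test, done as a binary search), derives the TCP MSS from an MTU, and emits the iptables TCPMSS rules from the blog in nftables syntax, which is what Qubes 4.2 qubes use. The interface name wg0, the table name qubes-vpn-mss and the probe target are assumptions; the script runs as root with nft available to apply the rules and otherwise just prints the ruleset. MSS clamping rewrites only the MSS option in TCP SYN packets; it does not change the interface MTU.

```shell
#!/bin/sh
# Added example: MTU probe + nftables MSS clamp for a WireGuard interface in a
# Qubes VPN qube. Interface name, table name and probe host are assumptions.
set -eu

# MSS = MTU minus minimum IP + TCP header (20+20 for IPv4, 40+20 for IPv6).
mss_for_mtu() {
    mtu=$1; family=$2
    case "$family" in
        4) echo $((mtu - 40)) ;;
        6) echo $((mtu - 60)) ;;
        *) echo "unknown address family: $family" >&2; return 1 ;;
    esac
}

# Binary-search the largest ICMP payload that passes with DF set (iputils
# ping -M do). Path MTU = payload + 8 (ICMP) + 20 (IPv4). Needs network.
probe_mtu() {
    host=$1; lo=$(( ${2:-1200} - 28 )); hi=$(( ${3:-1500} - 28 )); best=0
    while [ "$lo" -le "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if ping -c 1 -W 1 -M do -s "$mid" "$host" >/dev/null 2>&1; then
            best=$mid; lo=$((mid + 1))
        else
            hi=$((mid - 1))
        fi
    done
    [ "$best" -gt 0 ] || return 1
    echo $((best + 28))
}

# nft equivalent of the blog's FORWARD/OUTPUT TCPMSS rules: clamp MSS on every
# SYN (and not RST) leaving through the tunnel interface, IPv4 and IPv6, for
# both traffic forwarded from downstream qubes and traffic of the VPN qube.
nft_mss_clamp_ruleset() {
    iface=$1; mtu=$2
    mss4=$(mss_for_mtu "$mtu" 4); mss6=$(mss_for_mtu "$mtu" 6)
    cat <<EOF
table inet qubes-vpn-mss {
    chain forward {
        type filter hook forward priority mangle; policy accept;
        oifname "$iface" meta nfproto ipv4 tcp flags & (syn|rst) == syn tcp option maxseg size set $mss4
        oifname "$iface" meta nfproto ipv6 tcp flags & (syn|rst) == syn tcp option maxseg size set $mss6
    }
    chain output {
        type filter hook output priority mangle; policy accept;
        oifname "$iface" meta nfproto ipv4 tcp flags & (syn|rst) == syn tcp option maxseg size set $mss4
        oifname "$iface" meta nfproto ipv6 tcp flags & (syn|rst) == syn tcp option maxseg size set $mss6
    }
}
EOF
}

# Replace any earlier copy of the table in one atomic nft transaction: declare
# the table (no-op if it exists), delete it, then load the fresh ruleset.
apply_ruleset() {
    { printf 'table inet qubes-vpn-mss\ndelete table inet qubes-vpn-mss\n'
      nft_mss_clamp_ruleset "$@"; } | nft -f -
}

# Usage: mss_clamp.sh [iface] [mtu]   (mtu defaults to the interface's current MTU)
main() {
    iface=${1:-wg0}; mtu=${2:-}
    [ -n "$mtu" ] || mtu=$(cat "/sys/class/net/$iface/mtu")
    echo "# $iface mtu=$mtu mss4=$(mss_for_mtu "$mtu" 4) mss6=$(mss_for_mtu "$mtu" 6)" >&2
    if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
        apply_ruleset "$iface" "$mtu"
    else
        nft_mss_clamp_ruleset "$iface" "$mtu"
    fi
}

if [ $# -ge 1 ]; then main "$@"; fi
```

To find the MTU first, run `probe_mtu 9.9.9.9` from the VPN qube (with a stock ping and the tunnel up) and pass the result as the second argument; with the 1392 ceiling reported above that gives an IPv4 MSS of 1352. The script can be run from /rw/config/rc.local so the table is recreated on every boot of the VPN qube. nft also accepts `tcp option maxseg size set rt mtu`, which clamps to the route's cached MTU instead of a fixed value; the fixed form is used here to mirror the blog's rules.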

I did not imply you should change the MTU before running the firewall rule to fix the MTU problem.

I did it afterwards.
As I said, I tried your guide exactly and then changed the MTU manually.
@solene could you give me an opinion about my other questions?

I don’t know, I never change the MTU because it always creates problems.

No solution thing? Those are hard to get around here for people like me. Other users (who I won't point out) usually take them all!

If you type "mtu" in search, the first thing you see (Changing Default MTU for Networking VMs) is what you need.

Just create it, make an @reboot cronjob to run it, or use /rw/ and create a script there (unman put a link in there on doing it that way); but either way, use that script.

No pressure or anything, but I'm waiting for the solution button to be pressed. If you're not willing to do that, I would also accept a large amount of kudos.

Since changing it to the fixed MTU value everything works well.
I did some quick research and found no security implications; does anybody know of any?

I am not able to write a script but would appreciate anyone who can

Whatever you do, don't click on that link to the other thread or mark me as providing the solution. That would be a terrible outcome.