Cannot Split Tunnel vpn with PIA

Hi guys,

I am new to Garuda and Arch and have had trouble with my VPN, Private internet access, and split-tunneling. I was using split tunneling on previous debian-based distros, both Mint and MX without issues.

Currently when I turn on split tunneling, and apply to all apps, it gives me an error that it could not configure DNS. When I first installed, stock settings allowed it to apply the vpn to everything. Once I turned on split tunneling it gave a generic error. Since then changed the DNS with garuda assistant which I was unable to turn off (setting Garuda Assistant > Settings > DNS to blank causes it to revert to the last selection, possible bug). Either way, before and after it has not worked.

When I turn VPN off for all apps, but select apps which are supposed to be subject to the VPN, it does nothing but does appear to connect successfully. Add an app to put behind vpn, it does not affect.

In PIA settings, I attempted it with default openvpn, i attempted it with the WireGuard option. Tried with UDP and TCP and with various different DNS options they offer including existing DNS.

I also deleted the app and reinstalled it, which nuked my settings and put me back at defaults. Still did not resolve.

As of now, I cannot even use the app with all stock settings without split tunneling to send everything through the VPN: it gets a DNS error likely from dns change in garuda assistant.

I wondered what additional information other than the inxi below I might provide that might help me track down the cause of this.

╰─λ garuda-inxi
System:
Kernel: 5.18.3-zen1-1-zen arch: x86_64 bits: 64 compiler: gcc v: 12.1.0
parameters: BOOT_IMAGE=/@/boot/vmlinuz-linux-zen
root=UUID=eaa1f1c6-9940-4c37-9baf-9750aa94737c rw [email protected]
quiet quiet splash rd.udev.log_priority=3 vt.global_cursor_default=0
loglevel=3
Desktop: KDE Plasma v: 5.25.0 tk: Qt v: 5.15.4 wm: kwin_x11 vt: 1
dm: SDDM Distro: Garuda Linux base: Arch Linux
Machine:
Type: Desktop Mobo: ASUSTeK model: MAXIMUS VIII HERO v: Rev 1.xx
serial: <superuser required> UEFI: American Megatrends v: 3802
date: 03/15/2018
CPU:
Info: model: Intel Core i7-7700K bits: 64 type: MT MCP arch: Kaby Lake
gen: core 7 built: 2018 process: Intel 14nm family: 6 model-id: 0x9E (158)
stepping: 9 microcode: 0xF0
Topology: cpus: 1x cores: 4 tpc: 2 threads: 8 smt: enabled cache:
L1: 256 KiB desc: d-4x32 KiB; i-4x32 KiB L2: 1024 KiB desc: 4x256 KiB
L3: 8 MiB desc: 1x8 MiB
Speed (MHz): avg: 1032 high: 1200 min/max: 800/4700 scaling:
driver: intel_pstate governor: powersave cores: 1: 1091 2: 927 3: 1046
4: 946 5: 1106 6: 979 7: 1200 8: 967 bogomips: 67200
Flags: avx avx2 ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3 vmx
Vulnerabilities:
Type: itlb_multihit status: KVM: VMX disabled
Type: l1tf
mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable
Type: mds mitigation: Clear CPU buffers; SMT vulnerable
Type: meltdown mitigation: PTI
Type: spec_store_bypass
mitigation: Speculative Store Bypass disabled via prctl
Type: spectre_v1
mitigation: usercopy/swapgs barriers and __user pointer sanitization
Type: spectre_v2 mitigation: Retpolines, IBPB: conditional, IBRS_FW,
STIBP: conditional, RSB filling
Type: srbds mitigation: Microcode
Type: tsx_async_abort mitigation: TSX disabled
Graphics:
Device-1: AMD Navi 21 [Radeon RX 6800/6800 XT / 6900 XT]
vendor: XFX Speedster MERC 319 driver: amdgpu v: kernel arch: RDNA 2
process: TSMC n7 (7nm) built: 2020-22 pcie: gen: 4 speed: 16 GT/s
lanes: 16 ports: active: DP-3,HDMI-A-1 empty: DP-1,DP-2 bus-ID: 03:00.0
chip-ID: 1002:73bf class-ID: 0300
Display: x11 server: X.Org v: 21.1.3 with: Xwayland v: 22.1.2
compositor: kwin_x11 driver: X: loaded: amdgpu unloaded: modesetting,radeon
alternate: fbdev,vesa gpu: amdgpu display-ID: :0 screens: 1
Screen-1: 0 s-res: 4479x1440 s-dpi: 96 s-size: 1185x381mm (46.65x15.00")
s-diag: 1245mm (49.01")
Monitor-1: DP-3 mapped: DisplayPort-2 pos: primary,right
model: AOC AG271QG4 serial: <filter> built: 2016 res: 2560x1440 dpi: 109
gamma: 1.2 size: 597x336mm (23.5x13.23") diag: 685mm (27") ratio: 16:9
modes: max: 2560x1440 min: 720x400
Monitor-2: HDMI-A-1 mapped: HDMI-A-0 pos: primary,left model: AOC 2769M
serial: <filter> built: 2016 res: 1920x1080 hz: 60 dpi: 82 gamma: 1.2
size: 598x336mm (23.54x13.23") diag: 686mm (27") ratio: 16:9 modes:
max: 1920x1080 min: 720x400
OpenGL: renderer: AMD Radeon RX 6800 XT (sienna_cichlid LLVM 13.0.1 DRM
3.46 5.18.3-zen1-1-zen)
v: 4.6 Mesa 22.1.1 direct render: Yes
Audio:
Device-1: Intel 100 Series/C230 Series Family HD Audio vendor: ASUSTeK
driver: snd_hda_intel v: kernel bus-ID: 00:1f.3 chip-ID: 8086:a170
class-ID: 0403
Device-2: AMD Navi 21/23 HDMI/DP Audio driver: snd_hda_intel v: kernel
pcie: gen: 4 speed: 16 GT/s lanes: 16 bus-ID: 03:00.1 chip-ID: 1002:ab28
class-ID: 0403
Sound Server-1: ALSA v: k5.18.3-zen1-1-zen running: yes
Sound Server-2: PulseAudio v: 16.0 running: no
Sound Server-3: PipeWire v: 0.3.52 running: yes
Network:
Device-1: Intel Ethernet I219-V vendor: ASUSTeK driver: e1000e v: kernel
port: N/A bus-ID: 00:1f.6 chip-ID: 8086:15b8 class-ID: 0200
IF: enp0s31f6 state: up speed: 1000 Mbps duplex: full mac: <filter>
IF-ID-1: virbr0 state: down mac: <filter>
Bluetooth:
Device-1: ASUSTek Broadcom BCM20702A0 Bluetooth type: USB driver: btusb
v: 0.8 bus-ID: 1-10:7 chip-ID: 0b05:17cb class-ID: fe01 serial: <filter>
Report: bt-adapter ID: hci0 rfk-id: 3 state: up address: <filter>
Drives:
Local Storage: total: 23.41 TiB used: 6.03 TiB (25.7%)
SMART Message: Unable to run smartctl. Root privileges required.
ID-1: /dev/nvme0n1 maj-min: 259:0 vendor: Sabrent model: Rocket 4.0 1TB
size: 931.51 GiB block-size: physical: 512 B logical: 512 B
speed: 63.2 Gb/s lanes: 4 type: SSD serial: <filter> rev: RKT401.3
temp: 35.9 C scheme: GPT
ID-2: /dev/nvme1n1 maj-min: 259:1 vendor: Sabrent model: Rocket 4.0 1TB
size: 931.51 GiB block-size: physical: 512 B logical: 512 B
speed: 63.2 Gb/s lanes: 4 type: SSD serial: <filter> rev: RKT401.3
temp: 40.9 C scheme: GPT
ID-3: /dev/sda maj-min: 8:0 vendor: Toshiba model: HDWE150 size: 4.55 TiB
block-size: physical: 4096 B logical: 512 B speed: 6.0 Gb/s type: HDD
rpm: 7200 serial: <filter> rev: FP2A scheme: GPT
ID-4: /dev/sdb maj-min: 8:16 vendor: Seagate model: ST240HM000-1G5152
size: 223.57 GiB block-size: physical: 4096 B logical: 512 B
speed: 6.0 Gb/s type: SSD serial: <filter> rev: C675 scheme: GPT
ID-5: /dev/sdc maj-min: 8:32 vendor: Western Digital
model: WD40EZRX-00SPEB0 size: 3.64 TiB block-size: physical: 4096 B
logical: 512 B speed: 6.0 Gb/s type: HDD rpm: 5400 serial: <filter>
rev: 0A80 scheme: GPT
ID-6: /dev/sdd maj-min: 8:48 vendor: Samsung model: SSD 850 EVO 500GB
size: 465.76 GiB block-size: physical: 512 B logical: 512 B speed: 6.0 Gb/s
type: SSD serial: <filter> rev: 3B6Q scheme: MBR
ID-7: /dev/sde maj-min: 8:64 type: USB vendor: Western Digital
model: WD easystore 264D size: 12.73 TiB block-size: physical: 4096 B
logical: 512 B type: N/A serial: <filter> rev: 3012 scheme: GPT
Partition:
ID-1: / raw-size: 931.22 GiB size: 931.22 GiB (100.00%)
used: 281.13 GiB (30.2%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:3
ID-2: /boot/efi raw-size: 300 MiB size: 299.4 MiB (99.80%)
used: 576 KiB (0.2%) fs: vfat dev: /dev/nvme1n1p1 maj-min: 259:2
ID-3: /home raw-size: 931.22 GiB size: 931.22 GiB (100.00%)
used: 281.13 GiB (30.2%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:3
ID-4: /var/log raw-size: 931.22 GiB size: 931.22 GiB (100.00%)
used: 281.13 GiB (30.2%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:3
ID-5: /var/tmp raw-size: 931.22 GiB size: 931.22 GiB (100.00%)
used: 281.13 GiB (30.2%) fs: btrfs dev: /dev/nvme1n1p2 maj-min: 259:3
Swap:
Kernel: swappiness: 133 (default 60) cache-pressure: 100 (default)
ID-1: swap-1 type: zram size: 31.29 GiB used: 3.9 MiB (0.0%)
priority: 100 dev: /dev/zram0
Sensors:
System Temperatures: cpu: 50.0 C mobo: N/A gpu: amdgpu temp: 39.0 C
mem: 40.0 C
Fan Speeds (RPM): N/A gpu: amdgpu fan: 1046
Info:
Processes: 346 Uptime: 21h 8m wakeups: 0 Memory: 31.29 GiB
used: 5.23 GiB (16.7%) Init: systemd v: 251 default: graphical
tool: systemctl Compilers: gcc: 12.1.0 clang: 13.0.1 Packages: pacman: 1840
lib: 526 Shell: fish v: 3.4.1 default: Bash v: 5.1.16 running-in: konsole
inxi: 3.3.18
Garuda (2.6.3-2):
System install date:     2022-06-13
Last full system update: 2022-06-17 ↻
Is partially upgraded:   No
Relevant software:       NetworkManager
Windows dual boot:       Probably (Run as root to verify)
Snapshots:               Snapper
Failed units:

After you reboot, NetworkManager will write up a new /etc/resolv.conf for you which should resolve your DNS issue.

I have restarted many times while troubleshooting this after making changes, it has not made a difference.

Currently I see my Garuda Assistant DNS selection Cloudflare is still present in resolv.conf. I restarted against just now and PIA still cannot initiate default settings system-wide VPN. When I turn on split tunnel bypass all with exceptions, the exceptions still do not work. When I turn on split tunnel and tunnel only exceptions, it behaves as the system-wide vpn giving me a "Could not configure DNS" error.

Seems like networkmanager or something is locking down resolv.conf. I also noticed I could not modify it even as su.

Try removing the immutable attribute first:

sudo chattr -i /etc/resolv.conf

I think Garuda Assistant sets this attribute when you input a DNS preference, to prevent NetworkManager from overwriting it with the value it gets from the gateway.

4 Likes

Thanks for that info.

This does restore the original ability to use the VPN system-wide, but does not allow me to Bypass All apps except for exceptions. It does however allow me to apply Split tunnel with VPN to all (All Other Apps > Use VPN) and set specific Bypasses up (I think I failed here previously because I chose the wrong executable - my fault).

This is progress, but still not as I used PIA in the past. Applying a system-wide VPN is problematic because many applications or games have multiple files that you must create exceptions for. I much prefer tunneling everything except for specific apps.

Info about pia split tunnel:

https://helpdesk.privateinternetaccess.com/kb/articles/split-tunnel-app-examples

edit: I did find while split tunneling was on with All Other Apps > Bypass VPN, those apps I subject to the VPN do work. Its just everything else that does not with a DNS address issue.

Its like something is preventing me from utilizing multiple DNS. Its either one or the other.

I'm not sure what your configuration is missing, but this page is worth a read through: Private Internet Access - ArchWiki

Crucially, it looks like IPv6 should be disabled as it is not supported by PIA. IPv6 support is built into the kernel, but you can disable the whole IPv6 stack with a kernel parameter:

sudo micro /etc/default/grub

Go down to the GRUB_CMDLINE_LINUX_DEFAULT= line and add ipv6.disable=1 in between the quotes (make sure you leave whatever options are already there :wink:).

Another consideration is it looks like getting the PIA DNS servers set up correctly may require some configuration. In this discussion a person hashed out a solution that looks like it might be worth a shot: Talk:Private Internet Access - ArchWiki

Setting PIA DNS

I was able to correctly configure this after doing more research about DNS and the way it is handled in general. I recommend looking at Domain name resolution, systemd-resolved, and NetworkManager for more information.

When using NetworkManager and systemd-resolved, you will need to install systemd-resolvconf.

Next, check /etc/NetworkManager/conf.d/dns.conf and ensure that systemd-resolved is enabled for dns like so:

/etc/NetworkManager/conf.d/dns.conf

[main] 
dns=systemd-resolved

Now to configure /etc/resolv.conf. In my case, I had messed things up by removing the symlink. We need to restore it so that systemd-resolved will work correctly. In order to do this, we have to first stop NetworkManager and PIA:

# systemctl stop NetworkManager # systemctl stop piavpn.service

Next, restore the symlink:

# rm -f /etc/resolv.conf # ln --symbolic /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Finally, start NetworkManager and PIA again:

# systemctl start NetworkManager # systemctl start piavpn.service
1 Like

Thanks for trying. I tried disabling the ipv6 but no go. Last solution doesn't seem to specifically address split tunnel and it looks like too many hoops to jump through. I will just put the janky extensions on my browsers and run anything else through a vm.