UPDATE
There is a new and recent post on this subject where I explain what was wrong. Basically, the free plan only allows 1 VPN connection. So when you try to have two or more, it drops again and again. You need to just have one.

I am a user of the ProtonVPN free plan, and although I do not know how is it for the paid users, the Linux official apps, and even the terminal client, are literally garbage. In my own experience, the app is really slow and buggy, but lately, since two months ago or something it was quite frequent that I was connected and then, out of a sudden, the connection dropped. I had then to force close the app, which had lost the Quick Connect access button on the top bar by the way, open it again, and establish another connection. This new one worked for some minutes, and then the same whole thing happened again. Other people have been even experimenting a complete drop in connection related to ProtonVPN apps. This reveals to you, dear reader, two important messages:

  1. I really want to encrypt my connection to the web, not because I do anything dark or wrong, but because I think it is not correct that big corporations use us for profits, even when we have not chosen to be their users, and
  2. I really do not want to add another subscription fee to my month expenses.

ProtonVPN is one of the three trusted VPN services on the privacy community in general, and the only of them which provides a free entry plan. For me this plan is perfect, it brings everything I need and the speeds it provides, although people say are considerably slow, to my use case are more than enough. It’s really a live saver to me, because I would not use any other free VPN service, and as previously said, I do not what to pay for it neither. I know I could make my own with my VPS, or a Raspberry Pi, but I am not an expert in this subject, and making it by myself will probably put me in more risks than those I am avoiding by using a VPN.

But the event that triggered my rage was that now, I could not correctly update my system because the signature of ProtonVPN was not longer reachable and the package could not longer be trusted, or something like that. I removed the proton repository from my list, uninstalled the apps and removed everything related to proton in my PC, and updated my system. Afterwards, I tried to follow the official guide to re install it, maybe some dependencies were causing the problems, right? No. Definitely the package signature could not be verified because their key had expired. Maybe I am the one who did something wrong here and wreck the signature, but I strictly followed the guide and nothing worked.

Partial solution

Luckily, they also provide OpenVPN manual configuration files, which is what I ended up doing. I set it up this way, and it worked. So far the connection is really stable, and the only small problem is that some times the servers seem to be really loaded and it takes me some tries to connect.

The problem

IPLeak leaking IPv6

Leaking IPv6 with the VPN active

But there is a problem with this configuration, it leaks IPv6. The apps are designed to block IPv6 connections, but the OpenVPN file configuration cannot do that. The solution here is to block IPv6 system wide. I found then that including these lines in /etc/sysctl.conf

1
2
3
4
5
net.ipv6.conf.all.disable_ipv6 = 1 
net.ipv6.conf.default.disable_ipv6 = 1 
net.ipv6.conf.lo.disable_ipv6 = 1 
net.ipv6.conf.wlp2s0.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1

and then running

1
sudo sysctl -p

blocked the IPv6 traffic on the computer. The problem is that this configuration is not persistent, and after each reboot I had to manually execute the sysctl -p part. This is not convenient at all.

The final solution

Finally I found here that it is possible to block IPv6 on boot, in the kernel modules. To do this, it is necessary to edit the GRUB file /etc/default/grub, and add (or edit) the ipv6.disable=1 directive to the GRUB_CMDLINE_LINUX entry, resulting in something like this:

1
2
3
4
5
6
7
# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="ipv6.disable=1 crashkernel=auto rhgb quiet"
GRUB_DISABLE_RECOVERY="true"

Finally, we only have to rebuild the GRUB configuration

1
grub2-mkconfig -o /boot/grub2/grub.cfg

and reboot the system. Done!

IPLeak not leaking IPv6

Leaking IPv6 with the VPN active not happening anymore

Conclusion

I think everybody should encrypt as much communication as possible, for privacy purposes, and it is still possible to have a trustworthy VPN service for free nowadays, just some adjustments are needed. Of course if you are in the economical position to support their job, do not hesitate on doing it so. I do recommend, in case you are in Linux and are going to pay for the service, to go for IVPN or Mullvad, as their applications are much much better. I have only tied IVPN from these two, and it was perfect!

⋇ ⋇ ⋇ ⋇ ⋇

Thanks for reading the post! Do not hesitate to write me an email, and share your point of view 😉: contact@poview.org