Seems DNS related:
Your VPN is leaving behind DNS/routes that break Xet-backed HF downloads. You don’t need to reboot. Do one of the following fast fixes.
Fastest stable workarounds
- Split-tunnel a “download browser.” In NordVPN on Windows, enable Split Tunneling and exclude one browser from the VPN. Use that browser only for HF downloads. Keep your other traffic on the VPN. (support.nordvpn.com)
- Disable Threat Protection Pro for the test. It inspects DNS/URLs and can block or slow downloads. If downloads resume, keep it off during HF downloads or add allow-lists. (NordVPN)
- Allow-list Xet + HF endpoints in any filter (Nord Threat Protection, corporate gateway, local firewall):
  huggingface.co, hub-ci.huggingface.co, cdn-lfs.hf.co, cdn-lfs-us-1.hf.co, cdn-lfs-eu-1.hf.co, cas-bridge.xethub.hf.co, cas-server.xethub.hf.co, transfer.xethub.hf.co. (Hugging Face Forums)
When you toggle the VPN, reset networking instead of rebooting
Run as Administrator:
ipconfig /flushdns
ipconfig /release
ipconfig /renew
Optional deeper reset (requires sign-out or reboot): netsh winsock reset. (Windows Central)
Or momentarily disable/enable adapters:
# disable Nord's TAP/TUN, then re-enable your main adapter
Get-NetAdapter | ? {$_.Name -match "TAP|Nord"} | Disable-NetAdapter -Confirm:$false
Enable-NetAdapter -Name "Ethernet" -Confirm:$false # or "Wi-Fi"
This forces route/DNS refresh without a full reboot. (Microsoft Learn)
Reduce interference from NordVPN
- Switch protocol. Try OpenVPN (UDP/TCP) if NordLynx misbehaves, or vice-versa. (support.nordvpn.com)
- Fix MTU with WireGuard/NordLynx. Many see success near 1380. Test and set MTU:
  - Find max unfragmented size:
    ping 1.1.1.1 -f -l 1472
    and decrease until it succeeds; MTU = value + 28.
  - Set MTU:
    netsh interface ipv4 set subinterface "Ethernet" mtu=1450 store=persistent
    (name per netsh interface ipv4 show subinterfaces). (Reddit)
- Use non-Nord DNS while disconnected or for the excluded browser. Set 1.1.1.1/1.0.0.1 (or 8.8.8.8/8.8.4.4) at the adapter, or in Nord’s Custom DNS. (Cloudflare Docs)
- Consider the NordVPN browser extension for the “download browser” instead of the desktop app; it proxies only the browser’s traffic and avoids system-wide hooks. (support.nordvpn.com)
Browser-specific levers
- Fully quit Brave/Edge so they release network state. Disable background apps to ensure a clean restart after toggling VPN:
  - Brave: brave://settings/system → turn off Continue running background apps… (Brave Community)
  - Edge: edge://settings/system → turn off Startup boost and Continue running background extensions and apps… (Microsoft)
- Mitigate WebRTC quirks if your VPN policy cares about IP leaks. Brave/Edge can limit WebRTC; this also changes connection paths. (Avoid the Hack (avoidthehack!))
Prefer CLI for Xet repos
Downloads are often more reliable via the HF tooling, and you can throttle concurrency.
- Update:
  pip install -U huggingface_hub hf-xet
- Example:
  huggingface-cli download <repo> --max-workers 1
- Ensure the same allow-list (above) if filtering is in place. (Hugging Face)
Why this happens
HF moved many large repos to Xet. Xet adds new domains and a CAS flow that some VPN DNS/filters break. When you disconnect NordVPN, Windows can keep Nord’s DNS/routes until you reset the stack, so browsers continue failing until a reboot. The allow-list and resets address that path. (Hugging Face Forums)
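A diagnostic check for the stale-DNS condition described above, as an added example that is not part of the original post: it lists the DNS servers on each active adapter, then resolves every allow-listed host through the system resolver and through 1.1.1.1 and tests TCP 443. The function name Test-Resolve and the verdict strings are made up for this example.

```powershell
# Added diagnostic sketch, not from the original post. Hostnames are the
# allow-list quoted in the post; 1.1.1.1 is the public resolver it suggests.
# Run in PowerShell right after connecting or disconnecting the VPN.
$endpoints = @(
    'huggingface.co', 'hub-ci.huggingface.co', 'cdn-lfs.hf.co',
    'cdn-lfs-us-1.hf.co', 'cdn-lfs-eu-1.hf.co', 'cas-bridge.xethub.hf.co',
    'cas-server.xethub.hf.co', 'transfer.xethub.hf.co'
)

# Hypothetical helper: $true if the name yields at least one A record.
# With no -Server the adapter's configured (possibly stale) resolver is used.
function Test-Resolve {
    param([string]$Name, [string]$Server)
    $p = @{ Name = $Name; Type = 'A'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $p.Server = $Server }
    try {
        [bool](Resolve-DnsName @p | Where-Object { $_.Type -eq 'A' })
    } catch { $false }
}

# A VPN-assigned resolver still listed here after disconnecting is the
# leftover state the post describes.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    $dns = (Get-DnsClientServerAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4).ServerAddresses
    [pscustomobject]@{ Adapter = $_.Name; DnsServers = $dns -join ', ' }
} | Format-Table -AutoSize

$endpoints | ForEach-Object {
    $h   = $_
    $sys = Test-Resolve -Name $h
    $pub = Test-Resolve -Name $h -Server '1.1.1.1'
    # Only attempt the TCP check when the system resolver returned an address.
    $tcp = if ($sys) {
        Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    } else { $false }
    # CDN answers differ per resolver, so compare success, not IP addresses.
    $verdict = if ($sys -and $tcp) { 'ok' }
    elseif (-not $sys -and $pub) { 'system DNS stale or filtered' }
    elseif ($sys -and -not $tcp) { 'resolves, TCP 443 blocked' }
    else { 'no answer from either resolver' }
    [pscustomobject]@{ Host = $h; SystemDns = $sys; PublicDns = $pub; Tcp443 = $tcp; Verdict = $verdict }
} | Format-Table -AutoSize
```

Rows marked "system DNS stale or filtered" point at the flush/renew or custom-DNS steps; "resolves, TCP 443 blocked" points at a filter or route rather than DNS.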