3isec mullvad-vpn installation failure

Hello,
Because my current mullvad-vpn qube in fedora 41 is no longer supported, I decided rather than have to reconfigure things again through a new template (current fedora 41 appvm suddenly got a case of unexplained ‘curl being unable to resolve dns’ when I tried to upgrade in place) to move forward and capitalize on unman and mullvad support’s work and implement @unman 's 3isec packaging from github using debian-13-minimal rather than upgrade fedora.

3isec link

Knowing absolutely nothing about managing anything with ‘salt’, I first reviewed salt and yaml basics so I might review the github code and have a basic idea of how the updating was to work before installing in addition to what was actually taking place codewise.

I decided to use the ‘qubes-task-gui’ to do this and the setup of that all worked great! I did a quick bkp of dom0 and then did the install of the mullvad-vpn with the gui. Things appeared to be ok…almost. The update summary was: Succeeded: 9 (changed 4) Failed: 1.

Reviewing the errors indicated: a problem calling 'state.apply mullvad.configure…sys-mullvad. Result: False Comment: Source file salt://mullvad/set_forward.sh not found in saltenv ‘base’.

This error occurred on creating both /rw/config/qubes-firewall.d/set_forward.sh and /rw/config/network-hooks.d/set_forward.sh files.

Also Source file salt://mullvad/update_dns.nft not found in saltenv ‘base’ for creating /rw/confi/qubes-firewall.d/update_dns.nft

However in checking /srv/salt/mullvad both those files exist and both have permissions of -rwxr-xr-x owner root:root and the contents match what is in the files on github.

When I checked the gui settings for the template-mullvad that got created in the process, it reflects that the mullvad-browser.desktop and mullvad-vpn.desktop are both missing and subsequently they are also missing in ‘mullvad-dvm’ and ‘sys-mullvad’.

Unless I read incorrectly, these missing changes would only occur in sys-mullvad so in checking sys-mullvad in the /rw/config directory neither directory qubes-firewall.d, nor network-hooks.d existed. So of course neither does set_forward.sh nor update_dns.nft exist. (I did check about the /rw/config/qubes-bind-dir.d/50_user.conf and that was appended as reported in the log.) So I have several questions in order to complete the setup. Is the fix:

1. Create the 2 directories: qubes-firewall.d and network-hooks.d in /rw/config and…
2. copy set_forward.sh over to sys-mullvad into the /rw/config/qubes-firewall.d directory and the /rw/config/network-hooks.d directory AND also copy update_dns.nft to the /rw/config/qubes-firewall.d directory?
3. What should the permissions on the newly create directories and the scripts be set to?
4. What might be the solution to getting the mullvad-vpn and mullvad-browser .desktop files enabled? Refreshing applications in the gui did not enable them.
5. Lastly, any ideas on why the files appear on /srv/salt/mullvad in dom0 but didn’t apply and said missing instead? Was it because the directories did not exist on sys-mullvad? Was it implied that the process would create them prior to copying them from /srv/salt/mullvad, or was the salt path incorrect? I did not catch exactly how the salt file structure works when defined in yaml. Does salt: //mullvad equate to /srv/salt/mullvad (which exists) or rather /srv/mullvad (which doesn’t exist)??
   Anyone else run into this?
   Thanks for taking a look at this!!

Followup:
I moved ahead and manually created the 2 missing directories in /rw/config and moved the files as well. Permissions are listed in the configure.sls file so set these to 755. This part should be done.

Moving on to the missing applications. I booted up the template-mullvad and checked apt for mullvad-browser and mullvad-vpn. Neither were there. I checked the mgmt-template-mullad.log for further issues and found an issue regarding the mullvad keyring missing.

Error is as follows:
Comment: An error was encountered while installing package(s):
W: OpenPGP signature verification failed: httpss://repository.mullvad.net/deb/stable trixie InRelease:
Sub-process /usr/bin/sqv returned an error code (1), error message is:
Error: Failed to parse keyring “/usr/share/keyrings/mullvad-keyring.asc”
Caused by: 0: Reading “/usr/share/keyrings/mullvad-keyring.asc”: No such file or directory (os error 2)
1: No such file or directory (os error 2) output:
E: The repository: //repository.mullvad.net/deb/stable = trixie InRelease is not signed.

This was followed by the errors for mullvad files not in the salt-env base. This seems to explain the missing applications shown by the application missing errors shown in the gui applications settings tab.

Moving on I came across an older somewhat similar post from June 2023 where a user had the error: ‘user’ not available during this same process and he stated he had used a non-standard user name in dom0 with the implication that I got from the post was that doing so broke the process or at least threw errors. This may be so because I also noticed those same errors which at the time I hoped were just benign like many errors in Linux are but which instead might explain the earlier missing directories and files for /rw/config. However, I did not see any other notification that they weren’t copied.

When installing Qubes long ago, not knowing that setting a username other than ‘user’ might break things, I also had set a username other than ‘user’ being a newbie and not knowing it was going to dom0 and not fedora. I would venture a guess that many people do this. So if that is truly an issue, it might be nice to use a variable in the salt scripting getting the actual username used in dom0 maybe rather than assuming ‘user’?? Maybe it isn’t even related, I’m not sure at this point…

Anyways I need to find the time to fill in the remaining missing files and see if things resolve to get this up and running. The reason, I chose to use this route to create the mullvad-vpn qubes was to avoid some of the configuration hassle but—unfortunately it didn’t quite go as intended…

Sorry you are having trouble.
There is some essential information that you have not yet provided -
What version of Qubes?
What template is used for the default-mgmt-dvm qube?

Quick replies on some points:

Should not be necessary - the configure state uses makedirs: True
which should create these directories.

Again, the configure state sets user:root with mode 755

In salt, the file structure works relative to specified file roots - for
the base environment this is /srv/salt/. So salt://mullvad refers to
/srv/salt/mullvad. (And, to be absolutely clear, you refer to a file at
/srv/salt/mullvad/example using salt://mullvad/example , BUT a state file
at /srv/salt/mullvad/example.sls is targeted as mullvad.example .)

Hi, thanks for the response.
Using v4.2.4
Not certain what you are referring to as ‘default-mgmt-dvm’ qube. I am using the templateVM named ‘template-mullvad’ which is (Debian13.2 using debian-13-minimal) as the template for the ‘mullvad-dvm’ appVM. If you’re referring to the global default disposable template that is ‘default-dvm’ this is set to ‘debian-12-xfce’ as I still have a number of debian12 appVMs and disposables tied to that.

Those /rw/config directories and files didn’t get created for whatever reason so I manually did them and set to mode 755. I rechecked the configure.sls and as you mentioned user and group are both ‘root’ so I have no idea why they didn’t create.

I was able to resolve the mullad-keyring issue and subsequently did update and download the mullvad-browser and mullvad-vpn apps into the template ‘template-mullvad’. I now currently am able to run mullvad-browser in a dispVM as well as using the mullvad-browser in the appVM ‘mullvad-dvm’ when choosing to not use a dispVM.

However, I am not able to get mullvad-vpn gui to load in either a dispVM or in the ‘sys-mullvad’ appVM. Also it appears that the set_forward.sh script is not running on a sys-mullvad restart. I rechecked the permissions and it executes using sudo ./set_forward.sh with the expected results but this isn’t persistent so I am not certain when/how that gets run.

Thanks for the salt path clarifications!
Just for clarification: sys-mullvad appVM also uses the template-mullvad templateVM same as the mullvad-dvm appVM does.

I will have to dig out an old install to test that, but (of course) the
package used to work. It may need an update but I cant check until I get
the old system running.

Salt uses a separate ‘default-mgmt-dvm’ qube to copy configuration and
set up to target qubes. You can check this from dom0 using
qvm-prefs default-mgmt-dvm template

I dont see any reference to a “user” unavailable error. In any case,
none of the commands (except the call to qvm-appmenus) run as “user”, so
this cant be the root of your problems.

If this is a question, the answer is yes. If a statement, it is correct.

Hello again! The default-mgmt-dvm template is: debian-12. I’m guessing this needs to be debian-13 ?? I will wait to change it until you confirm. I didn’t know it existed or purpose until you mentioned it. I thought the default-dvm template was involved. Sorry.

I am uploading the log files to hopefully save you from having to dig out an old install. Hope this helps! ( I didn’t see anything confidential in them). They’re not big, but very informative! They explain much better than what I was trying to say.

3isec-mullvad-vpn-pkg-install-ERRORS.log (11.4 KB)
mgmt-template-mullvad.log (8.7 KB)
mgmt-sys-mullvad.log (3.1 KB)
Thanks for taking the time!! I know you’re probably very busy with v4.3 and other things.

I moved ahead and left the default-mgmt-dvm template set to debian-12 while instead I set each of the 3 qubes involved individually to management-dispVM to debian-13. I then used apt to purge and reinstall mullvad-vpn but had no effect. I then kept searching through the log with journalctl looking for StartApp+mullvad. It appears debian-13-minimal is missing some shared object files:

libnspr4
libnss3

I installed those and I am now able to load the mullvad-gui both in sys-mullvad and in disposables using mullvad-dvm.

Wrapping this up…this seems to work fine as a basic vpn setup. It is nice to be able to run either the browser and/or the gui within a disposable vm. However there are some functional caveats versus my previous standalone sys-vpn appVM setup created using some earlier docs.

1. The Multihop functionality does not work well. The multihop is so slow it is unusable and mostly times-out.
2. Under the gui vpn settings, DNS content blockers are unable to be used. This is understandable since ‘update_dns.nft’ creates dnat chains specifically for 10.64.0.1 and the dns content blocking uses other dns I believe. So maybe some tweaks here in the update_dns file can add some of that functionality back? Probably not necessary for a basic vpn setup.
3. Using DAITA didn’t seem to have a problem. Still able to access internet.
4. There may be other things that may/may not work. I only tested what I used most in my previous setup. Perhaps things will be different in someone else’s setup? (Or maybe an uninstall and reinstall might give better results? idk)

Since it is currently up and running, I will probably keep it for a backup vpn installation despite the slightly reduced functionality. I was disappointed to see multihop pretty much breaks with this setup, but figuring it out is beyond my knowledge level and time I want to spend on it.

Alternative:
Instead I revisited my fedora 41 standalone vpn install originally based on @solene setup guide found here: Mullvad VPN 4.2 setup guide .

I found the earlier fail with curl errors for my in-place upgrade of fedora41 to fedora42 was due to a ‘newbie’ error whereas the mullvad-vpn installation early blocking service was working even with both mullvad services stopped. So I uninstalled mullvad-vpn and the inplace upgrade sailed on through! After the upgrade, I reinstalled mullvad-vpn, rechecked files to be sure that changes still existed from Solene’s quide and setup the gui to mullvad and all functionality was available as was in my earlier install such as dns content blockers, multihop, quantum resistance and daita. Tested successful with other appVM using it. So this is a great option available to use as well as the 3isec qubes package.