For me, I think it’ll be a better thing to explain with the GUI with some screenshots. Too much work?
And for the template, to be clearer than before. I use a minimal template and all is working with your wireguard guide. You just have to add the wireguard/openvpn package and the network-manager applet.
Why settle for one? Both should be documented. Ability to see both workflows makes knowledge more versatile, and might just help understand the topic.
In absolute terms, I completely agree with you.
But I also think that, given the capabilities of this distribution, the most important thing is that it will be accessible to as many people as possible (even novices with Linux).
That’s why I’ll value the fact that a new tutorial is the easiest (even if it’s less learning).
The easier it is, the more people will use it and stay on this distribution.
The primary purpose of this distribution is security but anonymity, I think, will become just as important in the future, hence the interest of an easy tutorial for the creation of a sys-vpn for everyone.
I would highly recommend including an install script / salt in the guide.
I create my vpn qubes via 2 scripts, and only need to do the following steps:
- copy script a to the templatevm (fresh minimal), copy script b to dom0
- run script a in the template vm
- create the vpn qube with “network-manager” and “qubes-firewall” service
- qvm-copy the configs to the vpn qube
- run script b in dom0
This sets up everything, including going through all config files in the vpn qube and adding the ips and ports to qvm-firewall in dom0 for all ips found.
I also like to have helper scripts like setting the MTU, restarting the vpn with a different config etc.
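The config-to-firewall step described in the post above, sketched as an added example (not the poster's script and not code from the guide). It assumes WireGuard-style `Endpoint = host:port` lines, UDP transport and a qube named `sys-vpn`; the function name and sample config are constructed, and the `qvm-firewall` commands are printed for review in dom0 rather than executed.

```shell
#!/bin/sh
# Added example: read WireGuard configs on stdin and print one qvm-firewall
# command per unique IP endpoint. Hostname endpoints are reported and skipped.
wg_endpoint_rules() {
    awk -v qube="$1" '
    tolower($0) ~ /^[ \t]*endpoint[ \t]*=/ {
        val = $0
        sub(/^[^=]*=[ \t]*/, "", val)    # drop the key and "="
        sub(/#.*$/, "", val)             # drop a trailing comment
        sub(/[ \t\r]+$/, "", val)        # drop trailing whitespace / CR
        port = val; sub(/^.*:/, "", port)
        host = val; sub(/:[^:]*$/, "", host)
        gsub(/^\[|\]$/, "", host)        # unwrap [IPv6] literals
        # Reject missing or out-of-range ports instead of emitting a bad rule.
        if (port !~ /^[0-9]+$/ || (port + 0) < 1 || (port + 0) > 65535) next
        is_v4 = (host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
        is_v6 = (host ~ /^[0-9A-Fa-f:]+$/ && index(host, ":") > 0)
        if (!is_v4 && !is_v6) {
            print "skipped hostname endpoint: " host > "/dev/stderr"
            next
        }
        if (seen[host ":" port]++) next  # one rule per endpoint
        printf "qvm-firewall %s add accept dsthost=%s proto=udp dstports=%s\n", qube, host, port
    }'
}

# Constructed sample input (documentation address ranges, placeholder key).
sample_config() {
    cat <<'EOF'
[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_KEY
Endpoint = 198.51.100.7:51820
endpoint=[2001:db8::1]:443   # IPv6 peer
Endpoint = vpn.example.net:51820
Endpoint = 198.51.100.7:51820
EOF
}

sample_config | wg_endpoint_rules sys-vpn
```

The printed rules only restrict traffic once the qube's catch-all accept rule has been replaced with a drop rule.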
I’ll answer as someone who’s used your guides since forever, as I believe they are the best ones that exist to date.
Should it use a minimal template? It’s not too much extra work, but is it worth it? Some users may have a hard time to debug issues.
I think that’s a good idea. I’ve been using minimal, even gui-less templates for this purpose here. Maybe as a “bonus” in the guide.
Debian or fedora? I’d be tempted to switch all the guides to Debian because you don’t have to upgrade every 6 months… It loses selinux protection though.
I’d vote Debian.
Should it be explained to use it as a disposable qube? This adds a lot of explanations and complexity to the guide, many people are lost with named disposables.
Since you’re updating this for 4.3, why not just use custom-persist? Should be way easier.
Should we cover openvpn as well?
As far as the configs go, wouldn’t it be quite easy to incorporate this in the exact same way you did with WG?
I’d prefer:
- debian 13 - build it once, rest for a long time.
- minimal template - does make sense for a single task: provide VPN network
- AppVM (no disposable)
Thx for your effort!
Ditto. In general community guides are more valuable if they’re specific to the strengths of Qubes (minimal templates, (named) disposable qubes, etc…), but in this case I don’t see any value added by making the VPN qube disposable.
First, I have to mention that I have not followed those specific VPN guides.
The default way to do so should not use minimal templates. As you said, inexperienced users frequently end up asking questions about trivial mistakes. Still, it could be good to mention that.
With not hiding minimal template instructions with details, like this?
blabla
Note for minimal templates
Some extra steps
blabla
Some of those instructions should only point to the docs.
I don’t know if you want to write everything but if not, we can combine our efforts: you write the main part and we can provide minor editions about minimal templates?
My personal preference is Debian (because I had trouble using Fedora with apt-cacher-ng) but that should not matter. Is there any difference between them, except for the installation commands with minimal templates?
Same thing here, if you choose to support on one distro, we can check the instructions on the other one.
Is it possible to provide an optional section, like @otter2 said, with links to the official docs? The work of Ben Grande on the disposable documentation is very good.
Another section on custom-persist as pointed out by @Atrate is a good idea.
That’s something that we can do (I’m still fine if you want to write everything but I want to suggest that we can help too).
Not sure if it is a reason not to do that, but Mullvad VPN will remove OpenVPN support this month.
It should link to the official docs when those docs provide both methods (i.e. How to enable a qube service — Qubes OS Documentation). I think that telling how to use CLI is less work to write the guide but it might require much support. This is a guide, not a tutorial so it should not teach the user how Qubes OS works.
I think wireguard for mullvad setups since that’s all they have now, and as a beginner it’s difficult enough already, so whatever is easiest for most users and provides best benefits. Also an in-place upgrade would be helpful!!! It may be easier to do a brand new install on fedora 42 for me. The in-place upgrades are difficult but it’d be nice, since the work was put in, if we had some way to more easily upgrade the system our vpn runs on than downloading and setting up again.
I installed my mullvad vpn using your setup and it’s nice since it has a functional GUI app. On debian I could only get the cli working and didn’t have as many options as the nice fedora gui app options.
Adding onto the guide or at least pointing to a guide on how to enable selinux in their Fedora 43 Minimal template would be a great addition.
This post by @Gandalfen worked smoothly to create a fedora-43-minimal-selinux template which people could then clone if they want to make that the baseline Fedora 43 Minimal template to clone from.
+1 for AppVM via Debian 13 minimal template! Unless there are performance benefits to using Fedora 42 minimal…
Disposables for specific wireguard / openVPN instances would make sense too, but wouldn’t be my personal priority.
I will not use wireguard, but will use openvpn (I have my .conf files). So yes please, the majority of vpns are openvpn anyway.
I also use qubes 4.3 not 4.2. Just saying.
Do it for debian, minimal template. A vpn gateway in qubes will only be used for that. Any extra packages are, at best, useless.
In enterprise environments sysadmins will never use fedora over debian, for a reason.