Can't Open Proton VPN on Kicksecure 18

marcos-morar · December 23, 2025, 1:35pm

In QubesOS 4.2.4 I’d sys-vpn based on kicksecure-17 and it was working fine.

Butin QubesOS 4.3 I am trying to open Proton VPN on kicksecure-18. Initially it opened and worked fine but when I enabled kill switch, now its not opening and giving this error:

2025-12-23T13:25:10.486891+00:00 | proton.vpn.core.connection:508 | INFO | CONN:STATE_CHANGED | Disconnected (initial state)
Traceback (most recent call last):
  File "/usr/bin/protonvpn-app", line 33, in <module>
    sys.exit(load_entry_point('proton-vpn-gtk-app==4.13.1', 'console_scripts', 'protonvpn-app')())
             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3/dist-packages/proton/vpn/app/gtk/__main__.py", line 35, in main
    controller = Controller.get(executor, exception_handler)
  File "/usr/lib/python3/dist-packages/proton/vpn/app/gtk/controller.py", line 72, in get
    executor.submit(controller.initialize_vpn_connector).result()
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/concurrent/futures/_base.py", line 456, in result
    return self.__get_result()
           ~~~~~~~~~~~~~~~~~^^
  File "/usr/lib/python3.13/concurrent/futures/_base.py", line 401, in __get_result
    raise self._exception
  File "/usr/lib/python3/dist-packages/proton/vpn/app/gtk/controller.py", line 104, in initialize_vpn_connector
    self._connector = await self._api.get_vpn_connector()
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/proton/vpn/core/api.py", line 69, in get_vpn_connector
    self._vpn_connector = await VPNConnector.get(
                          ^^^^^^^^^^^^^^^^^^^^^^^
    ...<3 lines>...
    )
    ^
  File "/usr/lib/python3/dist-packages/proton/vpn/core/connection.py", line 100, in get
    await connector.initialize_state()
  File "/usr/lib/python3/dist-packages/proton/vpn/core/connection.py", line 311, in initialize_state
    await self._update_state(state)
  File "/usr/lib/python3/dist-packages/proton/vpn/core/connection.py", line 532, in _update_state
    new_event = await self._current_state.run_tasks()
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/proton/vpn/connection/states.py", line 194, in run_tasks
    await self.context.kill_switch.enable(permanent=True)
  File "/usr/lib/python3/dist-packages/proton/vpn/backend/networkmanager/killswitch/wireguard/wgkillswitch.py", line 64, in enable                                                                            
    await self._ks_handler.add_kill_switch_connection(permanent)
  File "/usr/lib/python3/dist-packages/proton/vpn/backend/networkmanager/killswitch/wireguard/killswitch_connection_handler.py", line 134, in add_kill_switch_connection                                      
    await _wrap_future(
        self.nm_client.add_connection_async(kill_switch.connection, save_to_disk=permanent)
    )
  File "/usr/lib/python3/dist-packages/proton/vpn/backend/networkmanager/killswitch/wireguard/killswitch_connection_handler.py", line 56, in _wrap_future                                                     
    return await asyncio.wait_for(
           ^^^^^^^^^^^^^^^^^^^^^^^
    ...<2 lines>...
    )
    ^
  File "/usr/lib/python3.13/asyncio/tasks.py", line 507, in wait_for
    return await fut
           ^^^^^^^^^
  File "/usr/lib/python3/dist-packages/proton/vpn/backend/networkmanager/killswitch/wireguard/nmclient.py", line 185, in _on_connection_added                                                                 
    nm_client.add_connection_finish(res)
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^
RuntimeError: Error adding KS connection: nm-settings-error-quark: Insufficient privileges (1)
zsh: exit 1     protonvpn-app

Is there a workaround?

WhiteShadow · December 23, 2025, 1:46pm

Maybe related to new run modes, when you can run qube based on kicksecure/whonix by set envirement from advanced settings of Qubes.

marcos-morar · December 23, 2025, 1:47pm

I checked both user mode and unrestricted mode with no success.

WhiteShadow · December 23, 2025, 1:54pm

I want to reproduce your issue on my device,
Did you follow guide:

+

By using Maintenance tools in kicksecure template?

marcos-morar · December 23, 2025, 2:02pm

I had been using Proton VPN on Kicksecure-17 for many months with the same installation method.

I simply downloaded the .deb package from the Proton website, installed it in the template, created a sys-net qube based on that template, and it worked fine. I was able to log in to my VPN account without issues. However, when I enabled the kill switch, a problem occurred: the application hung, so I restarted the AppVM. After that, the VPN GUI would no longer start. When I tried to run it from the terminal, it gave the error I pasted earlier.

DVM · December 23, 2025, 2:09pm

To make it work, you will probably need to remove user-sysmaint-split from your template. The app won’t work if it requires root access because it’s locked.

marcos-morar · December 23, 2025, 2:33pm

I don’t think in 4.3 now there is any need to remove user-sysmaint-split anymnore. In AppVM now user can set the mode to user mode, unrestricted mode or sysmaint mode.

Theoratically the apps should have complete access in unrestricted mode, but proton VPN is giving error there.

Then I checked sysmaint mode and VPN started and connected to the internet.

But now in sysmaint mode its not providing internet to other qubes. And I don’t know where to check the issue for this.

DVM · December 23, 2025, 2:41pm

The sysmaint account has root access, unlike the other modes. This is why you need to remove the package to regain root access as a user.

marcos-morar · December 23, 2025, 3:12pm

Strangely enough, removing the user-sysmaint-split worked.

I don’t understand the logic behind it, though. Kicksecure-17 also had the user-sysmaint-split, but it never caused an issue for sys-vpn there. In Kicksecure-18, however, it does, even though the option to use sysmaint or unrestricted mode is now available even for AppVMs, which wasn’t possible before.

That’s really odd!

marcos-morar · December 23, 2025, 5:55pm

Proton VPN is now working in Unrestricted mode.

I reinstalled the user-sysmaint-split package because I was not convinced that, when unrestricted mode is available, there is any need to uninstall this package.

After reinstalling, the first time I started sys-vpn in unrestricted mode, but the proton vpn didn’t work. However, after restarting the qube, it worked on the second attempt.

Through further observation, I discovered that if an app requiring privileged access is started before the user-sysmaint-split removal process completes on each AppVM startup, it will not work, no matter how long you wait afterward.

But if you wait a short while after startup (allowing the system to uninstall user-sysmaint-split in the background) and then start the app, it works.