I have been attempting to get openvpn set up and had run into numerous guides with different instructions. I end up getting tied up somewhere along the line, so I put one in-depth guide into ChatGPT to ask it to give me instructions, and it came up with a different instruction set to do this. Can anyone tell me how accurate these instructions are? I’ll try it out in a disposable qube just to see if it works, but I thought it was interesting.
- Open the Qube Manager by clicking on the “Q” button in the top left corner of your QubesOS desktop.
- Click the “Create VM” button and fill out the VM creation wizard with the following settings:
  - Name: Choose a name for your ProxyVM
  - Type: ProxyVM
  - Template: Choose a template for your ProxyVM
  - Networking: Select the default network settings or customize them as needed
  - Color: Choose a color for your ProxyVM
- After creating the ProxyVM, open its settings by right-clicking on it and selecting “Settings”.
- In the “Services” tab, click the “+” button and select “network-manager” from the list of available services. Click “OK” to save the changes.
- Configure your VPN as described in the NetworkManager documentation linked in step 3.
- (Optional) To make your VPN start automatically, edit the `/rw/config/rc.local` file and add the following lines:

```bash
# Automatically connect to the VPN once Internet is up
while ! ping -c 1 -W 1 1.1.1.1; do
    sleep 1
done
PWDFILE="/rw/config/NM-system-connections/secrets/passwd-file.txt"
nmcli connection up file-vpn-conn passwd-file "$PWDFILE"
```

Replace “file-vpn-conn” with the name of your VPN connection file. You can find this file in `/rw/config/NM-system-connections/`.

Create the `/rw/config/NM-system-connections/secrets/` directory if it doesn’t exist yet. Place your VPN certificates and keys in this directory, and create a new file `/rw/config/NM-system-connections/secrets/passwd-file.txt` with the following contents:

```
vpn.secrets.password:XXXXXXXXXXXXXX
```

Replace "XXXXXXXXXXXXXX" with your actual VPN password. The contents of `passwd-file.txt` may differ depending on your VPN settings. See the [documentation for `nmcli up`](https://www.mankier.com/1/nmcli#up) for more information.
- (Optional) To make the network fail-close for the AppVMs if the VPN connection breaks, edit the `/rw/config/qubes-firewall-user-script` file and add the following lines:

```bash
# Block forwarding of connections through upstream network device
# (in case the VPN tunnel breaks)
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP
```

- Configure your AppVMs to use the new VM as a NetVM by right-clicking on the AppVM and selecting “Settings”. In the “Applications” tab, select “Network” from the left-hand side, and then select the name of your ProxyVM from the “NetVM” drop-down menu.
Once you have completed these steps, your ProxyVM should be set up as a VPN gateway using NetworkManager, and your AppVMs should be able to use it as a NetVM to access the Internet through the VPN connection.
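
One way to check the fail-close step above, as an added example that is not part of the original post or of the quoted instructions: the function below reads the output of `iptables -S FORWARD` (or `ip6tables -S FORWARD`) and reports whether both `eth0` DROP rules come before every other FORWARD rule. The function name, the sample rule sets and the `QBS-FORWARD` lines in them are constructed for illustration; it assumes the rules are listed exactly as written in the post.

```shell
#!/bin/sh
# Added example: confirm the fail-close DROP rules are the first rules
# forwarded traffic meets. Input is `iptables -S FORWARD` output on stdin.

# check_fail_close [IFACE] -> exit status 0 if fail-closed, 1 otherwise
check_fail_close() {
    ifc="${1:-eth0}"      # upstream device; the post uses eth0
    in_ok=0
    out_ok=0
    other=0               # set once any non-DROP FORWARD rule has been seen
    while IFS= read -r rule; do
        case "$rule" in
            "-A FORWARD -i $ifc -j DROP") [ "$other" -eq 1 ] || in_ok=1 ;;
            "-A FORWARD -o $ifc -j DROP") [ "$other" -eq 1 ] || out_ok=1 ;;
            # Any other rule could accept a packet before a later DROP is
            # reached, so DROPs found after it do not count (conservative).
            "-A FORWARD"*) other=1 ;;
            *) ;;         # policy lines (-P) and blank lines are ignored
        esac
    done
    [ "$in_ok" -eq 1 ] && [ "$out_ok" -eq 1 ]
}

# Constructed sample: DROP rules at the top, where `iptables -I` puts them.
SAMPLE_CLOSED='-P FORWARD DROP
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD'

# Constructed sample: one direction missing, the other appended too late.
SAMPLE_OPEN='-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j QBS-FORWARD
-A FORWARD -o eth0 -j DROP'

report() {                # report LABEL RULES
    if printf '%s\n' "$2" | check_fail_close eth0; then
        echo "$1: fail-close rules in place"
    else
        echo "$1: not fail-closed on eth0"
    fi
}
report "sample (closed)" "$SAMPLE_CLOSED"
report "sample (open)" "$SAMPLE_OPEN"
```

Inside the VPN qube the same check can be run against live rules with `sudo iptables -S FORWARD | check_fail_close eth0`, and again with `ip6tables` for the IPv6 rules.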