Difficulty setting up Standalone ProtonVPN Service

Qubesquark · December 17, 2022, 9:40pm

Aha… Thank you renehoj. I will follow that advice. Hopefully I’ll have everything up and running tomorrow and will report back on success. cheers

Qubesquark · December 18, 2022, 7:56pm

Still not crystal clear, I’m afraid. Decided that, as suggested, I would choose not to log into Proton via the applet and use the working vm instead with a client. I tried installing the protonvpn-cli client in one of my working vm’s - Debian Personal. I got as far as successfully entering my protonmail account password and a server, but it wouldn’t connect. So I rebooted to see if it would reset but lost the persistence of the installation and there was no proton in the Personal vm. Now I’m thinking, that I need to install protonvpn-cli in my debian-11 template, to have it persistent and available to all vm’s using that template. Am I now on the proper track? If so, could I be corrected in any errors in thinking for my plan below, if I only want to use the client in the vm to enable proton?

I can delete my previously made standalone vpn debian vm, into which I was trying to install protonvpn-cli.
Instead of trying to install protonvpn-cli in my working vm’s, I should be installing it directly into my debian-11 Template.
If the above are true, I will need to remove my mullvad-vpn Network vm from being the Network vm for my debian-11 Template. I should therefore use my default sys-firewall as the Network vm for my debian-11 Template.

I’ve been making a number of changes to my system on this and so far everything but the vpn still works. I’d like to keep it that way and not blunder into something, that I will have trouble fixing. cheers

renehoj · December 18, 2022, 8:11pm

This is how I made it work.

Make a debian 11 qube that provides network with autostart and has the network-manager service.

In the template, install the protonvpn client

You should now be able to test the vpn works by using the gui client.

If everything is working, you can make a logon script that uses the cli client to automatically connect the vpn at boot time.

Assign the vpn as netvm for the qubes you want to use the vpn.

Qubesquark · December 26, 2022, 2:22pm

Finally got it thanks. Installed the Protonvpn in a new Fedora 36 vm and used the gui to get the vpn running. But I’m not a scripter (and too old at this stage to become adept at it). So for an auto-start script I borrowed Micah Lee’s Mullvad vpn startup script and used vim to change the autovpn.sh file’s mullvad_ca value to “Proton VPN CA#24” where 24 is a sample server number and the quotes were used due to the spaces in the default Proton config file. After doing the rest of his mods, everything now works great. ProtonVPN starts up on boot and if I then shut the vpn vm down and open another vm, which uses the Proton vm for networking, the Proton opens up automatically. Very happy. Thanks again

renehoj · December 26, 2022, 2:41pm

You can use protonvpn-cli c --cc CA, cc is country code and automatically selects the best server available for that country.

I use the cc option and very rarely get a server that is overloaded.

Qubesquark · December 26, 2022, 3:14pm

Thanks renehoj. I will definitely give that a try. cheers

M4US · March 10, 2023, 8:18am

thank you for the solution, renehoj.
if the logon script (for automatically connecting the vpn at boot time) is based on Micah Lee’s Mullvad VPN walkthrough, then the following modification is suggested for autovpn.sh:

changing

if nmcli con | grep -Fq tun0

to

if nmcli con | grep -q proton0

renehoj · March 10, 2023, 5:37pm

I just add an ProtonVPNstart.desktop to ~/.config/autostart, which runs my connect script when the qube starts.

This is the script I use to connect, it picks a random EU country each restart

#!/bin/bash

cc[0]=“BE”
cc[1]=“IT”
cc[2]=“ES”
cc[3]=“FR”
cc[4]=“FI”
cc[5]=“NL”
cc[6]=“NO”
cc[7]=“CH”
cc[8]=“SE”
cc[9]=“DK”
cc[10]=“DE”
cc[11]=“LU”
cc[12]=“AT”

s=${#cc[@]}
i=$(($RANDOM % $s))

/usr/bin/protonvpn-cli ks --off
/usr/bin/protonvpn-cli c --cc ${cc[$i]} -p udp

I tried using the nmcli client, but I couldn’t get it to work with the ProtonVPN client. If you use the protonvpn-cli client you can use the GUI client to switch server if you need it.

M4US · March 10, 2023, 10:01pm

thank you for sharing the script
i tried adding the vpn autostart script to both /rw/config/ and /home/user/.config, but the app vm does not automatically run the script during boot.

there are no issues connecting to the vpn server after running the script manually in the vm’s terminal window
i am using a debian-11 app vm. below is the modified script (autovpn.sh) derived from Micah Lee’s writeup:

#!/bin/bash
while [ "true" ]
do
	if nmcli con |grep -q proton0
	then
		echo "Already connected, sleeping 5"
		sleep 5
	else
		echo "Connecting"
		protonvpn-cli c --cc NL
	fi
done

which operating system are you using?
are you running the vpn service through an app vm or a standalone vm?

renehoj · March 10, 2023, 10:17pm

I’m using Debian 11 appVM.

protonvpn-cli needs access to the gnone keyring, which is why I use the autostart option, autorun runs the file after login when the desktop is ready.

I have got I working with rc.local, but you need to check when the dbus file is created, it was just easier to use autorun.

You just need to make a .desktop file in /home/user/.config/autorun, and this file can be used to execute your connect script.

Qubesquark · April 2, 2023, 9:55pm

Having trouble getting protonvpn with the gui to run on debian 11. My Fedora based Protonvpn vm stopped working reliably for some reason, so I made a new app vm based of a debian 11 template, set it to provide networking to other app vms, network-manager, autostart and installed the Protonvpn debian 10+ app in the vm, as per Proton’s instructions. But there is no gui system tray icon and the Proton webpage says, “Please note that we don’t support the system tray icon on Debian 11 because the package gir1.2-appindicator3-0.1 has been deprecated and is not present on Debian 11”. How do I start the protonvpn app gui, after a fresh reboot of the computer. The vpn networking widget in the tray shows an unconfigured vpn listing, but clicking on that shows a grayed-out listing. I was using the cli client with fedora before, but I’d like to use the gui client if possible.

renehoj · April 2, 2023, 10:15pm

I can start the GUI client from the terminal and start menu.

The tray icon also doesn’t work for me, but the network manager icon will show if the VPN is connected, with the lock icon.

Do you get an error if you run the protonvpn command from the command line?

Qubesquark · April 2, 2023, 10:31pm

I’m confused on this renehoj. It was a while since I set up the previous cli proton instance and I’m a little fuzzy on the commands. For this new debian 11 instance, I installed the client on the ProtonVPN-debian11 vm and then installed the files as per Proton’s instructions into that vm. Now I am trying to start the protonvpn session directly in that vm also. But I’m not sure of the exact command to enter in Terminal. Entering anything “protonvpn” yields the result protonvpn command not recognized. Was I supposed to install the client in each and every vm, which will be using the ProtonVPN-debian11 vm for their networking instead of in the proton vm? I tried entering “protonvpn login” in the terminals of both the protonvpn vm and also a vm using protonvpn for its networking.

renehoj · April 2, 2023, 10:47pm

The command protonvpn should start the GUI client.

Did you run the command sudo apt install protonvpn?

The deb package you downloaded from the proton website only installs the repository needed to install the VPN client, it doesn’t install the client itself.

You don’t need to install the client in all VMs, you only need to install it in one VM, and that VM will be the netVM for the qubes that need to use the VPN.

Qubesquark · April 2, 2023, 11:08pm

Aha. Maybe that’s where I went wrong. After sudo apt–get install didn’t do anything, I just used sudo dpkg -i filename, so I guess, that I just installed the repo. Wait… no go I’m afraid. sudo apt install protonvpn yields “Unable to locate package protonvpn”.

Div · April 2, 2023, 11:18pm

This may be another alternative, hopefully useful: GitHub - QubesOS-contrib/qubes-tunnel: Integration of vpn tunnels for Qubes OS

You can download OpenVPN config from the Proton dashboard (VPN>settings>OpenVPN: Proton)

renehoj · April 3, 2023, 1:07am

You need to run sudo apt update

Qubesquark · April 3, 2023, 10:39pm

I finally have it up and running. Not perfectly yet, but it runs. I was following the ProtonVPN instructions and then rebooting as per the instructions, before entering protonvpn in Terminal. The reboot from the app vm was the problem, as proton was no longer there. Switched from an app vm to a standalone vm, reinstalled proton, rebooted and it was still persistent. I now get error messages on first entering protonvpn in Terminal and there’s no connection. I need to enable the Proton VPN box in VPN Connections of the networking widget in the tray, when I reboot. Then the Protonvpn gui is useable and I can select and change servers. Thank you renehoj. And thanks Div. I want to try your suggestion also, for another vpn vm in a few days, when I can devote some time to that method.

jlariviere · May 13, 2023, 3:35pm

This thread has been very helpful.
Out of curiosity,
Does that script only work with the CLI or does it work with the full app as well?
Does the Kill Switch actually work using Qubes? (I was wondering if a user would have to put firewall restrictions instead)
Have people been able to get the app’s taskbar icon to work though? I have other programs that don’t have a problem with it, so I was wondering…

renehoj · May 13, 2023, 3:49pm

This is the firewall rules I use, it prevents qubes using sys-vpn from connecting to the internet if the vpn is down.

iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP