Continuing the discussion from Secure VPN VMs in Qubes OS:
The official Firewall documentation recommends having separate VPN and firewall VMs.
sys-net <--> sys-firewall-1 <--> network service qube <--> sys-firewall-2 <--> [client qubes]
I have successfully set up a Mullvad VPN qube using Qubes-vpn-support (for which I have read many recommendations while searching the forum) and WireGuard (does Mullvad even still support OpenVPN? I can’t find configuration files for it). The GitHub page, however, states that no “separate firewall VM” is required. Does it refer to what’s called “sys-firewall-2” in the documentation? Or have I misinterpreted? How can this be, given the three arguments the documentation makes in favour of such a model? If the answer is in the Readme’s “firewall notes” I’m not able to link the dots…
Secondary question: what’s the best way to change the VPN server in such a setup? Since I’m still not able to drift too far away from the guide, what I have thought of is to copy a new .conf file to the VPN qube and use
sudo cp mullvad-us1.conf /rw/config/vpn/vpn-client.conf
again, like I did in the setup. Is there a better way?