Guide to setup a ProtonVPN ProxyVM for Qubes OS R4.3.0-rc2

Community Guides
, ,
1

Disclaimer: this is my first attempt to write a guide.
I tried to configure ProtonVPN in Qubes 4.3 with basic OpenVPN and
it was in fact very simple and seems to work fine.
I’d be very grateful if anybody has security improvements or other suggestions.

Guide to setup ProtonVPN ProxyVM for Qubes OS R4.3.0-rc2

In this guide I will detail how to configure a ProxyVM to tunnel all connections through Proton VPN.

This is based on OpenVPN and not on tools from ProtonVPN.
This is based on the official “Linux/OpenVPN” instructions from Proton.

See: How to manually configure OpenVPN for Proton VPN in Linux | Proton VPN

Step 1 - Create the VM

Create a standalone VM using the Debian13-xfce template.

Use the default as NetVM.

Remember to click Provides Network.

After creation, go to Qube Manager, <ProtonVPN>, Settings-> Services and add Network Manager.

Step 2 - Install OpenVPN

Open the ProtonVPN terminal.

sudo apt install openvpn

sudo systemctl disable openvpn.service

Reboot ProtonVPN.

Step 3 - DNS Related Configuration


sudo apt install openresolv

sudo apt install wget

sudo wget "https://raw.githubusercontent.com/ProtonVPN/scripts/master/update-resolv-conf.sh" -O "/etc/openvpn/update-resolv-conf"

sudo chmod +x "/etc/openvpn/update-resolv-conf"

Step 4 - Download ProtonVPN OpenVPN configuration files

Go to your ProtonVPN account and find your credentials (username/password).

NOTE: These are specific for OpenVPN and they are not your usual username/password for accessing all Proton services.

In ProtonVPN create a file with two lines, one for the username the other for the password.


cd /rw/config/

sudo mkdir vpn

cd vpn

sudo nano ProtonCredentials

# write username on the first line

# write password on the second line

From ProtonVPN download your desired server configuration file. For example the “Switzerland UDF” file is called `sudo apt install

From ProtonVPN download your desired server configuration file. For example the “Switzerland UDP” file is called `sudo apt install

From ProtonVPN download your desired server configuration file. For example the “Switzerland UDP” file is called ch.protonvpn.udp.ovpn.

Note: You might want to choose a TCP configuration file, depending on your needs.

Place this file in /rw/config/vpn/

Now edit this file to include the reference to the credentials:


sudo nano /rw/config/vpn/protonvpn.udp.ovpn

# Find the line "auth-user-pass"

# Edit to:

auth-user-pass /rw/config/vpn/ProtonCredentials

Start the VPN service

Start the service with:

openvpn --cd /rw/config/vpn/ --config ch.protonvpn.udp.ovpn --daemon

Now go to Qube Manager and set as ProtonVPN as NetVM of some appVM.

Open Firefox in appVM and visit https://www.dnsleaktest.com/ to check that everything works as expected.

If it does, add the following line to /rw/config/rc.local to automatically start the VPN when ProtonVPN VM starts:


sudo /rw/config/rc.local

# Add

# openvpn --cd /rw/config/vpn/ --config ch.protonvpn.udp.ovpn --daemon
2

Did you deliberately pick openvpn instead of wireguard, or is it just happenstance?

3

I went for OpenVPN because Proton (here: Linux | Proton VPN) gives simple instructions for it without GUI tools or Proton tools.

There are also instructions for wireguard but (unless I am mistaken) they use Proton tools (GUI or cli).

4

This page talks about using wireguard with protonvpn on terminal. You don’t seem to need tailor-made protonvpn software for that.

1 Like
5

Indeed, you can download a WireGuard configuration and import it in network manager and you are done.

The GUI is practical if you want to easily switch between servers without having to download a config for every single server.

1 Like
6

Thank you @tanky0u and @solene !

After some experiments, I have managed to configure the Wireguard VPN and I find it better than the OpenVPN configuration above. The latter stops working after the machine goes to sleep. Instead the Wireguard configuration works fine, it appears.

This is what I did:

  1. Create a standalone Debian 13 machine vpn, with “Provides Network” option and service “Network Manager”.
  2. sudo apt install wireguard
  3. nmcli connection import type wireguard file <configuration file> where the configuration file (.conf) has been downloaded from ProtonVPN website.
  4. Look in the configuration file for a line that looks like: Endpoint = 5.5.5.5:67890. Then go to the Settings (Qube Manager) of the vm vpn , then to firewall, and limit all outbound connections to 5.5.5.5.

That’s it!
With the above commands, the VPN connection (re-)starts automatically when vpn starts or after the machine wakes up from sleep.

NOTE: If I understand correctly, this setup still allows leaks for ping/ICMP packets. But this should not be an issue if you plan to use the VPN after tor. Indeed Whonix automatically blocks all such packets (as well as UDP packets).

Further read: Wireguard VPN setup

7

And DNS as well.

Wireguard is using UDP so it won’t work over Tor.

1 Like
8

@MellowPoison ouch! Thank you, I didn’t know.

I guess I will the try to setup again OpenVPN but - unlike my top post - trying to use nmcli to manage better automatic reconnections after sleep.

Thank you

9

So I just did that.
I want to report the result, maybe it’s useful for others too.

There is a subtle difference wrt the wireguard in the configuration of the Network manager. Namely, the username and password, are not included in the .ovpn configuration file (they are in an external credential file) and the Network manager does not properly read the external credentials file and gives a “invalid secrets” error. So I had to use nmcli commands to register username/password.

  1. Create the standalone Debian 13 VM, with “Provides Network” and service “Network Manager”
  2. sudo apt install openvpn
  3. sudo apt install network-manager-openvpn
  4. Copy the ProtonVPN configuration file (conf.ovpn) to /rw/config/vpn/conf.ovpn
  5. Use nmcli to import the configuration file:
    sudo nmcli connection import type openvpn file /rw/config/vpn/conf.ovpn
  6. Set username and password using nmcli:
nmcli con mod <UUID> vpn.user-name <USERNAME>`
nmcli con mod <UUID> +vpn.data "password-flags=0"
nmcli con mod <UUID> vpn.secrets "password=<PASSWORD>"

Finally, check conf.ovpn to see which IP addresses it uses, and whitelist them in the proxyVM firewall settings.