Over the last year I have made a partial switch from NordVPN to Mullvad, now using the Nord for the cellphones still, but Mullvad for the desktop boxes. The main reason for trying Mullvad was for their support of Wireguard, which I wanted to try. Wireguard hasn’t been fully satisfactory though in my experience with one of my email clients (Posteo). Mullvad user support blamed Posteo, although Posteo has worked flawlessly without the use of Mullvad. So I am now considering the use of ExpressVPN exclusively (with OpenVpn). I haven’t paid for an account yet, as there seems to be a problem with making ExpressVPN persistent on restarts. It appears as if part of the installation can be persistent, but the final few stages of the installation process need to be recompleted each time the computer is rebooted, which I do each morning. Contacting the ExpressVPN user support, resulted in being informed, that I would indeed need to reenter the final setup stages on each reboot. I’m using Qubes 4.1 with Debian vm’s and templates. Has anyone found a way to make this vpn persistent?
Do you want to have all network traffic going out through ExpressVPN or only some Qubes going through it.
Did you try to do a proxy vm with openvpn? I remember seeing a way to get an openvpn configuration file from ExpressVPN.
Yes Bishop, I want to have all network traffic going out through ExpressVPN, except my one “clearnet” vm. I have been using Micah Lee’s method for a separate Mullvad vpn vm and it has worked well, except that it doesn’t seem to work if set up on a debian vm. Therefore I have still needed to keep fedora just to make my vpn vm persistent. But with ExpressVPN I’m unsure if there is actually a way to make it persistent, other than by trying to somehow install it in my ubiquiti router. I gather ExpressVPN has some linux support, but not for Qubes.
I could be that you are installing it on an AppVM instead of a template and because of that things are getting erased. See TemplateVMs | Qubes OS
If you could detail the exact steps you followed it could provide more insight to what the problem might be.
I’ve moved this to the Testing 4.1 category. Please do post in this category in the future as it could well be a 4.1 related bug.
Thanks deeplow. I didn’t get as far as paying for a subscription, so that I could actually install ExpressVPN, as I ran into the question of whether I could actually use it in Qubes (and also I was in the middle of a house move, with the desktop box packed up for the movers.) But I did contact the ExpressVPN support service. They kindly replied and I have taken the liberty of copying their reply below. I have also included their link for working with Qubes (they don’t actually support it yet.) I believe their reference to using sys-net is new, since I contacted them, although I may have just missed it before. And I have included a second link below to the page, which lists the extra steps required each time Qubes is rebooted, to get ExpressVPN up and running again.
I would prefer not to install ExpressVPN on my Ubiquiti router, as it is already full of subnets, vlans and one of their UAP addon devices. I’m unsure of how to proceed from here, or if ExpressVPN is even a viable consideration with Qubes. Thanks
Thank you for contacting ExpressVPN Support.
I understand your concern for today and I appreciate you taking the time to contact us.
Yes, I can confirm that you need to perform the setup every time you reboot as indicated on the website for Qubes OS.
We highly recommend that you set up the VPN on a router for a more seamless experience. You can find our app-supported routers on this page: https://www.express-vpn-links.com/vpn-software/vpn-router
Also, while we currently don’t have that feature wherein apps available on Qubes OS, we appreciate you taking the time to let us know what you’re looking for.
I’ll add this to our feature request list for the Product Team to consider in future versions of the product.
Most of the improvements we make come from ideas and suggestions like yours, so thank you for letting us know!
If you want to give ExpressVPN a try, you can sign up here: http://www.express-vpn-links.com/order
If you are not satisfied with the service, just contact us within 30 days and we’ll give you a full refund.
I just tested ExpressVPN with openvpn using GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS
It works well on a debian-10-minimal on QubesOS 4.1
The hardest part was to find the openvpn file on the ExpressVPN website. Click on setup in the upper right corner and then chose Manual Configuration. You will be able to see the username password you will be using and to download the OpenVPN configuration file.
Hope it helps!
Stalled out part way through the process Bishop. I now have an ExpressVPN account, have my openvpn config file in the debian10 minimal template’s QubesIncoming folder and have my username and password for ExpressVPN to use with the openvpn file. But on trying to complete tasket’s “sudo mkdir -p /rw/config/vpn” command in the debian 10 minimal’s XTerm, it is prompting me for a password for sudo. I have tried my usual Qubes login password but it seems there is another password needed for sudo in XTerm, which I’m sure I’ve never entered anywhere.
This is because you are using a minimal template with minimal templates you need to really know what packages you are missing. In this case you are missing the passwordless-root-package. Read more here.
In that case, since minimal template has no ‘sudo’, you could issue the command from dom0 using qvm-run:
qvm-run -u root sys-vpn 'mkdir -p /rw/config/vpn`
Or you can use qvm-run that way to launch an xterm shell instead, which will have root access.
Still having some problems I’m afraid. Using tasket’s https://github.com/tasket/Qubes-vpn-support link, I seem to have everything completed up to and including copying my .ovpn file to a new vpn-client.conf in the /rw/config/vpn folder. But doing the suggested test, using the suggested
sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt
results in an error message stating sudo openvpn: command not found.
Also so far I cannot find the Qubes-vpn-support folder, called upon to be copied to the proxy vm as referenced in step 3. I have logged into GitHub and have found the general section, Qubes-vpn-support, but am then stuck. I’m not a coder I’m afraid, so I’ve no idea how to continue. Many thanks for sticking with me on this.
You will need to install the ‘openvpn’ package into the template used by the proxy. Then shutdown the template and restart the proxy.
Since you’re not familiar with git, the best way to download Qubes-vpn-support is to click on the ‘Code’ button near the top of the github page, then select ‘Download ZIP’. If you didn’t download it in the proxy VM, you’ll need to do a Qubes copy of the zip file to the proxy before extracting it there.
Thanks very much tasket. I will give it a go. cheers