Over the last year I have made a partial switch from NordVPN to Mullvad, now using the Nord for the cellphones still, but Mullvad for the desktop boxes. The main reason for trying Mullvad was for their support of Wireguard, which I wanted to try. Wireguard hasn’t been fully satisfactory though in my experience with one of my email clients (Posteo). Mullvad user support blamed Posteo, although Posteo has worked flawlessly without the use of Mullvad. So I am now considering the use of ExpressVPN exclusively (with OpenVpn). I haven’t paid for an account yet, as there seems to be a problem with making ExpressVPN persistent on restarts. It appears as if part of the installation can be persistent, but the final few stages of the installation process need to be recompleted each time the computer is rebooted, which I do each morning. Contacting the ExpressVPN user support, resulted in being informed, that I would indeed need to reenter the final setup stages on each reboot. I’m using Qubes 4.1 with Debian vm’s and templates. Has anyone found a way to make this vpn persistent?
Do you want to have all network traffic going out through ExpressVPN or only some Qubes going through it.
Did you try to do a proxy vm with openvpn? I remember seeing a way to get an openvpn configuration file from ExpressVPN.
Bishop
Yes Bishop, I want to have all network traffic going out through ExpressVPN, except my one “clearnet” vm. I have been using Micah Lee’s method for a separate Mullvad vpn vm and it has worked well, except that it doesn’t seem to work if set up on a debian vm. Therefore I have still needed to keep fedora just to make my vpn vm persistent. But with ExpressVPN I’m unsure if there is actually a way to make it persistent, other than by trying to somehow install it in my ubiquiti router. I gather ExpressVPN has some linux support, but not for Qubes.
I could be that you are installing it on an AppVM instead of a template and because of that things are getting erased. See Templates | Qubes OS
If you could detail the exact steps you followed it could provide more insight to what the problem might be.
I’ve moved this to the Testing 4.1 category. Please do post in this category in the future as it could well be a 4.1 related bug.
Thanks deeplow. I didn’t get as far as paying for a subscription, so that I could actually install ExpressVPN, as I ran into the question of whether I could actually use it in Qubes (and also I was in the middle of a house move, with the desktop box packed up for the movers.) But I did contact the ExpressVPN support service. They kindly replied and I have taken the liberty of copying their reply below. I have also included their link for working with Qubes (they don’t actually support it yet.) I believe their reference to using sys-net is new, since I contacted them, although I may have just missed it before. And I have included a second link below to the page, which lists the extra steps required each time Qubes is rebooted, to get ExpressVPN up and running again.
I would prefer not to install ExpressVPN on my Ubiquiti router, as it is already full of subnets, vlans and one of their UAP addon devices. I’m unsure of how to proceed from here, or if ExpressVPN is even a viable consideration with Qubes. Thanks
Hello,
Thank you for contacting ExpressVPN Support.
I understand your concern for today and I appreciate you taking the time to contact us.
Yes, I can confirm that you need to perform the setup every time you reboot as indicated on the website for Qubes OS.
We highly recommend that you set up the VPN on a router for a more seamless experience. You can find our app-supported routers on this page: https://www.express-vpn-links.com/vpn-software/vpn-router
Also, while we currently don’t have that feature wherein apps available on Qubes OS, we appreciate you taking the time to let us know what you’re looking for.
I’ll add this to our feature request list for the Product Team to consider in future versions of the product.
Most of the improvements we make come from ideas and suggestions like yours, so thank you for letting us know!
If you want to give ExpressVPN a try, you can sign up here: http://www.express-vpn-links.com/order
If you are not satisfied with the service, just contact us within 30 days and we’ll give you a full refund.
https://www.expressvpn.com/support/vpn-setup/app-for-qubes-os/
https://www.expressvpn.com/support/vpn-setup/app-for-qubes-os/#reboot
I just tested ExpressVPN with openvpn using GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS
It works well on a debian-10-minimal on QubesOS 4.1
The hardest part was to find the openvpn file on the ExpressVPN website. Click on setup in the upper right corner and then chose Manual Configuration. You will be able to see the username password you will be using and to download the OpenVPN configuration file.
Hope it helps!
Bishop
Stalled out part way through the process Bishop. I now have an ExpressVPN account, have my openvpn config file in the debian10 minimal template’s QubesIncoming folder and have my username and password for ExpressVPN to use with the openvpn file. But on trying to complete tasket’s “sudo mkdir -p /rw/config/vpn” command in the debian 10 minimal’s XTerm, it is prompting me for a password for sudo. I have tried my usual Qubes login password but it seems there is another password needed for sudo in XTerm, which I’m sure I’ve never entered anywhere.
This is because you are using a minimal template with minimal templates you need to really know what packages you are missing. In this case you are missing the passwordless-root-package. Read more here.
Thanks deeplow!
In that case, since minimal template has no ‘sudo’, you could issue the command from dom0 using qvm-run:
qvm-run -u root sys-vpn 'mkdir -p /rw/config/vpn`
Or you can use qvm-run that way to launch an xterm shell instead, which will have root access.
Still having some problems I’m afraid. Using tasket’s https://github.com/tasket/Qubes-vpn-support link, I seem to have everything completed up to and including copying my .ovpn file to a new vpn-client.conf in the /rw/config/vpn folder. But doing the suggested test, using the suggested
sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt
results in an error message stating sudo openvpn: command not found.
Also so far I cannot find the Qubes-vpn-support folder, called upon to be copied to the proxy vm as referenced in step 3. I have logged into GitHub and have found the general section, Qubes-vpn-support, but am then stuck. I’m not a coder I’m afraid, so I’ve no idea how to continue. Many thanks for sticking with me on this.
You will need to install the ‘openvpn’ package into the template used by the proxy. Then shutdown the template and restart the proxy.
Downloading:
Since you’re not familiar with git, the best way to download Qubes-vpn-support is to click on the ‘Code’ button near the top of the github page, then select ‘Download ZIP’. If you didn’t download it in the proxy VM, you’ll need to do a Qubes copy of the zip file to the proxy before extracting it there.
Thanks very much tasket. I will give it a go. cheers
This is really so good article that you have shared with us. I have never read these kinds of articles in my experience. I have been finding expressvpn coupon and I got this page, that will help us a lot.
This is excellent. Before this, I installed the expressvpn app in the template.
But then everytime I started an AppVM I would have to reactivate expressvpn, which is a big pain.
Now that I have this setup I wonder how to use multiple locations (for the expressvpn server)?
I guess I would use a template for each location, but each one would need a different vpn-config file.
Can qubes-vpn-setup --config be used to specify which config file to use?
Last month I tested several VPN services and this one (ExpressVPN) failed for me: Using Google analytics, facebook trackers, google ads, etc. on their website is a no-go in my eyes. This test was still useful to try a vpn over vpn setup (which worked fine btw). As I sat hours on configuring the appropriate VM (instead of getting it done within 15 minutes) I tought I post here the steps for a better overview.
I. debian-11-minimal template
- First install debian-11-minimal, which will be used as a template (via dom0 terminal)
sudo qubes-dom0-update qubes-template-debian-11-minimal
- Install openvpn and qubes-core-agent-networking in the template. Install also the passwordless-root package or simply open xterm via dom0:
qvm-run -u root debian-11-minimal xterm
In xterm use
sudo apt install openvpn qubes-core-agent-networking
After the install finished, restart the debian-11-minimal template.
II. ProxyVM
- Create a new qube via qube manager, which will be the ProxyVM. This is here for ExpressVpn and it will be tied to the location/server Ireland IE, so lets call this qube ExpressVpnIE (it can be whatever you like).
Choose AppVM → debian-11-minimal as template → go to Advanced tab → Check Provides network access to other qubes → Networking can be set to sys-net or sys-firewall (it could be also an other working VPN qube) → Check Launch settings after creation and create qube.
- In the Settings menu go to the Services tab and choose “custom”, click +, and add
vpn-handler-openvpn
Click apply and ok.
III. Setup
The last stage is to copy three things to the newly created ProxyVM qube ExpressVpnIE: 1. The .ovpn config file downloaded from the ExpressVPN site 2. Qubes-vpn-support downloaded from github 3. and a file called userpassword.txt with the ExpressVpn data (this is NOT necessary if you prefer to type the openvpn username and password).
-
If you login the ExpressVPN site, there is a setup button in the upper right corner. Click this button, choose “Manual Configuration”. On the right panel the username and password will be shown. Save username and password in a file called userpassword.txt (two lines, just name and password) or write them down. There will be also different locations and the .ovpn file to download as well. Copy the .ovpn file and userpassword.txt to the newly created ProxyVM qube ExpressVpnIE.
-
Open the Qubes-vpn-support github site, download the .zip file via the green/upper right button and extract it. Copy the Qubes-vpn-support-master folder to the newly created ProxyVM qube.
-
Open ProxyVM root xterm via dom0
qvm-run -u root ExpressVpnIE xterm
create a folder called vpn in /rw/config
mkdir -p /rw/config/vpn
copy the .ovpn file with the desired location (here: my_expressvpn_ireland_udp.ovpn) in this folder and rename it to vpn-client.conf or create a symlink:
ln -s my_expressvpn_ireland_udp.ovpn vpn-client.conf
- cd to the Qubes-vpn-support-master folder and run
sudo bash ./install
This will ask for username and password. Either type here the data given by ExpressVpn. Or just type something, press enter and copy the userpassword.txt file to /rw/config/vpn.
After this step restart this qube and add it to an other qube as “Net qube”. Check if the IP is correct according to the configuration.
For other locations simply cloning the ProxyVM qube and changing vpn-client.conf + --config did not seem to work for me. I suppose using the steps under II. and III. again would be the way to create other qubes for different VPN locations.