I want to use Mullvad as my NetVM for disposable VMs, but there is no option to do so as there is no qube settings for either of the (EDIT: Default) disp VMs. I am able to do so in newly created dispVMs.
Also, my template disp VMs have been set to sys-firewall by default. I thought you weren’t supposed to give internet access to templates? Why do they have net access by default (I never changed anything).
Also my newly created DispVM shows up with the other qubes that are not DispVMs. I was expecting it to show up at the top, with the other default DispVMs. Is this intentional?
You are correct in that templates are not supposed to be connected to the internet, they do that via proxies to receive updates and install software.
What is different about your DispVM templates, is that they still take their root from the main template, and are just a means to create disposable VM’s based on that origin “Debian-11” template, for example.
You can see that disposable templates are actually classed as “AppVM’s” not template VM’s when you create them, and so they draw their root filesystem from the main template. For this reason you are not exposing the root filesystem to the internet by having the disposable template assigned a NetVM.
So you should assign the Mullvad-VM as your networking VM for the Disposable template.
Someone more knowledgeable can correct me if I’m wrong, and if this wasn’t clear please ask me to clarify.
From Qubes documentation:
NetVM and firewall rules for disposable templates can be set as they can for a normal VM. By default a disposable will inherit the NetVM and firewall settings of the disposable template on which it is based. This is a change in behaviour from R3.2, where disposables would inherit the settings of the app qube from which they were launched.
Therefore, launching a disposable from an app qube will result in it using the network/firewall settings of the disposable template on which it is based. For example, if an app qube uses sys-net as its NetVM, but the default system disposable uses sys-whonix, any disposable launched from this app qube will have sys-whonix as its NetVM.
To further illustrate this, go in to your Qubes manager and look at what the ‘disk usage’ is for your disposable template, then go and look at what it is for your regular ‘fedora-36’ template.