How do i set up Qubes so a VPN connects first always?

How would i set up Qubes so that a VPN is always on, with a killswitch in the whole of Qubes 4.1?
Right now i have created a standalone VPN appVM as the qubes documentation says, with iptables.
" Set up a ProxyVM as a VPN gateway using iptables and CLI scripts"

Then i switched the personal or untrusted to use a VPN in Qubes settings net cube.
But now i’m wondering if instead of setting cubes to use the VPN, is it not better to set all of qubes to connect through a VPN? And if i then use any Appvm, cubes, they will all connect through the VPN, and also TOR. So it’s tor-over-vpn.
The first connection is made to a vpn, and the second is tor through that VPN.

How do i set that up in Qubes 4.1? Could i just set the sys-net to use the sys-VPN and then all of qubes traffic goes through a vpn ?

that risky, if you run like that, it better to set sys-net as vpn itself though network-manager's vpn function (also not safe too)

Ok, is that the optimal way if you want all of the traffic to go through a VPN in Qubes 4.1?
Are there any documentation for this? I read in those that you can set up which cubes you want to use…
But if i use my way whonix would use tor-over-vpn instead of tor-internet as now…
And that would give more security as-well.

are there any clock problem?

What do you mean? No. And that’s irrelevant to my question…
I’m not asking about the clock…

I’m asking about how qubes work, and if i can get all of the traffic out from Qubes through a VPN that is always on, and that has a killswitch if it goes down.
I’m also wondering in what ways qubes is “leaking” the real IP as default? Everything apart from the whonix is “leaking” the real ip i’m guessing.

If i want a VPN as a filter, how do i set that up is my question. If anyone has managed that i would appreciate if you could help me with an answer.

yes, that irrelevant to your problem
just check if it suitable for long-term use

leaking to local network or internet?

Yes that’s irrelevant, and i don’t care about the clock…
I mean leaking outside of the Qubes OS… past my router. Hiding the real ip as in putting a lock on a house.
Answer if you have experience with this. Or anyone else. You are offtopic. Thanks

so only netvm are leaking

i thought this already enough

I use this: GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS

Then set up all of my non-whonix VMs to point to it (this diagram shows what the Networking drop down points to in each case):

All normal VMs → sys-vpn → sys-firewall → sys-net.

For whonix:

Whonix workstations → sys-whonix → sys-vpn → sys-firewall → sys-net.

The only caveats are that, by default, Qubes updates go directly via sys-net (templates) and sys-firewall (dom0). I don’t have any concerns about that, but others might.


1 Like

Thanks. Ok… But how do you use let’s say whonix as tor-over-vpn with that setup?
For tor-over-vpn you wouldhave to use tor browser in some appVM, but whonix could be better… It depends.

i throw up my hands at the “tor over vpn” vs “vpn over tor” discussion mostly because i don’t agree with everyone on what the terminology means. [not your fault! :slight_smile: but i can’t take it any more. :slight_smile: ]

Part of that involves “what does ‘->’ mean”? In my diagram above I was specific “this diagram shows what the Networking drop down points to in each case”. Just to be clear.


Same… I confuse them. I mean. I want a VPN as the first connection to the internet, and then after that a tor connection that goes inside of that VPN. The ISP can see a vpn, whonix would run inside. To my understanding that gives a little bit of “anonymity”, or security online.

I tried that yesterday, changed the whonix to the sys-VPN, but that did not work.

Right, that’s what my example shows, where the arrow indicates the networking drop down in qubes settings is pointing to:

For whonix:
Whonix workstations → sys-whonix → sys-vpn → sys-firewall → sys-net.


1 Like

Ok, i will try that! So those scripts create all of that? That would be great! I will try later on sometime… :slight_smile: Thanks for sharing!

That doesn’t make sense. sys-net is essentially your device controller for the hardware that allows you to connect to the internet. Either your wifi card or ethernet controller. There is no VPN service without something to plug into. One of the reasons sys-firewall is there is to prevent DMA attacks on your front end VMs (due to sys-net being directly connected to your hardware controller). So those two VMs are the bare essentials for secure connectivity. Then you add a VPN qube with your firewall IP tables configured and a kill switch, etc.

Also, don’t run any apps in sys-net and don’t connect any appVMs to directly to sys-net. sys-net and sys-firewall should be utilized as a pair and everything else should be in front of them.

1 Like

Thanks! Good to know! :slight_smile: Good to learn some.

Is that much less secure or what? Does not sound that bad… If it’s the only and best solution.

The updates sent from the repos are cryptographically signed (“Qubes distrusts the {networking} infrastructure”), so no less secure.

Some folks don’t want the ISP-level inspection (e.g. Comcast/Verison) to see Qubes being used, but I’m not personally worried about that. It’s just a linux distro.


The scripts configure sys-vpn. You personally change your network drop downs to point each VM to the right VM.