How do I set up Qubes so a VPN always connects first?

Great. Can I use Debian 11 as a template in that proxyVM, or do I need to use Fedora?

Follow the documentation.

I will read more. Right now it does connect to the VPN in the qube, but I also get this:
```
● qubes-vpn-handler.service - VPN Client for Qubes proxyVM
     Loaded: loaded (/usr/lib/systemd/system/qubes-vpn-handler.service; enabled; vendor preset: disabled)
    Drop-In: /usr/lib/systemd/system/qubes-vpn-handler.service.d
             └─00_example.conf
     Active: activating (auto-restart) (Result: exit-code) since
    Process: 1311 ExecStartPre=/usr/lib/qubes/qubes-vpn-setup --check-firewall (code=exited, status=1/FAILURE)
    Process: 1322 ExecStopPost=/usr/lib/qubes/qubes-vpn-setup --post-stop (code=exited, status=0/SUCCESS)
        CPU: 19ms
```

I read it runs on Fedora 30, Debian 9 and 10 template-based VMs. I will try Debian 11 though, as I am on it now… Or get the 10… I will get this to work, I just started…
I think I need UDP instead of TCP also…

edit:
This is too advanced for me… Firewall rules. I’m one of those that needs a step-by-step guide. :wink:

Firewall notes

The proxy-firewall-restrict script builds on the internal rules already set by Qubes firewall in a Proxy VM, and puts the VM in a very locked-down state for networking.

On Qubes 4.x this script is linked to /rw/config/qubes-firewall.d/90_tunnel-restrict and you can add a custom script in the qubes-firewall.d folder to include your own rules.

For userspace VPN protocols such as OpenVPN, traffic originating from the VPN VM is controlled by group ID of the running process; only qvpn group is granted access. However, this restriction can be safely removed if necessary as it exists only to prevent accidental clearnet access from within the VPN VM and does not affect anti-leak rules for connected downstream VMs. Enable the Qubes service ‘vpn-handler-egress’ for the VPN VM to disable this group restriction.

ICMP packets are allowed for local traffic by default. If you think blocking ICMP is necessary you can enable the Qubes service ‘vpn-handler-no-icmp’. Note this does not affect downstream VM (forwarded) ICMP traffic; blocking this can be done with the qvm-firewall tool.

p.s: I have managed to set this up, and it should be as secure as your link. Those scripts would make that faster:

How would a good leak proof firewall script look like?
This guide:

" Firewall notes

The proxy-firewall-restrict script builds on the internal rules already set by Qubes firewall in a Proxy VM, and puts the VM in a very locked-down state for networking.

On Qubes 4.x this script is linked to /rw/config/qubes-firewall.d/90_tunnel-restrict and you can add a custom script in the qubes-firewall.d folder to include your own rules.

For userspace VPN protocols such as OpenVPN, traffic originating from the VPN VM is controlled by group ID of the running process; only qvpn group is granted access. However, this restriction can be safely removed if necessary as it exists only to prevent accidental clearnet access from within the VPN VM and does not affect anti-leak rules for connected downstream VMs. Enable the Qubes service ‘vpn-handler-egress’ for the VPN VM to disable this group restriction.

ICMP packets are allowed for local traffic by default. If you think blocking ICMP is necessary you can enable the Qubes service ‘vpn-handler-no-icmp’. Note this does not affect downstream VM (forwarded) ICMP traffic; blocking this can be done with the qvm-firewall tool."

This guide is easier for me to set up than the script: