He might not want vpn1 to know his destination, and vpn2 to not know his actual ip… Depending on his own threat model and the precautions he takes to subscribe to the vpns, this may or may not be achievable.
To each their own!
How to set up a new AppVM or a vpn? There are guides for both and it seems like you already created one of each, so it’s the exact same process, just different vpn providers. But the ovpn files work in the same way.
When you create an AppVM, if you don’t explicitly set a netvm, it’ll use the default netvm.
You can check it with:
[user@dom0 ~]$ qubes-prefs default_netvm
To check the netvm used by a particular qube run:
[user@dom0 ~]$ qvm-prefs QUBE-NAME netvm
You can change the netvm used by a qube by adding the name of the new netvm at the end of the command above.
So if you want a chained setup like browser-vm > vpn-2 > vpn-1 > sys-firewall > sys-net
you need to do the following:
[user@dom0 ~]$ qvm-prefs vpn-1 netvm sys-firewall
[user@dom0 ~]$ qvm-prefs vpn-2 netvm vpn-1
[user@dom0 ~]$ qvm-prefs browser-vm netvm vpn-2
I used arbitrary vm names, you need to use the exact name you have on your system.
Also keep in mind that unless you change this set up, vpn-2 will always connect to vpn-1 from now on. If you wish to separate them you’ll need to change the netvm associated to vpn-2 to sys-firewall (in the second command, replace vpn-1 with sys-firewall).
Finally, if you want to change the default netvm to vpn-2 for new qubes (and old qubes that have the netvm property set to default), simply run:
[user@dom0 ~]$ qubes-prefs default_netvm vpn-2
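
An added example, not part of the original post: a small dom0 script that walks a qube's netvm chain with the qvm-prefs command shown above and compares it with the path you intended, so a qube that silently bypasses one of the VPN hops is caught. The function names, the QVM_PREFS override and the treatment of an empty or "None" value as the end of the chain are assumptions of this example.

```shell
#!/bin/sh
# Added example: verify a chained netvm setup from dom0.
# QVM_PREFS is a hypothetical override so the logic can be exercised
# without Qubes; by default the real qvm-prefs tool is called.
QVM_PREFS=${QVM_PREFS:-qvm-prefs}

# Print the netvm chain starting at qube $1 as "a > b > c".
# Returns 1 if a qube appears twice (loop), 2 if a lookup fails.
netvm_chain() {
    qube=$1
    chain=$qube
    while :; do
        next=$($QVM_PREFS "$qube" netvm 2>/dev/null) || return 2
        # Assumption: a qube without a netvm reports an empty value or "None".
        case $next in
            ''|None) break ;;
        esac
        # Names are separated by " > ", so every name is surrounded by spaces.
        case " $chain " in
            *" $next "*) echo "loop at $next" >&2; return 1 ;;
        esac
        chain="$chain > $next"
        qube=$next
    done
    echo "$chain"
}

# Compare the actual chain of qube $1 with the intended chain $2.
# Returns 0 on match, 1 on mismatch, 2 if the chain cannot be resolved.
check_chain() {
    actual=$(netvm_chain "$1") || {
        echo "cannot resolve netvm chain for $1" >&2
        return 2
    }
    if [ "$actual" = "$2" ]; then
        echo "OK: $actual"
        return 0
    fi
    echo "MISMATCH for $1: expected '$2', got '$actual'" >&2
    return 1
}

# Stand-alone use: ./check-chain.sh QUBE "QUBE > vpn-2 > vpn-1 > sys-firewall > sys-net"
if [ $# -eq 2 ]; then
    check_chain "$1" "$2"
fi
```

Run it after any netvm change, including a change to default_netvm, since qubes that follow the default move with it.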