How to Easily Change VPN Server w/ sys-vpn?

deeplow · July 22, 2021, 9:29am

Continuing the discussion from Qubes-vpn-support and firewall infrastructure:

Do We Need Firewall-qube After Sys-VPN? (Qubes-vpn-support)

Secondary question: what’s the best way to change the vpn server in such a setup? Since I’m still not capable to drift too far away from the guide, what I have thinked of is to copy a new .conf file to the vpn qube and use
sudo cp mullvad-us1.conf /rw/config/vpn/vpn-client.conf
again, like I did in the setup. Is there a better way?

Uqube · July 22, 2021, 1:36pm

You could do the copy with a command in dom0 e.g.:
qvm-run sys-vpn ‘cp whatever.conf /rw/config/vpn/’

Then wrap that in a script that also shuts down and restarts sys-vpn or reconnects the vpn properly. You could then assign the script a shortcut.

You could go the whole hog and setup an rpc call that prompts for a vpn location but I never got round to that

h110w · July 22, 2021, 2:01pm

Recently I have switched to installing the ProtonVPN Linux app in a VPN qube. I use this app to switch servers. It has a kill switch too. I just have a script that launches the app when the qube starts. I think mullvad has a Linux app as well which could be the easiest way to switch servers.

I also found this guide really helpful, but it is for openvpn not wireguard.

When I ran wireguard I just had it locked to one server. But had multiple qubes, each pointing to different servers then I would just switch VPN qubes.
I’m sure there is a way to do it with wireguard, but I gave up in the end.

Newb · August 5, 2021, 12:24pm

For now I’ve settled down with a couple of wireguard proxyvms and an openvpn proxyvm.

The latter has been created following the guide mentioned by h110w: I’ve added some servers to it so that I can easily switch between them with network manager. It’s not as practical as the official app, but I’ve read arguments against using it in the forum. The guide mentions that the firewall stops working well if you create more than 20ish rules, thus effectively limiting me to 20ish servers, does anybody know if that’s still the case?

Wireguard proxyvms have been setup with Qubes-vpn-support. I’d like to learn how to make a script like that proposed by Uqube and I’ll dig into it when I have more time, but I fear that would not be super-practical anyways, since after every server switch I’d still have to wait for appqubes+firewall+proxyvm to shutdown and restart, so I’ll end up rarely switching server anyways. For now I’ll use them with a fixed server like h110w said.

Thank you both for your help!

Sven · August 6, 2021, 3:42am

Hi @Newb,

maybe you like my solution: I got a qube for each server…

sys-njalla
sys-ivpn-dallas
sys-ivpn-chicago
sys-ivpn-germany
sys-ivpn-sweden
sys-ivpn-japan
etc

and a simple script:

#!/bin/bash
# switch from $1 to $2

qvm-start --skip-if-running sys-$2
qvm-prefs sys-vpn netvm sys-$2
qvm-shutdown --quiet sys-$1

… that’s it. I use it like this:

[user@dom0]$ switch-vpn ivpn-sweden njalla

These qubes are based on a template obviously and hence tiny (98 MB) so
they don’t need a lot of space and you always run only one at a time so
you also don’t use more memory.

What’s not to like?

BTW, that also solves the “too many servers in the firewall list” issue.

h110w · August 12, 2021, 1:18pm

I really like wireguard over ovpn so there is another solution I am currently working on at the moment where I will use rofi/dmenu to switch between wireguard config files and then it runs a script that removes the ip addresses of the previous config file rom the firewall rules in the VPN qube and adds the new ip addresses of the new config file. I will keep you posted with my progress