How to set non-Tor qubes to automatically run over Proton VPN? (using WireGuard protocol)

  1. How can I set the internet connection for all non-Tor qubes to run through Proton VPN (WireGuard protocol) by default and not require re-signing in every time? (e.g. in disposable qubes)
  2. How can I have the VPN auto connect on startup?
  3. Can the VPN server be easily changed as if I were using the Proton VPN Linux app?
  4. If there are multiple ways of achieving this, which would be the simplest and most secure ways?

I’m somewhat new to Qubes and appreciate any and all information!

  1. If your setup is correct, your VPN should run in its own qube (e.g. sys-vpn), which will act as the gateway.
    Each qube you want to use the VPN with must have its net qube set to the qube running the VPN.
  2. Check if the protonvpn app gives you the ability to auto login, otherwise you can script the login and hardcode it to something like /rw/config/rc.local.
  3. If you want to change the server location, use the protonvpn app inside the qube containing the VPN to do it.
  4. The best way, as mentioned in the first part, is to use a specific qube for your VPN. You can use the VPN provider’s software, or use a Wireguard configuration file if they provide one, and use something like Qubes-vpn-support or follow this guide.

A qube running the Proton app that functions as a gateway for other qubes sounds like the perfect setup! So if I’m to create this system VPN qube, what do I set on these windows to allow only for the minimum privilege required?

Side note, the Proton app does provide the option to auto login and Proton does provide WireGuard and OpenVPN files but using the app would make it easier to change servers.

What have you decided to use for your VPN setup? The protonvpn application, the qubes-vpn-support project or the wireguard guide?

I’ll go with the Proton VPN application method since it’ll allow for easier server switching. I edited my previous message with more details a little late, my bad.

No worries. If you are using the application, the best way to install it would be to use a StandaloneVM. I’m not sure where the application places its configuration file, so I can’t tell you how to create bind-dirs in an AppVM setup.

So, create a new StandaloneVM based on debian-12 with “provides network” enabled. It will do a full clone of the template to create its own isolated system. Once that’s done, proceed with the installation of the protonvpn application, following the Linux steps. Log in to your account and check if it can connect to a server.

If it works, create a test qube of type AppVM and set its net qube to your StandaloneVM. Start a browser inside it and see if you can access the Internet.
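
The steps from the post above as dom0 commands, plus a check that every networked qube actually reaches the VPN or Tor gateway (following chains of net qubes). This is an added example, not part of the thread; the qube names `sys-vpn` and `sys-whonix`, the label, and `-` as the "no net qube" marker in the listing are assumptions, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: sys-vpn / sys-whonix are assumed names, override via environment.
VPN_QUBE="${VPN_QUBE:-sys-vpn}"
TOR_QUBE="${TOR_QUBE:-sys-whonix}"

# dom0: create the gateway as a StandaloneVM that provides network (not run here).
create_vpn_gateway() {
    qvm-create --class StandaloneVM --template "${1:-debian-12}" --label blue "$VPN_QUBE" &&
    qvm-prefs "$VPN_QUBE" provides_network true
}

# dom0: set one client qube's net qube to the gateway.
use_vpn() { qvm-prefs "$1" netvm "$VPN_QUBE"; }

# Read "name|netvm" lines on stdin and print every networked qube whose chain of
# net qubes never passes through the VPN or Tor gateway. Offline qubes are skipped.
audit_netvm() {
    awk -F'|' -v vpn="$VPN_QUBE" -v tor="$TOR_QUBE" '
        { nv[$1] = $2; order[++n] = $1 }
        function mark(q,   hops) {       # a gateway and everything upstream of it
            while (q != "" && q != "-" && hops++ < 16) { up[q] = 1; q = nv[q] }
        }
        function protected(q,   hops) {  # does the path out cross a gateway?
            for (q = nv[q]; q != "" && q != "-" && hops++ < 16; q = nv[q])
                if (q == vpn || q == tor) return 1
            return 0
        }
        END {
            mark(vpn); mark(tor)
            for (i = 1; i <= n; i++) {
                q = order[i]
                if (q in up || nv[q] == "" || nv[q] == "-") continue
                if (!protected(q)) print q " -> " nv[q]
            }
        }'
}

# Constructed sample listing in "name|netvm" form.
sample_listing() {
    printf '%s\n' 'dom0|-' 'sys-net|-' 'sys-firewall|sys-net' 'sys-vpn|sys-firewall' \
        'sys-whonix|sys-firewall' 'work|sys-vpn' 'anon-whonix|sys-whonix' \
        'personal|sys-firewall' 'vault|-' 'fw-vpn|sys-vpn' 'dvm|fw-vpn'
}

# In dom0, use instead: qvm-ls --raw-data --fields NAME,NETVM | audit_netvm
sample_listing | audit_netvm
```

Any line printed is a qube whose traffic leaves without crossing either gateway.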

Got it. Can it be a Fedora VM though? Fedora receives updates quicker so I’d prefer it

Yes of course. If you prefer Fedora, you can do it with that.

Alright, so I’ve installed Proton VPN and this folder showed up in my Home directory. Would the configuration file be inside of it? If so, how do I create bind-dirs in an AppVM setup?

These are normal folders from the /home/user directory. Which one are you talking about in the screenshot?

I was referring to the bottom folder that says Proton VPN. If this isn’t where the config files are, how can I search for them? And what’s the purpose of setting up an app VM for this?

This is a .rpm file associated with the Fedora package manager. This is the file you downloaded and used to install the application itself. Configuration files are usually added to /etc/ or at the user level in ~/.config, but it can be stored anywhere, it depends on each application.

The point of creating a qube for your VPN setup is part of the Qubes way of compartmentalizing everything. This way you can get every qube to use the VPN by setting their net qube to use the VPN instead of installing the VPN app on every single qube. It’s also better for security, because the VPN is isolated from the client, which means it’s very hard to alter (e.g. turn it off).

Thanks for the info! I’m away from my machine at the moment, but when I do find the config file’s location, do I just follow the instructions for setting up an app VM and it’s straightforward, or is there anything that I should keep in mind?

If you want to use an AppVM, you will need to install the VPN application into a template instead. The best way to do this is to clone the base template (fedora in your case) and install everything you need into it. Then you can create a new AppVM based on that template. Anything outside of /home will be deleted every time you shut down the AppVM, so you will need bind-dirs if the configuration is stored outside of there.

My first account’s responses got blocked for 17 hours for being new.

Alright, the process seems clear so far. For now, I’m working on locating the .desktop and config files.

In the meantime, the VPN installed a GUI app but when I hover my mouse over Start > VPN qube, I don’t see the option to open the VPN. How do I go about searching for programs installed in this template and opening them if it doesn’t have a desktop environment? Opening the app would allow me to log in and connect.

Thanks for this! I tried checking settings but the app’s not there. I also tried using the command to have it detected but it didn’t seem to work. I made sure to reboot the templates.

Do you think the System tray icon section is necessary for the app to be visible? How to install a VPN on Fedora

I followed the installation you provided for Fedora (the first part, not the optional one) and was able to find it in the qube settings in “Applications” under the name “Proton VPN”.

When I opened the application, a systray icon appeared, so it seems to be working fine on my end.

I don’t get it. I deleted the old VPN qube, created a fresh one and here are the commands I used. It still doesn’t show up under Applications in the settings. I also hit the refresh applications button but it still doesn’t show the app.