Internet shuts down after a few minutes – firewall suspected

Yes, this should work with WireGuard. The setup you're using is nested. A nested VPN is basically a VPN inside a VPN, just like your setup. It provides double encryption. But you need to make sure your DNS is configured correctly (your VPN provider's DNS), otherwise this setup can leak your DNS, which you don’t want.

Please check this first:

Go to your sys-firewalls and sys-vpns → settings → advanced tab and check if "provides network" is checked. If not, check it.

THIS IS AN EXAMPLE OF THE SETUP

I am by no means an advanced Qubes user so please don’t take my word for it and read Solene’s excellent guide: Wireguard VPN setup

SYS-NET

FW-EXT → VPN1 + ADDRESS + VPN2 IP ADDRESS

  1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
  2. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 1] dstports=[port number] comment=[insert comment]
  3. qvm-firewall [appvm / sysnetvm name] add accept specialtarget=dns
  4. qvm-firewall [appvm / sysnetvm name] add drop proto=icmp
  5. qvm-firewall [appvm / sysnetvm name] add drop
  • → Qubes menu → VPN2 → setting → netqube: select SYS-NET → provides network: yes

VPN1 → VPN1 + ADDRESS + VPN2 IP ADDRESS

  1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
  2. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 1] dstports=[port number] comment=[insert comment]
  3. qvm-firewall [appvm / sysnetvm name] add accept specialtarget=dns
  4. qvm-firewall [appvm / sysnetvm name] add drop proto=icmp
  5. qvm-firewall [appvm / sysnetvm name] add drop

  • → Qubes menu → VPN1 → setting → netqube: select FW-EXT → provides network: yes

VPN2 → VPN2 ADDRESS

  1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
  2. qvm-firewall [appvm / sysnetvm name] add accept specialtarget=dns
  3. qvm-firewall [appvm / sysnetvm name] add drop proto=icmp
  4. qvm-firewall [appvm / sysnetvm name] add drop
  • → Qubes menu → VPN2 → setting → netqube: select VPN1 → provides network: yes

FW-INT → VPN2 ADDRESS

  1. qvm-firewall [appvm / sysvm name] add --before [rule number] accept proto=[udp/tcp] dsthost=[ip address VPN 2] dstports=[port number] comment=[insert comment]
  • → Qubes menu → FW-INT → setting → netqube: select VPN2

APP-VM
→ Qubes menu → app-vm → settings → netqube select FW-INT

I’m not sure about the setting for FW-INT, maybe someone else can advise on that
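
An added example, not part of the original post: a check that a qube's rule list is fail-closed in the way the rule sets above intend (accept only to the VPN endpoint and DNS, then a final drop). It assumes rules arrive one per line in key=value form, as `qvm-firewall <qube> list --raw` is assumed to print them; the `audit_rules` name, the sample rules and the 203.0.113.10 endpoint are constructed for illustration.

```shell
#!/bin/sh
# audit_rules "IP:PORT [IP:PORT ...]"  < rules
# Reads one firewall rule per line in key=value form (assumed format, see above)
# and checks that the qube is fail-closed: every accept goes to a listed VPN
# endpoint or to DNS, and the last rule is a bare drop.
# Prints one finding per problem; returns 0 only when there are none.
audit_rules() {
    allowed=" $1 "; rc=0; closed=0
    set -f                                  # no globbing while splitting rules
    while IFS= read -r rule; do
        [ -n "$rule" ] || continue
        action="" host="" port="" special="" narrow=0
        for kv in $rule; do
            case "$kv" in
                action=*) action=${kv#action=} ;;
                dsthost=*|dst4=*) host=${kv#*=}; host=${host%/32}; narrow=1 ;;
                dstports=*) port=${kv#dstports=}; narrow=1
                    # collapse "51820-51820" to "51820"; keep real ranges as-is
                    [ "${port%-*}" = "${port#*-}" ] && port=${port%-*} ;;
                specialtarget=*) special=${kv#specialtarget=}; narrow=1 ;;
                proto=*|dst6=*|icmptype=*) narrow=1 ;;
            esac
        done
        closed=0
        if [ "$action" = drop ]; then
            [ "$narrow" -eq 0 ] && closed=1  # catch-all drop
        elif [ "$special" != dns ]; then
            case "$allowed" in
                *" $host:$port "*) ;;
                *) echo "LEAK: accept outside the VPN endpoints: $rule"; rc=1 ;;
            esac
        fi
    done
    set +f
    [ "$closed" -eq 1 ] || { echo "OPEN: rule list does not end in a bare drop"; rc=1; }
    return "$rc"
}

# Constructed sample: the second accept would let traffic bypass the tunnel.
audit_rules "203.0.113.10:51820" <<'EOF' || echo "result: not fail-closed"
action=accept proto=udp dsthost=203.0.113.10/32 dstports=51820-51820 comment=vpn2
action=accept proto=tcp dstports=443-443
action=accept specialtarget=dns
action=drop proto=icmp
action=drop
EOF
```

For FW-EXT, which carries both tunnels, pass both endpoints in the first argument, separated by a space.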