I wanted to pass all connections through a VPN, so I was thinking of creating a VPN router like the one in this video. But can I create a sys-vpn that passes all connections through the VPN like sys-whonix?
If possible, what advantages and disadvantages does a sys-vpn have over a VPN router?
Yes, you can: Wireguard VPN setup Every qube that is connected to this (service) vpn qube will be routing its traffic to your vpn provider.
This is not a Qubes related question. But if you configure your VPN on a router your benefit is that all devices connected to this router will be using your VPN automatically, no need to setup VPN configs / apps on your devices. An other advantage is that you can connect unlimited devices to your router (VPN provider limits your number of devices per account). Obviously, your disadvantage is when you are using your notebook or smartphone outside your home network (your VPN router) your traffic will not be forwarded to your VPN provider.
All in all, yes it is possible.
It’s actually very simple.
Build one machine that has the firewall and all, make sure you have 2 connections on the sysVPN qube.
One is external, one is internal.
After that it’s simple, just have one connect to the “sys-net” that has the network adaptor. Otherwise you can attach the actual network adaptor by PCI into the sysVPN machine.
After this, the second NIC is the internal network.
This is how the sys-whonix systems work after all, so it’s very very very very very simple and takes about 30 minutes to set up properly.
They are both machines…
a sys-vpn has advantage because you have control over the system and the hardware and can do more with it. If it’s under-performing you can add more RAM or CPU or storage for the logs…
So you only have advantages.
If you want to add more things from outside the PC, you can add another NIC to the system, then add a HUB on the outside, and have other machines use the same VPN too.
So the sky is the limit.
A Raspberri Pi is limited, and you would have to buy another Pi.
If you neede more RAM, you would have to get another Pi. Upgrade the CPU, get another Pi. Upgrade storage, have to take the time to clone and more. Can’t just backup the system whenever you want to, even live.
I can only see advantages in that regard.
I can help you set up and get everything working if you want, I’ve set mine up many times in the past when I have been working for different businesses and used a VPN to connect to the workplace using Qubes.
Please let me know how to set it up!!
I use kicksecure for the service qubes and am a protonVPN user.
Do not use minimal.Instructions on Proton installation can be found here…
I would recommend for the installation you download all the required files and packages in a DVM and copy them to the Template so that the template doesn’t connect to the internet for the installation of the things that it needs.
This is an easy thing to do, if you need instructions or assistance with this part please let me know and I will assist further.
I have done this with other VPN connections in a similar method, but just using OpenVPN to do the connections to the remote networks, not using another third party software.
Check this out: WireGuard on Qubes OS | Mullvad VPN
sys-vpn on QubesOS is strange and fails sometimes. Lowering the MTU can be helpful as described in Mullvad’s troubleshooting section.
Here are the commands. This means that the template itself doesn’t connect to the Internet, as the virtuals shouldn’t. This gets proton set up fully.
T: (Template)
G: (Temporary Guest VM)
{T} = Template name here
{G} = Temporary Guest VM name here
G: su -
T: su -
T: apt update
T: apt upgrade
T: apt install openvpn
T: apt install dialog
T: apt install python3-pip
G: apt install python3-pip
G: mkdir prontonvpncli; cd prontonvpncli
G: pip download protonvpn-cli
G: cd ..
G: qvm-copy-to-vm prontonvpncli {T}
T: cd ~user/QubesIncoming/{G}/prontonvpncli
T: pip3 install ./*.*
T: vim /etc/sysctl.conf
---------- Insert the following. (I have this on all my linux guests by default)
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
net.ipv6.conf.tun0.disable_ipv6 = 1
----------
T: sysctl -p # Make sure that it is disabled
It is now installed, and you can shut down both virtuals.
Now create a virtual based on {T}
qvm-create --template {T} --label red sys-Proton-Gateway
Open settings for sys-Proton-Gateway, set enabled for “Provides Network”
Next, start and set up your account, this is an easy enough step to complete.
After the account is set up in the virtual, you will then have to copy the configuration files to the /rw/config folder. That way your configuration is saved for after the machine restarts.
Otherwise, you can copy the configuration files to the TEMPLATE so that they will always be there when you create a new virtual (Providing they are not saved in the HOME directory.
If they are stored elsewhere in the template, then they are in the root directory somewhere other than the home directory.
As I don’t have a PROTON VPN account I am unable to configure it at this time, but you can easily configure it each time the gateway is started.
After it’s all set up, connect a virtual to the gateway, and see what your external IP is.
Everything SHOULD be passing through the VPN.
If you get your actual external IP, then let me know and I’ll take it to the next stage and look further into the forwarding and all.
That’s how Debian works now. You will need to use a venv, or you can remove the following file to continue:
sudo mv /usr/lib/python3.11/EXTERNALLY-MANAGED ~/
I didn’t know what venv is, so I used the command below. It can now be installed with pip3.
I tried connecting sys-Proton-Gateway after sys-whonix.
sys-Proton-Gateway shows
Connecting to JP-FREE#3 via TCP…
Connected!
When I check the IP address here, it is not Japan.
It appears to be ignoring the VPN and connecting directly to the internet.
Did you set the VPN as the NIC for traffic?
If you didn’t, then you need to identify that NIC as the one for the traffic.
No i have not set it at all. Can it be set in the Qubes Manager?
No, just set it up in the initialisation script that runs after the VPN is created.
how can I make the script?
The provided solutions are good. But you can also install the vpn app inside a qube as if you were using a “normal” machine. Assuming you don’t want to do all the config yourself.
This is a great example I saw recently and I don’t see why it couldn’t work with other apps too.
Sorry, since they have paid slow on the topic I had posted earlier my issue is still not resolved and now getting worse because the big is causing issue and breaking the machines I had all the stuff on. Currently trying to recover the data to get you the script.
It is just a matter of putting it in the networking interfaces for the interface that it creates.
You can do this from the init script in /rw/config
That way the command just runs when that interface is instantiated.
You can just search for it on the internet if you would like if you don’t have the time to wait for me to rebuild my machine on new drives and wait for developers of qubes to resolve the issue with the system updater.