Is my Protonvpn official app truly working in Qubes 4.2?

Hello, I’m Qubes OS beginner user, I can’t understand VPN setting user guide of v4.2 in this forum, because I made Forum account.

First, English is not my first language, so probably my question text is unnaturally.

My use case is keep multi pseudonyms.
I must active difference multi accounts on web, because I install Qubes OS.
My threat what are to brake pseudonym, tagging to my real name, and tagging between my using multi pseudonyms.

Whonix (Using account create)
disp-Qube 1 > VPN Qube 1 > sys-firewall > sys-net (pseudonym 1)
disp-Qube 2 > VPN Qube 2 > sys-firewall > sys-net (Pseudonym 2)
disp-Qube 3…

I must keep separate between all disp-Qube and VPN Qube, if their were tagging, my threat model is end.
My threats are Google, Facebook, Discord, Reddit, and other all SNS and selling private data companies.
In my model, I paranoid online privacy, but don’t worry to physical threat that much.
And I don’t play game in my Qubes OS machine, don’t worry graphic and speed performance.
So I must use in VPN Qube, difference VPN services(Mullvad, Proton, iVPN and other).

I use FreeBSD over the decade, I can use command line, but I fully unknown nftable rule, I can’t understand VPN setting user guide of v4.2 in this forum.
Mullvad is yet design for 4.2 Qubes nftable app, but Proton not yet.
I installed to Protonvpn official GUI app in VPN qube and set kill switch(call it sys-vpn here), add services qubes-firewall, qubes-network, network-manager, through sys-vpn connecting to disp-Qube is been succeeding network access, check my IP on disp-Qube browser, display the Protonvpn server IP.
But user guide of v4.2 Protonvpn in this forum, guidance of without official app, or change iptable to nftable.
I didn’t their task, I only installed Protonvpn official GUI app and add services qubes-firewall, qubes-network, network-manager(I use fedora-39-minimal template).
I fully unknown nftable rule, because I don’t know truly disp-Qube network access through sys-vpn, enable kill switch, my IP protecting.
Is my sys-vpn in Protonvpn truly working?

I must work my projects full-time, can’t join Qubes OS source develop and contribute, but if my projects succeed in future, I hope become to Qubes Partner as my projects!

Sorry…I hope write ‘nftable’, firstly misspelled as nfs.


What do you mean by “nfs”? It’s a network file system name (literally, nfs is the acronym of Network File System).

You could still use ProtonVPN with Network Manager instead of their App if you want, given they allow you to connect through OpenVPN or Wireguard without the App.

Sorry…I hope write ‘nftable’.
If use Protonvpn on Qubes OS v4.2, many guide direct exchange iptable to nftable in this forum.
But I see as if work Protonvpn official app in my sys-vpn Qube.
I suspect truly my IP protecting.

Protonvpn official app can be simply change VPN server, so I think use it.
And I fully unknown nftable rule, understanding iptable to nftable is very hard…

You can add this in your sys-vpn qube to the file /rw/config/qubes-firewall-user-script, this will block all traffic that doesn’t belong to the VPN. Let’s say it’s a kill switch at Qubes OS level, even if the App doesn’t work correctly, the kill switch will be always enabled.

# Prevent the qube to forward traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

I hope this helps.

I use both Mullvad and Proton to do precisely the same thing you are doing.

If you use this formula you can get WireGuard working with Mullvad and Proton.

The nature of WireGuard is such that no “kill switch” is needed, it is much better than OpenVPN in this regard.

And it’s always nice to meet a fellow FreeBSD user :slight_smile:

The killswitch doesn’t work. It leaks.

I did a workaround and addressed the killswitch leak with the hardening rule from the wireguard guide above.

1 Like

Thank you best advices, privacy firiends!

I had been learning rules of nftable on v4.2, and I think minimal Qube is best privacy option, disk usage of the debian-12-minimal is smaller than fedora-39-minimal, so I used debian-12-minimal template.
Because minimal template is more less attack surface, security and privacy hardened.

First, I installed packages following to @eBread user guide, I run apt install qubes-core-agent-networking qubes-core-agent-network-manager wireguard resolvconf iptables.

Second, I follow advice @nealr, I set wireguard following to @solene user guide, and hardened.
Edit /rw/config/qubes-firewall-user-script in the Protonvpn template, finally I make and set up Proton-AppVM firewall of the Protonvpn endpoint in wireguard configuration files, and I only enable network-manager in Proton-AppVM.
I didn’t enable qubes-firewall and qubes-network, and I was enable network-manager on Proton-AppVM, didn’t on Protonvpn template.

I run WorkVM of using Proton-AppVM as NetVM, Proton-AppVM is auto run and connect network to the sys-firewall and auto enable Protonvpn wireguard.
My WorkVM are been succeeding network access through Proton-AppVM, checking my ip and DNS are the Proton server in Mullvad Browser on my WorkVM, as if see my Protonvpn on Proton-AppVM is truly working, and my ip and DNS are protecting.

I have question, if my connection setting is right?
The default sys-firewall is use default-dvm template, so I think Proton-AppVM same of sys-firewall, I change Proton-AppVM disposable template after follow @solene guide and hardening.

fedora-38-xfce(Default Qubes OS v4.2 template) > default-dvm > sys-firewall > sys-net
Hardened Protonvpn template > disp-Proton-AppVM(Before change to disposable, I set the firewall to the VPN endpoint and configured the Network Manager) > Protonvpn Qube(Using disp-Proton-AppVM template) > sys-firewall > sys-net

Is my setting right?

And one more question, model of changing VPN server.
I must change connecting VPN server, for example my use service is block access from country or VPN server.
I hope separate between any my pseudonym accounts and other VPN providers in my use case, so if I have already access using Protonvpn, I will not use other VPN provider .
So I make multi disp-Proton-AppVM.
For example I set firewall of the US Protonvpn endpoint and run nmcli command in one disp-proton-AppVM, set France other disp-Proton-AppVM before change disposable.
If I must change other VPN server, I change template of Protonvpn Qube(This is AppVM made from disp-Proton-AppVM, not Hardened Protonvpn template!) to France disp-Proton-AppVM from US disp-Proton-AppVM.

Is my thinking model right?

1 Like

You are describing creating one VM for each WireGuard configuration, and then using them as needed with AppVMs? If that’s what you mean, then yes, I settled on this.

I had never used NetworkManager, nmcli, etc prior to reading the guide by @solene - and I feel kinda foolish now. The handling of WireGuard is SO much smoother this way, I’ve been ripping out OpenVPN every time I come across any Linux instance anywhere in my systems that is still using it.

1 Like