I created a AppVM, mullvad-vpn, where I installed Mullvad. I configured the Wireguard connection using CLI and bind-dirs /etc/mullvad-vpn to make the configuration persistent. This works as I had hoped. Whenever this AppVM starts Mullvad automatically connects and I can browse the internet using this AppVM’s Firefox browser. However, I want to use this AppVM as a NetVM for other Qubes, e.g. qube-a. In Qubes Manager, I set qube-a's NetVM to be mullvad-vpn. But when trying to connect to any website from qube-a's Firefox the wheel just keeps on spinning and no connection is made. Note that I enabled network-manager service for mullvad-vpn and so far I did not add any firewall rules. Did I do anything wrong? Any advice?
I was having similar problems just the other day. I posted this thread (with no replies) Wireguard in Qubes 4.1
I just changed to HVM and it worked… so thank you! But I also noticed that, unlike OpenVPN, I also need Network Manager enabled in my VPN proxy VM. So both HVM virtualization and Network Manager seem to be necessary to get my AppVM browser to connect via Wireguard through my proxy VM.
OpenVPN seems to work for both PVH and HVM - with or without Network Manager (obviously if I don’t set up my VPN using Network Manager).
So the million dollar question… do you have Network Manager enabled in the VM that is providing the Wireguard network to your browser?
Yes, the VPN proxy VM is using HVM and has the network manager enabled. However, it does not work 100% of the time. Feels more like hit or miss… Accessing the internet from within the proxy VM always works but not necessarily in my app VMs…
@robblink_akker Wireguard connectivity has been hit and miss for me as well. Support says it should 100% work. Try an HVM standalone instead of using bind-dirs. That’s Mullvad’s official recommendation for Qubes VMs and it seems to work the best. The CLI multihop works well too but you need to edit the multihop port and the endpoint public key with the key listed on their server page. I also set the browser proxy to run through another wireguard hop via socks5. So it allows for a “triple hop”. Good luck.