(Looking for) Best Practice Guide: Using OpenVPN for Hack The Box / TryHackMe on Qubes OS

General Discussion
1

Hello everyone,

I am looking for a detailed, up-to-date guide on how to correctly set up and use OpenVPN on Qubes OS specifically for cybersecurity training platforms such as Hack The Box (HTB) and TryHackMe (THM).

I have already reviewed several existing VPN-related guides for Qubes OS (including general OpenVPN and networking documentation), but I have not been able to get a reliable, working setup for this particular use case. Most guides seem to be either too generic, outdated, or not focused on how these platforms actually expect the VPN to behave.

What I am trying to achieve:

  • A clean and secure VPN setup using OpenVPN
  • Proper separation of qubes (e.g., VPN qube, work qube, sys-firewall/sys-net interaction)
  • Stable connectivity to HTB / THM labs
  • Correct routing and DNS behavior
  • Understanding common pitfalls (tun interface issues, firewall rules, split tunneling, etc.)

What kind of responses I’m hoping for:

  • Step-by-step guidance (or a reference to a reliable guide)
  • Recommended qube architecture for this scenario
  • Troubleshooting tips for common OpenVPN issues on Qubes
  • Any security considerations specific to these platforms

If there is already a recommended or canonical approach for this use case, I would appreciate being pointed in the right direction.

Thank you in advance for your time and guidance.

1 Like
2

@solene

3

I have moved this away from all-around-qubes, since jt’s actually about Qubes. I also edited the title to make it clear this is a request and not an actual guide.

3 Likes
4

You can use my wireguard guide, just replace wireguard config by openvpn config in network manager. This take care of DNS, firewall and everything.

To go further, add a sys-firewall-vpn qube between the appvms and the VPN qube. It’s just a disposable providing network.

3 Likes
5

From what I have seen, sometimes these CTFs onky provide openvpn configurations. But you also have one for that. In terms of debugging maybe it would be useful if you could give these guides a shot and comment under the guide what specific problems you have and we can go from there.

3 Likes
6

Sure. I already tested this.

With Hack The Box, the default OpenVPN profile works correctly when imported via NetworkManager using:
nmcli connection import type openvpn file labs_username.ovpn

However, with TryHackMe, importing the default download file fails with the following error:

Cannot import VPN connection
The file download could not be read or does not contain recognized VPN connection information
Error: configuration error: unsupported blob/xml element

This suggests a compatibility issue between the THM OpenVPN profile and NetworkManager’s OpenVPN plugin.

I will investigate this further and follow up with more details once I identify the root cause.

1 Like
7

I could be wrong but having the openvpn connection to HTB / THM in a sys-vpn cube will mean that the tun interface will be within these cubes. This will make all your rev shells / metasploit listener very hard to do as they would need to run in the sys-vpn cube

1 Like
8

I think there’s a misunderstanding here.

sys-vpn acts only as a network provider (NetVM).

Even though the tun interface lives there, application qubes routing through sys-vpn still run their own processes locally.

Reverse shells or Metasploit listeners run in the application qube, not in sys-vpn, just like with sys-firewall or sys-whonix. As long as routing and firewall rules allow it, this setup works normally.

2 Likes