Mullvad GUI App in Qubes

This is my first post and also first guide. Welcoming critiques from those more experienced!

I read that some people were having trouble getting WireGuard to work with the Mullvad GUI App, so I took a stab at it, and it was just a matter of following an existing Mullvad guide for Qubes to forward DNS requests properly for WireGuard.

Here is a detailed guide, command by command:

In a debian-11-minimal template (with qubes-core-agent-passwordless-root already installed):

sudo apt install --no-install-recommends wget qubes-core-agent-networking libnss3 libasound2 iproute2 qubes-core-agent-network-manager wireguard openresolv
export https_proxy=http://127.0.0.1:8082 && export http_proxy=http://127.0.0.1:8082
wget https://mullvad.net/media/mullvad-code-signing.asc
gpg --import mullvad-code-signing.asc
gpg --edit-key A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF

In gpg:
trust
5 ## sets to ultimate trust!
y
q

Now verify & install Mullvad:
wget --trust-server-names https://mullvad.net/download/app/deb/latest
wget --trust-server-names https://mullvad.net/download/app/deb/latest/signature
gpg --verify MullvadVPN-20xx.x_amd64.deb.asc ## make sure you get a good signature
sudo apt install -y ./MullvadVPN-20xx.x_amd64.deb

Create a networking app-hvm based on this template & add the network-manager service.
Boot it and add these rules to /rw/config/qubes-firewall-user-script:

virtualif=10.137.0.xx ## replace 10.137.0.xx with the IP address of your vif interface (IP of qube in qube-manager)
vpndns1=10.64.0.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

Reboot. Should work now. Test an app-vm networked to it.
You also probably want to add the Mullvad root directory to the bind-dirs config to make it persistent and save your login/settings:

sudo mkdir -p /rw/config/qubes-bind-dirs.d
Add binds+=( '/etc/mullvad-vpn' ) to /rw/config/qubes-bind-dirs.d/50_user.conf

Reboot and it will be persistent.

NOTE: As many have commented, including Mullvad, the app has had bugs and will have bugs… so it is decidedly safer to use a .conf file and another method such as qtunnel. My recommendation is to run the Mullvad app behind a qtunnel qube, just in case it does leak, and this will give you an extra wg hop, too.

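The "make sure you get a good signature" step above can be made fail-closed. This is an added example, not part of the original post: it reads GnuPG's machine-readable `--status-fd` output and accepts the package only if the signature's primary key is the fingerprint the guide passes to `gpg --edit-key`. The function names are illustrative, and the .deb and .asc paths are given as arguments.

```sh
#!/bin/sh
# Added example (not from the original post): pin the signing key by
# fingerprint instead of eyeballing gpg's "Good signature" line.
# Fingerprint taken from the guide's `gpg --edit-key` step.
MULLVAD_FPR=A1198702FC3E0A09A9AE5B75D5A1D4F266DE8DDF

# status_is_trusted STATUS_TEXT EXPECTED_FPR
# STATUS_TEXT is the output of `gpg --status-fd`. Succeeds only when a
# VALIDSIG line names EXPECTED_FPR as primary key (its last field) and
# no bad, errored, expired or revoked signature status is present.
status_is_trusted() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPSIG" ||
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && toupper($NF) == toupper(want) { good = 1 }
        END { exit (good && !bad) ? 0 : 1 }'
}

# verify_deb DEB SIG
# Runs gpg on the detached signature and applies the check above.
# gpg's own exit code is ignored; only the parsed status decides.
verify_deb() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || :
    status_is_trusted "$status" "$MULLVAD_FPR"
}

# Usage: sh <this script> MullvadVPN-20xx.x_amd64.deb MullvadVPN-20xx.x_amd64.deb.asc
if [ "$#" -eq 2 ]; then
    if verify_deb "$1" "$2"; then
        echo "OK: valid signature from $MULLVAD_FPR"
    else
        echo "REFUSING: no valid signature from $MULLVAD_FPR" >&2
        exit 1
    fi
fi
```

A signature made by any other key in the keyring is rejected even though gpg would print "Good signature" for it, and the result does not depend on the owner-trust level set on the key.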