Mullvad VPN App 4.2 setup guide

sparks · December 14, 2025, 10:38am

Thanks again @solene for this similar with Proton VPN I could not get this to work in Debian 13, but succeeded with a Fedora 42 Template, except instead of

I installed the Mullvad App in the Fedora 42 Template and made the sys-mullvad-app be the Service Qube. At first I kept having DNS issues in the App Qube, but that was because I overlooked this line:

Perhaps re-phrasing this as sudo dnf install inotify-tools would save some people (like me ) time in accidentally missing things?

Everything seemed to work except for saving of the account login code, but after doing this suggested fix, it saves the login code.

onoffonoff · December 16, 2025, 3:55pm

With the latest release of the Mullvad app it appaers they have removed ability to select a port to connect to on the Wireguard server. Which makes using the Qubes Firewall editor in the QUbes manager a no-go without listing all potential ports used by Mullvad

Is there a way when using the “kill switch” nft rules to allow the VMs behind sys-vpn-mullvad-app to access specific RFC1918 ip address ranges (when VPN is off) so I can do data transfer?

Previously I was using 3 rules via the qubes manager

any to port_number  udp  # vpn to connect
any to port_number tcp # vpn to connect
rfc1918 to any any   # be able to reach my home systems when VPN is disconnected

DVM · December 18, 2025, 10:56am

It’s still possible, they just moved it inside the “Anti-censorship” submenu for some reason.

Lilly7585 · December 30, 2025, 10:42am

In case it’s helpful for others, here’s the steps I took to get Mullvad VPN app working in a dedicated appVM using Fedora 42 minimal:

Create new template from unaltered Fedora 42 minimal template, open root terminal

$ sudo dnf install qubes-core-agent-networking qubes-core-agent-network-manager qubes-core-agent-dom0-updates network-manager-applet

You’ll need to type “y” and then hit Enter to proceed
Bind directories for Mullvad’s configurations

$ sudo mkdir -p /etc/qubes-bind-dirs.d
$ echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf

From Using Mullvad VPN on Qubes OS | PrivSec - A practical approach to Privacy and Security
Install Mullvad VPN;

$ sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
$ sudo dnf install mullvad-vpn

You’ll need to type “y” and enter to proceed at some point
Fix DNS issues (see here: Using Mullvad VPN on Qubes OS | PrivSec - A practical approach to Privacy and Security)

$ nano /etc/systemd/system/dnat-to-ns.service

Paste below:

[Unit]
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns
StartLimitIntervalSec=0

[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl restart systemd-resolved
ExecStart=/usr/lib/qubes/qubes-setup-dnat-to-ns

$ nano /etc/systemd/system/dnat-to-ns.path

Paste below:

[Unit]
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns when /etc/resolv.conf changes

[Path]
PathChanged=/etc/resolv.conf
Unit=dnat-to-ns.service

[Install]
WantedBy=multi-user.target

$ sudo mkdir -p /etc/systemd/system/systemd-resolved.conf.d/
$ nano /etc/systemd/system/systemd-resolved.conf.d/override.conf

Paste below:

[Unit]
StartLimitIntervalSec=0

$ sudo systemctl enable dnat-to-ns.path

Shutdown template
Create new AppVM using the template created above, with networking = sys-firewall and CHECK “launch settings after creation” and CHECK “Provides network access to other qubes” in “Advanced”
Qube settings (leave everything else as-is);
- Check “Start qube automatically on boot”
- Private storage size = 5GB
- Advanced: Uncheck “include in memory balancing” (leave initial mem at 400 and 2 CPU)
- Services: add “network-manager” and “qubes-firewall”
- Applications: add “Mullvad VPN”
Start Mullvad appVM, log into Mullvad VPN and configure settings, then configure other appVMs to use the Mullvad AppVM as network