Mullvad VPN App 4.2 setup guide

Yes, the script will capture the DNS edited in /etc/resolv.conf and update the nftables rules.

Could you edit the guide to make the change? :slight_smile:

Sure. Do you want me to put in the original script or do you want the more compact idea I talked about in my previous post?

I think using /usr/lib/qubes/qubes-setup-dnat-to-ns is better in case Qubes OS will change something related to DNS handling in the future.

I agree, using the Qubes OS scripts feels less hacky. The compact version would be better IMO :thinking:

I wonder if this is required for Proton VPN as well, it should, right?

Actually, it would be nice if this “dns watch” was a Qubes OS service we could enable in the qube! I’ll file a GitHub issue to request it, and try to figure out an implementation.

I agree that this would be the best script to implement, but I’ve done some testing and while it works fine on Debian, it doesn’t on Fedora. qubes-setup-dnat-to-ns always uses systemd-resolved on Fedora, and only falls back to reading /etc/resolv.conf if it cannot reach the systemd service (which is why it works on Debian, since the service does not exist). This means that the DNS IP is not updated in the nftable dnat-dns chain when changing options in the application, which makes the script useless on Fedora. The original script works on both distributions, so even if it’s not the best, maybe it’s better to use it for now?
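A check for the mismatch described in the post above, as an added example that is not part of the thread or the guide: it compares the nameservers in a resolv.conf file with the `dnat to` targets found in the dnat-dns chain. The function names, the sample addresses and the `ip qubes` table name are assumptions, and all sample data is constructed.

```shell
#!/bin/sh
# Added example; all sample data is constructed, not captured from a real qube.
# Assumption: on a live qube the chain text would come from
#   nft list chain ip qubes dnat-dns

# IPv4 nameservers from a resolv.conf-style file, sorted and de-duplicated.
resolv_nameservers() {
    awk '$1 == "nameserver" && $2 ~ /^[0-9.]+$/ { print $2 }' "$1" | sort -u
}

# Target addresses of every "dnat to" rule in `nft list chain` output (stdin).
dnat_targets() {
    sed -n 's/.*dnat to \([0-9.]*\).*/\1/p' | sort -u
}

# Exit status 0 only when the chain forwards to exactly the configured
# resolvers. $1 = resolv.conf path, $2 = file holding the nft output.
dns_dnat_in_sync() {
    want=$(resolv_nameservers "$1")
    have=$(dnat_targets < "$2")
    [ -n "$want" ] && [ "$want" = "$have" ]
}

# Constructed case: the app switched resolver, the chain still has the old one.
stale_chain_demo() {
    tmp=$(mktemp -d)
    printf '# constructed sample\nnameserver 100.64.0.7\n' > "$tmp/resolv.conf"
    cat > "$tmp/chain.txt" <<'EOF'
table ip qubes {
    chain dnat-dns {
        type nat hook prerouting priority dstnat; policy accept;
        ip daddr 10.139.1.1 udp dport 53 dnat to 10.64.0.1
        ip daddr 10.139.1.1 tcp dport 53 dnat to 10.64.0.1
    }
}
EOF
    if dns_dnat_in_sync "$tmp/resolv.conf" "$tmp/chain.txt"; then
        echo "in-sync"
    else
        echo "STALE: resolv.conf=$(resolv_nameservers "$tmp/resolv.conf")" \
             "chain=$(dnat_targets < "$tmp/chain.txt")"
    fi
    rm -rf "$tmp"
}

stale_chain_demo
```

A stale result means DNS queries from downstream qubes are still being forwarded to the previous resolver address.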

No idea, never used their app and if I remember correctly, they seem to rely on Network Manager anyway. So Qubes should update the IP with the VPN up/down event I guess.

That would be a good idea, yes. It would make a lot of services work out of the box.

Indeed, but the Mullvad VPN app also creates an entry in Network Manager IIRC.

sure, please go ahead :+1:

Probably. They list “network-manager” as supported, but I don’t remember the app using it even when it was enabled.

It’s now available in the guide.


OK, I just used this script and everything is working fine with Fedora 39.
I tested by changing the DNS filters in the app, then restarting the sys-vpn qube; everything works great now.

Insert this script into /rw/config/rc.local:

```
sudo systemctl restart systemd-resolved
sudo /usr/lib/qubes/qubes-setup-dnat-to-ns
```


you just added it and it works? great :thinking: you need to restart the qube when you make changes though, not sure if it’s a big deal for you.

Yeah, that's the only problem. I can live with that, but if the DNS could change on the fly without restarting the qube that would be great. It seems to only affect the DNS filtering in the app that you have to restart the qube.

I have updated the guide with a script that does just that. Check out the “Fix DNS” part to get it.

Ahh nice, I didn't see that. Perfect, thanks.

Did you manage to successfully install the Mullvad app into an AppVM? I tried the guide you shared, but it didn’t work. I also tried this:

```
# Persist the Mullvad app directories across AppVM reboots via bind-dirs
sudo mkdir -p /rw/config/qubes-bind-dirs.d
echo -e "binds+=( '/opt/mullvad-vpn' )\nbinds+=( '/etc/opt/mullvad-vpn' )" | sudo tee /rw/config/qubes-bind-dirs.d/50_user.conf >/dev/null
```

Thanks for this guide :slight_smile:


@curbs94

I updated the post on PrivSec: Using Mullvad VPN on Qubes OS | PrivSec - A practical approach to Privacy and Security

It uses systemd path now :slight_smile:

@solene

I think you might wanna switch to using a systemd path setup instead of inotify and rw/config/rc.local. It will be much cleaner :grin:


I didn’t write that part, feel free to send an update :slight_smile:

I created a Mullvad app qube, but I have problems with the DNS. The same problem that you have described in this guide: ivpn guide. If you have time you can upload the section again for a Mullvad qube? @solene

```
# Patch the IVPN firewall script once: after the line containing -set_dns,
# append commands that refresh the Qubes DNS DNAT rules.
if ! grep "QUBES OS" /opt/ivpn/etc/firewall.sh >/dev/null
then
sudo sed -i '/-set_dns/a\
#QUBES OS - specific operation\
systemctl restart systemd-resolved || echo "Error: systemd-resolved"\
/usr/lib/qubes/qubes-setup-dnat-to-ns || echo "Error: failed to run /usr/lib/qubes/qubes-setup-dnat-to-ns"' /opt/ivpn/etc/firewall.sh
fi
```

Did you try the “Fix DNS” part of the guide?

Yes, it works very well now, but only until the MTU step. Just like the first attempt, after I finished the MTU step, I’ve got the DNS problem again, as before the Fix DNS step. The app itself has an MTU setting. What is the value for this setting?

I also built a kill switch with the qvm firewall. Does it make sense, in addition to the qvm firewall, to configure the kill switch step?