Mullvad VPN App 4.3 (and 4.2) setup guide

Community Guides
181

Thanks again @solene for this :pray: similar with Proton VPN I could not get this to work in Debian 13, but succeeded with a Fedora 42 Template, except instead of

I installed the Mullvad App in the Fedora 42 Template and made the sys-mullvad-app be the Service Qube. At first I kept having DNS issues in the App Qube, but that was because I overlooked this line:

Perhaps re-phrasing this as sudo dnf install inotify-tools would save some people (like me :woman_facepalming:) time in accidentally missing things?

Everything seemed to work except for saving of the account login code, but after doing this suggested fix, it saves the login code.

182

With the latest release of the Mullvad app it appaers they have removed ability to select a port to connect to on the Wireguard server. Which makes using the Qubes Firewall editor in the QUbes manager a no-go without listing all potential ports used by Mullvad

Is there a way when using the “kill switch” nft rules to allow the VMs behind sys-vpn-mullvad-app to access specific RFC1918 ip address ranges (when VPN is off) so I can do data transfer?

Previously I was using 3 rules via the qubes manager

any to port_number  udp  # vpn to connect
any to port_number tcp # vpn to connect
rfc1918 to any any   # be able to reach my home systems when VPN is disconnected
183

It’s still possible, they just moved it inside the “Anti-censorship” submenu for some reason.

1 Like
184

In case it’s helpful for others, here’s the steps I took to get Mullvad VPN app working in a dedicated appVM using Fedora 42 minimal:

  • Create new template from unaltered Fedora 42 minimal template, open root terminal
$ sudo dnf install qubes-core-agent-networking qubes-core-agent-network-manager qubes-core-agent-dom0-updates network-manager-applet
  • You’ll need to type “y” and then hit Enter to proceed
  • Bind directories for Mullvad’s configurations
$ sudo mkdir -p /etc/qubes-bind-dirs.d
$ echo 'binds+=( '\'''/etc/mullvad-vpn''\'' )' | sudo tee /etc/qubes-bind-dirs.d/50_user.conf

$ sudo dnf config-manager addrepo --from-repofile=https://repository.mullvad.net/rpm/stable/mullvad.repo
$ sudo dnf install mullvad-vpn

$ nano /etc/systemd/system/dnat-to-ns.service

Paste below:

[Unit]
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns
StartLimitIntervalSec=0

[Service]
Type=oneshot
ExecStart=/usr/bin/systemctl restart systemd-resolved
ExecStart=/usr/lib/qubes/qubes-setup-dnat-to-ns

$ nano /etc/systemd/system/dnat-to-ns.path

Paste below:

[Unit]
Description=Run /usr/lib/qubes/qubes-setup-dnat-to-ns when /etc/resolv.conf changes

[Path]
PathChanged=/etc/resolv.conf
Unit=dnat-to-ns.service

[Install]
WantedBy=multi-user.target

$ sudo mkdir -p /etc/systemd/system/systemd-resolved.conf.d/
$ nano /etc/systemd/system/systemd-resolved.conf.d/override.conf
  • Paste below:
[Unit]
StartLimitIntervalSec=0

$ sudo systemctl enable dnat-to-ns.path
  • Shutdown template
  • Create new AppVM using the template created above, with networking = sys-firewall and CHECK “launch settings after creation” and CHECK “Provides network access to other qubes” in “Advanced”
  • Qube settings (leave everything else as-is);
    • Check “Start qube automatically on boot”
    • Private storage size = 5GB
    • Advanced: Uncheck “include in memory balancing” (leave initial mem at 400 and 2 CPU)
    • Services: add “network-manager” and “qubes-firewall”
    • Applications: add “Mullvad VPN”
  • Start Mullvad appVM, log into Mullvad VPN and configure settings, then configure other appVMs to use the Mullvad AppVM as network
1 Like
185

Hi. I just tried installing the qubes-core components on the minimal templates terminal but, no matter what, it won’t accept the password - even if I enter the correct one, even if I enter the root password.

186

Never mind. I found a way around it. I followed the rest of the instructions and successfully set up the VPN but, for some reason, my browser (connected to the vpn qube) isn’t reaching online. Could I have miss anything?

187

What was the “way around it”? Might be helpful for other users, or perhaps the instructions could be made more clear!

As for your browser not going online, in Mullvad VPN app, go to Settings > VPN Settings > enable “Local network sharing”. Did you try that? Does the Mullvap VPN app show as “Connected”?

188

Try setting socks5, 10.8.0.1 or 10.64.0.1 on port 1080 in your browser.

189

@solene Can qvm-firewall work with the application? I don’t understand how to add an ip for connecting an application when starting sys-vpn: I can add ip of the need servers when app is already running, but how can I add a rule to sys-firewall for connecting to an app when starting sys-vpn, because I need Internet to connect?

190

It’s certainly possible to add firewall rules when using the app but it will be really loose. I didn’t do the work to figure ports and IP with mullvad. But with Proton I ended up opening ports 443 in TCP and udp…

1 Like
191

I also have Proton app. Could you add a guide on using the app vpn (Proton or other app) and qvm‑firewall to your guide please? I’m afraid I will do something wrong, and I’m having internet problems when I try to do it correctly. Thank you

192

I wasn’t able to figure a proper list of IPs to allow that is certain to work with all features.

If you use the killswitch firewall rules within the vpn qube

# Prevent the qube to forward traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

This should guarantee that no qube using it as a netvm will have traffic routed outside a VPN. Having firewall rules for the vpn qube itself does not bring too much, a breached app could use a VPN tunnel to exfiltrate data anyway.

193

I added several Proton server IPs and it works great when I connect, disconnect, and reconnect in the same location. However, if I change locations, internet drops and app can’t connect until I disable qvm‑firewall. Could you help me with this problem? What do I need to add to qvm‑firewall so it works when switching locations?

194

You’re writing it in guide, and I’d like to have maximum firewall protection. Help please :slightly_smiling_face:

195

Sorry I kept you waiting. By “way around it”, I went to https://duck.ai to ask how I can perform any sudo actions on a minimal template and was told I can run qvm-run -u root <template_name> <command> to do it.

Edit: Correction. I run qvm-run -u root <template_name> xterm to open a terminal in the template then run the rest of my commands there.

As for the VPN, I just switched on “Local network sharing” and it’s finally working. Thanks!

1 Like
196

I edited the guide to align with recent upstream changes and to update some outdated parts:

  • Removed the mention of OpenVPN, which was removed from the app in version 2025.14
  • Updated the link to the official Mullvad guide.
  • Renamed the MTU section to something generic since the app is now WireGuard only.
  • Changed the template to Fedora 42.
  • Added a mention of 4.3 to the introduction.
5 Likes
197

maybe a dumb question, but is there a specific reason why standalones are the method of choice for VPN Apps instead of installing it on a template and running it in its own AppVM?

1 Like
198

Hello, maybe a stupid question but my Mullvad install (with this guide) doesn’t seem to work too well with the Windows qubes I have. Perhaps it is due to them being Win11 or due to the general shakiness of the net stack seeing as even restarting the net cube for the windows qube seems to cause it getting confused and requiring a restart.

Could somebody perhaps suggest how I may go about troubleshooting this issue?

199

What do you mean by « doesn’t work too well »?

200

I do not favor standalones in this case, but always generate a template
to hold the VPN software. This allows for general VPN proxy
configuration, as well as single use VPN set up.
So “method of choice” is overstated.

In the Mullvad package I provide, I do exactly this - a template to hold
the software, a sys-mullvad for general use, and disposables which can
be used for Mullvad Browser, or for single use VPN.
source and packaged

On a general note I very rarely favor standalones over template based
qubes. I see little advantage, and templating gives overall benefits
imo.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

2 Likes