Mullvad VPN qube using qubes-task DNS problem

I am using qubes version 4.2.2. I set up qubes-task and installed the mullvad qube. I connected the new sys-mullvad to my sys-firewall to access the internet, and then made it the net qube for my personal qube (debian 12). My personal qube can ping servers, but I cannot reach any website from a browser, so I assume it is a DNS problem (I am using librewolf with DNS over HTTPS turned off). The sys-mullvad qube can connect to VPN servers fine, it’s just when I try to use my personal qube I can’t reach anything. Other guides I have found are using fedora templates instead of the debian 12 minimal that is used by qubes-task. Is there any documentation or user guides that can help me make sure my personal qube is using mullvad’s DNS?

I’m having the same problem and suspect the script below would solve it, but I haven’t yet looked closely at @unman’s setup. DNS from the mullvad-dvm dispVMs was working when I first installed, but seems to have broken after recent updates. I can ping IPs from upstream of sys-mullvad, but I cannot ping URLs.

sudo nft list table qubes in sys-mullvad displays the following rules in the dnat-dns chain:

tcp dport 53 dnat to 10.64.0.1
udp dport 53 dnat to 10.64.0.1

which seems like it should work. By contrast, the above script would instead create the following rules in the same chain, specifically dnat-ing the destination addresses as well as the destination ports:

ip daddr 10.139.1.0/30 tcp dport 53 counter packets 0 dnat to $mullvad_dns_ip
ip daddr 10.139.1.0/30 udp dport 53 counter packets 0 dnat to $mullvad_dns_ip

Do you have any DNS blocking selected in the Mullvad VPN app? When I unselected each of the toggles under “VPN settings > DNS content blocking” in the app, sys-mullvad began forwarding all of my upstream DNS requests again. As noted above, 10.64.0.1 is hardcoded as the DNS address in the sys-mullvad firewall, but Mullvad uses different DNS addresses for blocking. See the following for more info:

You can use this:

Or this:

To fix DNS.

I have all of the DNS blocking turned off. I’ll test the script in a bit and see if it works. Thanks!

I saw these. If I can’t get this set up to work I’ll probably end up going with one of these guides.

Also check if setting VPN Settings > Tunnel Protocol to WireGuard makes a difference. OpenVPN uses 10.8.0.1 for DNS, not 10.64.0.1.
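
A check for the mismatch discussed in the posts above, as an added example that is not part of any post or of the qubes-task package: it parses nft output for port-53 DNAT rules and compares each target with the resolver you expect the tunnel to use (10.64.0.1 for WireGuard, 10.8.0.1 for OpenVPN, per the thread). The function names and the sample ruleset are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): verify where sys-mullvad DNATs DNS.

# Print the unique DNAT targets of port-53 rules in nft output read from stdin.
dnat_dns_targets() {
    awk '
        /dport 53( |$)/ {
            for (i = 1; i < NF; i++)
                if ($i == "dnat" && $(i + 1) == "to") {
                    t = $(i + 2)
                    # Drop an optional :port suffix from an IPv4 target.
                    if (t ~ /^[0-9.]+:[0-9]+$/) sub(/:[0-9]+$/, "", t)
                    if (t != "" && !(t in seen)) { seen[t] = 1; print t }
                }
        }'
}

# Exit 0 if every port-53 DNAT rule targets $1, 1 on any mismatch,
# 2 if no such rule exists. Reads nft output from stdin.
check_dns_dnat() {
    cdd_expected=$1
    cdd_rc=0
    cdd_targets=$(dnat_dns_targets)
    if [ -z "$cdd_targets" ]; then
        echo "no port-53 DNAT rule found"
        return 2
    fi
    for cdd_t in $cdd_targets; do
        if [ "$cdd_t" = "$cdd_expected" ]; then
            echo "ok: DNS is DNATed to $cdd_t"
        else
            echo "mismatch: DNS is DNATed to $cdd_t, expected $cdd_expected"
            cdd_rc=1
        fi
    done
    return "$cdd_rc"
}

# Constructed sample, trimmed to the two dnat-dns rules quoted in the thread.
SAMPLE_RULES='table ip qubes {
	chain dnat-dns {
		tcp dport 53 dnat to 10.64.0.1
		udp dport 53 dnat to 10.64.0.1
	}
}'

# Demo on the sample; in sys-mullvad, feed it the live ruleset instead:
#   sudo nft list table qubes | check_dns_dnat 10.64.0.1
printf '%s\n' "$SAMPLE_RULES" | check_dns_dnat 10.64.0.1
```

A mismatch result means downstream qubes have their DNS redirected to an address other than the one passed in, which matches the symptom of pings to IPs working while name resolution fails.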

Most people I know who are using the package don't have issues once
they switch off (as recommended) Secure DNS in the Browser, so that DNS
is handled by sys-mullvad.
I’d be interested to know if this doesn’t work for you, and we can dig in
to that.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.

I had Secure DNS switched off in the browser because I assumed that was the problem. I still couldn’t get DNS to work in my personal qube. I could ping DNS servers like cloudflare or google, but nothing worked when pinging a domain. In the terminal for sys-mullvad I could ping domains and it would resolve. Also the mullvad browser did not work for me either. The dispVM would start and then shut down without opening the browser at all. I ended up going with the privsec guide as I’ve been stuck without a VPN for a bit with these problems, but if there is anything I can do to help solve them let me know.

This suggests that your install failed at the “configure” stage, since
it’s there that the browser in dispvm stage is fixed.
If you still have the qubes hanging about, you could check this by
looking in .local/share/applications/mullvad-browser.sls in the
disposable template.

If the install failed (and it obviously did), then you would have seen
this in the output. I don't have other reports of this failing without
notice, and browsers and ping work for other users.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.