Ok, lets try.
- Create new template based on Fedora/Debian template. For example
qvm-clone fedora-33 mullvad-template. Start the shell in new template. - Copy the Mullvad installation .rpm to your template (download it with internet-connected appvm, verify signature, copy using Qubes tools (right-clock, copy to other appvm → mullvad-template)
- In the mullvad-template, convince the OS to install unsigned .rpm (at least the last time I tried it was unsigned). So something like
sudo rpm -ivh --nosignature MullvadVPN-2021.4_x86_64.rpm. Most likely some packages are missing, butrpmshould tell you. For examplesudo dnf install libXScrnSaver libnsl. The .rpm doesn’t have rpm signature, but the binary was verified with gnupg in the previous step. - Shut down the template.
- Next, create new appvm based on this template. Nothing special here, just normal appvm based on
mullvad-templatein this example. In the Advanced tab, click “provides networking”. In the services tab, addnetwork-servicewith the + button. - In the appvm, configure bind-dirs for
/etc/mullvad-vpnas explained here. Reboot. - In the appvm, start the GUI
/opt/Mullvad VPN/mullvad-gui. Configure it to your taste. Click “Lauch app on start-up” in the Preferences.
When I tried this, both wireguard and openvpn worked, but for me the wireguard hangs every now and then. Probably some network interface issue, not related to Qubes / Linux.
Now you can assign this new network-providing appvm to any client you want to use VPN.
You could make the appvm as standalone (skipping the template creation, and installing .rpm directly to standalone appvm, and no need to configure bind-dirs), but with this procedure you can create more VPN appvm’s that can run at the same time, all deriving from the common template mullvad-template.
Maybe I forgot something, so please try it out and let me know how it went.