New user, confused on VPN stuffs

Hi all,

I am having some trouble as a Qubes/Linux novice. I know how to @DuckDuckGo/Googler. Yes I RTFM, over and over, and will continue to until it makes sense. I am not a rocket philosopher or a drooling idiot (right now anyways). This is my humble request for a mentor or 20.

My goal is to setup a WireGuard VPN to my provider and a disposable VM for all VPN related connectivity. I am confused on the instructions provided by the docs as it seems I’m either inept or too ignorant (most likely) to understand the instructions. I would truly appreciate some hand holding here. I will be as specific as I am able. I am determined to learn, get away from Winblows for my daily driver, and stop being a moron online with my privacy. My Linux experience is limited to the enterprise environment (all one-off systems) – mainly Debian/CentOS with the simplest sys-admin responsibilities. Like checking on hardware status, searching conf files, deleting home folders for the lawls, etc. I should really invest some time into learning how to “Hello Kitty” a linux box…

Safely connect to websites/APIs that actively block Tor connectivity. I would like to use my “trusted” VPN provider via the WireGuard protocol. OpenVPN is fine, but I want to push myself to learn new things.

I assume the traffic flow would be:
MyDumbAppHere ==> AppVM ==> vpn-wireguard-provider (+on at boot?) ==> sys-firewall ==> sys-net ==> dom0 ==> NIC ==> Interbawls?

If that assumption is correct, I need to create ‘vpn-wireguard-provider’ but I don’t know if it needs to be an AppVM or a TemplateVM. I may want multiple VPN tunnels, so I assume TemplateVM. How do I handle multiple VPN tunnels? I.E. I want one set of DispVMs to use Iceland and a different DispVMs to use Mexico City. Is this multiple TemplateVMs (one per tunnel)?

I hope my ignorance isn’t too cringy and appreciate any help you can provide.

Welcome :slight_smile:

Great choice, qubes should be perfect for this.

This is not critically necessary to use qubes, but qubes helps a lot when learning linux as you can fuck up an endless number of vms without impacting your operation. Wanna try something on a productive system? Copy production qube, brick it (or not) and delete the old one/bricked one.

You need to install wireguard in the template, as only ~/ and some other user level directories are persistent across reboots of AppVMs.

Then create AppVMs (that have the “provides network” option set in the Settings).

Create an AppVM for every VPN you have. Then you can set the netvm in your dvm template to the individual vpn qubes.

This assumption is correct. Regarding the (+on at boot): You can set configure your qubes to autostart at boot, but it is not really necessary imo. If you start a qube, all netvms will start too. For example if i disable all qubes autostart and start a whonix disposable, sys-net, sys-firewall and sys-whonix will start automatically. Those netvms will keep running if your “source” qube gets shutdown.

As you are new to qubes here are some information about qubes as this might be confusing at first.

Templates: Full persistence across everything.

Standalones: As Templates, persistence.

AppVMs: Inherit everything from the Template, but overwrite ~/home and some other user related directories. Those are persistent across reboots. Installed software with the package manager will get lost after rebooting because of this.

DVM: disposable vm template. Those are internally AppVMs that have a flag “can be used as a disp template” set.

Note that you cannot set this flag in the qube manager gui. So if you want to create your own disp templates, copy an existing one and switch the base template, or use the command line in dom0 to set the flag with qvm-prefs <your-dvm> template_for_dispvms True

Disposable: Is an AppVM that is only temporary and will get wiped upon shutdown. It is a copy of your DVM

Oh and one thing:
Using VPNs after Tor… is tricky to do right, depending on threat model. However if your only adversary is the common surveillance capitalism, aka advertisement bullshit, then you are more or less safe with that, if it works. read about some ppl here having problems with that setup.


This has been very confusing. Thank you! I was getting the impressions (from the Docs) that this was an advanced thing and should only be done in the most specific of circumstances.

I think we are saying the same thing :slight_smile:

That makes sense. I wasn’t sure if that was an automatic thing or not. Every day I’m more and more impressed with this OS and where it has come from.

I thought so, just trying to wrap my head around which VM is important for specific things (i.e. configs, installed apps, etc). Which is still a little confusing at times depending on my perspective.

Yeah… that’s just asking for trouble. Not my goal at all. I’ll probe well in advance and with (what I think) are proper precautions. This would be in parallel/seperate from Tor connectivity. I really only want to hide from capitalist orgs. I’m not educated enough to know how or have the inclination to hide from governments.

P.S. Is there an IRC/BBS (showing my age here) for newbies like me to ask really dumb questions? More specifically, that don’t block Tor?

Thanks so much for the reply and guidance!

For the sake of helping myself, what is the easiest way to get a screenshot from dom0 to here?

Actually you can, and the only command upon this that might be needed to execute in dom0’s terminal is

$ qvm-features <my-dvm-template> appmenus-dispvm 1

Tha’ts confusing. I can set in GUI but I have to use Terminal?

This is one of the many safety Qubes features. I am ex-Windows user too, and started only recently with Qubes and Linux. One of the first things I determined to do is to say goodbye to my conformism in using secure OS, reasonably as Qubes is if I want to digitally survive.

It is advised for different "issues’ and issues always to create separate topics, due to better visibility so other users could find the answer easier.

Acknowledged. Thank you for the course correction.

For those stumbling across this in the future:

Copy to AppVM you are using to post a message on here.


Yes. You can either type both commands in terminal upon creating app qube, or the way I stated: using GUI instead of the first command (because I create qubes (VMs) via GUI Qube Manager, and when I am already there, I just check this option too).
I just wanted to point that it is not correct that you cannot do create disposable template by checking this option. You can, and it’ll work, but if you want to use disposable qubes based on dvm-template (so called dispxxx), you would have to execute the other command in terminal.

Can you elaborate on this please?

I’d like to, but I need to know what isn’t already clear enough?

1 Like

Oh i found it! Thanks! Have not found it when i was searching it a while back so i just used the terminal…

Well, not really. It is in the advanced tab, but i would not say this is advanced stuff but just normal “one usually wants disposable with different netvms” use case scenarios.

So config usually is in the AppVM/DVM-Template. In linux there are multiple locations for configuration.
Some applications have their config in /etc/, which is Template territory, and others have it in ~/.config/ which is AppVM/DVM-Template territory.

I am not aware of an IRC, but there is an unofficial matrix room, and all matrix homeservers (i care about) accept Tor users. You will find it by searching for QubesOS.

You can just create a normal screenshot. This is saved in ~/Pictures/. You can transfer it to any qube with qvm-copy-to-vm <qube> <file>

1 Like

Gotcha. It’s like someone thought this out…

This is exactly the difficult part new qubes user get fed up with.

So Disposable: Your disp1234 machines, that have no persistence.
Those are started internally by launching a copy of your disposable template (for example whonix-ws-16-dvm).
This is usually what one wants to use productively.
The menu items are created with the command @enmus mentioned.

DVM: The AppVM that is the template. Sometimes you want to run the template itseld instead of those volatile childs to set config or whatever for your disp1234 qubes.
They have their own menu entry.

So you have one qube, the disposable template, that created 2 menu entries. One for the disposable, fully volatile childs, and one for running the template itself with ~/ persistence.

Sorry for being so dense. Are you saying that I\ would need to execute the install commands on the DispVM?

Clear as mud. Kidding of course. That’s a total re-wire of my brain. makes a lot of sense tho.

I will explain it with a practical example.

Your whonix disposables.

disp1234 is the actual volatile disposable qube that runs usually your Tor browser and you browse with it.

It is created by launching a copy of whonix-ws-16-dvm. That one is the disposable template. Internally just an AppVM that has the flag the system knows that you want to spawn those disp1234 things out of it, and create the additional menu item for doing so (with the command line unfortunately)

This whonix-ws-16-dvm inherits the main system from its template, whonix-ws-16.

So say you want to do 2 things:

  1. You want to have libreoffice installed in all your whonix disp1234 qubes.
  2. You want a picure of Stallman in your home directory.

You would have to:

  1. Launch the template of your disp-template (whonix-ws-16), to install libreoffice there, as it is part of the system.
  2. Launch the dispVM-template (whonix-ws-16-dvm) and store your stallman picture in the home there

Then you can launch your disposables (disp1234) and find the picture in your home directory, that is inherited from the disposable-template, and the application libre-office, which is inherited from the base template.

If you install your libreoffice in your disposable-template (whonix-ws-16-svm) it will not be persistent, as it is installed outside of ~/.

If you store your stallman picture in the home directory of your base template (whonix-ws-16) it will get overwritten by the home directory of your disposable-template, when you launch your actual disposables (disp1234).

1 Like

No problem. Remember, I know where are your confusion comes from, most probably. I am an ex-Windows user.
I think, as @Suspicious_Actions already told you, disposables are somewhat advanced. and I’d stop here if I were you, because we deal here with the term almost unknown in Windows:


Once you are sure what does this mean in terms of Qubes and Linux, everything will be easier later, especially with disposables.

Yeah this disposbale setup is really radical at first. I think everybody is confused with that at first, but it makes sense when one gets it once :slight_smile:

Better start with thinking about how AppVMs work, and after understanding that, you can simply “add the disposable” mechanism in your mind, by thinking “disposables are just copies of AppVMs that now are called disposable-templates or DVMs” and you get the dvm-template approach.

Think of a disposable as a prepaid SIM. You buy it for one call, and you trash it, and buy another one for the next call. All the time you are using mobile phone’s “dvm-template” infrastructure, but each time you have another SIM number thus being (theoretically) more secure because no additional charges (damage to your computer system) can be done to your account, and if you reset your phone to factory defaults, no traces of using previous SIM card can be evidenced. Your “dvm-template” mobile phone is using your mobile provider’s “template” infrastructure by connecting to it (dvm-template based on a template). What you get by this are automated settings for Wifi, GSM, etc, you know the process.

Does this banal analogy makes sense at all, or it brings additional confusion. Please let me know if so, so I could delete the content of this post. Please apologize if sounds offending, it’s not my intention, but to introduce you as fast as possible to the matter, not knowing your pre-knowledge.

1 Like