Newer(ish) to Qubes

Hello guys!

I’ve been experimenting with Qubes for a little over a month now and from the little I have done I absolutely love it. I do enjoy Linux a lot however moving over to Qubes was a take back on privacy however there are a few things with Qubes that I just can’t seem to figure out due to the lack of knowledge I have surrounding Linux.

Here’s the thing’s that I have successfully done on my own and have figured out

  1. Managed to figure out how to install programs and keep them persistent after a Qube restart. (Installing in a Template)

  2. Set up Firefox with privacy addons (Trace, Cookie Autodelete, Chameleon, Font Fingerprint, User-Agent Switer, AdNauseam, WebGL, etc.)

  3. Set up Keepass for Work, Personal, and Vault.

  4. Install ZuluCrypt/Mount for Vault

  5. Install ClamTK for scanning files in untrusted environments

The issues that I’m having troubles figuring out or not having clear answers on are these

  1. I’m trying to set up the best anonymity for “Disposable Whonix”. I have figured out how to add a VPN to sys-net but i’m doubtful that’s the most secure way to do it by the documentation but i’m having a bit of trouble understanding that part.

There’s a few things i’m forgetting but i’ll add them as I go.

I apologize for the greenhorn post its just an awesome OS and really looking to learn more with it!

Hi @MoldyTaint, welcome to the Community! I’m glad you like Qubes!

There are a few related topics on this forum, for example, this and this. Note that VPN combined with Whonix is not necessarily more anonymous, it depends on your threat model.

It’s better if you create a new topic for each question, so future users will be able to find answers more quickly.

If you want to make your Qubes more secure, here are some tips and tricks: How to make your Qubes OS more secure (Best Practices) and "Now You're Thinking with Qubes".


Hello @fsflover! First thank-you for the reply, I appreciate it.


The second website is actually the one I was looking at before coming here and making a post. Getting them working together and synced is what kind of makes a a bit mind boggled especially with what form is essentially the most preferred way - dealing wiith my threat model isn’t necessarily the biggest deal at the moment as I’m still playing around with this as the threat model may actively change in the future - which is why I’m trying to prepare ahead of time. Nonetheless either way learning is always a fun topic and I absolutely love the idea of this software and Linux in general.

Even if you are just experimenting and playing around, some sort of threat model is implied. Otherwise, any effort to enhance privacy or anonymity would have no context or relevance. So it’s a good idea to define a threat model if only for testing purposes.

Regarding VPN setups, there are various approaches. You can set it up via Network Manager. You can use a VPN provider app. You can install OpenVPN or Wireguard and manually configure it. etc. Using the VPN provider app is generally the easiest but I personally don’t trust it as much because those apps can be buggy.

I prefer to install openvpn or wireguard in a dedicated VM and manually configure it with a firewall to block non-VPN IP traffic and a script to force DNS requests to use my VPN servers. Then I configure my appVM to use the VPN VM as the netVM.

Check out the Mullvad guide to setting up a VPN in Qubes. Tweak according to your own provider protocol.

You can also check out Micah Lee’s guide for a different approach.

Oh, and regarding Moldy Taint. I’m no expert but I would opt for a hot bath followed by a spray or powder that is formulated for such conditions. ymmv :laughing:

1 Like

For VPN, I recommand RiseUpVPN for your TOR.

Oh, something that is often overlooked. Be sure to use the Tor-compatible TCP via port 443 for your VPN if you are sending Tor packets through your VPN tunnel.

Hey everyone! Sorry for the late replies, I ended up getting a little busy.

To address everyone:

@necker I understand threat models. Hypothetically speaking daily use (Personal, Work) Containers are able to use the proton VPN just fine as there’s nothing being done on there. The VPN is configured on the sys-net through advanced network manager - Regarding TOR/anonymous browsing lets get it as private as it comes - Threat model Speaking out against government has terrible reactions or other things of the sorts. Also, the hot shower, spray is not needed…you see being a misanthropist helps tons. :rofl:

@HPOA909 I have figured out how to use ProtonVPN with openvpn. I’ve used ProtonVPN for a long time now. Thank-you though!

@necker Again - I’m having trouble figuring how to enable the TCP port for 443 for TOR. If you have a reference that is easy to follow that would be awesome!

You’re welcome, mate.

Not advised. sys-net is designed to compartmentalize network hardware (ex. ethernet or wifi card). Unlike application or proxy qubes, it is directly connected to your system hardware which makes the VM vulnerable to certain types of attacks. As such, it’s best to dedicate sys-net to your networking hardware and configure it to provide a network for a sys-firewall VM. And then configure a separate VM for your VPN which uses sys-firewall as a netVM. Then connect your appVM to your VPN VM. This isn’t just a good idea - it is how the developers of Qubes OS recommend setting up a VPN service in Qubes (see documentation).

Tor is already configured to use TCP through port 443. You don’t have a choice. However, your VPN service might default to UDP through some other port or arbitrarily switch between TCP and UDP. So be sure to set your VPN to exclusively use TCP/433 if you want to use your VPN with Tor. Check with your VPN provider for guidance.


That’s the part i’m having trouble wrapping my head around. Creating another VM and connecting them all is what’s confusing me.

It’s coming to the point to where if I’m not able to decipher the documentation any further I’m about to hop on fiver and have a guy walk me through it on a more personal level. I know Qubes isn’t for learners but at the same time I really want to push myself.

That’s precisely who Qubes is for… I assure you, we are all learning here. :slight_smile:

Connecting VMs to form a VM network is easy. Let’s use the example I gave in my last post.

appVM -> vpnVM -> sys-firewall -> sys-net

The appVM runs your browser. vpnVM is configured with your VPN service. sys-firewall protects your browser VM and VPN service VM (in case sys-net is compromised) and it ensures that the traffic to and from your VPN and to and from the internet is managed properly.

To connect those VMs, there is a simple rule based on adjacency. Think of each pair of VMs like links in a chain (ex. sys-firewall -> sys-net forms a link). The VM closest to the internet (on the right) “provides a network” for the VM on the left. (ex. sys-net provides a network for sys-firewall). You need to specify that in the VM settings. In sys-net settings (Qubes Manager → settings → advanced tab) check the box that says “provides network”.

The next step is to configure the VM on the client side of your routing map (on the left). In this example, it’s sys-firewall. So far, we only told Qubes that sys-net provides a network. Now we configure the “netVM” setting in the sys-firewall settings. i.e. choose which VM sys-firewall will use for it’s network connection. In sys-firewall settings (Qubes Manager → settings → basic tab) choose sys-net from the netVM menu.

Now sys-firewall is “connected” to sys-net. When you start sys-firewall, sys-net will automatically start first and make a connection to the internet. Then sys-firewall will connect through sys-net.

Now do the same thing for vpnVM -> sys-firewall and appVM -> vpnVM. i.e. sys-firewall and vpnVM both provide networks. In vpnVM settings, choose sys-firewall as the netVM. In appVM settings, choose vpnVM as the netVM.

When you are done configuring everything, you can simply start your browser app and all four VMs will automatically boot up, beginning with sys-net and connect to the internet.

If you are still confused, just ask.

Hey! Sorry for a late reply, Life gets a little chaotic. You are nothing but a lifesaver. How you explained that was perfect. Between how you explained that, setting that up along with that “Chainlinking” I was able to make a new VM along with naming it sys-VPN and limiting the applications etc. I believe I have everything I need for the basics for thise thanks to you! I have Personal, Work, and Untrusted running through appVM → sys-VPN → sys-FIREWALL → sys-NET. I checked everything one by one and everything is working and changing to the IP’s as expected.

The one thing I’m not understanding is the whonix-ws/whonix-gs. What might be the diffrence between the ws/gs?

Also as the same "chainlinking, what might be the most suitable for the disposable anon running with the VPN as well?

Hey glad that helped!

Whonix is a Linux distribution based on Debian and optimized to connect to Tor. The Whonix workstation template (whonix-ws) is the Whonix version of an appVM template. It has Tor Browser pre-installed. VMs based on that template are optimized to connect to a VM that is based on a Whonix gateway template (whonix-ws) - the Tor version of a proxy VM (similar to sys-vpn, except if connects to Tor). anon-whonix → sys-whonix are the default VMs based on whonix-ws and whonix-gw respectively. They form the backbone of your Tor connection. They are best used “out of the box” without adding additional packages or extensions.

re: “disposable anon”, I assume you mean a disposable version of anon-whonix (whonix-ws). The netVM needs to be a VM based on whonix-gw (ex. sys-whonix). It won’t work if you try to connect it to a VPN. If you want to send Tor traffic through your VPN servers, you can try something like:

anon-whonix → sys-whonix → vpn-firewall → sys-vpn → sys-firewall → sys-net

The above will work without vpn-firewall, but it’s likely a good idea to use it. Just clone sys-firewall and drop it in.

With the above configuration, your ISP will first connect you to your VPN server. The ISP will only be able to see encrypted traffic going back and forth to your VPN. It will not be immediately obvious to your ISP that you are using Tor. Once your VPN connection is established, your Tor traffic will be routed through your VPN tunnel and websites you visit with Tor Browser (from within anon-whonix) will see your Tor IP but won’t know anything about your VPN.

tl;dr anon-whonix → sys-whonix are based on whonix-ws and whonix-gw, respectively. They are to Tor what appVM → sys-vpn are to VPN. Connect anon-whonix (disposable or not) to a whonix gateway such as sys-whonix. If you want to connect Tor to a VPN, just add sys-vpn to the VM routing chain.

Hey! Sorry for the lack of response, life gets in the way sometimes. With 4.1 coming out and running on 4.0.1 R4 I ended up reinstalling 4.1 with a fresh install.

At this time I have fully working everything as before with the vpnVM like you described earlier. I haven’t set up the anon part yet but have that on my todo list as a learning experience.

I really do appreciate all the help that you have given me so far here - it has been super helpful, especially with the explanations. The explanations are what triggered the learning for me the most!