I was just curious, is it possible to use either a different VPN service with each VM or a different server of the same VPN company with each VM?
Yes, this is possible and easily done in Qubes. Of course, there isn’t just one way of doing this.
One of the first things I did when using Qubes on a daily basis was using dedicated proxyVM for different appVM/Qubes, for example email accounts, banking and web browsing etc.
Personally, I liked to set these up like explained here:
Pro: Once set up you don’t have to worry about leaks anymore and there’s a popup notification as soon as the link to the server has been established and also should it go down. It reconnects after suspend and you basically don’t have to do anything anymore once it’s been chosen as a NetVM for a specific appVM (like your email account).
Con: It takes a little to set up a few of these but it really isn’t difficult. The only thing you have to keep in mind is to follow the documentation closely. Most of the scripts can be used as is via copy&paste but of course you have to insert your username and password and your specific *.ovpn file (see point 6.:
openvpn-client.ovpn must be exchanged with your e.g. “iceland.ovpn” file.)
It’s always the same server so maybe use one that isn’t prone to being overloaded. Of course, using always the same server can be an advantage for specific services.
You could also use the software of your provider within each Qube but that would require choosing the server after starting the software. This could be useful for a video Qube and streaming TV shows or sports events from different countries.
Just keep in mind that not all software solutions from your VPN provider do work without leaks, at least not without some adjustments. Sometimes you have to check a box for some leak-proof “measures”.
I think the script solution is the best because it isn’t that complicated and you can see what it is doing. (Closed) software solutions from your provider might have a shiny GUI but you don’t always know how they work.
Also, I think some people have written more sophisticated scripts in order to change servers (at least within one country) more easily (for example, if one server goes down) but I didn’t engage myself in those solutions (yet).
Linking here a related discussion on this:
I haven’t seen people do this yet, but I’m sure someone has already tackled it. Maybe @tasket has some thoughts on this.
You can do this as easily as using different sys-firewalls for groups of
qubes, or indeed using different sys-net routes.
You should think carefully about why you want to do this - if you
genuinely want to separate out your online activities, then you probably
want to have (at least) 2 sys-net qubes using alternative routes to the
net - don’t connect them to the same router and don’t connect them to the
same power supply. Using a burner mobile connection would be good.
Set up your sys-net/sys-firewall pairings and assign qube groups to
Use multiple templates, differently configured.
Have a vanilla qube and use it heavily for normal use - I mean what
other users will do, unconnected to your other activities. You can
script this if you will.
Use different VPN suppliers and/or accounts: Just set up a VPN gateway
on each line, or use different gateways.
Consider using a VPN client installed in each qube.
Be consistent in your usage and don’t be tempted (for whatever reason)
to switch a qube from one group to the other.
Don’t mix usage after you have set up the qubes in their groups: guard
against accidental use. Anything you can do to help enforce this would
be good. Have multiple desktops. Colour code them. Force qubes to
appear on the relevant desktops. (Switch to KDE, and use Activities to
make this simple.)
As to the use of VPNs, be careful what you choose and don’t trust anyone
who says they don’t log. Experience shows this is rarely true.
Payment may be an issue, and an identifying vector.
If your profile is such that this really matters to you, then I would
use multiple VPN accounts and providers, and change frequently.
You WILL have identifying habits - you need to break them: don’t let
your use of infrastructure become another identifying feature.
Thanks for those suggestions. That seems a little complex for me. I’ll stick to using whonix as much as possible.
And create 2 different ProxyVM’s named differently say one called Mullvad one called NordVPN (for example). Should work out of the box once all network traffic is enabled within the Qube Settings option for both Qubes.
But I haven’t tried it I only use one VPN-VM so to speak.
As @unman says, this is very easy. The model is different machines - each machine (VM) can do what it wants re. connections. Each AppVM’s or DispVM’s NetVM can be what you want:
- a sys-net (NOT RECOMMENDED!)
- a sys-firewall (you can have as many as you want)
- a vpn (also as many as you want)
NetVM can also be changed on the fly (but if concerned about anonymity/privacy this is NOT a good idea). For example if you booted your bank AppVM only to discover that your bank has started blocking your vpn-X and you need to change to ISP or another vpn-Y… (Also a side note: When this happens the error message from the website is usually completely uninformative - basically “it didn’t work - try again later”, which you can do forever… And the entity’s Customer Service reps haven’t a clue…).
In fact, as @unman also says, it’s actually too easy - very easy to “go” where & how you didn’t actually want to, or for sure shouldn’t have accidentally. And easy to lose any anonymity/privacy you’re striving for, or have built up over time. Even when using good tech like Whonix or @tasket’s. (Good tech is of course important, but how you use it is far more important…) Tread carefully!
It’s definitely extremely simple but you have to manage identities in extremely strict way. I myself use three VPN providers.
hai, please kindly help me with similar VPN and proxyVM issue.
your vpn vendor might limit you to 5 devices, but you can just set up one openvpn appvm with Tasket’s script, then just clone the appvm and change the geolocation, and repeat,
or if your using wireguard on a router, you can just use socks5 to geolocate with no limitations on device numbers …