Proposal: An 'Install VPN qube' option

VPNs are perceived as essential for those who are interested in security and privacy, so it’s safe to say that a large majority of newcomers who have made their way to Qubes want to use VPNs.

I’ve noticed a lot of posts about setting up VPNs, so I wonder if the devs have considered adding the ability to have a pre-configured OpenVPN qube set up during installation (along with other configuration changes this would entail). This way, all that’s left to do is to import the service’s *.ovpn config file, making things far less frustrating for new users who are less technically-inclined (since VPN-setup seems to be the biggest stumbling block), and might also lead to increased security since they won’t accidentally make mistakes while following instructions.

A disclaimer that pops up when the option is selected would simplify responsibilities.


I mean, you can already import OpenVPN configurations in sys-net

Or are you proposing a dedicated qube just for VPNs?

Could be a community template in the official repo…

sys-net is one of the weakest link in Qubes’ security since it’s both an HVM and receives unfiltered traffic. Increasing its attack surface by making it take on the role of VPN is not ideal (OpenVPN of all things, with all its bloat).

If you’re using sys-net as your VPN qube, you should reconsider–if not for the reasons I just listed, then just for the sake of compartmentalization.


Trust me. I’m not :stuck_out_tongue:

I was merely pointing out that it is possible in the current software.

I completely agree with everything that you’re saying about it being a bit silly.

I just want to add that I think it’s a great idea to have some kind of vpn qube option available by default. It took me a while to learn how to set up a VPN appVM.

Maybe it would be a good idea to have a VPN templateVM from which several appVM can be created. It can be very useful to have several VPN connections open at the same time.

I was thinking more along the lines of having Salt configure an appVM derived from the standard templates that’s slotted in the right position and ready to go (awaiting ovpn config). A user who requires multiple VPNs would just clone that appVM and import a different ovpn config.

1 Like

Seems like a good solution! I don’t know what Salt is so I’m probably not the best person to figure out how to best set this up. But I’m all for making using VPN’s in Qubes easier for beginners.

1 Like