Proposal: An 'Install VPN qube' option

VPNs are perceived as essential for those who are interested in security and privacy, so it’s safe to say that a large majority of newcomers who have made their way to Qubes want to use VPNs.

I’ve noticed a lot of posts about setting up VPNs, so I wonder if the devs have considered adding the ability to have a pre-configured OpenVPN qube set up during installation (along with other configuration changes this would entail). This way, all that’s left to do is to import the service’s *.ovpn config file, making things far less frustrating for new users who are less technically-inclined (since VPN-setup seems to be the biggest stumbling block), and might also lead to increased security since they won’t accidentally make mistakes while following instructions.

A disclaimer that pops up when the option is selected would simplify responsibilities.


I mean, you can already import OpenVPN configurations in sys-net

Or are you proposing a dedicated qube just for VPNs?

Could be a community template in the official repo…

sys-net is one of the weakest link in Qubes’ security since it’s both an HVM and receives unfiltered traffic. Increasing its attack surface by making it take on the role of VPN is not ideal (OpenVPN of all things, with all its bloat).

If you’re using sys-net as your VPN qube, you should reconsider–if not for the reasons I just listed, then just for the sake of compartmentalization.


Trust me. I’m not :stuck_out_tongue:

I was merely pointing out that it is possible in the current software.

I completely agree with everything that you’re saying about it being a bit silly.

I just want to add that I think it’s a great idea to have some kind of vpn qube option available by default. It took me a while to learn how to set up a VPN appVM.

Maybe it would be a good idea to have a VPN templateVM from which several appVM can be created. It can be very useful to have several VPN connections open at the same time.

I was thinking more along the lines of having Salt configure an appVM derived from the standard templates that’s slotted in the right position and ready to go (awaiting ovpn config). A user who requires multiple VPNs would just clone that appVM and import a different ovpn config.


Seems like a good solution! I don’t know what Salt is so I’m probably not the best person to figure out how to best set this up. But I’m all for making using VPN’s in Qubes easier for beginners.

1 Like

Going by the questionnaire they’ve asked us to fill out, they’re well aware that this is in high demand for the less experienced. Would be a great service to the community if they could get that up and running.

You can just create a cube that provides network and enable the service “network-manager” in services. The NetworkManager who sometimes is a pain comes handy in case of VPNs of different colors, they work mostly.
NetworkManager is infamous for configurations you dont want as you want to play with some services at the moment and statically set an ip using ip a or ifconfig.

But in the context of easy vpn setup NetworkManager is quite useable.
Tip: use different colors for the vpn VMs so you can see which network icon in the top bar is which VPN.



Salt allows you to configure a machine (or thousands of machines) exactly how you want it, in shockingly fine detail, while you sit and twiddle your thumbs (assuming you wrote the scripts properly). :upside_down_face:

Yeah, you can, but you kind of need to know your way around Qubes OS first to be able to do that. You also kind of need to be willing to tinker with your machine, and potentially break stuff in the process.

You and I are no stranger to that, but it would probably scare away a lot of “newcomers”.

I know people who write code who are paranoid about digging through their system files, even on testing machines. I can only imagine what it would be like for someone new to Qubes OS.

On a sidenote, they write Python and YAML for work, and are scared to learn C, so maybe that’s why they’re scared of touching system files… :joy:

I like that idea. It is very underutilised.

Is there anything to be said about this being like an option on first boot setup (anaconda), as well as a salt configuration?

That would give a GUI option as well.

“Create VPN Qube” - “Add VPN Config”

1 Like

Also you can make your VPN VMs HVM mode VMs and then you add one of your many NICs to each VM so you can also route the VPN out to other machines for tests, having some honeypots (old victim machine running Windows XP) and you run wireshark in your VM, if you like.
It is just fun to have quad nic boards in your workstation, as I have.

But there are many options like having the VPN on routers and connect the nets to the workstation or one may also use vlan and one nic but then you can not play the nice PCI insulation game.

So with multiple nics each VM can get one or more nics that are independend.
So you could have a red net and a black net connected to different nics on the machine while the red net routs to red VMs and the black net to blackVM.
Depending on the red net you may dare to use qubes here and trust a vintage cpu and iommu to separate your data accordingly.

But at least for education qubes with quad nic boards is a cool tool.

1 Like