ProtonVPN App 4.2 setup guide

Intro

This guide explains how to set up a VPN with the ProtonVPN app on Qubes OS 4.2 using a Fedora template.

A cool thing with ProtonVPN is that they have a free offer; although it comes with limitations, it’s nice. They also seem to be a legit service to use, as per the trustworthy source “Private VPN Service Recommendations and Comparison, No Sponsors or Ads - Privacy Guides”.

If you want to set up a ProtonVPN using WireGuard without the App, see Wireguard VPN setup

Setup

Qube creation

  • Create a dedicated qube for the VPN
    • Name it as you want (I will name it sys-vpn-protonvpn-app)
    • Choose type “Standalone” with the template fedora-38 (or the xfce flavor, the minimal flavor should work too)
    • Check “provide network access to other qubes” in the Advanced settings tab
  • In the qube settings
    • Give it 800 MB of memory minimum
    • Add the service qubes-firewall
    • Add the service network-manager (this is required otherwise the App can’t establish VPNs :woman_shrugging:)

Qube configuration

  • Start the qube
  • Follow the official guide to install ProtonVPN app
    • Basically 3 steps: download an rpm file, run dnf on it to add the repository and accept the new repository, install the app
    • If wget is missing (that’s the case on fedora 38 xfce by default), you can replace it by curl -OL or install it with sudo dnf install wget
  • Automatically start the VPN program on qube boot
    • mkdir -p ~/.config/autostart
    • ln -s /usr/share/applications/protonvpn-app.desktop ~/.config/autostart/
  • Reboot the qube

ProtonVPN App

  • If you get a prompt asking for a keyring password (by the qube), this is an extra Linux security feature that keeps program passwords in a keyring. It seems that you need to use it (by setting a password for the keyring), otherwise ProtonVPN won’t keep credentials…
  • The ProtonVPN app should show up
    • Enter your credentials
    • Connect
    • Configure the App as you want

Killswitch configuration

:warning: The App killswitch doesn’t work! You need to manually configure one if you need it.

:information_source: You may want to force all qubes traffic to go through the VPN and block non-VPN traffic. ProtonVPN app offers a killswitch, but it doesn’t seem to work. If it was working, the app could still crash and the killswitch wouldn’t be guaranteed to work.

Add the rules below in /rw/config/qubes-firewall-user-script in the qube:

# Prevent the qube from forwarding traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

Optional hardening: Avoid DNS leaks

:information_source: You may also want to force the use of a defined DNS server (9.9.9.9 in the current example) and block all other DNS servers (this avoids DNS leaks).

# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
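A check for the kill-switch rules in the guide above, as an added example that is not part of the original thread: it parses an `nft list ruleset` dump and confirms that both the `ip` and the `ip6` `qubes` tables drop forwarding out of `eth0`. The function names and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an `nft list ruleset` dump for the guide's kill-switch rules.

# Print the rules inside one chain. Usage: chain_body FAMILY TABLE CHAIN < dump
chain_body() {
    awk -v t="table $1 $2 {" -v c="chain $3 {" '
        { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line) }
        depth == 0  { if (line == t) depth = 1; next }
        line == "}" { depth--; in_c = 0; next }
        substr(line, length(line)) == "{" {
            if (depth == 1 && line == c) in_c = 1
            depth++; next
        }
        in_c        { print line }'
}

# Rule text as nft prints it back; the counter statement is optional.
DROP_RE='^oifname "eth0" (counter packets [0-9]+ bytes [0-9]+ )?drop$'

# Succeeds only if both the IPv4 and the IPv6 table drop forwarding out of eth0.
audit_killswitch() {    # $1 = ruleset dump
    rc=0
    for fam in ip ip6; do
        if printf '%s\n' "$1" | chain_body "$fam" qubes custom-forward |
            grep -Eq "$DROP_RE"; then
            echo "OK   $fam: forwarding out of eth0 is dropped"
        else
            echo "FAIL $fam: no eth0 drop rule in custom-forward"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample (not captured from a real qube): the ip6 rule was forgotten.
SAMPLE_LEAKY='table ip qubes {
	chain custom-forward {
		oifname "eth0" counter packets 0 bytes 0 drop
	}
}
table ip6 qubes {
	chain custom-forward {
	}
}'

# On the VPN qube: audit_killswitch "$(sudo nft list ruleset)"
audit_killswitch "$SAMPLE_LEAKY" || echo "kill switch incomplete: traffic can bypass the VPN"
```

A passing audit only shows that the rules are loaded; the counter values in the real listing show whether they have actually dropped packets.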

Files to customize default settings are located here: ~/.config/Proton/VPN

What kind of settings would you customize by editing the file instead of using the GUI? :thinking:

Like Netshield or Killswitch = On (Default = off). I use disposables, so I recall it doesn’t save my settings unless I set it in the config files.

The GUI allows enabling the killswitch but it doesn’t work for me. It’s enabled but filtering nothing.

Yeah it doesn’t work in Q4.2. It did in 4.1.

I can’t seem to get the app to save the credentials, even if I add a key ring password. Any suggestions?

Does it ask for the keyring password when you start the app?

Yep, and it still does ask for a new key ring password each time, plus it asks for an extra authorisation as if the key ring is already registered, plus I still have to enter the details into the app itself.

Try deleting /home/user/.local/share/keyrings/, restart the qube (this makes sure the gnome keyring daemon is using a fresh blank keyring) and try again. I had this issue while making the tests, and I solved it this way.

Ok thanks, I’ll try it when I get back. This will probably solve it, as the qube had already been set up for a while; I only used your tutorial for the advice regarding auto-starting the qube and saving the credentials. So the qube is possibly confused.


Very cool. Thank you. It worked!


Or after creating the AppVM and running ProtonVPN for the first time in a persistent state, just click through the prompt without filling anything. It should remember your decision and won’t prompt you again.

It wasn’t remembering that was the issue. But clearing the related key ring files (it had made several for some reason) solved the issue immediately.


I need to disable Proton App. The free versions are too slow. I think this means I need to restart the DNS, in I guess sysnet?

I have spent time reading through the Networking. I changed the pointer of Qubes back to sys-net. I can type 1.1.1.1 into Firefox and immediately the Cloudflare web page comes up. Other web pages do nothing.

Thanks for the work on creating this Proton-App-Networking-Qube, and for reading this, and hopefully answering how to reset DNS in net-sys.

Did you enable any hardening from the guide? If not, disconnecting the VPN should be enough to have a working network again.

You should not touch sys-net.

Did you try to restart the qube?

Thanks, I had restarted computer twice, and it persisted with Proton VPN as the internet connection. Because one of the first Qubes I had gone to still pointed to Proton VPN. I think the free Proton VPN server I was pointed at was really busy and slow. Which is why I need to pay for the service, or . . .

and why I am not spending time on hardening my sys-ProtonVPN-app.

I feel the creation of the Qube for sys-vpn-Proton VPN-app is a big moment for those who are Human Rights workers, and Journalists. With the App, and the availability of a free service with Proton VPN from their earliest entry into the internet with Qubes gives some privacy, that was sometimes beyond the technical capability of a non-technical person to achieve. As well as helpful to a finance or business person to get acquainted with the possibilities of using Qubes.

I created a list of some of the details of what I went through to get my Proton VPN going. Only meant for the true beginner to Qubes. Else Solene’s is easier to read. This is meant to be like a step by step start. I would have to go through the entire process again to polish up the step by step list. But I will put this out anyway.

_______________________________________________________________________________

Create Qube for sys-vpn-protonvpn-app from left side

first column chose gear
Choose Qubes Tools
Create new Qube

Choose standalone

More detail   

After creating Qube

Upper left Q
third column over “Service”
sys-vpn-proton-vpn-app
next column over, “Settings”

First Tab Net Qube, choose “sys-firewall (current)”

second tab Set ‘initial memory’ to at least “800 mb”

Last Tab “Services”

Plus sign

Choose “network manager”
bottom “Apply” “OK”

upper left of Settings box. Click then “close”

So we install by Terminal

Upper left Q
third over list “Services”

bottom “xfce terminal”

to paste into terminal. Second tab: “Paste” Ctrl V does not work.

the copy and paste command described by Solene; I get wget not found. Same if I issue command with sudo.

Open Firefox in another Qube.
I enter into the search box. “how to install wget on fedora”

I get the advice:

Installing the wget command on Fedora Linux using the dnf command
1. Open the terminal application.
2. Apply all pending updates using the dnf command: $ sudo dnf update.
3. Search for the wget: $ sudo dnf search wget. Outputs: …
4. Install the wget using the dnf command as follows: $ sudo dnf install wget.

third line errored off on me.

Still 4. ran that is sudo dnf install wget
Enter Yes to proceed with install

Mine finished with Complete

back to Solene’s list.

wget https://repo.protonvpn.com/fedora-39-stable/protonvpn-stable-release/protonvpn-stable-release-1.0.1-2.noarch.rpm

sudo dnf install ./protonvpn-stable-release-1.0.1-2.noarch.rpm

enter “y” to proceed

there are instructions for those who already had app installed on Solene’s list.

I went to sudo dnf install --refresh proton-vpn-gnome-desktop


Do you use a dedicated qube for the app? If so, just use sys-firewall for the qubes instead of the VPN


Thank you for the detailed guide! I am new to Qubes and Linux too and I have 2 questions. 1) It looks like the kill switch in the Proton app worked for me (in order to be sure, what is the best way to check it? I used https://www.dnsleaktest.com/). 2) If my understanding is correct, the net qube should be changed to the Proton VPN qube for qubes that need VPN?