Intro
This guide explains how to set up a VPN with the ProtonVPN app on Qubes OS 4.2 using a Fedora template.
A nice thing about ProtonVPN is that they have a free tier; it comes with limitations, but it is useful. They also appear to be a legitimate service according to the trustworthy source Private VPN Service Recommendations and Comparison, No Sponsors or Ads - Privacy Guides.
If you want to set up ProtonVPN using WireGuard without the app, see Wireguard VPN setup.
Setup
Qube creation
- Create a dedicated qube for the VPN
- Name it as you want (I will name it sys-vpn-protonvpn-app)
- Choose type "Standalone" with the template fedora-38 (the xfce flavor or the minimal flavor should work too)
- Check "provide network access to other qubes" in the Advanced settings tab
- In the qube settings:
  - Give it 800 MB of memory minimum
  - Add the service qubes-firewall
  - Add the service network-manager (this is required, otherwise the app can't establish VPNs)
Qube configuration
- Start the qube
- Follow the official guide to install ProtonVPN app
- Basically 3 steps: download an rpm file, run dnf on it to add the repository, accept the new repository, then install the app
- If wget is missing (that's the case on fedora 38 xfce by default), you can replace it with curl -OL or install it with sudo dnf install wget
- Automatically start the VPN program on qube boot (the symlink target is given as an absolute path so the commands work from any directory):
mkdir -p ~/.config/autostart
ln -s /usr/share/applications/protonvpn-app.desktop ~/.config/autostart/
- Reboot the qube
ProtonVPN App
- If you get a prompt asking for a keyring password (from the qube), this is an extra Linux security feature that keeps program passwords in a keyring. It seems that you need to use it (by setting a password for the keyring), otherwise ProtonVPN won't keep your credentials.
- The ProtonVPN app should show up
- Enter your credentials
- Connect
- Configure the App as you want
Killswitch configuration
You may want to force all client qubes' traffic to go through the VPN and block non-VPN traffic. The ProtonVPN app offers a killswitch. However, if the app crashes, the killswitch is not guaranteed to keep working. Here is how to make it more robust.
Add the rules below to /rw/config/qubes-firewall-user-script in the qube. They only affect traffic forwarded from client qubes: the VPN qube's own traffic (including the app's connection to the VPN server) still leaves via eth0, which is what makes the tunnel possible.
# Prevent the qube from forwarding traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
Optional hardening: Avoid DNS leaks
You may also want to force the use of a defined DNS server (9.9.9.9 in the current example) and block all other DNS servers (this avoids DNS leaks). Note that these rules only catch plain DNS on port 53 coming from client qubes (iifname vif*); they do not cover the VPN qube's own queries, nor DNS over TLS (port 853) or DNS over HTTPS.
# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname "vif*" tcp dport 53 dnat to "$DNS"
nft add rule qubes nat iifname "vif*" udp dport 53 dnat to "$DNS"
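To load both rule sets atomically and then confirm that the forward-drop rule is really in place, here is an added example script (not part of the guide, and not ProtonVPN's or Qubes' own code). It assumes the Qubes 4.2 nftables layout described above (tables ip/ip6 "qubes" with a "custom-forward" chain), eth0 as the upstream interface and vif* as the client interfaces; the killswitch_present check only parses nft output, so it can be tried without root.

```shell
#!/bin/sh
# Added example (not from the guide): installs the killswitch + DNS-redirect
# rules with a single `nft -f` load and verifies the drop rule is loaded.
# Assumptions: Qubes 4.2 tables ip/ip6 "qubes" with chain "custom-forward",
# upstream interface eth0, client qube interfaces vif*.
set -u

DNS=${DNS:-9.9.9.9}

# Print the rule set in nft script syntax (one atomic load instead of
# several separate `nft add` invocations).
vpn_rules() {
  cat <<EOF
# Prevent the qube from forwarding client traffic outside the VPN tunnel
add rule ip qubes custom-forward oifname "eth0" counter drop
add rule ip6 qubes custom-forward oifname "eth0" counter drop
# Redirect client qubes' plain DNS (port 53) to the chosen resolver
add chain ip qubes nat { type nat hook prerouting priority dstnat; }
add rule ip qubes nat iifname "vif*" tcp dport 53 dnat to $DNS
add rule ip qubes nat iifname "vif*" udp dport 53 dnat to $DNS
EOF
}

# Given a file holding the output of `nft list chain <family> qubes
# custom-forward`, return 0 only if a rule dropping traffic that leaves
# on eth0 is present (nft prints it as: oifname "eth0" counter ... drop).
killswitch_present() {
  grep -Eq '^[[:space:]]*oifname "eth0" .*drop[[:space:]]*$' "$1"
}

# Live run (root, inside the VPN qube): load the rules, then check both
# address families. Without --apply only the functions are defined.
if [ "${1:-}" = "--apply" ]; then
  vpn_rules | nft -f - || exit 1
  for fam in ip ip6; do
    nft list chain "$fam" qubes custom-forward > "/tmp/ks-$fam.txt"
    killswitch_present "/tmp/ks-$fam.txt" || { echo "killswitch missing in $fam"; exit 1; }
  done
  echo "killswitch active in ip and ip6"
fi
```

Run it as `sh vpn-killswitch.sh --apply` from the qube's firewall user script, or call `killswitch_present` on saved `nft list chain` output to audit an existing qube.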