Yay! 
Thanks for this Guide
no. i didn’t touch anything firewall rules. But I’m using kicksecure VM insted of Fedora.
yes. sys-net has internet access.
1 Like
sorry I can’t help you, I don’t know what kicksecure is doing. Maybe the qubes integration doesn’t work well.
I hope I don’t end up having this problem …
I really want KickSecure iso as a VM so to go in battle hardened when connecting to Google products such as GMail so to finish migrating stuff off GMail due to the Black Hat Cyber Stalking and Hacking me seemingly being well equipped with Google exploits specifically as a specialty however his other specialties include hacking servers, networks, and Operating Systems and using Python scripts as his main language it seems — so I don’t want to risk finding out if he has Hypervisor exploits as I would rather have a hardened Debian like KickSecure than a butt bunky Debian going out there to log back into GMail. I am banking on KickSecure having good enough armor on lol than the naked Debian that is expected for us to use on Qubes as default.
i will try by debian.
First of ann thanks for this guide Solene, not realising it was here I spent the better part of a day trying to work out how to make the gui appear before realisng your guide was here. It was far, far, more gratifying that it really should have been the first time I got your instructions working.
Part of the issue is I think the way that proton have written their instructions is that there is a line (the --refresh desktop one) which is essential, but the way proton have it on their website is that it implies that it might only need to be done if one had already installed it. Another is that wheneever I typed a question into the command line it immediately redirected me to the CLI app help. I’m sure there must have been a time when google wasn’t as perpetually useless as it seems to have become, but whenever that was it seems a long time ago now.
I seem to have come across a curious instance. When I clone a template and then install all the software on it with the intention of creating subsequent disposable Protonvpn-Appvms it doesnt seem to work, I need to then reinstall al the software on it as if the template had reverted to its creation state. Certainly the proton-vpn gui doesnt launch. But when I create clones of the protonvpn-template then it all works normally, that is to say the vpn app launches as one might expect. I have checked to ensure that the Appvms are based upon the ProtonVPN template and they are. It just seems curious why that might be.
you may try to log out and log in, if you clone them they will appear as the same device and won’t be able to connect at the same time. I got this issue with the VPN provider I’m working for and it took us a while to figure what was going on 
That probably why I seemed to have issues with accessing whonix and the clearness at the same time with them this morning then. I gave up in the end and got out tails. Of which version 6 seems very snazzy if but for the fact that, oxymoronic as it may seem, its easier getting sound/bluetooth working in qubes now than it is in tails!
Thanks for the comprehensive answer 
thank you !!finally I succesed to make sys-protonvpn app with debian.
but I want to use this vpn firewall with Tor.
but when I conect like this, I fail to connect vpn surver.
sys-protonvpn → sys-whonix → sys-firewall → sys-net
How do you combine vpn and tor?
My goal is this
whonix ws → whonix gateway → protonvpn → internet
1 Like
you need to use OpenVPN in TCP mode as Tor can’t route UDP packets (used by OpenVPN in UDP or by WireGuard which is exclusively using UDP)
Hey Solene you are amazing.
Quick question: is safer making vpn configuration with app or openvpn, when the app is open source ?
Safer in what regards?
Using openvpn or plain wireguard is less error prone, but the app is offering kill switch, DNS changes etc… that you may forget or implement in a wrong way.
The App binary could be compromised, which would be less likely for a package such as openvpn.
In absolute, the app is less secure, in practice I think it’s more convenient and as secure.
1 Like
Thank you for your answer.
Is there a way I could make ProtonVPN in this case start in system try so I won’t see the app displayed when the qube starts automatically.
Also can I disable this keyring asking everytime the qube starts.
Thank again!
Hey solene, I followed your steps above. The VM is created successfully, protonvpn starts automatically and connects successfully. But none of my internet traffic from my “personal” qube is showing I am connected to a vpn. What did I miss?
hi, did you assign those qubes the proton qube as a netvm?
Hello, net qube in qube manager basic tab is set to sys-net. I originally had it set as sys-firewall. Under services tab I have both qubes firewall and network manager checked off. firewall rules are set to default (allow all outgoing connections).
it seems you don’t fully understand what you are doing at the moment, I recommend you to read carefully Networking | Qubes OS and potentially Firewall | Qubes OS to understand the process. Otherwise you may expose information and it may be dangerous (depending on your threat model).
If you followed the guide, you created a new qube that is connecting to proton vpn, if you want a qube to have its network traffic router through the VPN, you need to modify its net vm to the proton vpn qube
1 Like
Thank you for your patience! I will read what you have recommended. Thank you for your time!
I should follow this.right?
Not really, the guide is for wireguard and you need OpenVPN. It’s pretty close though, just import your configuration in network manager, make sure to generate one that use TCP and you should be fine.