You need to use OpenVPN in TCP mode, as Tor can’t route UDP packets (used by OpenVPN in UDP or by WireGuard, which is exclusively using UDP).
Hey Solene you are amazing.
Quick question: is it safer to make the VPN configuration with the app or with openvpn, when the app is open source?
Safer in what regards?
Using openvpn or plain wireguard is less error prone, but the app is offering kill switch, DNS changes etc… that you may forget or implement in a wrong way.
The App binary could be compromised, which would be less likely for a package such as openvpn.
In absolute, the app is less secure, in practice I think it’s more convenient and as secure.
Thank you for your answer.
Is there a way I could make ProtonVPN in this case start in the system tray so I won’t see the app displayed when the qube starts automatically?
Also, can I disable this keyring asking every time the qube starts?
Thanks again!
Hey solene, I followed your steps above. The VM is created successfully, protonvpn starts automatically and connects successfully. But none of my internet traffic from my “personal” qube is showing I am connected to a vpn. What did I miss?
hi, did you assign those qubes the proton qube as a netvm?
Hello, net qube in qube manager basic tab is set to sys-net. I originally had it set as sys-firewall. Under services tab I have both qubes firewall and network manager checked off. firewall rules are set to default (allow all outgoing connections).
it seems you don’t fully understand what you are doing at the moment, I recommend you to read carefully Networking | Qubes OS and potentially Firewall | Qubes OS to understand the process. Otherwise you may expose information and it may be dangerous (depending on your threat model).
If you followed the guide, you created a new qube that is connecting to proton vpn. If you want a qube to have its network traffic routed through the VPN, you need to modify its net vm to the proton vpn qube.
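The netvm mistake discussed above can be checked from dom0 by following each qube's netvm chain. This is an added example, not part of the original posts: `routes_through` is a hypothetical helper, the qube list is constructed, and the input format is assumed to be the `name|netvm` lines printed by `qvm-ls --raw-data --fields NAME,NETVM`.

```shell
#!/bin/sh
# Added example: does a qube's netvm chain pass through the VPN qube?
# Reads "name|netvm" lines on stdin. In dom0 (assumed output format):
#   qvm-ls --raw-data --fields NAME,NETVM | routes_through personal proton-vpn-minimal
# routes_through is a hypothetical helper name.
routes_through() {
    awk -F'|' -v qube="$1" -v vpn="$2" '
        { netvm[$1] = $2 }
        END {
            if (!(qube in netvm)) { print "unknown"; exit }
            hop = qube
            # Follow netvm links upstream; the bound stops a malformed loop.
            for (i = 0; i < 32; i++) {
                hop = netvm[hop]
                if (hop == vpn) { print "yes"; exit }
                if (hop == "" || hop == "-") break   # qube with no netvm
            }
            print "no"
        }
    '
}

# Constructed sample: "personal" still points at sys-firewall,
# "work" points at the VPN qube, "vault" has no network at all.
sample_netvms() {
    cat <<'EOF'
sys-net|-
sys-firewall|sys-net
proton-vpn-minimal|sys-firewall
personal|sys-firewall
work|proton-vpn-minimal
vault|-
EOF
}

for q in personal work vault; do
    printf '%s -> %s\n' "$q" \
        "$(sample_netvms | routes_through "$q" proton-vpn-minimal)"
done
```

A qube that reports `no` while it has network access is sending its traffic around the VPN qube.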
Thank you for your patience! I will read what you have recommended. Thank you for your time!
I should follow this, right?
Not really, the guide is for wireguard and you need OpenVPN. It’s pretty close though, just import your configuration in network manager, make sure to generate one that uses TCP and you should be fine.
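The TCP requirement mentioned above can be checked on a downloaded profile before it is imported into NetworkManager. This is an added example, not part of the original posts: `ovpn_transport` is a hypothetical helper, the sample profiles are constructed, and per-`<connection>` blocks are not parsed.

```shell
#!/bin/sh
# Added example: report whether every remote in an OpenVPN profile uses TCP.
# ovpn_transport is a hypothetical helper name.
ovpn_transport() {
    awk '
        { sub(/[#;].*/, "") }                  # drop comments
        NF == 0 { next }
        $1 == "proto"  { global = $2 }         # last proto directive wins
        $1 == "remote" { n++; rproto[n] = (NF >= 4 ? $4 : "") }
        END {
            if (global == "") global = "udp"   # OpenVPN defaults to UDP
            if (n == 0) { print "no-remote"; exit }
            for (i = 1; i <= n; i++) {
                p = (rproto[i] != "" ? rproto[i] : global)
                if (p !~ /^tcp/) { print "udp"; exit }
            }
            print "tcp"
        }
    ' "$1"
}

# Constructed sample profiles (addresses from the documentation range).
demo_dir=$(mktemp -d)
cat > "$demo_dir/tcp.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 192.0.2.10 443
EOF
cat > "$demo_dir/mixed.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 192.0.2.10 443
remote 192.0.2.11 1194 udp   # per-remote override back to UDP
EOF
# No proto line at all: the profile silently falls back to UDP.
printf 'client\ndev tun\nremote 192.0.2.12 1194\n' > "$demo_dir/default.ovpn"

for f in tcp mixed default; do
    printf '%s.ovpn: %s\n' "$f" "$(ovpn_transport "$demo_dir/$f.ovpn")"
done
```

Only a profile that reports `tcp` is usable behind Tor; `mixed.ovpn` shows why checking the `proto` line alone is not enough.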
Store a temporary password in gnome-keyring then login to protonvpn with your credentials. Restart the VM and enter your gnome-keyring credentials. Open seahorse and reset the keyring password with no password. This has worked for me.
This only worked for so long. So, a different method:
Add the below to the bottom of .bash_profile, with “somepass” being your chosen filler password.
echo -n "somepass" | gnome-keyring-daemon --replace --unlock
On reboot, you’ll be asked to enter the password again; but this time there will be a box to check whether you wish to keep the keyring open on login. Click this. Reboot. Should disable all future gnome-keyring prompts.
Has anyone been able to get the ProtonVPN app working with a Fedora Minimal template?
What did you add to the template?
If I add qubes-core-agent-networking and wget to fedora-40-minimal I can get through the ProtonVPN installation instructions, but upon starting protonvpn-app from xterm, I get a lot of errors indicating that ProtonVPN couldn’t find an acceptable implementation for killswitch.
I wanted to slim down the size of the StandAlone based on fedora-40-xfce which takes up about 8.5GB.
have you tried
dnf install NetworkManager NetworkManager-wifi network-manager-applet wireless-tools dbus-x11 tar tinyproxy iptables which dconf dconf-editor
and
dnf search NetworkManager [openvpn|openconnect|openswat|…]
Per:
I got it working. I ran xterm as root from dom0 (qvm-run -u root name_of_your_proton_minimal_qube xterm) and installed the following packages: qubes-core-agent-passwordless-root, qubes-core-agent-networking, qubes-core-agent-network-manager, network-manager-applet, wget. You don’t need more packages.
In case you are interested I can share my salt configuration for minimal template and proton-vpn-qube. You may need to add the app to autorun so you don’t have to run it from terminal.
Salt files are always appreciated
I think there is a more elegant way to implement the salt configuration, e.g. qusal by ben-grande. But the script below I can understand, thanks to the Qubes Salt Beginner’s Guide. I copied several lines from your repo (GitHub - kennethrrosen/qubes-for-journalists: QubesOS wiki and simple setup scripts for use by journalists and media organizations.) too:
Step-by-step instructions for everybody less familiar with the procedures:
- copy the text below to create files fedora-40-minimal-clone.sls and proton-vpn-minimal.sls in a dispvm with a name like disp1234, in the user directory
{% if grains['id'] == 'dom0' %}

# dom0: clone the minimal template and adjust its preferences
minimal-template-clone:
  qvm.clone:
    - name: fedora-40-minimal-clone
    - source: fedora-40-minimal

minimal-template-config:
  qvm.vm:
    - name: fedora-40-minimal-clone
    - prefs:
      - default_dispvm: none
      - audiovm: none
    - require:
      - qvm: minimal-template-clone

{% elif grains['id'] == 'fedora-40-minimal-clone' %}

# inside the cloned template: packages needed for root access and networking
minimal-packages:
  pkg.installed:
    - pkgs:
      - qubes-core-agent-passwordless-root
      - qubes-core-agent-networking

{% endif %}
and for proton-vpn-minimal is this:
{% if grains['id'] == 'dom0' %}

# dom0: create the standalone VPN qube from the cloned minimal template
protonvpn-present-id:
  qvm.present:
    - name: proton-vpn-minimal
    - template: fedora-40-minimal-clone
    - label: red
    - class: StandaloneVM

protonvpn-prefs-id:
  qvm.prefs:
    - name: proton-vpn-minimal
    - netvm: sys-firewall
    - memory: 800
    - maxmem: 800
    - autostart: True
    - provides-network: True

protonvpn-features-id:
  qvm.features:
    - name: proton-vpn-minimal
    - enable:
      - service.network-manager
      - service.qubes-firewall
    - set:
      - menu-items: protonvpn-app.desktop

{% elif grains['id'] == 'proton-vpn-minimal' %}

# inside the VPN qube: dependencies, the Proton VPN repo package and the app
protonvpn-install-deps:
  pkg.installed:
    - pkgs:
      - wget
      - network-manager-applet
      - qubes-core-agent-network-manager

# pkg.uptodate is a state of its own, so it gets its own ID
protonvpn-uptodate:
  pkg.uptodate:
    - refresh: True

protonvpn-install:
  cmd.run:
    - name: |
        wget https://repo.protonvpn.com/fedora-40-stable/protonvpn-stable-release/protonvpn-stable-release-1.0.1-2.noarch.rpm
        dnf install -y ./protonvpn-stable-release-1.0.1-2.noarch.rpm
        dnf install -y --refresh proton-vpn-gnome-desktop

# start the app automatically when the qube boots
setup-autostart:
  file.symlink:
    - name: /home/user/.config/autostart/protonvpn-app.desktop
    - target: /usr/share/applications/protonvpn-app.desktop
    - user: user
    - group: user
    - force: True
    - makedirs: True

{% endif %}
- activate sls user configuration in dom0 terminal in case you did not do it already with this:
sudo qubesctl state.sls qubes.user-dirs
- run in dom0 terminal to copy text only to dom0 home directory from dispvm. *change the disp1234 to your dispvm.
qvm-run --pass-io disp1234 'cat /home/user/fedora-40-minimal-clone.sls' > fedora-40-minimal-clone.sls
qvm-run --pass-io disp1234 'cat /home/user/proton-vpn-minimal.sls' > proton-vpn-minimal.sls
- copy sls files to salt directory: run from your dom0 user this:
sudo cp fedora-40-minimal-clone.sls /srv/user_salt/
sudo cp proton-vpn-minimal.sls /srv/user_salt/
- run these commands to create your 2 new qubes:
sudo qubesctl --targets=fedora-40-minimal-clone state.sls fedora-40-minimal-clone saltenv=user
sudo qubesctl --targets=proton-vpn-minimal state.sls proton-vpn-minimal saltenv=user
- enjoy
Using these instructions I successfully set up the ProtonVPN app on a standalone Fedora minimal template and the disk usage reported by Qubes is about half the size of a similar one based on a Fedora XFCE template.
Disk Usage:
fedora-40-xfce: ~9000MiB
fedora-40-minimal: ~4600MiB
This is still monstrous in size compared to a WireGuard AppVM (between 100~200 MiB) but with the official app you get access to the ever-changing list of Proton VPN servers.