yes, just create 3 qubes with protonvpn app
Do I understand correctly:
- NOT PVPN inside the 3 qubes (work, perso, perso)
- But 3 additional qubes (minimal) with PVPN which each AppVM will go through?
So following the guide here, but X times (one for each)
yes, then you can use the three different VPNs with whatever qubes you want
This could be doable, but for security reasons it is not recommended
if you plan to always use the same VPN route for each of your qubes, I’d advise against the proton VPN app which sucks with regard to the ability to reduce firewall rules. Whereas if you download a WireGuard config to a static endpoint, you can reduce the firewall rules to that single endpoint + port.
ProtonVPN app requires port 443/tcp to be allowed
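An added example (not from this thread or from any Qubes/Proton project code) of the "reduce the firewall rules to that single endpoint + port" approach mentioned above: it reads the static Endpoint from a WireGuard config and emits the nft kill-switch rules for /rw/config/qubes-firewall-user-script. It assumes the VPN qube's upstream interface is eth0 and the Qubes 4.2 nftables tables/chains used in this thread (ip/ip6 qubes, custom-forward), an IPv4 endpoint, and a constructed sample config with a documentation-range address.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Assumptions: upstream interface eth0, Qubes 4.2 'qubes' tables with the
# 'custom-forward' chain, and a single IPv4 "Endpoint = host:port" line.

# wg_endpoint FILE -> prints "host port" from the [Peer] Endpoint line
wg_endpoint() {
  sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$1" | head -n1 \
    | sed 's/^\(.*\):\([0-9]\{1,5\}\)[[:space:]]*$/\1 \2/'
}

# killswitch_rules HOST PORT -> prints nft commands for qubes-firewall-user-script.
# Accept rule is added before the drop so it sorts first in the chain.
killswitch_rules() {
  host=$1; port=$2
  # refuse to emit a ruleset that would silently allow nothing or everything
  [ -n "$host" ] && [ -n "$port" ] || return 1
  cat <<EOF
# drop forwarded client traffic that would leave eth0 outside the tunnel
nft add rule ip qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
# the VPN qube's own output: only the WireGuard endpoint may leave eth0
nft 'add chain ip qubes output { type filter hook output priority 0; policy accept; }'
nft add rule ip qubes output oifname eth0 ip daddr $host udp dport $port counter accept
nft add rule ip qubes output oifname eth0 counter drop
nft 'add chain ip6 qubes output { type filter hook output priority 0; policy accept; }'
nft add rule ip6 qubes output oifname eth0 counter drop
EOF
}

# Constructed sample config (TEST-NET-2 address, placeholder keys), not a real peer.
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[Interface]
PrivateKey = <placeholder>
Address = 10.2.0.2/32
[Peer]
PublicKey = <placeholder>
Endpoint = 198.51.100.7:51820
AllowedIPs = 0.0.0.0/0
EOF

# Stand-alone usage: print the generated rules for the sample config.
killswitch_rules $(wg_endpoint "$SAMPLE_CONF")
```

Redirect the output into /rw/config/qubes-firewall-user-script (as root) and make it executable; the chain's packet counters in nft list ruleset show whether only the endpoint rule is matching.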
Hi there,
I tried to implement a manual VPN killswitch in addition to Proton VPN app’s one:
# block client-forwarded traffic to eth0
nft add rule ip qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
This will block client qube FORWARD traffic and works so far.
Now traffic generated on netVM itself (OUTPUT) still needs to be blocked, if not coming from ProtonVPN app process. For this I replicated Configuring a ProxyVM VPN Gateway , using a separate protonvpn group for the app:
Used rules:
# block output traffic, except for group 'protonvpn'
nft 'add chain ip qubes output { type filter hook output priority 0; policy accept; }'
nft 'add chain ip6 qubes output { type filter hook output priority 0; policy accept; }'
nft insert rule ip qubes output oifname eth0 counter drop
nft insert rule ip6 qubes output oifname eth0 counter drop
nft insert rule ip qubes output oifname eth0 skgid protonvpn counter accept
nft insert rule ip6 qubes output oifname eth0 skgid protonvpn counter accept
Starting ProtonVPN app:
# add user to sudo group, for change to protonvpn group
# (assumes passwordless-root and standalone vm for test)
user@protonvpn-app:~$ sudo usermod -aG sudo user # re-login after
user@protonvpn-app:~$ sudo -E -g protonvpn protonvpn-app
This does not work yet.
Inspecting nft list ruleset shows that the packet counter for the eth0 skgid protonvpn counter accept rule increments, so there definitely are matches … but apparently not all needed packets. I would have expected the ProtonVPN app process to do all network-related connections. Is this maybe due to the Proton VPN app's dependency on NetworkManager?
Any ideas are welcome.
You certainly need to allow network manager too. Proton VPN app creates a network manager entry to establish the VPN.
Thanks @solene , this probably isn’t worth the hassle then.
FORWARD rules and the app’s killswitch already work well.
Sorry for the noob question but when I try to add the rules to the qubes-firewall-user-script it says:
Error saving file.
Error opening file “/rw/config/qubes-firewall-user-script”: Permission denied.
The file on the disk may now be truncated!
Use sudo:
hahahahahahaha tyvm i needed a good chuckle today
@solene - thank you for putting this guide together - great stuff.
ProtonVPN works great, but I’m stuck configuring DNS (NextDNS) in the new qube - NextDNS provides a number of configuration options, but none of them reconcile with the Optional hardening syntax example provided in the guide. I’m hoping someone can look at the info provided by NextDNS below and recognize how to configure the qube. I want to configure the DNS in the ProtonVPN qube so that when I switch to a different Net qube, the DNS settings switch back as well.
Recommended install from NextDNS
Use the following in /etc/systemd/resolved.conf:
[Resolve]
DNS=45.90.28.0#xxIDxx.dns.nextdns.io
DNS=2a07:a8c0::#xxIDxx.dns.nextdns.io
DNS=45.90.30.0#xxIDxx.dns.nextdns.io
DNS=2a07:a8c1::#xxIDxx.dns.nextdns.io
DNSOverTLS=yes
Other info provided by NextDNS
DNS Servers
45.90.28.30
45.90.30.30
DNS-over-TLS/QUIC: xxIDxx.dns.nextdns.io
DNS-over-HTTPS: https://dns.nextdns.io/xxIDxx
IPv6
2a07:a8c0::8b:656b
2a07:a8c1::8b:656b
Quick Update
Here are a few things I tried that do NOT work:
- Installing the recommended install from NextDNS (see prev post) to the dedicated VPN qube.
- Installing the recommended install from NextDNS to the disposable template (in a split browser setup).
- Using the NextDNS Command-Line Client to install to the dedicated VPN qube.
sh -c "$(curl -sL https://nextdns.io/install)"
- Using the NextDNS Command-Line Client to install to the disposable template.
- Installing the recommended install from NextDNS to a new fedora-41 based AppVM.
- Installing the recommended install from NextDNS to a fedora-41 template clone and then using an AppVM based on that new template.
Here is something that did work… kinda:
Created a new AppVM based on fed-41 and used the NextDNS Command-Line Client to install. I confirmed on the NextDNS website that I was utilizing their service. It would not hold the state if I restarted the qube, however. I would have to reconfigure the client to get back to utilizing their service.
I also tried creating a new fed-41 template and using the Command-Line Client to install to the template. I then created a new AppVM based on this new template… but that just plain didn’t work.
Thank you for any help.
Noob question: Do I just copy paste this into the file manager?
/rw/config/qubes-firewall-user-script
And it seems to open some kind of text file.
Do I just copy these lines into that file and save?
# Prevent the qube to forward traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
Edit: I tried it and it seems to not allow me to save on exit.
It seems the kill switch has an advanced option: only allow internet access when connected to Proton VPN.
I tried disconnecting from VPN through Proton and I wasn’t able to browse the web.
Oh. Did the same thing. Opened that file in file manager, and pasted the two lines recommended. Got the same error message.
What exactly did you do?
You don't say what error message you received.
If it was a message about permissions, then edit the file as root. e.g.
use sudo vi from a terminal to open the file for editing.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Yes. It was error message about permission.
So I run this?
sudo vi /rw/config/qubes-firewall-user-script
And then add in the lines?
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
Yes
This may be the incorrect place for this but I’m trying to update this standalone to fedora-41 in place
when I sudo dnf --releasever=fedora-41 distro-sync --best --allowerasing
I get this error:
Errors during downloading metadata for repository ‘fedora’:
- Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-fedora-41&arch=x86_64
It tries two other mirrors and they all 404. I have an internet connection and the kill switch is off while I do this.
Any suggestions?
I suggest that you try to specify a proxy, like:
all_proxy=http://127.0.0.1:8082 http_proxy=http://127.0.0.1:8082 https_proxy=http://127.0.0.1:8082 sudo dnf --releasever=fedora-41 distro-sync --best --allowerasing
Probably only one is needed, but it’s hard to predict which!
If you want to run more commands through the proxy, you can run, one at a time:
export all_proxy=http://127.0.0.1:8082
export http_proxy=http://127.0.0.1:8082
export https_proxy=http://127.0.0.1:8082
sudo dnf --releasever=fedora-41 distro-sync --best --allowerasing
Still 404s
[user@sys-vpn-protonvpn-app-2 ~]$ export https_proxy=http://127.0.0.1:8082
[user@sys-vpn-protonvpn-app-2 ~]$ export http_proxy=http://127.0.0.1:8082
[user@sys-vpn-protonvpn-app-2 ~]$ export all_proxy=http://127.0.0.1:8082
[user@sys-vpn-protonvpn-app-2 ~]$ sudo dnf --releasever=fedora-41 distro-sync --best --allowerasing
Fedora fedora-41 - x86_64 49 kB/s | 154 kB 00:03
Errors during downloading metadata for repository 'fedora':
- Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-fedora-41&arch=x86_64 (IP:)
Error: Failed to download metadata for repo 'fedora': Cannot prepare internal mirrorlist: Status code: 404 for https://mirrors.fedoraproject.org/metalink?repo=fedora-fedora-41&arch=x86_64 (IP: )