My main issue is that I need multiple configs for different locations to run simultaneously, so that I can have different VMs with IPs from different geographical locations at the same time.
I found a way that works but it is very inefficient: Basically I create a ProxyVM for each config location I want. However, each of these consumes about 500MB of RAM while running which is hardly ideal.
You can use a minimal template and it’ll consume 150-200 MB RAM.
But there is a way to do this from a single VM as well. But it’ll require setting up some routing for this.
I don’t have a ready-to-use guide for Qubes but here is an example of such a setup:
There will be Qubes-specific changes you’ll need to make such as how to determine which virtual interface is associated with which AppVM and how to configure them right.
It’s not an easy task but it’s possible.
I was thinking of discussing this possibility in another post.
This is what I originally tried, but for some reason it does not work in debian-11-minimal. The openvpn test fails in this template. I assume it needs some additional package but I have no idea what.
Does anyone know? It works fine in debian-11.
Your other suggestion would be like trying to roll my own Qubes-vpn-support, which is too advanced for me.
That is an old, outdated issue.
Once upon a time, NetworkManager did not allow you to have multiple VPNs up and running at the same time… But there are no such limitations any more; it just works out of the box with a lot of different types of VPN vendors.
You should try and set up a new proxyVM using the standard and default network manager, and see how it meets your needs.
The Qubes-vpn-support is NOT just a simple VPN, and it replaces the default network manager based one for several reasons… But that is not what everybody needs, I believe.
However, I believe I need the Qubes-vpn-support. For example, “Provides a fail closed, antileak VPN tunnel environment”. I don’t think I would get this failsafe just using NetworkManager?
Users have occasionally reported openvpn being unable to perform DNS lookups for the VPN provider’s domain. This may be due to the way Qubes passes DNS requests up through various netvm layers on their way to the upstream network. Some workarounds that may improve DNS access are: 1. Populating /etc/resolv.conf with the DNS address of your physical ISP; 2. Installing the resolvconf package; 3. Enabling egress as described in the Firewall notes below.
That does sound like a possibility. But everything works flawlessly with my proxy-VM based on debian-11, so I’m not sure if there is a point to putting more time and effort.
You can configure iptables to drop the connection when not connected to a vpn, thus achieving fail-safe:
(run the following commands as root in your sys-net dvm-template if it’s disposable, or in sys-net if it’s not disposable)