ProxyVM for OpenVPN with multiple VPN configs

I’m using Qubes-vpn-support by @tasket to set up my VPN service, which happens to be ExpressVPN.

My main issue is that I need multiple configs for different locations to run simultaneously, so that I can have different VMs with IPs from different geographical locations at the same time.

I found a way that works but it is very inefficient: Basically I create a ProxyVM for each config location I want. However, each of these consumes about 500MB of RAM while running which is hardly ideal.

Is there a way to do this from a single ProxyVM?

You can use a minimal template and it’ll consume 150-200 MB RAM.
But there is a way to do this from a single VM as well. It’ll require setting up some routing, though.
I don’t have a ready-to-use guide for Qubes, but here is an example of such a setup:

There will be Qubes-specific changes you’ll need to make such as how to determine which virtual interface is associated with which AppVM and how to configure them right.
It’s not an easy task but it’s possible.

Sure, the standard network manager can handle such a situation by default.
It may, however, conflict with Qubes-vpn-support.

(And of course in this case your VPNs must not force their own default gw)

The instructions, for settings in the Services tab, explicitly say: “Do not add other network services such as Network Manager.”

So that doesn’t sound encouraging?

I was thinking of discussing this possibility in another post.

This is what I originally tried, but for some reason it does not work in debian-11-minimal. The openvpn test fails in this template. I assume it needs some additional package but I have no idea what.

Does anyone know? It works fine in debian-11.

Your other suggestion would be like trying to roll my own Qubes-vpn-support, which is too advanced for me.

Someone did make a solution with network manager:

Qubes OpenVPN using Network Manager #48 . I may try it out, though @tasket raised some objections I couldn’t fully understand.

Fails in what way? Could you be more specific?
Also, you should not run the test in the TemplateVM, but in the VPN AppVM.

I just tried with my minimal template and everything works as expected.

Please confirm you have run the following in your VPN AppVM and not in the template:

sudo openvpn --cd /rw/config/vpn --config vpn-client.conf --auth-user-pass userpassword.txt

Install qubes-core-agent-networking package.

Qubes OpenVPN using Network Manager #48 .

That is an old, outdated issue.
Once upon a time, NetworkManager did not allow you to have multiple VPNs up and running at the same time… But there is no such limitation any more; it just works out of the box with a lot of different types of VPN vendors.

You should try setting up a new ProxyVM using the standard, default network manager, and see how it meets your needs.

Qubes-vpn-support is NOT just a simple VPN, and it replaces the default network manager based one for several reasons… But that is not what everybody needs, I believe.

That is interesting about the NetworkManager.

However, I believe I need the Qubes-vpn-support. For example, “Provides a fail closed, antileak VPN tunnel environment”. I don’t think I would get this failsafe just using NetworkManager?

Yes, of course I meant I ran it in the AppVM.

OK. I deleted my debian-11-minimal and did everything all over again.

The openvpn test worked, in the AppVM, before installing Qubes-vpn-support. However, after installation, when I try the same command I get:

Screenshot_2022-06-07_15-59-06

Also the AppVM is using over 600MB of RAM even though it’s based on debian-11-minimal. So this wouldn’t solve anything even if it worked.

Yes, did that.

  • Users have occasionally reported openvpn being unable to perform DNS lookups for the VPN provider’s domain. This may be due to the way Qubes passes DNS requests up through various netvm layers on their way to the upstream network. Some workarounds that may improve DNS access are: 1. Populating /etc/resolv.conf with the DNS address of your physical ISP; 2. Installing the resolvconf package; 3. Enabling egress as described in the Firewall notes below.

GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS

My minimal template had these:

gnome-keyring
network-manager
network-manager-openvpn
network-manager-openvpn-gnome
notification-daemon
openvpn
policykit-1
qubes-core-agent-network-manager
qubes-core-agent-networking
qubes-core-agent-passwordless-root

Note that, although installed, network manager was NOT running.

That does sound like a possibility. But everything works flawlessly with my proxy-VM based on debian-11, so I’m not sure if there is a point in putting in more time and effort.

Yeah, that’s right.
However, ‘fail safe’, whatever you mean by this, is the opposite of multiple VPNs running at the same time.

You can choose the solution you need, but you can’t have both at the same time.

Maybe it’s this issue:

Qubes 4.1 - VPN over Tor netvms: ARP request does not get resolved properly · Issue #7123 · QubesOS/qubes-issues · GitHub
VPN over Tor via Proxy-VM will not connect · Issue #7261 · QubesOS/qubes-issues · GitHub

You can configure iptables to drop the connection when not connected to a vpn, thus achieving fail-safe:
(run the following commands as root in your sys-net dvm-template if it’s disposable, or in sys-net if it’s not disposable)

export fw_script="/rw/config/qubes-firewall-user-script"

echo "iptables -I FORWARD -o eth0 -j DROP" >> $fw_script
echo "iptables -I FORWARD -i eth0 -j DROP" >> $fw_script
echo "ip6tables -I FORWARD -o eth0 -j DROP" >> $fw_script
echo "ip6tables -I FORWARD -i eth0 -j DROP" >> $fw_script

chmod +x $fw_script
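
Added example, not part of the post above and not code from Qubes-vpn-support: a dry-run generator that combines the per-qube routing mentioned earlier in the thread with the fail-closed DROP rules just shown, printing the commands for review instead of running them. The qube IPs, tun device names and table ids are constructed, and it assumes each OpenVPN config pins its device with `dev tunN` and uses `route-nopull` so it does not install its own default gateway.

```shell
#!/bin/sh
# Dry run: reads "qube_ip tun_dev table_id" lines on stdin and prints the
# commands for review. It changes nothing on the system.
# Assumption: eth0 is the uplink, as in the iptables rules quoted above.
gen_vpn_policy() {
    # Blanket fail-closed rules from the post: nothing is forwarded through
    # the clear uplink, so only tunnel interfaces can carry qube traffic.
    for ipt in iptables ip6tables; do
        echo "$ipt -I FORWARD -o eth0 -j DROP"
        echo "$ipt -I FORWARD -i eth0 -j DROP"
    done
    while read -r ip dev table; do
        case "$ip" in ''|'#'*) continue ;; esac
        # Validate every field before it is placed in a command line.
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
            { echo "bad qube IP: $ip" >&2; return 1; }
        echo "$dev" | grep -Eq '^tun[0-9]+$' ||
            { echo "bad tunnel device: $dev" >&2; return 1; }
        echo "$table" | grep -Eq '^[1-9][0-9]{0,2}$' && [ "$table" -le 252 ] ||
            { echo "bad table id: $table" >&2; return 1; }
        # The qube's default route exists only in its own table, via its tunnel.
        echo "ip route replace default dev $dev table $table"
        # Traffic sourced from the qube consults that table first...
        echo "ip rule add from $ip lookup $table priority $((1000 + table))"
        # ...and is refused when the table is empty (tunnel down) instead of
        # falling through to the main table and leaving via the uplink.
        echo "ip rule add from $ip prohibit priority $((2000 + table))"
    done
}

# Constructed sample mapping: two downstream qubes, two exit locations.
SAMPLE_MAP='10.137.0.21 tun0 101
10.137.0.22 tun1 102'

printf '%s\n' "$SAMPLE_MAP" | gen_vpn_policy
```

The `prohibit` rule is what keeps a qube from silently switching to another tunnel or the clear uplink when its own VPN drops: the kernel removes the route through a downed tun device, the per-qube table comes up empty, and the next matching rule rejects the packet.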

I read the Qubes community documentation about this.

The first method is Set up a ProxyVM as a VPN gateway using NetworkManager which presumably allows multiple configs since it uses NM. I plan to try it next.

The other method Set up a ProxyVM as a VPN gateway using iptables and CLI scripts seems to be the same as Qubes-vpn-support? So it will not support multiple configs?