PSA: using a VPN under Qubes for Dummies

Installing a VPN can be difficult, the mailing list and forum are full
of examples. Hence my advice:

  1. pick a provider that offers OpenVPN
  2. follow these instructions:
    GitHub - QubesOS-contrib/qubes-tunnel: Integration of vpn tunnels for Qubes OS
  3. be done with it

I don’t mean to imply anything about OpenVPN/Wireguard, various scripts
etc. This post is meant to safe the so-called “non-technical” user or
the one that has other stuff to do but needs a VPN qube NOW a lot of
time an nerves. The above works.

4 Likes

I also second this PSA.

I’ve used qubes-tunnel with OpenVPN and WireGuard servers that I control and qubes-tunnel is the simplest way to “VPN” on Qubes.

Unfortunately QubesOS-contrib does not get much attention.

I think sys-work will do for production then add network manager so they can connect to work vpn. Lastly, write a good doc for how to blacklist all ip except the one or some ip in the vpn or script to automatically adding firewall when connected to ovpn.

I like qube security, anonimity is another thing.

Is this recommended because it makes more use of the GUI?

Also, would this achieve ‘fail close’ should VPN fail? Or does this setup leak?

It doesn’t. I recommended it back then because I just needed something to work without spending days researching and this one did the trick.

Meanwhile I have become acquainted with an even simpler and better method based on the NetworkManager.

  1. create a VPN qube
  2. use NetworkManager to setup the OpenVPN connection
  3. set the firewall rules of the VPN qube such that it can only connect to the VPN server(s) and nothing else

This works without any scripts and if the VPN connection fails/dies the Qubes firewall makes sure no other traffic is possible (sine the respective VPN qube can only connect to the VPN server).

And yes… you can do this entirely in the GUI and you have visual feedback. For bonus points you can add a simple script to automatically connect / reconnect.

See this post by Micah Lee for details.

2 Likes

Okay thank you. This is probably exactly what I need for right now. I’m sure I’ll become more acquainted like you are with firewall and and openvpn from terminal as I too continue my journey :wink:

1 Like

Hi and thanks, ok I’m dummies but I didn’t think so much! Let’s assume that I have never installed a vpn in a linux environment! I follow this guide after several searches!
1 - install the debian-11 minimal template, update and clone it
2- in the clone where I open the terminal from qvm because I prefer not to have it passwordless, I add the qubes-contrib repo that have the expired key and make me waste hours to solve it but that’s another story …
3 I install the packages qubes-tunnel suggested in the guide, I create the vm and go to the services to add qubes-tunnel and there is no qubes-tunnel service to be activated in the machine, duoble check if it is installed yes it is … . stop … hours of research nothing … in the meantime my eyes burn because I have set Xft.dpi: 144 in x11-common of the template and but the characters are very small and I do not see anything, besides a problem of keyboard localization, which does not make me use the # character having accidentally activated the testing security repository precisely because I could not see it, my keyboard is not us however I know that on key three with shift it should exit but instead it inserts a space … oh well I will leave the security testing active
In any case, a happy Sunday everyone!

EDIT: systemctl list-unit-files give me the list of services enabled and qubes-tunnel.service is enabled enabled…ok good
i assume this ok an something about the services on qubes manager
must be added to create / recreate the list that I am not aware of

Not working with ipv6 or something other than default vpn/wg config which is blocked everywhere

The only way i find to get it working was using fedora template and network manager as described on post https://forum.qubes-os.org/t/psa-using-a-vpn-under-qubes-for-dummies/4244/5?u=carlito thanks to @Sven that share it
and work great . I will have set up it whit a minimal template, maybe some packet was missing…

Sven’s suggestion was to use the native capacity in Network Manager -
not to use the qubes-tunnel at all.
You may find this much easier , given your other issues.

Got it
i installed it whit network manager
However what other issue can give me ?
and how to do on minimal deb-11 ?

thanks

For a minimal template you will need to read this page

Many problems that people have in Qubes are actually not Qubes specific.
Using a VPN in Network Manager is one of those.
The only Qubes specific part is that you have to do this in the template.

For Debian you will want to install an additional package, relevant to
your VPN. For example network-manager-fortisslvpn for Fortinet VPN,
network-manager-openvpn for OpenVPN. There are Gnome versions of these

  • e.g. network-manager-openvpn-gnome

I personally couldn’t get qubes-tunnel working for protonvpn but I found the following instructions very helpful.

The second set under Set up a ProxyVM as a VPN gateway using iptables and CLI scripts was a cleaner solution to me. I’m using a fedora 34 template.

For a minimal template you will need to read this page

Many problems that people have in Qubes are actually not Qubes specific.
Using a VPN in Network Manager is one of those.
The only Qubes specific part is that you have to do this in the template.

For Debian you will want to install an additional package, relevant to
your VPN. For example network-manager-fortisslvpn for Fortinet VPN,
network-manager-openvpn for OpenVPN. There are Gnome versions of these

  • e.g. network-manager-openvpn-gnome

The page you linked return 404 right now , anyway i have already read the minimal guide doc.
journalctl grepin qubes* network-manager and openv-vpn was enabled enabled i haven’t try to install network-manager-opnevpn-gnome i also don’t have any graphical server…
maybe is firewall related or certificate

your response actually scared me… you know why ?

Not at all enlighten me?

Not at all enlighten me?

i was setting protonvpn but i did’t mention it!

1 Like

=0 haha well there you go. Nice to know there are multiple ways to skin this cat.

the guide you posted was very useful, as well as interesting,
don’t know about the ways to skin cat -.- i think is a proverb from your location maybe ? to say various method to make thinks ?
thanks!

1 Like

No problem, glad I could help.

Yes, it’s an english saying! It means there are multiple ways to solve a problem.