PSA: using a VPN under Qubes for Dummies

Sven · May 26, 2021, 7:34pm

Installing a VPN can be difficult, the mailing list and forum are full
of examples. Hence my advice:

pick a provider that offers OpenVPN
follow these instructions:
GitHub - QubesOS-contrib/qubes-tunnel: Integration of vpn tunnels for Qubes OS
be done with it

I don’t mean to imply anything about OpenVPN/Wireguard, various scripts
etc. This post is meant to safe the so-called “non-technical” user or
the one that has other stuff to do but needs a VPN qube NOW a lot of
time an nerves. The above works.

icequbes1 · May 27, 2021, 4:33pm

I also second this PSA.

I’ve used qubes-tunnel with OpenVPN and WireGuard servers that I control and qubes-tunnel is the simplest way to “VPN” on Qubes.

Unfortunately QubesOS-contrib does not get much attention.

51lieal · May 27, 2021, 5:27pm

I think sys-work will do for production then add network manager so they can connect to work vpn. Lastly, write a good doc for how to blacklist all ip except the one or some ip in the vpn or script to automatically adding firewall when connected to ovpn.

I like qube security, anonimity is another thing.

anon93834559 · October 22, 2021, 1:26am

Is this recommended because it makes more use of the GUI?

Also, would this achieve ‘fail close’ should VPN fail? Or does this setup leak?

Sven · October 22, 2021, 5:40pm

It doesn’t. I recommended it back then because I just needed something to work without spending days researching and this one did the trick.

Meanwhile I have become acquainted with an even simpler and better method based on the NetworkManager.

create a VPN qube
use NetworkManager to setup the OpenVPN connection
set the firewall rules of the VPN qube such that it can only connect to the VPN server(s) and nothing else

This works without any scripts and if the VPN connection fails/dies the Qubes firewall makes sure no other traffic is possible (sine the respective VPN qube can only connect to the VPN server).

And yes… you can do this entirely in the GUI and you have visual feedback. For bonus points you can add a simple script to automatically connect / reconnect.

See this post by Micah Lee for details.

anon93834559 · October 23, 2021, 10:05am

Okay thank you. This is probably exactly what I need for right now. I’m sure I’ll become more acquainted like you are with firewall and and openvpn from terminal as I too continue my journey

carlito · October 24, 2021, 7:35am

Hi and thanks, ok I’m dummies but I didn’t think so much! Let’s assume that I have never installed a vpn in a linux environment! I follow this guide after several searches!
1 - install the debian-11 minimal template, update and clone it
2- in the clone where I open the terminal from qvm because I prefer not to have it passwordless, I add the qubes-contrib repo that have the expired key and make me waste hours to solve it but that’s another story …
3 I install the packages qubes-tunnel suggested in the guide, I create the vm and go to the services to add qubes-tunnel and there is no qubes-tunnel service to be activated in the machine, duoble check if it is installed yes it is … . stop … hours of research nothing … in the meantime my eyes burn because I have set Xft.dpi: 144 in x11-common of the template and but the characters are very small and I do not see anything, besides a problem of keyboard localization, which does not make me use the # character having accidentally activated the testing security repository precisely because I could not see it, my keyboard is not us however I know that on key three with shift it should exit but instead it inserts a space … oh well I will leave the security testing active
In any case, a happy Sunday everyone!

EDIT: systemctl list-unit-files give me the list of services enabled and qubes-tunnel.service is enabled enabled…ok good
i assume this ok an something about the services on qubes manager
must be added to create / recreate the list that I am not aware of

0xxf0 · October 24, 2021, 9:52am

Not working with ipv6 or something other than default vpn/wg config which is blocked everywhere

carlito · October 24, 2021, 12:49pm

The only way i find to get it working was using fedora template and network manager as described on post https://forum.qubes-os.org/t/psa-using-a-vpn-under-qubes-for-dummies/4244/5?u=carlito thanks to @Sven that share it
and work great . I will have set up it whit a minimal template, maybe some packet was missing…

unman · October 24, 2021, 1:55pm

Hi and thanks, ok I’m dummies but I didn’t think so much! Let’s assume that I have never installed a vpn in a linux environment! I follow this guide after several searches!
1 - install the debian-11 minimal template, update and clone it
2- in the clone where I open the terminal from qvm because I prefer not to have it passwordless, I add the qubes-contrib repo that have the expired key and make me waste hours to solve it but that’s another story …
3 I install the packages qubes-tunnel suggested in the guide, I create the vm and go to the services to add qubes-tunnel and there is no qubes-tunnel service to be activated in the machine, duoble check if it is installed yes it is … . stop … hours of research nothing … in the meantime my eyes burn because I have set Xft.dpi: 144 in x11-common of the template and but the characters are very small and I do not see anything, besides a problem of keyboard localization, which does not make me use the # character having accidentally activated the testing security repository precisely because I could not see it, my keyboard is not us however I know that on key three with shift it should exit but instead it inserts a space … oh well I will leave the security testing active
In any case, a happy Sunday everyone!

Sven’s suggestion was to use the native capacity in Network Manager -
not to use the qubes-tunnel at all.
You may find this much easier , given your other issues.

carlito · October 24, 2021, 2:33pm

Got it
i installed it whit network manager
However what other issue can give me ?
and how to do on minimal deb-11 ?

thanks

unman · October 24, 2021, 3:22pm

For a minimal template you will need to read this page

Many problems that people have in Qubes are actually not Qubes specific.
Using a VPN in Network Manager is one of those.
The only Qubes specific part is that you have to do this in the template.

For Debian you will want to install an additional package, relevant to
your VPN. For example network-manager-fortisslvpn for Fortinet VPN,
network-manager-openvpn for OpenVPN. There are Gnome versions of these

e.g. network-manager-openvpn-gnome

Dreadloc · October 24, 2021, 4:09pm

I personally couldn’t get qubes-tunnel working for protonvpn but I found the following instructions very helpful.

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md#set-up-a-proxyvm-as-a-vpn-gateway-using-iptables-and-cli-scripts


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

The second set under Set up a ProxyVM as a VPN gateway using iptables and CLI scripts was a cleaner solution to me. I’m using a fedora 34 template.

carlito · October 24, 2021, 4:44pm

For a minimal template you will need to read this page

Many problems that people have in Qubes are actually not Qubes specific.
Using a VPN in Network Manager is one of those.
The only Qubes specific part is that you have to do this in the template.

For Debian you will want to install an additional package, relevant to
your VPN. For example network-manager-fortisslvpn for Fortinet VPN,
network-manager-openvpn for OpenVPN. There are Gnome versions of these

e.g. network-manager-openvpn-gnome

The page you linked return 404 right now , anyway i have already read the minimal guide doc.
journalctl grepin qubes* network-manager and openv-vpn was enabled enabled i haven’t try to install network-manager-opnevpn-gnome i also don’t have any graphical server…
maybe is firewall related or certificate

carlito · October 24, 2021, 4:47pm

your response actually scared me… you know why ?

Dreadloc · October 24, 2021, 10:25pm

Not at all enlighten me?

carlito · October 24, 2021, 10:32pm

Not at all enlighten me?

i was setting protonvpn but i did’t mention it!

Dreadloc · October 24, 2021, 10:36pm

=0 haha well there you go. Nice to know there are multiple ways to skin this cat.

carlito · October 24, 2021, 10:47pm

the guide you posted was very useful, as well as interesting,
don’t know about the ways to skin cat -.- i think is a proverb from your location maybe ? to say various method to make thinks ?
thanks!

Dreadloc · October 25, 2021, 12:28am

No problem, glad I could help.

Yes, it’s an english saying! It means there are multiple ways to solve a problem.