PSA: using a VPN under Qubes for Dummies

carlito · October 25, 2021, 7:12am

i have look a this config file and at the handler, i don’t like how credential are managed,
passing a path for a plein txt , i don’t know if openvpn can make use of more secure tool to call the credential… Network manager is better on this aspect

Dreadloc · May 7, 2022, 9:42pm

Apologies for the late response. I agree it seems like a clear vuln here. Do you have any suggestions? Maybe password securing the file and making it read and write only to user and no access to all other users might be a start?

fsflover · May 25, 2022, 7:47pm

Moved to User Support / Guides

Emily · July 24, 2022, 7:04pm

Thanks for the link.

In that guide he’s using mulivad. He’s calling the service in the script using:

nmcli con up mullvad_ca

Anyone know what I would replace that command with with if I was using ProtonVPN?

renehoj · July 24, 2022, 7:21pm

I have used ProtonVPN with nmcli it works if you download the ovpn config file and add it using network manager taskbar icon. If you call the connection proton, you can use ‘nmcli con up id proton’ to select the connection.

Both the protonvpn and protonvpn-cli clients work out of the box, I think they are easier to use, and it makes it much easier to select a specific server or use random servers. If you use nmcli you need to download a new ovpn config file every time you want to change vpn server.

Emily · July 25, 2022, 10:47am

I’m looking to get the auto-connect functionality every time the VM loads, and/or every time the vpn connect drops. Is there away to auto-connect using the CLI or GUI using bash?

renehoj · July 25, 2022, 11:22am

The way I autostart protonvpn-cli is by using a .desktop shortcut in /home/user/.config/autostart, it automatically connects the vpn when the sys-vpn qube starts.

I tried to use systemd or rc.local, but it was given me some issues because the cli client needs access to the gnome keyring using dbus, I got it working by making a delay that waits for dbus to be ready, but the desktop shortcut just seems like an easier way to get the same result.

Both protonvpn and protonvpn-cli are just frontends for network manager, it’s very rarely I get disconnected, but if it happens I just use the nm taskbar icon to manually reconnect. You probably can make a script that does it automatically, it’s only during boot that protonvpn-cli is a little tricky to use.

Emily · July 25, 2022, 11:22am

Will this work for DNS leaks? Or will those route around the firewall?

Emily · July 25, 2022, 4:40pm

I’m having a bit of trouble getting the GUI/CLI to work in 4.1. Are you on 4.0 or 4.1?

renehoj · July 25, 2022, 4:58pm

I’m using 4.1 with the debian 11 template

I did install network-manager-openvpn and network-manager-openvpn-gnome I’m not sure if they are needed.

I used this guide to install the vpn qube

github.com

Qubes-Community/Contents/blob/master/docs/configuration/vpn.md


How To make a VPN Gateway in Qubes
==================================

<div class="alert alert-info" role="alert">
  <i class="fa fa-info-circle"></i>
  <b>Note:</b> If you seek to enhance your privacy, you may also wish to consider <a href="/doc/whonix/">Whonix</a>.
  You should also be aware of <a href="https://www.whonix.org/wiki/Tunnels/Introduction">the potential risks of VPNs</a>.
</div>

Although setting up a VPN connection is not by itself Qubes specific, Qubes includes a number of tools that can make the client-side setup of your VPN more versatile and secure. This document is a Qubes-specific outline for choosing the type of VM to use, and shows how to prepare a ProxyVM for either NetworkManager or a set of fail-safe VPN scripts.

Please refer to your guest OS and VPN service documentation when considering the specific steps and parameters for your connection(s); The relevant documentation for the Qubes default guest OS (Fedora) is [Establishing a VPN Connection.](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

### NetVM

The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:

- You have to place (and probably save) your VPN credentials inside the NetVM, which is directly connected to the outside world
- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

This file has been truncated. show original

And I used this guide to install protonvpn client

Emily · July 25, 2022, 6:08pm

Were you able to get a Whonix → ProtonVPN to work?

renehoj · July 25, 2022, 6:13pm

I haven’t tried, but I assume you can change the netvm for sys-whonix to sys-vpn

Emily · July 25, 2022, 6:30pm

Its likely Proton is blocking Tor exit nodes. I couldn’t get it to connect using whonix. Proton->Tor config works though.

renehoj · July 25, 2022, 6:46pm

I just tried to switch sys-whonix from sys-firewall to sys-vpn, it works for me. anon-whoinx uses sys-whonix, and it connects without any issues, tor check confirmed I’m using a tor exit node.

I’m using a paid protonvpn subscription, don’t know if that could make a difference.

Username001 · July 25, 2022, 9:44pm

Hello guys I tried to install mullvad with tasket VPN support but it fails connecting. Is there any tutorial for mullvad and tasket VPN Support, I used proton before and it worked without problems, I did all the same things with mullvad but it doesnt work. Im not on my computer right now so I cant give details. @tasket

wahcha · May 11, 2023, 6:43pm

I think there’s a bug regarding openvpn in recent versions of NetworkManger on Fedora. I’ve had to use OpenVPN client from the command line as a workaround for now.

There are a couple writeups about it on the fedora forums. Here’s a link to one of them: