I don’t post on forums so I’m sorry if I format something incorrectly
As per the title, I am attempting to set up Mullvad as a system service (if that’s the right way to put it) where I can set it as the networking qube for other qubes and they route all their traffic through Mullvad (AppQube → sys-Mullvad → sys-firewall → sys-net → world wide web).
I tried following the Mullvad documentation and got very close (sys-mullvad launches on start and connects to the designated Mullvad server), but it does not act as a networking qube (even though the option is toggled).
The steps I took:
created the qube sys-Mullvad based on the Fedora 42 template
enabled option to act as network Qube whose net Qube is sys-firewall
downloaded WireGuard in my Fedora qube
configured WireGuard with the Mullvad .conf file so on launch the qube connects to the Mullvad server (in the sys-Mullvad qube) (as per the official documentation)
did NOT configure any iptables (I’m on 4.3)
configured firewall to only allow udp/tcp traffic to said mullvad server
current issue:
The sys-Mullvad qube behaves seemingly exactly as desired: it boots on start and auto-connects to Mullvad. But it does not work as a network qube (qubes that select sys-Mullvad are totally unable to access the internet).
I’m wondering if there is any more current documentation on this sort of setup; changing the MTU on the AppQube doesn’t solve the issue.
sudo nft list chain ip qubes dnat-dns in my sys-Mullvad qube returns the list of my DNS redirection rules, which go as follows:
ip daddr 10.139.1.1 udp port 53 dport 53 dnat to 10.139.1.1
ip daddr 10.139.1.1 tcp port 53 dport 53 dnat to 10.139.1.1
ip daddr 10.139.1.2 udp port 53 dport 53 dnat to 10.139.1.2
ip daddr 10.139.1.2 tcp port 53 dport 53 dnat to 10.139.1.2
which doesn’t really seem right to me, but I’m not good with Linux networking; it just seems that it’s routing all traffic to itself?
If anyone could provide insight that would be appreciated very much
If it helps, I provide a Mullvad package that creates a sys-mullvad qube ready to use. (It also loads disposables for use with Mullvad and the Mullvad Browser.) You can get the package here.
Source is on GitHub and although that is salted, you can see the method used. update_dns.nft flushes the current chain and provides rules that redirect DNS traffic to the Mullvad resolver.
That is for using the Mullvad app, but the principle will be the same.
You are trying to set up a WireGuard connection, which is somewhat more complicated than using the GUI. The steps you have taken are fine, but you absolutely have to change the firewall settings - not iptables, but nftables.
You’re right that the dnat-dns chain needs to be rewritten, and also you have to redirect traffic from the downstream qubes to WireGuard, block forwarding, and so on. This is not easy for someone unused to networking and nftables.
Note on the dnat-dns chain - the effect of this is to capture all traffic to the set Qubes addresses and use dnat to forward them up the networking chain. At sys-net, traffic which arrives for these IP addresses is rewritten to go to the DNS resolver used by sys-net.
I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.
Thank you for the response! I am relatively new to Linux, so I’m still learning how the networking works. I’ve worked semi-extensively with networks, so I am very comfortable with the basics and can comprehend the more difficult concepts. I’ll do some more work on this with your advice in mind. When I figure out a more proper solution I’ll update the post with my process. Thank you!
Hello all, I have found a proper solution to routing Qube traffic through a Mullvad Qube. Some of the instructions are from the official Mullvad guide except their guide leads to an empty nftable with no instructions to properly route traffic. I would also like to mention Switch to Linux’s guide on how to route Qube traffic through a VPN for basically being the solution to the nftable problem. This guide is essentially the Mullvad and Switch to Linux guides stitched together.
Creating the VPN Qube
1. Navigate to Qubes app menu > Qubes tools > Qube manager
2. Click New qube
3. Qube type is Application
4. Name the qube; for this example I will name mine sys-mullvad
5. Toggle on: Launch Qube Settings after creation
6. Select the Fedora template, it has to be Fedora
7. For Network select Custom: sys-firewall. This is because if you leave it on Default: sys-firewall and your default changes, this qube could misbehave
8. Under Advanced options, toggle on: Provides network access to other Qubes
9. Create the qube but don’t start it; in the settings of this qube, toggle on: Start Qube automatically on boot
10. Still in the settings, navigate to the Services tab, drop-down menu: network-manager, add: network-manager, toggle on: network-manager, Apply
Downloading WireGuard
1. Navigate to Qubes app menu > Template > fedora-42-xfce (your Fedora may be another version; select your Fedora template) and open an xfce terminal
2. In the Fedora terminal run sudo dnf update, then sudo dnf install wireguard-tools -y
3. In Qube manager, restart and then shut down the Fedora template qube
Acquiring Mullvad config files
1. Open a personal qube (or disposable), launch your Firefox browser, then navigate to the Mullvad configuration generator
2. At this point you must have a Mullvad account; log into your account and select the following options
3. Platform: Linux; Generate key; Select one or multiple exit locations: All countries, all cities, all servers; download zip archive (we will pull the specific server you desire from the generated file)
4. Open the file manager for the qube containing the downloaded file, navigate to /home/user/Downloads/, right-click the .zip and move it to the sys-mullvad qube
5. Open the file manager for the sys-mullvad qube, navigate to /home/user/QubesIncoming/YOUR_FOLDER and extract the moved .zip to /home/user/
6. Navigate to /home/user/mullvad_wireguard* and take notice we have the configuration file for every server available
7. Filter for your country of choice; for the example I will choose Sweden
8. Decide on your server; I will be using se-got-wg-001
9. Make note of the server’s IPv4 address in the drop-down menu
Configuring your server
1. Notice in the top right corner of your Qubes OS menu bar the double-computer icon symbolizing sys-mullvad’s network-manager service (if you have a hard time finding it, restart the sys-mullvad qube and watch the pop-up notifications; if you are not seeing the network manager, ensure it is added as we did in step 10 of the Creating the VPN Qube instructions)
2. Right-click the sys-mullvad network manager, navigate to VPN Connections, Add a VPN connection…
3. In the Choose a VPN Connection Type menu, scroll down to the very bottom and click Import a saved VPN configuration… (if you do not see the option it could be cut off by the bottom of your screen; try clicking the option under Cisco Compatible VPN (vpnc), as it should be the import option)
4. Press Create; it should open your file manager. Navigate to /home/user/mullvad_wireguard*
5. Looking at the Mullvad server list, decide which server you want. I will be using se-got-wg-001.conf, as this is Mullvad’s Swedish server.
6. Select your server .conf file and press Open; it should populate the VPN configurer. Hit Save
Finishing steps, firewall, and closing notes
1. Launch the sys-mullvad terminal and type sudo wg, and ensure you see your interface and peer. If nothing shows up, go back to the network manager in the top right corner and make sure the VPN config is loaded and toggled on
2. Navigate to the Qube manager and open the settings for any qube you want connected to the VPN; for Net qube select sys-mullvad and hit Apply (if you are unable to access the internet after this step, set the Net qube back to sys-firewall and ensure you were able to access it in the first place)
3. In the settings of your sys-mullvad qube, navigate to Firewall rules, toggle on: Limit outgoing connections to …, press Add and input the IPv4 address listed either in your sudo wg endpoint address or the one on Mullvad’s website under your server of choice (it’s the same IP)
4. Toggle on: Any and hit OK, then Apply
5. This will ensure all layer 4 traffic will not route to the internet unless connected to the VPN, so you won’t end up like Hector Monsegur
Some important side notes: the VPN should come up automatically when the sys-mullvad qube is (re)started.
If you decide you want to add a new server in sys-mullvad by adding another config file, you need to toggle off “automatically connect with priority” in the network manager’s custom VPN menu which we access during step 6 of Configuring your server. You can left-click sys-mullvad’s network manager, go to Edit VPN connections, drop down WireGuard, select the VPN you want to disable/enable automatic connection for, press the gear icon, and navigate to the “General” tab where our automatic priority option resides.
If you decide to add another new server in sys-mullvad, you will also need to redo steps 1-5 in Finishing steps to allow traffic going to the new VPN server.
I hope this guide helps at least one person, I had a surprisingly difficult time figuring out how to configure this specific setup but it could be (probably is) a skill issue on my part. If anyone has any questions or issues please engage with the post I will try to help whenever possible.
I was able to figure out how to correctly populate the nftable without having to issue any nft commands, thank you for your guidance, it led me in the right direction!
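An added example, not code from the thread, from unman's package, or from the guide above: a POSIX shell script that reads a Mullvad WireGuard .conf (a constructed sample is embedded) and prints two things. First, the dom0 qvm-firewall commands equivalent to the "Limit outgoing connections to …" step in the guide (accept only the WireGuard endpoint, drop everything else). Second, the in-qube nft commands unman described: flush dnat-dns and point the downstream DNS addresses at the tunnel's resolver, and drop forwarded traffic that would leave through the uplink instead of the tunnel. Assumptions, labelled in the code: the sample values (198.51.100.7 as the endpoint, 10.64.0.1 as the resolver on the DNS line), the qvm-firewall key=value syntax, the uplink interface name eth0, and the Qubes 4.2+ ip qubes table with dnat-dns and custom-forward chains. The script only prints commands; it does not run anything against dom0 or the qube.

```shell
#!/bin/sh
# Added example (not from the thread): derive the dom0 firewall commands and the
# in-qube nft commands from a Mullvad WireGuard .conf. Commands are printed for
# review, never executed here.

# Constructed sample in the layout of a Mullvad WireGuard .conf. Keys, tunnel
# address and endpoint are placeholders, not real Mullvad data. The DNS line
# uses 10.64.0.1 (assumed to match the resolver Mullvad's configs list).
SAMPLE_CONF='[Interface]
PrivateKey = REDACTED_PRIVATE_KEY
Address = 10.66.0.2/32
DNS = 10.64.0.1

[Peer]
PublicKey = REDACTED_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 198.51.100.7:51820'

# conf_get KEY: value of the first "KEY = value" line read from stdin.
conf_get() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1 | tr -d '\r'
}

# endpoint_ip: host part of the Peer Endpoint ("host:port", IPv4 only).
endpoint_ip() {
    conf_get Endpoint | sed 's/:[0-9]*$//'
}

# dom0_firewall_cmds QUBE IP: accept only the WireGuard endpoint, then drop.
# Same effect as the GUI "Limit outgoing connections" + "Any" steps.
# qvm-firewall key=value syntax is assumed from Qubes 4.x `qvm-firewall --help`.
dom0_firewall_cmds() {
    printf 'qvm-firewall %s add accept dsthost=%s\n' "$1" "$2"
    printf 'qvm-firewall %s add drop\n' "$1"
}

# qube_nft_cmds RESOLVER UPLINK_IFACE [DNS_ADDR ...]: commands to run inside the
# VPN qube. DNS_ADDR are the resolver addresses the qube hands to downstream
# qubes; defaults are the 10.139.1.1/.2 seen in the thread's dnat-dns output.
# Chain names dnat-dns and custom-forward (Qubes 4.2+ "ip qubes" table) assumed.
qube_nft_cmds() {
    resolver=$1; uplink=$2; shift 2
    [ $# -gt 0 ] || set -- 10.139.1.1 10.139.1.2
    echo 'nft flush chain ip qubes dnat-dns'
    for addr in "$@"; do
        echo "nft add rule ip qubes dnat-dns ip daddr $addr udp dport 53 dnat to $resolver"
        echo "nft add rule ip qubes dnat-dns ip daddr $addr tcp dport 53 dnat to $resolver"
    done
    # Kill switch for forwarded traffic: downstream qubes may only exit via the
    # tunnel. The qube's own WireGuard handshake is locally originated (output,
    # not forward), so this rule does not break the tunnel itself.
    echo "nft insert rule ip qubes custom-forward oifname \"$uplink\" counter drop"
}

ep=$(printf '%s\n' "$SAMPLE_CONF" | endpoint_ip)
dns=$(printf '%s\n' "$SAMPLE_CONF" | conf_get DNS)
echo "# run in dom0:";        dom0_firewall_cmds sys-mullvad "$ep"
echo "# run in sys-mullvad:"; qube_nft_cmds "$dns" eth0
```

Two caveats for anyone applying the printed nft part. Qubes regenerates the dnat-dns chain from the uplink's resolvers when the uplink's DNS changes, so the rewrite has to be reapplied after such events (a NetworkManager dispatcher script, or a hook like the update_dns.nft unman mentions, is the usual place). And when the .conf is imported through NetworkManager, the tunnel interface takes the connection's name rather than wg0, so any rule that names the tunnel interface must use that name. The dom0 rule could be narrowed from "Any" to proto=udp dstports=51820 since WireGuard only speaks UDP on the endpoint port, at the cost of redoing it if you switch to a server on another port.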