Qubes Mirage VPN

Everyone knows and loves Mirage Firewall. Recently, I stumbled upon a mirage OpenVPN unikernel made for Qubes which didn’t seem to get much attention from the community. Their instructions are here.

I wanted to share this find and to know if people are using it, how it went, and with which vpns.


Is there a WireGuard version? Tested for leaks?


This seems to be OpenVPN only. I wouldn’t know if it was tested as there are only five total references to this I’ve found online.

I can confirm that it only targets OpenVPN because the code to use the VPN protocol has to be written in OCaml. I tested a while ago and the tunnel can be established, and I can use it, but a bug causes the communication to break after a while. Unfortunately, this has not been deeply investigated yet due to time constraints.

To me, all client packets are transmitted through the tunnel, so there are no leaks. This could be an issue because the dns resolver needs to be modified in the clients appVM and doesn’t use Qubes’ default 10.139.1.[12]. I haven’t checked how this is handled with other vpn proposals.

I confirm the breakage after use.

I never presume to speak for the Qubes team.
When I comment in the Forum I speak for myself.


Dear @unman , I updated the unikernel to the latest release of MirageOS and so far I don’t observe the tunnel crash anymore (but this may be related to a change in my OpenVPN server, or the set of options used). Would you mind trying Update to Mirage 4.9 by palainp · Pull Request #18 · robur-coop/qubes-miragevpn · GitHub and letting me know if you’re still experiencing tunnel issues (which would indicate that certain options are leading to errors, and help correct them :slight_smile: )? If so, you can report your test in the PR or here (or both) according to your preference :slight_smile:


I tried this with ovpn configs from VPN Gate - Public Free VPN Cloud by Univ of Tsukuba, Japan
Followed the guide A MirageVPN client for QubesOS - MirageVPN - a VPN as an unikernel
but could not get it to work. Is anyone using this functionally atm?
The guide is suggesting making your own vpn server, but doesn’t seem to say that this can’t be used with any ovpn config?

For me it can’t create vif devices

Dear @James369 , I use the OpenVPN unikernel from time to time without any issue. So I tried with one ovpn config file provided at VPNGate and the unikernel fails with:

Fatal error: exception Failure("Invalid OpenVPN configuration : Error at byte offset 3465: \"cipher AES-128-CBC\\r\\nauth SHA1\\r\\n\\r\\n\\r\\n#################################################################\"")

I’ve opened an issue to understand what can be the root cause (see Fails to parse VPNGate default config file · Issue #288 · robur-coop/miragevpn · GitHub), and once fixed it should work normally.

@palainp Wow, thanks! :smiley: How kind! What a great team.

quote: Indeed, the supported ciphers of MirageVPN are: AES-256-CBC, AES-128-GCM, AES-256-GCM and CHACHA20-POLY1305. You’d need to add the AES-128-CBC case in config.ml and likely at various pattern matches where AES-256-CBC appears.
I think this is far beyond my capabilities though :confused: So I guess I will have to find other configs that work with those ciphers then. I am looking forward to getting it to work though. I really love the idea of unikernel qubes.

I have a branch that adds this cipher. But now, it complains that tls-auth is absent from config file. I still have some work to get the tunnel up, but that sounds doable :slight_smile:

Did you try to just delete the auth and cipher lines from the config file before importing, and see if those are even needed? Perhaps the server could figure it out?

Unfortunately, that won’t work.

AES-128-CBC encryption is not broken and is implemented in mirage-crypto, so I was able to write the code for parsing the configuration file without any issues.

But Reynir, from Robur, then discovered that the absence of tls-auth/tls-crypt/tls-cryptv2 in the configuration file required a new code path for unauthenticated channels (OpenVPN Wire Protocol (work in progress), see the GH issue for details) which is handled by the openvpn client, but not by the mirage implementation.

Until this is written and pushed, the best way to proceed is to find a server and configuration file that contain a tls-auth line.

You said earlier that you are using it, is that with any well known VPN providers?
It seems Proton uses cipher AES-256-GCM
https://raw.githubusercontent.com/haugene/vpn-configs-contrib/main/openvpn/protonvpn/ch.protonvpn.tcp.ovpn
Although I am unsure about how to do auth-user-pass

If used Mirage what will be or need? vm <> firewall_1 <> vpn <> firewall_2 <> net or which one? I read is sec. if vpn vm is compromised, or for what?

Dear @James369 , unfortunately I use a private OpenVPN server and not publicly available config files. My config file basically contains:

client
proto udp
explicit-exit-notify
remote X.X.X.X YY
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
auth SHA256
auth-nocache
cipher AES-128-GCM
tls-client
tls-version-min 1.2
tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256
verb 3

followed by <ca>, <cert>, <key> keys and a <tls-crypt> static key which authenticates me.

auth-user-pass appears to be a file containing your username/password on two lines. I suppose that in your case, this refers to your Proton VPN login credentials. In the miragevpn repository, there is a test file that incorporates this information instead of having to read another file:

<auth-user-pass>
testuser
testpass
</auth-user-pass>

But I haven’t tested how that can be used with mirage.
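The two blockers raised in this thread (an unsupported cipher such as AES-128-CBC, and a config with no tls-auth/tls-crypt/tls-crypt-v2 line) both surface only as a parse failure or a refused tunnel once the unikernel is running. The following added example, which is not code from the qubes-miragevpn or miragevpn projects, is a small pre-flight checker that reads an .ovpn file and reports those conditions up front. The supported cipher list and the control-channel requirement are taken from the posts above; the observation that a unikernel cannot read a separate auth-user-pass file and therefore needs the inline form is an assumption based on the test file mentioned above; both sample configs at the bottom are constructed for the example and are not real provider files.

```python
# Added example, not part of the qubes-miragevpn project: pre-flight check of an
# .ovpn file against the MirageVPN limitations discussed in this thread.
import re

# Ciphers MirageVPN supports, as quoted in the thread.
SUPPORTED_CIPHERS = {"AES-256-CBC", "AES-128-GCM", "AES-256-GCM", "CHACHA20-POLY1305"}
# Control-channel protection options; without one of these the unikernel has no
# code path (unauthenticated control channel is not implemented).
CONTROL_CHANNEL_AUTH = {"tls-auth", "tls-crypt", "tls-crypt-v2"}

INLINE_TAG = re.compile(r"<([a-z0-9-]+)>")


def parse_ovpn(text):
    """Split an OpenVPN config into plain options and inline <tag>...</tag> blocks.

    Returns (options, blocks): options is a list of (name, [args]) in file
    order; blocks maps a tag such as 'ca' or 'tls-crypt' to its body text.
    CRLF line endings and '#'/';' comment lines (as in VPNGate files) are tolerated.
    """
    options, blocks = [], {}
    current, body = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if current is not None:          # inside an inline block
            if line == f"</{current}>":
                blocks[current] = "\n".join(body)
                current, body = None, []
            else:
                body.append(line)
            continue
        if not line or line[0] in "#;":
            continue
        m = INLINE_TAG.fullmatch(line)
        if m:
            current = m.group(1)
            continue
        name, *args = line.split()
        options.append((name, args))
    if current is not None:
        raise ValueError(f"unterminated inline block <{current}>")
    return options, blocks


def check_miragevpn_compat(text):
    """Return a list of human-readable problems; an empty list means no known blocker."""
    options, blocks = parse_ovpn(text)
    names = {name for name, _ in options}
    problems = []

    for name, args in options:
        if name == "cipher" and args and args[0].upper() not in SUPPORTED_CIPHERS:
            problems.append(f"cipher {args[0]} is not in MirageVPN's supported set")

    # tls-auth/tls-crypt may appear as an option with a file path or as an inline block.
    if not (names | set(blocks)) & CONTROL_CHANNEL_AUTH:
        problems.append("no tls-auth/tls-crypt/tls-crypt-v2 line: the unauthenticated "
                        "control channel is not implemented in MirageVPN")

    # Assumption: the unikernel has no file to read credentials from, so an
    # auth-user-pass pointing at an external file needs the inline block form.
    for name, args in options:
        if name == "auth-user-pass" and args:
            problems.append(f"auth-user-pass references external file {args[0]}; "
                            "use an inline <auth-user-pass> block instead")
    return problems


# Constructed sample resembling the failing VPNGate file: CRLF, comments,
# AES-128-CBC, no control-channel authentication.
SAMPLE_LIKE_VPNGATE = "\r\n".join([
    "client", "dev tun", "proto tcp", "remote vpn.example.invalid 443",
    "cipher AES-128-CBC", "auth SHA1", "", "",
    "#################################################",
    "<ca>", "-----BEGIN CERTIFICATE-----", "MIIBplaceholderNotARealCert",
    "-----END CERTIFICATE-----", "</ca>", "",
])

# Constructed sample resembling the working config shown above (keys elided).
SAMPLE_LIKE_THREAD = "\n".join([
    "client", "proto udp", "explicit-exit-notify", "remote X.X.X.X YY", "dev tun",
    "resolv-retry infinite", "nobind", "persist-key", "persist-tun",
    "remote-cert-tls server", "auth SHA256", "auth-nocache", "cipher AES-128-GCM",
    "tls-client", "tls-version-min 1.2",
    "tls-cipher TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256", "verb 3",
    "<tls-crypt>", "-----BEGIN OpenVPN Static key V1-----", "00placeholder00",
    "-----END OpenVPN Static key V1-----", "</tls-crypt>",
])

if __name__ == "__main__":
    for label, cfg in (("vpngate-like", SAMPLE_LIKE_VPNGATE), ("thread-like", SAMPLE_LIKE_THREAD)):
        print(label, check_miragevpn_compat(cfg) or "no known blocker")
```

Run it on your own .ovpn by passing the file contents to check_miragevpn_compat; the VPNGate-like sample reports both the cipher and the missing tls-auth/tls-crypt, while the config shape posted above reports nothing, which matches what was observed in the thread.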