[qubes-users] What's the best way to run a VPN app on Qubes?

Hello,

ATM I’m using standard Fedora qubes with NetworkManager enabled and OpenVPN in order to connect to a VPN. I’d like to switch to the VPN’s own full-fledged program to use features such as easy switching between exit servers and killswitch. I’ve previously used exclusively OpenVPN, but on Qubes, stuck in its own qube, I guess there isn’t really anything the VPN’s program can spy (other than traffic obv), and I reasonably trust this particular service.

The app comes as .deb/.rpm or, mercifully, source code. I’ve tried installing the .rpm but naturally I’d have to either do it on each restart, do it in the main Fedora template (which could compromise it), or do it in its own TemplateVM which would take up another 5 GB. Bind-dirs looks like an option but I’m not sure which files the .rpm install changes, and it looks like an update could easily break it.

Is there anything I’m missing? Looks like I’ll have to either waste another 5GB space on a new template for a single program (and run updates for that template regularly), or have to compile it from source, possibly every time there’s an update for the VPN program (not looking forward to that hehe). I’m thinking there has to be a better way…


The things you may be missing here:

1. It's more secure to have a 'sys-vpn' VM dedicated to the VPN client.

2. Service provider apps generally don't work or don't secure a dedicated VM properly. They assume a PC network architecture while a Qubes proxy VM is more like a router.

From a security standpoint the best way is probably Qubes-vpn-support (see my GitHub link below). But it doesn't have easy GUI switching between servers; you would have to 'cp' the config for the new server then 'systemctl restart' the service to switch.

It's possible to set up Network Manager in a dedicated VPN VM including added anti-leak firewall rules. See the Qubes vpn doc for details.
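
The 'cp' then 'systemctl restart' server switch mentioned in the reply above, sketched as an added example (not code from this thread or from Qubes-vpn-support). The directory layout, file names and unit name are assumptions exposed as variables; set them to match the installed setup.

```shell
#!/bin/sh
# Added example: switch a VPN qube to another server config, with rollback.
# Assumptions (not from the thread): per-server configs live in
# $VPN_DIR/servers/<name>.conf and the client reads $VPN_DIR/$ACTIVE_CONF.
VPN_DIR="${VPN_DIR:-/rw/config/vpn}"              # assumed config directory
ACTIVE_CONF="${ACTIVE_CONF:-vpn-client.conf}"     # assumed active config name
VPN_SERVICE="${VPN_SERVICE:-PLACEHOLDER.service}" # placeholder unit name

# Restart hook; kept separate so it can be replaced when no systemd is present.
restart_vpn() { systemctl restart "$VPN_SERVICE"; }

switch_vpn_server() {
    local name="$1"
    local src="$VPN_DIR/servers/$name.conf"
    local active="$VPN_DIR/$ACTIVE_CONF"
    local tmp

    # Accept only plain names so the argument cannot point outside VPN_DIR.
    case "$name" in
        ''|.*|*[!A-Za-z0-9._-]*) echo "invalid server name" >&2; return 2 ;;
    esac
    [ -r "$src" ] || { echo "no config for $name" >&2; return 3; }

    # Keep the currently working config so a failed restart can be undone.
    [ -f "$active" ] && cp -p -- "$active" "$active.prev"

    # Write to a temp file in the same directory, then rename over the
    # active config, so the service never reads a half-written file.
    tmp="$(mktemp "$VPN_DIR/.switch.XXXXXX")" || return 4
    cp -- "$src" "$tmp" && mv -f -- "$tmp" "$active" || {
        rm -f -- "$tmp"; return 4; }

    if ! restart_vpn; then
        echo "restart failed, restoring previous config" >&2
        if [ -f "$active.prev" ]; then
            mv -f -- "$active.prev" "$active"
            restart_vpn || echo "restart with previous config failed" >&2
        fi
        return 5
    fi
}

# Direct use inside the VPN qube, as root: ./switch-vpn.sh <server-name>
if [ "$#" -gt 0 ]; then
    switch_vpn_server "$1"
fi
```

While the service restarts there is no tunnel, so the anti-leak firewall rules referred to above are what keep downstream qubes from reaching the network directly during a switch.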