I followed instructions about making a sys-vpn qube where it suggested making an app VM. But the app vm does not persist when packages are installed (‘command not found’). Same thing with Standalone. Then I tried to add networking to a new Template, but I got the warning about exposing Dom. So what is going on? What is the safe way to persist a vm with networking? Thanks!
Install the software in the template VM the the sys-vpn is based on if your goal is to have changes persist through the root directory.
If you changes are in the home directory, and you also have a disposable sys-vpn, then you need to make changes in the App VM the sys-vpn is based on.
FYI this is a FAQ and addressed in the documentation. Its linked all over the forum take a look through.
Good luck!
1 Like
Yes I am aware. I’ve actually been attacked in the wild when I bypassed the warning which then disabled the entire OS.
So why didn’t installing in a Standalone persist? There is a finer point here worth experienced time. The documentation doesnt explain that. An App VM never should have been recommended as a design to host a VPN qube.
It does, you obviously don’t know what you’re doing.
It’s very simple to install softwares in a template and then link an AppVM to it. I currently use 2 VPN AppVM without any issues. What you need to know is that /rw (which include /home) is persistent, this is where you need to put your configuration files. When it’s done, use /rw/config/rc.local to start the VPN or use something like GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS
Without knowing more I cant help.
It’s part of the design of a Standalone that installing will work - I
have not found any case where it does not.
For most people a template based qube works fine as a vpn gateway. It’s
hard to comment on your case because you have given little information.
You have not said what instructions you followed, what sort of vpn
you were trying to install, what steps you took, and so on.
You should almost never need to expose a template directly to the
network - in most cases you can manage by either copying files in to the
template (qvm-copy), or by using the proxy listening on localhost:8082
(e.g. by setting http_proxy=http://127.00.0.1:8082)
That’s what I’m looking for. That is not obvious. If everything were self-explanatory, why have a forum?
I am just empirically reporting the facts. I tried installing Proton VPN in F37 Standalone with Whonix as networking for the install. There is nothing wrong with that. That should have worked. Micah Lee used Mullvad VPN with Qubes. Protonvpn-cli worked after the install but after I rebooted, I got ‘command not found.’
Would this method be suited to Proton VPN? Your answer still doesnt explain how r/w permissions can forget their “w” after reboot and cannot “r” what was previously installed. No, something deeper here.
StandaloneVMs are fully persistent so that’s not possible. Make sure it’s actually a StandaloneVM and not an AppVM.
Try to follow this: