Set up a ProxyVM as a VPN gateway using iptables and CLI scripts with ProtonVPN

Is it possible to set up protonvpn with this guide?

Their core-servers .ovpn files use another DNS, right? So there are issues with that guide, am I right?
Has anyone tried and got it to work? I tried once and while some other VPN’s ovpn files did work, protonvpn’s ovpn files did not work.
How do you fix the issue? Or set up an even better VPN with a killswitch on Qubes with maybe wireguard. Which I have read is even better than OpenVPN.
Any good guide for that?

One thing that would improve Qubes is if a VPN setup was implemented by default, with a killswitch if needed, and if users just had to add or import some ovpn file, and everything was set up by default.

1 Like

Yes, it’s been running like a Swiss clockwork with every ovpn file I ever tested including Protonvpn.
Sometimes you have to try a 2nd time before giving up.

All the things you desire or want to improve are working with this script already. It just doesn’t set itself up magically.

As far as I know wireguard isn’t the magic bullet or unconditionally the better choice when compared with OpenVPN. But of course there are lots of options and some people here are using it with Qubes (I think Mullvad has this option). Just search for ‘wireguard’ here and you get several results.

I use this utility script, that lets you create multiple VPN app VMs and does all the configuration for you. It even lets you create and manage server profiles, so that you can select specific servers, automatically changes the server to which you’re connecting each time you reboot your VPN app VM etc… And a bunch of other pretty neat functionalities.

1 Like

At first glance this looks very similar to the CLI from the official protonvpn sources. I don’t see any additional benefits.

I’d be careful running scripts from sources I know nothing about.

I, of course, checked the code myself, didn’t see anything harmful after a careful inspection of it. Although it seems similar to the protonVPN CLI, it is specific to QubesOS and works with most VPNs. It does all the configuration mentioned here for you, and lets you manage your VPN connections just like a regular utility. So it’s pretty useful, especially if you have several VPN app VMs, each connected to different servers, and configured differently. You can for instance, in one command, set up a VPN app VM to connect only and randomly to American servers using UDP.

1 Like

Have you tried my guide here?

1 Like

Okay, it was just meant as friendly advice for a new Qubes user to rather go with tested and trusted guides from the official documentation first.

Read and make yourself familiar with the docs and when you mastered setting up all these things and you’re still not satisfied then it might be nice to have additional options.

Maybe it could be a nice addition for the Qubes OS contributed packages:

1 Like

I just set up a proxyVM using core-servers just to see if anything had changed since I last set one up. Everything is working without problems if you stick to this guide.

You can clone the proxyVM and have as many different server configurations and assign them to specific appVM. The only thing you have to change in the clone is the specific IP address in the *.ovpn file.

I like this solution because I make lots of different sys-vpn-* and assign them to appVM. Once configured you don’t have to do anything anymore.
I use country-configs as well where the best server is automatically chosen and sometimes I use the CLI from protonvpn when I need a specific server fast.

1 Like

I use protonvpn, but I only download protonvpn-cli and install the qube, which I call protonvpn-qube. Then I throw the VPN at qube as a network administrator. In this way, I was able to successfully secure the connection without a DNS leak or rope leak, but after this article my privacy concerns increased. Do you think what I’m doing is a problem for privacy?

To be honest, it’s been a while since I used the protonvpn-cli in Qubes because at the moment I’ve been experimenting with other stuff in 4.1. If it’s leak proof then it shouldn’t be a problem but it depends on what you’re doing.

I’ve been using protonvpn-cli mostly with a video-qube where I stream live sports events or something similarly trivial.

For mail accounts I have different sys-vpn-* that are constantly assigned. I don’t want to set anything up when I use them on a daily basis so the script is leakproof and convenient.

It’s more of a personal preference because I’ve used them for years and didn’t try out many alternatives. I used several software solutions from providers that had improved greatly over the years but in Qubes I preferred the script solution.

1 Like

Thanks for all of your answers… That’s weird. Good it worked for you! The core servers have two connections… I thought there were issues with DNS or something, but if you got it to work, I can try some more soon. 🙂
I just had better luck with another ovpn file last time, but I need to check again… Thanks!

Great tip. Thank you! I will try that out sometime. Another time. I have already set up a proxyvm as a vpn gateway with iptables and CLI scripts.

That’s also an alternative. Good info!

Could you post some of the settings in your ovpn file or the whole file or what you want to share?
Some example… This could work right?

script-security 2
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf

redirect-gateway def1
auth-user-pass pass.txt
script-security 2
up ‘ up’
down ‘ down’

auth-user-pass /rw/config/vpn/pass.txt

But it says there should be only one up and down, so the lines
up /etc/openvpn/update-resolv-conf
down /etc/openvpn/update-resolv-conf
could make an error, am I right? I think I had some error last time with that…

What I don’t get is that you say the script worked for you with other .ovpn files. That almost rules out every mistake you can make.

It doesn’t make sense to post my ovpn file here because you don’t have to change a lot (and of course because of the sensitive information regarding your account).

Let’s check the to-do-list:

  1. You do have openvpn installed in your template your proxyVM is based on and the service disabled like explained?
  2. You did either rename your ovpn file to ‘openvpn-client.ovpn’ or (like I do) don’t change the name of the file and change it in the script ([6. Set up the VPN’s autostart.], in line 3)
    VPN_OPTIONS='--cd /rw/config/vpn/ --config openvpn-client.ovpn --daemon'
    to the respective file name of your protonvpn.ovpn file.
  3. In your protonvpn.ovpn file you only have to add
    redirect-gateway def1 and look for the line starting with auth-user-pass and add pass.txt. Also remove the 3 lines starting with script-security 2 before the certificate (this does not affect functionality), because we will add this part at the end:
    script-security 2
    up ‘ up’
    down ‘ down’
  4. In your pass.txt file you did put your actual username and your actual password, didn’t you?

You can copy & paste the rest and of course, follow the guide closely. For example, don’t forget to make the scripts executable.
If you made no simple mistakes it should connect after restarting your proxyVM.

When there is an error message post it here or take a look at the logs of your proxyVM.
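
The checklist in the post above can be run as a quick lint before restarting the proxyVM. This is an added example, not part of the thread or of the guide it follows; the function names are hypothetical, and `<handler>` is a placeholder for the guide's handler script name, which is not shown on this page.

```sh
#!/bin/sh
# Added example: lint an .ovpn file against the checklist in the post above.

# Count lines whose first word is the directive. Commented-out lines never
# match because their first word starts with '#' or ';'.
count_directive() {   # $1 = file, $2 = directive
    awk -v d="$2" '$1 == d { n++ } END { print n + 0 }' "$1"
}

# Print one line per problem; return 0 only when nothing was found.
check_ovpn() {        # $1 = .ovpn file
    problems=0
    for d in script-security up down auth-user-pass redirect-gateway; do
        n=$(count_directive "$1" "$d")
        if [ "$n" -ne 1 ]; then
            echo "$d: found $n, expected exactly 1"
            problems=$((problems + 1))
        fi
    done
    # Without a file argument openvpn asks for the credentials interactively.
    if ! awk '$1 == "auth-user-pass" && NF >= 2 { ok = 1 } END { exit !ok }' "$1"; then
        echo "auth-user-pass: no credentials file given"
        problems=$((problems + 1))
    fi
    if ! awk '$1 == "redirect-gateway" && $2 == "def1" { ok = 1 } END { exit !ok }' "$1"; then
        echo "redirect-gateway: def1 flag missing"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# pass.txt needs the username on line 1 and the password on line 2.
check_pass() {        # $1 = credentials file
    [ "$(awk 'NF { n++ } END { print n + 0 }' "$1")" -ge 2 ]
}

# Constructed sample: the combination quoted in the question (both the stock
# update-resolv-conf hooks and the guide's block; <handler> is a placeholder).
demo() {
    f=$(mktemp)
    printf '%s\n' 'script-security 2' 'up /etc/openvpn/update-resolv-conf' \
        'down /etc/openvpn/update-resolv-conf' 'redirect-gateway def1' \
        'auth-user-pass pass.txt' 'script-security 2' "up '<handler> up'" \
        "down '<handler> down'" 'auth-user-pass /rw/config/vpn/pass.txt' > "$f"
    check_ovpn "$f"; rc=$?
    rm -f "$f"
    return "$rc"
}
demo || echo "fix the lines listed above before restarting the proxyVM"
```

On a real setup, call `check_ovpn` on the file in /rw/config/vpn and `check_pass` on pass.txt; neither function prints the credentials.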


  1. Yes.
    $ sudo apt-get install openvpn
    Reading package lists… Done
    Building dependency tree
    Reading state information… Done
    openvpn is already the newest version (2.4.7-1).
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

  2. Yes, I did rename it to: openvpn-client.ovpn

  3. Yes, I did.

  4. Yes, I did.

There is some issue I can’t explain. One ovpn file works with the default settings, while the protonvpn doesn’t work for me…
How can I troubleshoot the issue? Some log or command? It’s probably some simple mistake somewhere. In the ovpn file of the protonvpn file… Did you try the core-server ovpn file, or their regular ovpn file? You could send me a pm with your settings if you wanna. Or send some random file you edited… Up to you… then I can try if that works or not. Thanks

Did you read the documentation?
Take a look at point 2:

(…) Test your client configuration: Run the client from a CLI prompt in the ‘vpn’ folder, preferably as root. For example:

sudo openvpn --cd /rw/config/vpn --config openvpn-client.ovpn

Watch for status messages that indicate whether the connection is successful and test from another VPN VM terminal window with ping. (…)

The whole procedure is explained in detail, I don’t think it can be any clearer.

I don’t get your fixation with the secure-core servers. Yes, they do work, like every other ovpn files I tested. Like I said before. Did you ever take a look at the files? Everything is explained in there, also the additional options like special suffixes to your OpenVPN username for selecting the exit IP corresponding to a specific server, ad blocking and anti-malware filtering etc.

You don’t need all this but you could at least take a look. If you compared your beloved secure-core files to any server config you’d see that this is not so special.

Sorry, I don’t think I can help you any further because I am wondering if you even are a paid subscriber of protonvpn.

It is possible that a certain server is down or at 100% so you should at least try another and just see if it connects before doing all the other stuff.

There are people trying wrong username & password (no, it’s not the login-data for your account) and other possibilities but it could be anything, so I say good luck.

I’ve got the same issue (apparently by default it uses another DNS rather than protonvpn’s DNS).
Were you able to solve the problem? If you were able to solve it, help me please.

If you have set the sys-vpn properly this should not be possible.
If you want help with this issue, please give some detail -
What method have you used to set up the vpn?
What is the “another DNS”?
Is this “another DNS” accessed through the VPN?
How have you confirmed this problem?

1 Like

I followed the second part of this guide: Contents/ at master · Qubes-Community/Contents · GitHub , “Set up a ProxyVM as a VPN gateway using iptables and CLI scripts”.

As far as I know ProtonVPN provides its own DNS when a client is connected to their servers, and I thought that Qubes OS was trying to use another DNS provider, and I thought this was the source of the problem. I’m not sure 😅

I used ping and the error “ping: Temporary failure in name resolution” occurred. So I thought the issue was with DNS.

Sorry if something I say is inaccurate, I’m new to Qubes OS.

Thank you and all other Qubes OS team members.