Setting up Mullvad vm template

Hi everyone
I’ve been wrestling with setting up a template vm with Mullvad. I mean, like all day and I’m sort of stuck.

Initially I followed Micah Lee’s guide: Using Mullvad VPN in Qubes

This set up pretty much perfectly except for two things

  1. Unless I’m reading his instructions incorrectly when I start my vm it doesn’t connect to Mullvad automatically. I get the network manager icon and I can connect via that, but it doesn’t connect automatically.
  2. I cannot get any other app vm to go via this newly created mullvad vm. When I try to route another vm via this I get a warning about problematic networking with regard to the disposable vm. The Yellow triangle with an exclamation mark.

I could not see what I had wrong that stopped other vms going via this newly created template vm with mullvad. The vm works ok in that I can launch a browser from within the newly created one and it is connecting via Mullvad.

So if anybody has an idea what I’m now doing here I’d appreciate it.

So not to be outdone I then went to the Mullvad guide here: Mullvad on Qubes OS 4 - Guides | Mullvad VPN

I have followed this one and its all good so far except for getting a vif ip address under the section “Add DNS hijacking script”. Either I am too tired, or this is beyond me but can anybody tell me what this means:
“To find out your vif* ip address, run ip a | grep -i vif in a terminal (make sure you have the AppVM assigned before you do this, otherwise it will not show up)”?

I am not getting anything to show up which I assume is because I haven’t assigned the AppVm.

Can anybody tell me what assigning the AppVm means? If I can get this I can power on through it I hope.

Networking is hard for me so I hope I’m not asking questions that are too basic.

If you have read this, I thank you. If you could offer me a pointer or two even better. i have the Micah Lee version still set up so if I can find out why I can’t get App VMs to go through it, great. If not I’ll go on with the Mullvad guide (if I can just learn how to assign this AppVm.

Hi Brad,

Try this:

super easy to use and works flawlessly

I suggest using wireguard and if you go to the Mullvad wireguard config file generator (in the help section) you can click the ‘advanced dropdown menu’ select multihop and choose and entry/exit server. This will generate a multihop wireguard config file which works perfectly with the guide above.

The multihop part is done on Mullvad’s side, meaning you will just connect to a single server from your qube and Mullvad will route your traffic to exit through a second server on their side, super neat!

Notes about this script, it fails closed if the connection drops and will only provide a vpn connection to qubes downstream from it (connected to it for network) this is great as you don’t want to be using your vpn-vm for anything other than providing a vpn connection other qubes

if you want you can enable a 3rd hop by using one of their socks5 proxies, for example if you have a vm for web browsing behind your vpn-vm:

Example using Firefox:

    Go to the Firefox menu.
    Click on Preferences.
    Scroll down to Network Proxy.
    Click on Settings.
    Select Manual proxy configuration.
    Make sure HTTP/SSL and FTP proxy fields are empty.
    In the SOCKS Host: field, enter for example, us3-wg.socks5.mullvad.net with port 1080.
    Click on SOCKS v5 and enable "Remote DNS" or tick "Proxy DNS when using SOCKS v5".
    Click on OK.
    Navigate to our Connection check in order to verify the exit location.

you can DM me if you’re struggling, IDK alot about Qubes but I have this part down

I followed Micah’s guide step-by-step and it worked fine. Mine doesn’t automatically connect either, but I find it a negligible inconvenience to click in to it, as that is a one time operation on startup.

I also have this warning about the Disposable template that the VM has is not set to the same networking, but this is only in the settings, and doesn’t have any impact on actually launching it. You can go to the ‘advanced’ tab and then see which disposable VM that AppVM has as its DispVM, and then navigate to that VM in the manager and set its networking to Mullvad VPN also. Fedora-34-DVM in my case.

So you are saying when you launch an AppVM that gets its networking through Mullvad VM and you open it, it refuses to connect and this error pops up in a large box on the right hand side? Does it refuse to allow you to hit “apply” to having that VM as the networking?

If yours is like mine, either set the Disposable VM’s networking to Mullvad VPN also or just ignore it and hit ok, it shouldn’t impact you actually being networked via VPN and is really just telling you “Hey bro, if you have an expectation that opening a link in a dispvm will be also guarded by VPN, you aren’t, so check your settings” rather than a hard error that prevents use.

You can also follow these instructions to set up mullvad using wireguard. As far as I’m concerned, this is the setup I’m getting the most use out of.

I haven’t used Micah Lee’s setup, but the first thing I’d verify is whether or not your vpn and firewall VMs allow networking. In the Qubes Manager check the advanced tab in Qubes Settings and make sure the box labeled “Provides network” is checked.

Thanks so much for taking the time to reply everybody.

I’m hopeful of getting Micah Lee’s method to work, primarily because its done.

Thanks for the confirmation about the connection issue. I agree, its no big deal, I was just checking to see that it wasn’t symptomatic of something else I’d done wrong. As you say, its no inconvenience at all to connect it.

VMs being unable to connect via the newly made Mullvad template seems to be a mystery really. I don’t know what the disp vms are connected via (but shouldn’t make a difference as you say). I have ‘provides network’ checked in the Mullvad vm so that’s not the issue. It let’s me click ‘apply’, and I don’t get an error in a box when I try to connect, it just doesn’t do anything such a browser not being able to connect to anything.

I’ll have another go at it this afternoon. Maybe I was tired and missed something, but I was being pretty methodical.

The Wireguard approach does interest me however so if I can’t this to go that’s where I’ll go.

I am still hoping that someone can tell me what ‘assigning an AppVm’ means in the Mullvad setup as I’m almost finished with that one as well.

I’m determined to get one working!

1 Like

Now, let’s make this VPN automatically connect whenever it boots up. Open a terminal in vpn-mullvad (click Qubes, Service: vpn-mullvad, vpn-mullvad: Terminal), and run:

sudo gedit /rw/config/autovpn.sh

This will open up a blank file using gedit (feel free to use whatever text editor you prefer). Copy and paste this script into it. You may need to change the line that says nmcli con up mullvad_ca to use the name of the VPN config that you added, assuming you chose a location other than Canada.

#!/bin/bash
while [ “true” ]
do
if nmcli con |grep -Fq tun0
then
echo “Already connected, sleeping 5”
sleep 5
else
echo “Connecting”
nmcli con up mullvad_ca
fi
done

Notice the bold part, this needs to be changed to your correct name for auto start to work

1 Like

Can you explain:

  1. The VM that works with your VPN, is that just opening a browser in the Mullvad-VPN-VM?
  • If so, perhaps you made the mistake that ephile has said, and failed to tick “provides network” when you first created the Mullvad VPN qube. You can see this at the start of Micah’s guide.

To check, go to your settings from Qubes Manager for Mullvad-VPN, then go to the ‘advanced’ tab. In the ‘other’ section in the bottom left of screen, you should see “Provides network” and it will either be ticked or unticked. If it is unticked you might have to re-create the VM, but at least you know it’ll work next time.

I don’t know what the disp vms are connected via

This is simple to check, but not critical to it working. But to fix, go in to your “Mullvad-VPN” VM settings. Then go to the advanced tab. In the bottom left box, you will see “default disposable template”.

Take note of what that is called, for me it is “Fedora-34-DVM”.

Now, exit the settings for the Mullvad-VPN, and in your Qubes Manager, scroll until you find the Disposable VM you saw listed there. Once you’ve found it, open its settings, and then change its networking to Mullvad-VPN (assuming you want to).

I don’t think you really want to be opening anything inside the Mullvad-VPN VM, because it is a networking qube, and not a workstation/appvm qube.

If you see this error in the future just repeat this process with that VM (unless you want to say, have a clearnet app vm, but open disposable links in a VPN vm etc.).

I hope that made some sense.

Most likely your issue is as ephile said though, you didn’t click the option in the initial creation of your Mullvad VPN to ‘provides network’ and so other Qubes aren’t able to get their networking through it.

Thanks for the replies everybody. Let me address them.

  1. Yes, I overlooked the part where I change it to my config name. In my case the config file is called ‘mullvad_ro_buh.config’ So to this end I tried changing the existing ‘mullvad_ca’ to both ‘mullvad_ro’ (didn’t fix the problem) and ‘mullvad_ro_buh’ (also didn’t work). And I even added the ‘.config’ to be really sure…yeh clutching at straws. I thought that I may have been onto something here but to no avail. For completeness however I also re-ran
sudo chmod +x /rw/config/autovpn.sh

Of interest is that with ‘mullvad_ro’ the vpn starts up with the network manager icon and I can connect the vpn manually. BUT…if if put ‘mullvad_ro_buh’ (ie with the ‘buh’) it connects automatically which is something that I didn’t have before. So it solved THAT issue. But it didn’t allow other vms to access the internet via this vm.
2. I do have ‘provides network’ checked in the ‘advanced’ ‘other’ tab. It has been checked from the start. I can launch Firefox within the Mullvad template vm and it connects to the internet without an issue via the country I have in the config. So it all works ok at that level. And I know that the file that I edited in ‘1’ above (ie ‘mullvad_ro_buh’) is working properly because it won’t let me disconnect now as it keep checking and reconnecting. Good._

So, there has to be some fundamental error that I have made. I overlooked one thing so maybe I overlooked something else. If anybody has any comments I’m really keen to hear it.

I rectified the disp vm issue which is really a side issue to what is happening by all accounts.

There is no doubt that the mullvad vpn template is working. Its something else unknown at this time. But it does connect automatically now which is great. If I can just get the others to play ball I’ll be away!

PS: I worked out the ‘assign AppVm’ thing with the Mullvad instructions but I’ve run out of time today and would prefer to fix the problem above.

Hello.

I tried using this solution https://github.com/hkbakke/qubes-wireguard. I’m stuck at the part where I have to run wg-appvm-conf but the terminal keeps telling me the WG_ADDRESS is unbound even though I put the address in the config file.

Anywhere I might’ve done something wrong?
If you need to know more, I’ll be happy to tell you.

You can use the gateway of the VPN service machine.

Once getting to the end of Mulls tutorial, rerun:

ip a | grep -i vif in a terminal 

The vif interface appears, which you can update if needed.
(worked for me anyway)