SOLVED: Wireguard TCP in a NetVM?

I wonder if anyone here has cracked the nut of installing Wireguard to run over TCP in a “NetVM” on 4.3?

I’m working on it now, and I can follow the instructions to use Wireguard using any UDP servers, and I can use Mullvad’s TCP servers if I use the mullvad-cli. But the instructions for Mullvad and Qubes use wg-quick, not mullvad-cli, so I can’t use a NetVM for Wireguard over TCP, even when the server supports it.

I can’t figure out how to use mullvad-cli in a NetVM, to use TCP, or how to use wg-quick to support TCP. I prefer the second one, so I am not limited to Mullvad (although they are the only provider I found to test TCP with so far.)

I’m still working on this but if anyone else figures it out first or has information to share (or questions to ask) please post here.

1 Like

Make a qube we’ll call it mull0 and use mullvad-cli to make your Wireguard over TCP tunnel. Then configure another qube we’ll call it web0 to use the previous qube as NetVM. With the Wireguard tunnel brought up in mull0, can web0 reach a non-sensitive website? If so, inspect nftables in mull0. The specific nftables rules specified in the guides you are looking at that prevent leaks are the ones you want to make sure are there.

2 Likes

I have tried mullvad-cli in a NetVM, and when I connect an AppVM to that NetVM, it does not have internet access. That’s the problem.

I don’t see that what you’re saying explains this?

1 Like

Follow this guide, but instead of using the app, use mullvad-cli.

2 Likes

OK, I didn’t see this before. I will try it.

1 Like

This can’t work with wg-quick. WireGuard is a UDP-only protocol; it can’t work with TCP.

There are ways to obfuscate WireGuard in TCP packets (using V2RAY maybe?) so I suppose mullvad provides shadowsocks or v2ray, which must be handled by the mullvad client as it’s not a plain WireGuard connection.

4 Likes

@solene Mullvad’s wireguard servers support TCP when using mullvad-cli. The issue is getting it to work with wg-quick as per the Qubes instructions on the Mullvad website. But connecting to Wireguard over TCP with Mullvad is supported for Mullvad.

1 Like

As stated on their web page Introducing WireGuard over TCP and IPv6 | Mullvad VPN (it’s 4 years old, but I didn’t find any information on any other page; they refer to UDP over TCP here: Using Mullvad VPN in restrictive locations):

WireGuard out of the box works only over UDP. This can cause problems because UDP is blocked on many public networks like in cafes and on trains. That’s why we’re introducing a solution for WireGuard over TCP

They do not give much information about what they do, but they add a layer on top of WireGuard to make it work over TCP. This can’t work with wg-quick, because WireGuard over TCP is not vanilla WireGuard, and wg-quick is only for a vanilla WireGuard tunnel.

1 Like

I think Mullvad uses this tool/library:

1 Like

I mean, yeah, that’s what I said in my first post, confirmed in my reply to you, and I use it and it works. About your confusion, they seem to use Udp2Tcp because that’s what “mullvad status” shows. But why are you talking about this?

The question I asked here is how to get TCP to work with wg-quick OR how to make mullvad-cli work in a NetVM. For the second one, I intend to read your Tutorial today for the Mullvad App in a NetVM and try to modify it for mullvad-cli (I don’t run a GUI in my NetVM).

1 Like

Okay I cracked it. Here are modifications to make a Qubes NetVM supporting mullvad-cli and Udp2TCP Wireguard servers:

Starting with this:

This guide replaces the sections “Qube configuration” and “Mullvad App,” starting again at “Fix DNS”.

Changes to “Qube creation” first:

  • my NetVM is Debian minimal
  • I started with 512MB RAM
  • I don’t know what “disable ballooning” means, but looking it up makes me think this is supposed to mean to uncheck “Include in memory balancing” under the Advanced tab in the NetVM’s Settings. So that’s what I did.

To maintain persistence of settings in the NetVM, create a bind dir for mullvad:

$ sudo mkdir /rw/config/qubes-bind-dirs.d/
$ sudo vi /rw/config/qubes-bind-dirs.d/50_user.conf

Add to 50_user.conf:

binds+=( '/etc/mullvad-vpn' )

Save

$ sudo mkdir -p /rw/bind-dirs/etc/mullvad-vpn

In the template for your NetVM, make sure mullvad-cli is installed. Instructions are here:

(More info on mullvad-cli is here: How to use the Mullvad CLI)

Close the template and if the Qubes NetVM is running, restart it once the template shuts down.

In the NetVM, create a script that looks like this:

#!/bin/bash
# Log in, pick a relay and bring the tunnel up; replace both placeholders
mullvad account login <your-account-number>
mullvad relay set location <your-preferred-location>
mullvad connect

Choose your server here: Servers. I don’t know if all servers support Udp2Tcp but every one I have tried does.

Make the script executable:

$ chmod +x startMullvad.sh

Save in /home/user.

In the NetVM, edit /rw/config/rc.local and add these lines:

# Starts custom script that runs mullvad-cli with our preferred login and host
/home/user/startMullvad.sh

Resume the main tutorial at “Fix DNS”.
Note that on Debian 13 minimal templates, inotify is not sufficient for broadcast messages.

1 Like
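A more defensive variant of the startup script idea from the post above, added here as an example (it is not code from the thread, from the linked guide, or from Mullvad). It only uses the mullvad commands the thread already mentions (account login, relay set location, connect, status); the account number and relay location are placeholders, and the `mullvad status` text it parses is a constructed sample, so the first-line match may need adjusting to the output of your CLI version. The point it adds is a check that the tunnel actually came up before the NetVM is treated as usable, since the rc.local approach otherwise runs blind.

```shell
#!/bin/sh
# Added example, not from the thread or from Mullvad. Placeholders below must be
# replaced before use on a real NetVM.
ACCOUNT="${ACCOUNT:-0000000000000000}"   # placeholder account number
LOCATION="${LOCATION:-se}"               # placeholder relay location

# Emit the bind-dirs line that keeps /etc/mullvad-vpn across NetVM restarts
# (the same line the post adds to 50_user.conf).
render_bind_conf() {
    printf "binds+=( '/etc/mullvad-vpn' )\n"
}

# Return 0 when a captured 'mullvad status' text reports a live tunnel.
# Assumption: the first line starts with "Connected" when the tunnel is up.
status_is_connected() {
    printf '%s\n' "$1" | head -n 1 | grep -q '^Connected'
}

# Return 0 when the status text mentions Udp2Tcp, which the thread reports
# seeing in 'mullvad status' when the TCP variant is in use.
status_is_udp2tcp() {
    printf '%s\n' "$1" | grep -qi 'udp2tcp'
}

# Poll 'mullvad status' once a second until connected or until $1 seconds pass.
# Only meaningful on a NetVM where the mullvad daemon is running.
wait_for_tunnel() {
    limit="${1:-30}"
    i=0
    while [ "$i" -lt "$limit" ]; do
        if status_is_connected "$(mullvad status 2>/dev/null)"; then
            return 0
        fi
        i=$((i + 1))
        sleep 1
    done
    return 1
}

# Main flow, guarded so the helper functions can be exercised without the daemon.
# On the NetVM, call this script from /rw/config/rc.local with RUN_MULLVAD=1.
if [ "${RUN_MULLVAD:-0}" = 1 ]; then
    mullvad account login "$ACCOUNT"
    mullvad relay set location "$LOCATION"
    mullvad connect
    if wait_for_tunnel 30; then
        echo "tunnel up: $(mullvad status | head -n 1)"
    else
        echo "tunnel not up after 30s; check 'mullvad status' before relying on this NetVM" >&2
        exit 1
    fi
fi
```

With `RUN_MULLVAD=1` the script behaves like the post's startMullvad.sh but exits non-zero, with a message in the NetVM's rc.local log, when the tunnel is not reported as connected within 30 seconds; the nftables leak rules from the linked guide are still what stops traffic in the meantime.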

Thanks @DVM for pointing out the guide and to @solene for creating it.

1 Like