System-wide Mullvad VPN How to? Many options, conflicting information

TLDR:

  • New to Qubes. Not completely new to Linux. Completely new to networking.
  • I want a system-wide Mullvad VPN with a killswitch. I want everything to go through Mullvad.
  • There are many different guides about how to do this, with conflicting information, leaving me very confused.

I am new to Qubes. I have some experience with Linux, but I don’t know much about networking.
I am not familiar with iptables, nftables and so on.

I want to use a system-wide Mullvad VPN because I trust Mullvad more than my ISP and because I want to use the Tor Browser without my ISP knowing, while still being able to simultaneously download files using the VPN connection (separately from Tor and Tor Browser).
I have also considered using a dedicated router for the VPN, but it would be a difficult option for me due to logistics.

Ideally, I want to set up the system-wide VPN before any internet connection is made, so that it is not obvious over clearnet that I am using Qubes. This is possible for example in vanilla Debian, where I can make sure any automatic connection is disabled before I plug in the ethernet cable, install the Mullvad VPN app offline through its .deb package, then plug in the ethernet cable. The only clearnet connection being made is to Mullvad’s server.

Unfortunately, I am absolutely confused by the guides about setting up a system-wide Mullvad VPN.
There are several guides, each using very different methods. Here are three I found here in the Qubes forum:

This guide by Mullvad:

The guide is written for 4.1, and it clearly says “iptables rules are no longer effective in Qubes OS 4.2.0 and newer.” The guide doesn’t say how to solve the issue in 4.2.

This guide by Solene:

/t/mullvad-vpn-app-4-2-setup-guide/25107

This guide by Tommy Tran:

/t/mullvad-vpn-setup-guide/26528

(Separated because I can only post 2 links as a new user)

This is my understanding of the three methods; I am not even sure if my understanding is correct.

Mullvad:

Advantages:

  • Most noob-friendly explanation (in my opinion)
  • Doesn’t require the Mullvad Electron app

Disadvantages:

  • Guide is written for 4.1, and it clearly says “iptables rules are no longer effective in Qubes OS 4.2.0 and newer.” The guide doesn’t say how to solve the issue in 4.2. So possible DNS leaks/issues?
  • Can’t easily change VPN servers if a server has issues

Solene:

Advantages:

  • Seems somewhat similar to Mullvad’s official guide (may or may not be a good thing)

Disadvantages:

  • Requires a standalone (more RAM usage, have to download updates)
  • Apparently problems if switching DNS too fast?

Tommy Tran:

Advantages:

  • Doesn’t use rc.local, which, according to the author, shouldn’t be used.
  • Doesn’t require a standalone, unlike Solene’s guide

Disadvantages:

  • Differs a lot from Mullvad’s official guide (may or may not be a good thing)

I have no idea what the best method is, nor do I even know how to decide what the best method is.
I would prefer “good enough” and easy over “ideal” and complicated. The killswitch must be reliable.

So, which guide should I go with?
Again, my goal is to have system-wide Mullvad VPN with a reliable killswitch.

Thank you.

Bump.
Basically I want to know if I should use Solene, Tommy Tran, Mullvad, or some other guide.

Hi, you can just set up a VPN AppVM (ensure you select the AppVM to provide network to other qubes within settings; Fedora is recommended) from a template with the Mullvad VPN application installed. It may be easier for you, as you are new, to just use a standalone qube based on the Fedora template if you are having issues.
Ensure then that you set the vpnqube to sys-firewall & other qube to use the vpnqube for networking.
This is a very basic setup example, adjust as you wish.

Either of the mentioned guides is sufficient.

If you want to consider the travel router again, with Mullvad preinstalled:

I bought: GL-MT300N-V2 / Mango - GL.iNet

Less than forty US dollars.

But I have not programmed it yet. I wanted to get a fresh new login number with Mullvad. (The router accommodates other VPNs if Mullvad is not your choice.) And I wanted to worry about doing the install to the Mango router in a secure way.

Many options, conflicting information

This is a big problem. I have just finished telling the Qubes developers that they need to make an official guide or package a solution themselves: https://www.mail-archive.com/qubes-devel@googlegroups.com/msg05567.html

If you want the best leak protection then you have to use “Configuring a ProxyVM VPN Gateway - #58 by qubesfirewallbug”.

It doesn’t matter that you don’t understand nftables, just follow the guide and it will work.

I made that guide myself just a few days ago because there was no other solution that worked as intended. All of them have issues and I’ve explained the issues in the post that I linked.

I have been using GitHub - tasket/Qubes-vpn-support: VPN configuration in Qubes OS

Works great but does not use the Qubes firewall and hasn’t been updated in a long time. Currently you need to use the branch and patch of this pull request: Replace iptables with nftables by 1cho1ce · Pull Request #71 · tasket/Qubes-vpn-support · GitHub

After you have configured it, it’s basically “plug and play” for any config you throw at it.
Have not seen any leaks yet.

How many, five hundred, a thousand, follow “how to create a sys-net VPN” instructions, which often need to be updated and, as OP says, are “conflicting”?

Instead, a very knowledgeable person could create a community sys-net qube which has Mullvad VPN preinstalled, with proper firewalls.

Probably several other sys-nets to accomplish the same for other VPNs.

Suddenly, it is easy for anyone to implement a sys-net with a VPN pre-installed.

The problem is the amount of effort needed to keep even one of the sys-nets working and trustworthy. Still, that would be one Qubes- and internet-knowledgeable person keeping the sys-net trustworthy, instead of several hundred people independently attempting to do that for themselves.

How many, five hundred, a thousand, follow “how to create a sys-net VPN” instructions, which often need to be updated and, as OP says, are “conflicting”?

I have not found a single guide other than mine that prevents all leaks. Guides that only use the filter forward chain to block traffic to oifgroup 1 are wrong. If anyone can provide a reason for why any of the guides other than mine should be used, we can discuss it now.

Instead, a very knowledgeable person could create a community sys-net qube which has Mullvad VPN preinstalled, with proper firewalls.

It’s not practical for this to be done by the community, as I’ve said in my linked mailing list post. If you want this feature then you need to be vocal on the mailing list and forums about it. Qubes has terrible communication and they ignore things on the forums all the time.

Everyone who wants this feature (or any feature) should use all the public communication channels to let the developers know. GitHub, mailing list and forums.

What do you think about the thing I linked? How good is that?