System-wide Mullvad VPN How to? Many options, conflicting information

User Support General
, ,
1

TLDR:

  • New to Qubes. Not completely new to Linux. Completely new to networking.
  • I want a system-wide Mullvad VPN with a killswitch. I want everything to go through Mullvad.
  • There are many different guides about how to do this, with conflicting information, leaving me very confused.

I am new to Qubes. I have some experience with Linux, but I don’t know much about networking.
I am not familiar with iptables, nftables and so on.

I want to use a system-wide Mullvad VPN because I trust Mullvad more than my ISP and because I want to use the Tor Browser without my ISP knowing, while still being able to simultaneously download files using the VPN connection (separately from Tor and Tor Browser).
I have also considered using a dedicated router for the VPN, but it would be a difficult option for me due to logistics.

Ideally, I want to setup the system-wide VPN before any internet connection is made to not make it obvious through clearnet that I am using Qubes. This is possible for example in vanilla Debian, where I can make sure any automatic connection is disabled before I plug in the ethernet cable, install Mullvad VPN app offline through it’s .deb package, then plug the ethernet cable. The only clearnet connection being made is to Mullvad’s server.

Unfortunately, I am absolutely confused by the guides about setting up a system-wide Mullvad VPN.
There are several guides, each using very different methods. Here are three I found here in Qubes forum:

This guide by Mullvad:

The guide is written for 4.1, and it clearly says “iptables rules are no longer effective in Qubes OS 4.2.0 and newer.”. The guide doesn’t say how to solve the issue in 4.2.

This guide by Solene:

<>/t/mullvad-vpn-app-4-2-setup-guide/25107

This guide by Tommy Tran:

<>/t/mullvad-vpn-setup-guide/26528

(Separated because I can only post 2 links as a new user)

This is my understanding of the three methods, I am not even sure if my understanding is correct.

Mullvad

Advantages:

-Most noob-friendly explanation (in my opinion)
-Doesn’t require the Mullvad Electron app

Disadvantages:

-Guide is written for 4.1, and it clearly says “iptables rules are no longer effective in Qubes OS 4.2.0 and newer.”. The guide doesn’t say how to solve the issue in 4.2. So possible DNS leaks/issues?
-Can’t easily change VPN servers if a server has issues

Solene

Advantages:

  • Seems somewhat similar to Mullvad’s official guide (may or may not be a good thing)

Disadvantages:

  • Requires a standalone (more RAM usage, have to download updates)
  • Apparently problems if switching DNS too fast?

Tommy Tran:

Advantages:

  • Doesn’t use rc.local, according to the author, shouldn’t be used.
  • Doesn’t require a standalone, unlike Solene’s guide

Disadvantages:

  • Differs a lot from Mullvad’s official guide (may or may not be a good thing)

I have no idea what is the best method, nor do I even know how to decide what is the best method.
I would prefer “good enough” and easy over “ideal” and complicated. The killswitch must be reliable.

So, which guide should I go with?
Again, my goal is to have system-wide Mullvad VPN with a reliable killswitch.

Thank you.