Tutorial: How to configure OpenVPN AppVM (proxyVM) on 4.2 (nft)

After the installation of the recently released 4.2 image I had some issues to set up an OpenVPN AppVM (proxyVM), so I wrote down the steps. It’s basically the same process as before, only Qubes switched from iptables to nft in 4.2 (new version of qubes-vpn-support required). This guide is based on fedora-38-minimal (Debian should work as well).

  1. Install fedora-38-minimal template (in dom0 terminal):

sudo qubes-dom0-update qubes-template-fedora-38-minimal

  1. Open fedora-38-minimal terminal:

qvm-run -u root fedora-38-minimal xterm

In xterm run:

sudo dnf install openvpn qubes-core-agent-networking

Restart the fedora-38-minimal qube.

  1. Create a new qube for the proxyVM. Name the qube as you like. Choose AppVM and fedora-38-minimal template. Networking can be set to default sys-firewall (sys-firewall did not work for me). Also check Launch settings after creation. In the Advanced tab check Provides network access to other qubes and create the new qube.

  2. In the menu go to “Services”. Pick “custom”, click +. Add

vpn-handler-openvpn

Finish by clicking on apply and ok and restart the qube.

  1. Final part is configuring the VPN proxyVM using the .ovpn config data and a custom script created by @1choice (thank you for the script!).

Download the .ovpn config file from your favorite VPN service and take notice of the related Username and Password. Create a file called “userpassword.txt” containing only these two lines (Username and Password). This file is not necessary if you use this data while installing the following script.

Download the ported Qubes-vpn-support script from here. On github click on the green “code” button, download the zip file and extract it (or use git if you prefer). This Qubes-vpn-support-master folder has to be copied over to the VPN proxyVM.

  1. Open the VPN proxyVM root terminal using the GivenName in dom0:

qvm-run -u root GivenName xterm

In the xterm terminal create the following folder:

mkdir -p /rw/config/vpn

Use the .ovpn file from your VPN service and copy it in this folder and rename it to vpn-client.conf. Or create a symlink:

ln -s vpnservicedata.ovpn vpn-client.conf

Cd to the Qubes-vpn-support-master folder and run

sudo bash ./install

Use in this script the given username and password or just use anything and after the install copy the mentioned userpassword.txt file to /rw/config/vpn. Restart the qube.

Once this qube is used in other qubes’ settings as “Net qube”, that qube will connect to the internet via the configured VPN service (check the IP). VPN over VPN should work as well (in the proxyVM’s settings choose as Net qube an other proxyVM).

2 Likes