Tutorial: How to configure OpenVPN AppVM (proxyVM) on 4.2 (nft)

After installing the recently released 4.2 image I had some issues setting up an OpenVPN AppVM (proxyVM), so I wrote down the steps. It’s basically the same process as before, only Qubes switched from iptables to nft in 4.2 (new version of qubes-vpn-support required). This guide is based on fedora-38-minimal (Debian should work as well).

  1. Install fedora-38-minimal template (in dom0 terminal):

sudo qubes-dom0-update qubes-template-fedora-38-minimal

  2. Open fedora-38-minimal terminal:

qvm-run -u root fedora-38-minimal xterm

In xterm run:

sudo dnf install openvpn qubes-core-agent-networking

Restart the fedora-38-minimal qube.

  3. Create a new qube for the proxyVM. Name the qube as you like. Choose AppVM and fedora-38-minimal template. Networking can be set to default sys-firewall (sys-firewall did not work for me). Also check Launch settings after creation. In the Advanced tab check Provides network access to other qubes and create the new qube.

  4. In the menu go to “Services”. Pick “custom”, click +. Add

vpn-handler-openvpn

Finish by clicking on apply and ok and restart the qube.

  5. The final part is configuring the VPN proxyVM using the .ovpn config data and a custom script created by @1choice (thank you for the script!).

Download the .ovpn config file from your favorite VPN service and take note of the related Username and Password. Create a file called “userpassword.txt” containing only these two lines (Username and Password). This file is not necessary if you use this data while installing the following script.

Download the ported Qubes-vpn-support script from here. On github click on the green “code” button, download the zip file and extract it (or use git if you prefer). This Qubes-vpn-support-master folder has to be copied over to the VPN proxyVM.

  6. Open the VPN proxyVM root terminal using the GivenName in dom0:

qvm-run -u root GivenName xterm

In the xterm terminal create the following folder:

mkdir -p /rw/config/vpn

Copy the .ovpn file from your VPN service into this folder and rename it to vpn-client.conf. Or create a symlink:

ln -s vpnservicedata.ovpn vpn-client.conf

Cd to the Qubes-vpn-support-master folder and run

sudo bash ./install

In this script, use the given username and password, or just enter anything and, after the install, copy the mentioned userpassword.txt file to /rw/config/vpn. Restart the qube.

Once this qube is used in other qubes’ settings as “Net qube”, that qube will connect to the internet via the configured VPN service (check the IP). VPN over VPN should work as well (in the proxyVM’s settings choose another proxyVM as Net qube).

4 Likes
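
A preflight check for the files the tutorial above places in /rw/config/vpn, as an added example that is not part of the original post or of qubes-vpn-support. It assumes the file names given in the tutorial (vpn-client.conf, userpassword.txt); the function name `check_vpn_dir` is made up for this illustration.

```shell
# Added example: sanity-check the VPN config directory before restarting the qube.
# Prints one line per problem found and returns non-zero if there is any.
# Run inside the proxyVM as root: check_vpn_dir /rw/config/vpn
check_vpn_dir() (
    dir="${1:-/rw/config/vpn}"
    conf="$dir/vpn-client.conf"
    cred="$dir/userpassword.txt"
    problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    # [ -e ] follows symlinks, so a dangling vpn-client.conf link fails here
    # (for example a relative "ln -s" run outside the folder holding the .ovpn).
    [ -e "$conf" ] || fail "vpn-client.conf is missing or a dangling symlink"

    if [ ! -f "$cred" ]; then
        fail "userpassword.txt is missing"
    else
        # Line 1 = username, line 2 = password; only blank lines may follow.
        awk 'NR <= 2 && !NF { bad = 1 } NR > 2 && NF { bad = 1 }
             END { exit (bad || NR < 2) }' "$cred" ||
            fail "userpassword.txt must hold exactly two non-empty lines"

        # Windows line endings leave a trailing CR on both fields.
        cr=$(printf '\r')
        grep -q "$cr" "$cred" && fail "userpassword.txt has CRLF line endings"

        # Characters 5-10 of the mode string are the group/other permission bits.
        [ "$(ls -lLd "$cred" | cut -c5-10)" = "------" ] ||
            fail "userpassword.txt is accessible by group/others (chmod 600)"
    fi
    [ "$problems" -eq 0 ]
)
```

The check cannot tell whether the two lines are in the right order; it only confirms the file has the shape OpenVPN expects and that the credentials are not readable by other users.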

When I run this I don’t get any notification saying link is up, and the qubes-handler-vpn-handler service could not be found.

1 Like

The service is supposed to be called “vpn-handler-openvpn”. Not sure what you mean that it could not be found.

These steps still work fine. From my own experience, it is important to check that the username/password are in the right order in the “userpassword.txt” file.

I’ve tried this instruction, but there is no ‘LINK IS UP!’.

AppVM doesn’t autostart OpenVPN client.

I’ve checked that openvpn runs well, and my credentials are verified.

Add
I’ve checked the source code on GitHub, and I realized that it uses “iptable”. As far as I know, it would not work on Qubes 4.2.

So I think it’s better to follow this instruction: This is currently working.

You need to fix the D-Bus services.

Install notification-daemon,
then
sudo nano /usr/share/dbus-1/services/org.freedesktop.Notifications.service

and insert this:

[D-BUS Service]
Name=org.freedesktop.Notifications
Exec=/usr/lib/notification-daemon

I wrote a guide to use VPN … see my posts, you can fix it.