Tutorial: Installing ProtonVPN CLI in a Debian 12 Minimal VM in 4.1.2

This guide explains how to set up the official ProtonVPN command line interface (CLI) as a ProxyVM for other AppVMs to connect through. This has the advantage of not needing to maintain a list of active ProtonVPN servers as OpenVPN or Wireguard configuration files. It also has the advantage of relying on the CLI’s built-in kill switch and does not require modifications of sys-firewall. This method can easily be chained with sys-whonix to avoid connecting to the VPN provider directory from your ISP by instead connecting to the VPN provider through the Tor network.

First, create a new template based on Debian 12 minimal.

[user@dom0 ~]$ qvm-clone debian-12-minimal debian-12-minimal-sys-vpn

Then run the Qubes updater to ensure the template is up-to-date.

Debian 12 minimal templates don’t have wget or curl installed, so use another VM to download the available .deb file. As of November 2023, that is version 1.0.3. You can find the most up-to-date link at: How to use the v3 ProtonVPN Linux CLI

Then, move the file to debian-12-minimal-sys-vpn so that it appears in /home/user/QubesIncoming.

Open a terminal in the newly-created template as the root user.

[user@dom0 ~]$ qvm-run --user root debian-12-minimal-sys-vpn uxterm

In the just-opened terminal, install the .deb file and then the required software. This will use the default dom0 update qube for network access, which you could have chosen to be sys-whonix.

[root@debian-12-minimal-sys-vpn ~]$ apt install /home/user/QubesIncoming/anon-whonix/protonvpn-stable-release_1.0.3_all.deb
[root@debian-12-minimal-sys-vpn ~]$ apt install protonvpn-cli qubes-core-agent-networking qubes-core-agent-network-manager
[root@debian-12-minimal-sys-vpn ~]$ usermod -G netdev -a user # from https://github.com/ProtonVPN/linux-app/issues/27

Then create the AppVM that will operate as the NetVM for other qubes.

[user@dom0 ~]$ qvm-create --template debian-12-minimal-sys-vpn --label blue sys-vpn
[user@dom0 ~]$ qvm-prefs sys-vpn netvm sys-firewall # or sys-whonix
[user@dom0 ~]$ qvm-prefs sys-vpn provides_network true
[user@dom0 ~]$ qvm-service sys-vpn network-manager true
[user@dom0 ~]$ qvm-prefs sys-vpn maxmem 900 # only need 900 MB
[user@dom0 ~]$ qvm-features sys-vpn ipv6 '' # disable IPv6: https://www.qubes-os.org/doc/networking/#ipv6

You can set sys-whonix as the netvm property to have your network traffic first go through the Tor network first then through the VPN.

Now, open a terminal as user user in sys-vpn to connect to the VPN

[user@sys-vpn ~]$ protonvpn-cli login $USERNAME
[user@sys-vpn ~]$ protonvpn-cli killswitch --permanent
[user@sys-vpn ~]$ protonvpn-cli connect --fastest --protocol tcp

You must use --protocol tcp if the NetVM of sys-vpn is sys-whonix. Otherwise, you can drop that argument.

Now, set the NetVM of another AppVM to sys-vpn to have all of AppVM’s network traffic be sent through the VPN. Notice that if either sys-vpn is not running or if ProtonVPN is disconnected, then the AppVM will not have any networking connectivity. This is probably desirable behavior.


Trying to do the same on 4.2 and Fedora 38 minimal everything seems to work (except there is no netdev group).
Installing protonvpn-cli (dnf localinstall protonforfedorarelease.rpm / dnf update / dnf install protonvpn-cli) and other packages in the template works, creating sys-vpn based on the template works as well. However it cannot be started because of “command not found”. which protonvpn-cli reveals there is no protonvpn-cli. Although using dnf install protonvpn-cli both on the template and in the sys-vpn root terminal leads to “package is already installed”. Is there maybe something missing on Fedora minimal to get protonvpn-cli to work? Or is someone using it already on 4.2?

Does it say this when you try to run protonvpn-cli?
Are you sure that the template was turned off after installation and that sys-vpn was restarted to get the updated root volume?

Exactly, running protonvpn-cli leads to bash: protonvpn-cli: command not found. Both VMs were restarted and the template turned off. No idea what could be the culprit as mentioned starting the root terminal and trying dnf install protonvpn-cli says it is already installed. protonvpn-cli is still not found (neither on the root terminal nor as user).

Is sys-vpn linked to the correct template? Also, can you provide where protonvpn-cli is installed with which protonvpn-cli?

Yes, it looks it’s based on the correct template. The qube based on the template shows that protonvpn-cli is installed.
which: no protonvpn-cli in (/usr/local/sbin:/usr/sbin:/usr/local/bin:/usr/bin) <-this is all I get.

I just tried to install it after this:

There’s no protonvpn-cli, only the graphical application called “protonvpn-app”.

It seems to have been discontinued in favor of the new Linux app:

It’s still maintained by “the community” here:

It must be installed with pip instead of dnf and the cli is named “protonvpn”

1 Like

Ouch, it looks I ended up using the wrong guide with the old legacy repo.
Thank you for showing in the right direction!
I will test a new setup with the latest proton tools.

1 Like

I initally posted an answer to this post but realised it’s a novel and most of which would maybe not be of interest here. Here a separate post for the full story ^^.

TLDR : pvpn cli projects are all outdated

  1. Use Wireguard or OpenVPN if you don’t need much of the cli features, they have both great tutorials on how to set-up in this forum and pvpn doc explain well how to get the config files.
  2. Or install the most recent (outdated) cli from official repo if you need the extra cli features. There are some quirks using it though (I need to restart the proxy when I want to change the options).

So about the pvpn cli project. It looks like it’s maintained by the community because of a recent shallow commit (just an empty version bump XD) but it’s NOT.

  1. [Don’t use] The community repo by Rafficer is much older and outdated than the legacy one. Complitely outdated community repo, and seemingly not honoring PRs by the community but not officially archived by owner - last release 2.11.0 on 28/07/21. You can see the contribution graph here
    /!\ Don’t install it from Pypi (pip) neither as recommended in community readme, it’s stuck in 2.11.0 too

  2. [Pick this one] The official repo is archived by protonvpn. Official repo, the most recent and the one I use but officially abandoned on 11/10/23 by protonvpn - last release 3.13.0 on 14/09/22

I first had a lot of hopes in a statement from the official cli maintainer in this post talking about status and roadmap.

But it has now been 2 years and I only see improvements on the gui client v4 and no more info about cli since then. (I didn’t ask them).

1 Like