Context:
I’m trying to use a dedicated NetVM (sys-amnezia-standalone) in Qubes OS 4.2 for routing traffic from AppVMs and dispVMs through Amnezia VPN (which uses WireGuard). Amnezia is installed in the standalone qube and works correctly — it connects and masks the VPN protocol as expected.
Disposable AppVMs set sys-amnezia-standalone as their NetVM.
Firewall in sys-amnezia-standalone initially allowed only the VPN server IP (now relaxed to allow all outgoing).
VPN interface name: amn0.
Problem:
VPN connects successfully in sys-amnezia-standalone, and it has full internet access.
Any disposable or AppVM using it as NetVM has no internet access at all — even DNS doesn’t resolve.
I applied recommended firewall restrictions (based on amn0 interface and VPN IP) and also tested with firewall fully open (all outgoing allowed) — same result.
DNS to 10.139.1.1 is allowed in iptables.
What I tried:
Verified that Amnezia is routing traffic over amn0 in the VPN qube.
Allowed all outgoing traffic to rule out firewall problems.
Added internal DNS IP and vif+ interface exceptions.
Either sys-amnezia-standalone is not properly forwarding traffic from client VMs over the VPN tunnel, or something about Qubes networking isolation is interfering.
Since the VPN client is GUI-based and auto-manages the tunnel, it’s unclear if Qubes’ routing tables or NAT is mismatched post-VPN connection.
Questions:
What’s the correct way to set up a GUI VPN client (like Amnezia) in a NetVM and have other qubes use it for networking?
Is additional NAT or routing setup required manually?
Could Qubes firewall isolation interfere with the masked WireGuard tunnel?
Would appreciate any insights or suggestions on how to debug or fix this.
How did you manage to run amnezia vpn?
I encounter an error when trying to start the interface (awg-quick cli): Unknown device type, protocol not supported.
The amneziawg-go utility starts the interface, but the configuration files are ignored…
It’s a standalone, but did you use a template as a base?
If not, it’s certainly missing the Qubes tools to handle the network; this means you would have to turn your sys-amnezia-standalone into a router with a firewall rule for NAT, which is done automatically with Qubes OS-compatible OSes running in Qubes.
I used the Amnezia VPN desktop client (the graphical GUI version) in a Fedora-based standalone VM. I installed it from their official binary installer.
After installing the required dependencies (e.g. libxcb-cursor etc.), the GUI launched fine. It successfully imported a WireGuard config with obfuscation, and the VPN connected. The virtual interface it created was named amn0, and routing/DNS appeared to work correctly inside the Amnezia qube itself.
However, I didn’t use awg-quick or amneziawg-go from the CLI directly. It seems the GUI manages the tunnel differently, possibly with custom masking logic, so your issues may be related to using the CLI without that layer.
Unfortunately, I no longer have access to that machine at the moment, and I’ve already deleted the test qube, so I won’t be able to investigate further until I can reproduce the setup again. I’ll update when I get a chance to retry.
Let me know what base system you’re using, and I’d be happy to compare setups when I can revisit it.
Yes. That’s a great point, and thank you for bringing it up.
I created the standalone qube (sys-amnezia-standalone) from a Fedora-based template, so Qubes tools should have been present. The Amnezia GUI client was installed via its official binary installer, and it connected successfully, creating a VPN interface named amn0.
The issue I ran into was that although the VPN was working inside sys-amnezia, AppVMs that used it as a NetVM had no internet access — not even DNS. I suspected the problem was with NAT or forwarding not being correctly restored after the VPN tunnel came up.
At the moment, I’ve deleted that qube and can’t test further until I have access to the machine again. Once I can reproduce the setup, I’ll try rerunning /usr/lib/qubes/qubes-setup-dnat-to-ns or applying explicit NAT rules to handle forwarding from AppVMs through the amn0 interface.
Any tips or known-good iptables/NAT setups for custom VPNs in NetVMs would be very helpful when I’m able to try again.
I have good news, I found a way to make amnezia-sys-vpn work from other qubes. In each qube where you use amnezia-sys-vpn as network provider, you need to write nameserver 1.1.1.1 in /etc/resolv.conf. Most likely this is not an ideal solution, but we need to figure out how to do it right.
Instead of manually configuring the DNS in the qube, you should alter the nftables rules in the netvm.
By default the rules are in the nat table in the PR-QBS chain:
chain PR-QBS {
meta l4proto udp ip daddr 10.139.1.1 udp dport 53 counter packets 0 bytes 0 dnat to 10.139.1.1
meta l4proto tcp ip daddr 10.139.1.1 tcp dport 53 counter packets 0 bytes 0 dnat to 10.139.1.1
meta l4proto udp ip daddr 10.139.1.2 udp dport 53 counter packets 0 bytes 0 dnat to 10.139.1.2
meta l4proto tcp ip daddr 10.139.1.2 tcp dport 53 counter packets 0 bytes 0 dnat to 10.139.1.2
}
But I don’t see the PR-QBS table in the output of the nft list ruleset command, only a similar table dnat-dns…
I will be glad of any help. In my country, amnezia vpn is the only way to bypass blocking.
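The two posts above describe the fix at the level of the NetVM's nftables rules: client qubes keep sending DNS to 10.139.1.1/10.139.1.2, and the NetVM rewrites that destination so the query leaves through the tunnel. Below is an added script illustrating that approach; it is not code from the thread, from Qubes OS or from the Amnezia project. It assumes the Qubes 4.2 layout of a table named ip qubes with a nat/prerouting chain named dnat-dns (the chain name the last post reports seeing) and a filter/forward chain named custom-forward, that the stock postrouting chain already masquerades whatever leaves on a non-vif interface, that the tunnel interface is amn0, and that the resolver reachable through the tunnel is 1.1.1.1 (the address used in resolv.conf earlier in the thread); all of these are assumptions that should be checked against nft list ruleset in the actual NetVM.

```shell
#!/bin/sh
# Added example for this thread, not code from the Qubes OS or Amnezia projects.
# Assumptions (none of these are taken from the thread itself):
#   - Qubes OS 4.2 NetVM with the stock nftables table "ip qubes", its
#     nat/prerouting chain "dnat-dns" and its filter/forward chain "custom-forward";
#   - the stock postrouting chain already masquerades traffic leaving on a
#     non-vif interface, so no extra SNAT rule is needed for amn0;
#   - tunnel interface amn0, resolver reachable through it in $VPN_DNS
#     (1.1.1.1 by default, the address an earlier post put in resolv.conf);
#   - client qubes use the virtual resolvers 10.139.1.1 and 10.139.1.2.
set -eu

VPN_IF="${VPN_IF:-amn0}"
VPN_DNS="${VPN_DNS:-1.1.1.1}"
QUBES_DNS="10.139.1.1 10.139.1.2"

# Print nft commands that repoint the DNS DNAT at the tunnel resolver. Client
# qubes keep 10.139.1.x in their resolv.conf; the NetVM rewrites the destination
# before routing, so the query goes out the tunnel instead of toward sys-net.
dns_dnat_rules() {
  dns="$1"
  echo "flush chain ip qubes dnat-dns"
  for q in $QUBES_DNS; do
    for proto in udp tcp; do
      echo "add rule ip qubes dnat-dns ip daddr $q $proto dport 53 dnat to $dns"
    done
  done
}

# Print forward rules that act as a kill switch: traffic from client qubes
# (vif* interfaces) may only leave on the tunnel interface; anything else is
# dropped, so a tunnel drop-out never leaks client traffic to eth0.
forward_rules() {
  vpn_if="$1"
  echo "flush chain ip qubes custom-forward"
  echo "add rule ip qubes custom-forward iifname \"vif*\" oifname \"$vpn_if\" accept"
  echo "add rule ip qubes custom-forward iifname \"vif*\" oifname != \"$vpn_if\" drop"
}

# Load the rules (root, inside the NetVM, tunnel already up) and show the result.
apply_rules() {
  [ "$(id -u)" -eq 0 ] || { echo "apply must run as root inside the NetVM" >&2; return 1; }
  ip link show "$VPN_IF" >/dev/null 2>&1 || { echo "$VPN_IF is not up; connect the VPN first" >&2; return 1; }
  { dns_dnat_rules "$VPN_DNS"; forward_rules "$VPN_IF"; } | nft -f -
  nft list chain ip qubes dnat-dns
  nft list chain ip qubes custom-forward
}

case "${1:-print}" in
  apply) apply_rules ;;
  # dry run: show the commands that "apply" would load
  print) dns_dnat_rules "$VPN_DNS"; forward_rules "$VPN_IF" ;;
  *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Run it with print first to see the commands, then as root with apply once amn0 is up. Two caveats: /usr/lib/qubes/qubes-setup-dnat-to-ns, mentioned earlier in the thread, regenerates the DNS DNAT chain from the NetVM's own /etc/resolv.conf, so if it is re-run after the tunnel comes up the rules can revert and apply has to be repeated (check with nft list chain ip qubes dnat-dns); and the kill-switch rule only makes sense if every client qube is meant to reach the network exclusively through the tunnel.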