Wireguard VPN setup

solene · June 5, 2023, 4:39pm

Good news, with fedora-38 the network manager supports Wireguard out of the box!
The only thing required are extra firewall rules in the VPN qube, as explained in the community documentation about VPN.

What you’ll need

This guide assumes you are using a VPN service that has wireguard support, most of them do, but you can also add your own if you have a server.

ProtonVPN has a free plan, it has limits but gives you a fully working VPN and they support WireGuard. This provider is recommended on privacyguides.com for being privacy friendly (no logs)

Create a new qube providing network

Make sure fedora-40 template is installed (instructions) (so far, this works with fedora 38/39/40 and certainly later versions)

Menu » Qubes Tools » Create Qubes VM:

name: sys-vpn (you pick yours)
template: fedora-38
type: app qube (or AppVM)
networking: sys-firewall ( make sure it is NOT “(default) sys-firewall” but instead “sys-firewall)
Launch settings after creation
advanced (tab) » Provides network access to other qubes

And then OK. Then the qube settings window should show up (proceed to the next step).

Enable service “network-manager” in sys-vpn

In the settings window that popped up, go to the Services, select network-manager from the drop-down list and click add. Then save the settings by clicking OK.

Get your wireguard VPN configuration file

Go your VPN provider and download a configuration file for wireguard (e.g.: vpn.conf)
On your VPN provider download the wireguard configuration for the server you want to connect to.

Here are the download pages for some popular VPN services: Mullvad, ProtonVPN

Use the Qube GUI to set the firewall to the VPN endpoint (this avoids leaks)

This is essentially a killswitch. It is a fail-safe that ensures that if your VPN connection fails, it does NOT let anything through.

This lets pass DNS requests to internal Qubes OS DNS servers and also ICMP, see the next section if you need to block everything

Open the configuration file in a text editor and take note of the IP address right next to Endpoint. If the line looks like the following, then you take note of the IP address as 1.2.3.4.

Endpoint = 1.2.3.4:5555

Open the qube settings for sys-vpn and navigate to the Firewall rules tab and set Limit outgoing connections to.

Then click on to add a new firewall and add your saved IP address(es)

Hit OK to apply and click OK again to apply the settings.

Block all traffic outside VPN using command line Qubes OS Firewall

To configure killswitch + (DNS) leak protection + ICMP/ping blocking + protection in case of sys-vpn compromise, you can alternatively execute a three-liner in dom0, no nft/iptables needed:

qvm-firewall sys-vpn reset # (1)
qvm-firewall sys-vpn add accept dsthost=1.2.3.4 # (2)
qvm-firewall sys-vpn del --rule-no 0 # (3)

(1) resets firewall to one single rule accepting everything
(2) whitelists specific VPN gateway IP
(3) removes rule (1), so there is just one whitelisted IP from (2) left

Everything else is blocked safely outside sys-vpn.

Configure your VPN in the Network Manager

On the qube on which you downloaded your wireguard configuration (e.g.: vpn.conf), open the file explorer where the file was saved. Then right-click a file and Copy to another AppVM and choose to sys-vpn as the target.

Open your file manager in sys-vpn and find the <NAME>.conf file you just copied. It should in the directory QubesIncoming. Move it to your home directory.

Open the Terminal application on your sys-vpn qube and run the following command (replacing <NAME>.conf with the correct name of the file):

nmcli connection import type wireguard file vpn.conf

If successful, you should see a notification about successful connection. If that doesn’t happen, something may be wrong with your config file:

oppp

You should also see an icon with a padlock in the top-right corner of your screen (system tray). This indicates that your VPN connection is active. Without a padlock, means that it failed to connect.

Assign a VM to the new Qube network to use the VPN

Now that the VPN is configured, for each qube that you want to connect to the VPN, open its settings and set networking to sys-vpn. If you want this to be the default net qube, then you can set it in the Qubes Global Settings.

After that you’re done

Some websites aren’t working

This is certainly related to an MTU issue (the packet payload size), I got this issue only with www.duckduckgo.com for instance, so it could be very specific.

A solution is to force the qubes using the VPN provider qube to use a lower MTU, this can be easily achieved using a firewall rule. Add this to /rw/config/qubes-firewall-user-script:

nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu

Connect to a random VPN at qube start (optional)

If you have multiple VPNs configured in the qube, you may want one to be picked randomly at boot to connect to.

Make sure no VPN are configured for automatic connection at startup, there is a check box in the first tab of the VPN settings for that, it defaults to automatic connection.

Add this code to /rw/config/rc.local

RANDOM_VPN=$(nmcli connection show | awk '/wireguard/ { print $1 }' | sort -R | head -n 1)
nmcli connection up "$RANDOM_VPN"

Hardening (optional)

Killswitch

You may want to force all qubes traffic to go through the VPN and block non-VPN traffic.

Add the rules below in /rw/config/qubes-firewall-user-script in sys-vpn, make sure the qube service “qubes-firewall” is enabled in the qube settings:

# Prevent the qube to forward traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

These firewall rules will prevent (at the qube level) routing traffic of the NetVM child qubes through the sys-vpn NetVM. In other words, it blocks network traffic for qubes using sys-vpn as a NetVM if the VPN is not up/working.

If sys-vpn qube is compromised, it is possible to remove that rule from the qube (hence the “qube level” rule) and leak the traffic, although if this happens, it is also possible to directly listen to the network traffic going through sys-vpn.

A better killswitch solution is to use the qube firewall to block all traffic except the host:port destination required to establish the VPN. The firewall rules are applied on sys-vpn NetVM and can’t be modified from sys-vpn itself. Although this is better, it still won’t protect a compromised sys-vpn to listen to the traffic passing there (it’s is actually impossible to protect).

Prevent DNS leak

You may also want to force using a defined DNS server (9.9.9.9 in the current example) and blocking all other DNS servers (this avoids dns leaks)

# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"

deeplow · June 30, 2023, 9:33am

This is definitely the way to go about setting up a VPN. This guide definitely needs some polishing / more details, though. I can help with that. Do you mind if I make it into a wiki?

I did not expect it to autoconnect, but it did, which is awesome. No need to setup some script to auto connect!

deeplow · June 30, 2023, 9:42am

Expanding a bit more on the auto-connect thing… The way Qubes networking scripts work, they basically overwrite the saved configurations directory, which is also where it would save the setting to autoconnect.

However, with wireguard it automagically connects, making the whole setup way easier.

solene · June 30, 2023, 10:13am

Sure, I’d be happy to help with documentation in general but it’s not clear how this work except for the repo qubes-doc.

solene · June 30, 2023, 10:13am

maybe the nmcli connect "vpn" trick in rc.local should be enough. I don’t have this VPN anymore so I can’t try it now. I’d have to make it again.

deeplow · June 30, 2023, 3:10pm

It should all be explained here. But this in particular belongs to the community documentation, which will be migrated to the forum soon so I guess its just a matter of explanding this post you’ve already done. Do you mind if I turn it into a wiki post so I can contribute as well?

I also moved your notes about the firewall rules setting to a “hardening” section, since it seems more advanced. And I wanted to ask you what that part aimed to achieve. If it is DNS hijack protection, doesn’t the wireguard config enforce it?

solene · June 30, 2023, 3:15pm

Be my guest

It’s more the community documentation process which looks obscure to me at the moment but I understand it’s in a migration state.

deeplow · June 30, 2023, 6:20pm

Done I hope it’s to your liking. If not, just change it.

I used bullet points as headings and changed the order of two of them. I wrote it from the perspective of someone who downloads a wireguard config from a VPN provider and not from the perspective of someone who has their own. I assumed someone who has their own VPN details can navigate the document and diverge where needed.

Let me know what you think

solene · June 30, 2023, 6:30pm

nice improvement, a few nitpicks

you forgot to mention (did I too in the original text?) to set the VM as “providing network” in the Advanced Tab
why are you using nmcli instead of importing from the network manager applet?
The endpoint firewall rule should be at the end for hardening, it makes the guide look complicated by showing IPs addresses
Did you try it?

KarlinQubes · June 30, 2023, 11:17pm

Thanks for the effort you put in to making this.

I’m curious, if I want to setup a sys-vpn with this configuration, but I want to change the config file to different servers over time, can I do so by simply running the command below with my alternative .conf file and change the firewall setting?

nmcli connection import type wireguard file vpn.conf

Can you clarify that VPN=9.9.9.9 in the hardening section is to be replaced with the VPN server address?

solene · July 1, 2023, 6:40am

The line with 9.9.9.9 should be DNS=9.9.9.9, I was certainly tired when writing this
I’ll fix it

deeplow · July 6, 2023, 4:09pm

Somehow I had missed your feedback.

Good point. Thanks for catching that. Just fixed it.

I didn’t find a way to add a pre-existing config via the NetworkManager GUI. As far as I found, we can only import OpenVPN config files. Is there an option for import wireguard config files directly? If so, I’d love to have it there because having a 100% GUI guide is perfect.

Sorry, I don’t fully understand what you mean, but feel free to change whatever. It’s your guide after all

solene · July 6, 2023, 4:22pm

click on nm-applet
select “VPN Connections” → “Configure VPN…”
click on +
Select “Import a saved VPN configuration…”

It worked for me with a wg-quick configuration file

deeplow · July 6, 2023, 4:40pm

It didn’t work for me, unfortunately

My config file looks something like this: (IPs / keys replaced)

[Interface]
PrivateKey = ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ
Address = X.X.X.X/32,YYYY:YYYY:YYYY:YYYY:YYYY:YYYY:YYYY/128
DNS = X.X.X.X

[Peer]
PublicKey = KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKK
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = Q.Q.Q.Q:51820

In your setup that worked is it something like that?

solene · July 6, 2023, 6:06pm

Interesting, I can’t remember my file and I don’t have it anymore.

Maybe an extra package is required? (like wg quick maybe)

deeplow · July 9, 2023, 11:53am

I just installed wireguard-tools, which provides wg-quick but that didn’t fix it, sadly.

deeplow · July 17, 2023, 12:08pm

We are not the first ones navigating on these waters apparently:

Wireguard in NetworkManager

As of now, if you right-click networkmanager, edit connections, and hit the plus, you can manually create a wireguard profile as the link instructs. However, you cannot import a wireguard profile via the gui yet.
If you use nmcli it will work. See the link, then scroll down to the first comment, by Eugene, and you can import the wireguard profile. Be warned, however, that even if you import with nmcli, features such as the killswitch are not yet respected by networkmanager If the VPN fails, data WILL be passed in clear.

Hopefully in the future, the networkmanager team will have a rock-solid feature where wireguard profiles can be imported via the gui and perform as expected, killswitches, multihop, and all. Maybe even they can add a feature where a random profile is selected on startup, given that wireguard has no remote-random feature like openvpn.

deeplow · July 17, 2023, 12:14pm

Supposedly the code supports it:

deeplow · July 17, 2023, 12:36pm

After some more digging, it turns out that it’s not yet available. On fedora-38 we have network-manager-applet version 1.30.0 and we need at least 1.32.0. So this will probably only be possible on Fedora 39 Not even if we switch to debian 12…

xmpriv · July 28, 2023, 2:13pm

Great write up, thanks! I’m using this method in 4.2 Fedora 38 as it seems the 4.1 method published (officially by Mullvad) doesn’t work. I think SELinux is preventing execution/autostart of Wireguard in /rw/config/rc.local.

This network manager method auto starts, so all is good!

One thing I like to do from that guide, is the optional advice to disable non-tunnelled pinging - from the Mullvad guide:

Disable ping (optional)

As noted in the qube Firewall rules window, those rules do not apply to DNS requests and ICMP (pings). If you want to block pings too then you can use the qvm-firewall command.

Click on the Qubes app menu and open Terminal Emulator.

Run qvm-firewall MullvadVPN list. Find the rule in the bottom that says “accept icmp” and note the line number.

Run qvm-firewall MullvadVPN del --rule-no NUMBER. Replace NUMBER with the line number you found above.

Run qvm-firewall MullvadVPN add --before NUMBER drop proto=icmp. Replace NUMBER with the line number you found above. This new rule will be added before the last “drop” line.

Check it by running the list command again. The rules should be in this order: accept (the IP addresses of the VPN servers), accept dns, drop icmp, drop.