Good point. Thanks for catching that. Just fixed it.
I didn’t find a way to add a pre-existing config via the NetworkManager GUI. As far as I found, we can only import OpenVPN config files. Is there an option for import wireguard config files directly? If so, I’d love to have it there because having a 100% GUI guide is perfect.
Sorry, I don’t fully understand what you mean, but feel free to change whatever. It’s your guide after all
After some more digging, it turns out that it’s not yet available. On fedora-38 we have network-manager-applet version 1.30.0 and we need at least 1.32.0. So this will probably only be possible on Fedora 39 Not even if we switch to debian 12…
Great write up, thanks! I’m using this method in 4.2 Fedora 38 as it seems the 4.1 method published (officially by Mullvad) doesn’t work. I think SELinux is preventing execution/autostart of Wireguard in /rw/config/rc.local.
This network manager method auto starts, so all is good!
One thing I like to do from that guide, is the optional advice to disable non-tunnelled pinging - from the Mullvad guide:
Disable ping (optional)
As noted in the qube Firewall rules window, those rules do not apply to DNS requests and ICMP (pings). If you want to block pings too then you can use the qvm-firewall command.
Click on the Qubes app menu and open Terminal Emulator.
Run qvm-firewall MullvadVPN list. Find the rule in the bottom that says “accept icmp” and note the line number.
Run qvm-firewall MullvadVPN del --rule-no NUMBER. Replace NUMBER with the line number you found above.
Run qvm-firewall MullvadVPN add --before NUMBER drop proto=icmp. Replace NUMBER with the line number you found above. This new rule will be added before the last “drop” line.
Check it by running the list command again. The rules should be in this order: accept (the IP addresses of the VPN servers), accept dns, drop icmp, drop.
It’s ok to make mistakes, just make sure to learn from it, and clean the mess
Because you made a mistake? This is ridiculous. People make mistakes, you can’t make mistakes if you don’t have the opportunity, but if you make mistakes, you learn, you get experiences, and you can do better next time, and teach people how to not make the same mistakes as you.
Except if you don’t want to edit documentation anymore, in which case it would make sense.
I can see the history of changes on the topic, it seems some changes don’t make sense, like the addition of
Maybe instead of show up
will be available to be started from
upper left Q / Services.
``
is it what you are apologizing for?
Yes. That is what I added.
Sorry I could not re edit it. I guess someone realized I should not have been allowed to edit and removed my permission.
I had already created a sys-mullvad Qube and tried to install the Mullvad GUI app. Which caused me to have a different response than what your documentation shows.
In the community guides section we aim to have things as editable wikis. So anyone can edit and contribute. If someone messes something up (either on purpose or by mistake) we can always revert that
So no problem. We learn by mistake as @solene is saying.
Hello Solene, thank you for this amazing guide it’s working flawlessly for me. Just a few questions.
Has there been any extensive (or nonextensive) leak tests done to make sure that these iptables rules are sufficient enough to prevent a vpn leak? Of course using the Qubes GUI to set the firewall to the VPN end point is one way to do this however, it would be nice if the vpn setup was leakproof without relying on the Qubes Firewall. I am a user that always sets the Qubes Firewall to limit outgoing connections to the wireguard vpn end point, however in a case such as a bug in the firewall, I would feel much safer if the iptables rules and network manager would also fail safe by default. Two layers of protection rather than one sort of thing… Also network manager does not fail safe by default which is why I want to make sure that these iptables rules are sufficient enough. Perhaps there is additional hardening that could be done that hasn’t been mentioned in this guide? Or many other users who have tried this vpn setup and are coming across my comment have some insight?
Also I am interested to know if you or anybody else will carry this guide onto Qubes 4.2 where we will be moving to nftables by default. (I am hoping you will do so)
Again, thank you so much for this guide. It’s working very well, just wanted to discuss the aspects of failsafe regarding this setup.
Regarding leaks, I haven’t done extensive testing either. It may leak ICMP packets (pings) if the advanced part is skipped. This is because the Qubes GUI firewall by default leaks those.
It would be nice to have it updated indeed. We also welcome contributions by anyone. So if you get it working, feel free to improve it.
Starting in Fedora 29 39 networkmanager-applet will have the ability to add wireguard connections via the UI. So the guide may be updated too to remove the command line for that
Run into some weird errors probably due to my lack of understanding though i think the guide should mention a few more things + be made into an ASCI text file to make a offline copy easy.
There is the need to hvm the new sys-vpn.
and then add the network adapter, ethernet port or wifi adapter internal or external to the sys-vpn
follow the guide
once this is done you can only set firewall rules in the firewall
Please correct me if i am wrong but this is the ony way i could get it to run while traveling with a notebook and random wifi hotspots.