Wireguard VPN setup

solene · January 9, 2025, 9:49pm

this is weird though

solene · January 9, 2025, 9:49pm

Debugging happened in private, it seemed to be a Mullvad issue

Cracked_Tessaract · January 9, 2025, 9:52pm

Was there a technical solution beyond “pick a different server”? The troubleshooting steps might be helpful for other who has this issue.

Great job @solene!

phuc · January 9, 2025, 10:05pm

@solene had me check the output of systemd-resolve and the output of /etc/resolv.conf to check the DNS. I also restarted systemctl restart systemd-resolved.

In the end, I made a new fedora41 appvm @Cracked_Tessaract

Copied a completely different wireguard .conf over and ran nmcli connection import type wireguard file vpn.conf per solenes guide.

curl https://am.i.mullvad.net/connected returns successful connection. there appear to be 2 servers in my region affected with DNS issues. never had issues with mullvad before…

Axel · January 11, 2025, 3:34pm

I was able to make my wireguard vm disposable like sys-net or at least I think I did, is that something someone else has already done or should I try and post about how I did it? If I should post about it, should it just be a reply to this post or a new one all together?

solene · January 11, 2025, 6:02pm

This kind of operation should be straightforward or common enough that it should be documented separately if it’s not already in the documentation.

But if you really want to, you can edit the first post and add an extra section at the end about making the VPN from a disposable

Axel · January 11, 2025, 6:28pm

Got it, I’ll write up how I did it soon in its own post.

qubesfan35267 · January 27, 2025, 4:12pm

Does anyone know why the “random connect to VPN at startup” sometimes work and at other times does not work or does work delayed?

barto · January 27, 2025, 4:17pm

What do you mean, exactly? It works for me every day.

EDIT: I do have a “sleep 1” before and between the two lines in @solene’s post.
EDIT2: and you have to disable auto-connection for ALL tunnels

solene · January 27, 2025, 4:19pm

if the qube can not reach the Internet when it runs this piece of code, the VPN will try to establish and hang. This may happen if it automatically start at boot and you need to type a WiFi password.

qubesfan35267 · January 27, 2025, 4:32pm

sometimes it is connecting right away…sometimes it is connecting with a delay of up to several minutes…sometimes it never connects…

Solene´s input might be connected to this behavior as well. Maybe I can work it with your “sleep” command…

Thank you for the quick reply you two!

qubesfan35267 · January 27, 2025, 5:09pm

So the “sleep” command seems to help. Thanks again!

MSQLI · January 27, 2025, 6:57pm

resolve call failed: All attempts to contact name server or network failed

qubemanager · February 11, 2025, 8:19pm

If I want to create a VPN qube without a specified DNS server (= I prefer to use my VPN’s DNS) but I also want to avoid any potential DNS leaks, how should I modify the guide? Should I just simply skip the last quoted step?

solene:

# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"

Alethia · March 18, 2025, 10:43am

Found out that this is because network manager is not yet initialized. If you add:

sleep 10
nmcli connection up [conf]

Then it works

barto · March 18, 2025, 1:38pm

The delay doesn’t have to be that long (at least in my experience) - “sleep 1” was enough, albeit twice… and with some commands run in between, which probably take 0.1 seconds too.
The idea is to pick a random tunnel at start, resulting in the following, in rc.local:

sleep 1
RVPN=$(nmcli connection show | awk '/wireguard/ {print $1}' | \
        sort -R | head -n 1)
date +'%Y%m%d %H:%M:%S: '"${RVPN}" >> /tmp/chosen
sleep 1
nmcli connection up "${RVPN}"

This works 100% on my machines.

D2Xoi28 · May 11, 2025, 3:47pm

I am using this setup with openvpn.
To be sure about it:
Endpoint in a Wireguard config is the same as remote in an openvpn config?

barto · May 11, 2025, 7:15pm

Yes

solene · May 27, 2025, 4:48pm

I got something to work from a debian-12-minimal template, do you think I should update this guide in-place and replace the fedora based guide, or should I write a new guide?

Fedora based guides are annoying for network as there is a new version every 6 months, and there is a delay to get the latest fedora as a template.

qubesfan35267 · May 28, 2025, 8:45pm

Hi Solene, thank you for all your great contributions to the community. I already used this guide for my debian-12-minimal vpn configurations. Everything has been working fine so far. Or have I been missing something and it should not even have been working with debian?
I think you are right with your assessment that debian makes more sense compared to fedora due to the latter switching to a new version every six month. Just add your debian guide and when fedora gets obsolete kick it out…