there are some specific changes for the minimal template, like installing and enabling network manager, or how to run a command as root 
Ahhh ok. I had that already taken into account when setting up the template. Probably the reason why it is been working with your guide so smoothly.
I wrote up some bash scripts for setting up minimal templates even from dom0. It is not as sophisticated as salt but it is doing its job and might be a little easier to understand for Qubes beginners like me:
I have pretty much the same problem here. I tried to set up a sys-vpn via ivpn on a StandaloneVm fedora-41-xfce,also tried via Template then AppVm. In both the app version and the wireguard set up I have a connection and can ping servers as 9.9.9.9 .
But when tryin to browse it doesnt work. I can also acces the sys-vpn as a net qube from a different qube same symptoms. I tried without, with the DNS hardening with 9.9.9.9 as DNS, and with the DNS provided by my VPN Provider.
I dont know what else to try
Thanks in advance
Having issues with sys-vpn AppVM connectivity using wireguard setup in Network Manager. Trying to ping the ip address of an external ip will fail, either with no response or “Destination Host Unreachable ping: sendmsg: Destination address required”.
Using cmd systemd-resolve google.com gives “google.com: resolve call failed: All attempts to contact name servers failed”
Now comes the strange part. Sometimes I can simply switch to a another vpn server in Network Manager and connectivity is restored. Other times, say 20%, this does not work. Restarting the sys-vpn qube usually doesn’t work, but rarely it will.
‘resolvectl status’ shows the Wireguard tunnel as the default route with the correct DNS ip.
Is anyone else experiencing this?
Looks like it’s not a DNS problem as you can’t ping an IP.
Check the status of the VPN using sudo wg and see if there are data in rx and tx lines. (wireguard-tools package is needed, not sure it’s installed by default)
After installing wireguard-tools ‘sudo wg’ shows no rx or tx lines
Then had to switch vpn twice to get connectivity. Now it show the rx and tx info.
Did you notice a huge difference in the command output except the tx/Rx lines? If they are not present, this mean there is the wireguard tunnel started which would be weird, but this would explain your issue.
Went back and had a closer look. The peer endpoint is missing from the output. Why would this happen?
Is it correctly defined in network manager? I don’t know how this is possible to be honest.
I can see the Endpoint as “domain name:port” in the wg config files I imported into network manager.
In the network manager settings the endpoint isn’t shown.
At least you certainly found why the VPN were not all working. But if you used nmcli import, I wonder what went wrong with these files 
Ok so I created a new wg config using the ip address of the endpoint and not as a domain as in the original configs. Now there are no connection issues and the tunnel comes up correctly.
So it seems using the endpoint’s domain name in the config files causes the problem. Still doesn’t explain how disconnecting and reconnecting the vpn in network manager allows it to connect using the domain name configs though.
Seems the DNS lookup of the endpoint fails during network manager wg startup for some reason.
Anyway thanks for your help troubleshooting Solene
The domain name may resolve to a different address in the future, but using a DNS name in the endpoint can also create troubles if you do not allow DNS traffic before the VPN is connected 
From the sys-vpn firewall DNS traffic is allowed. Perhaps it’s blocked somewhere else.