I had to rename my “super-long-proton-config-file-name.conf” to “vpn.conf” and then it worked.
2 Likes
Hi, is it a wrong setup to have a StandaloneVM qube (with vpn app, ProtonVPN) that provides NetVM to other qubes?
The Standalone qube has sys-firewall as NetVM, killswitch activated in app, all works fine. If the qube is down, all others that have it as NetVM can’t connect to the internet.
why would it be wrong in your opinion? My answer is it’s not wrong, but just make sure to keep it up to date
1 Like
thx
Small note on usability.
You can copy multiple vpn config files to your vpn (just follow the guide and repeat the steps). Afterwards you can use the UI to switch between your wireguard connections (almost like using the VPN’s app). Pretty handy
3 Likes
I know some people keep some config files around and pick one file randomly at boot to run wg-quick on it to connect.
Otherwise, you could also connect to a random NetworkManager VPN at boot, certainly with nmcli and a little script around.
1 Like
I added a mention that ProtonVPN has a free plan + WireGuard support, that can be handy for people who are on tight budget. The free plan works really great, but is only limited in term of server availability (and no p2p).
1 Like
how is using the qube GUI to set the firewall different from a kill switch?
The end result is quite similar but it’s different.
Using the firewall tab, you limit the VPN qube only to the VPN server, but you have to add each VPN server there which can be cumbersome and not straightforward. By default, ICMP isn’t blocked either, and blocking it also affects the NetVM which isn’t ideal because ICMP (ping) is used for MTU discovery.
In addition, this allows NetVM to reach the VPN server when the VPN in the VPN qube isn’t connected. (this is not a real issue).
The kill switch with nftables rules blocks all forwarded traffic outside the VPN tunnel.
1 Like
interesting! So by adding the killswitch, i dont have to modify firewall settings using GUI? Or should i do both too?
A problem im encountering: When i start my sys-vpn, it connects to all the .conf’s ive added to network manager. How do i stop this
You only need the GUI firewall settings if you want to prevent the VPN qube to use the Internet without the VPN.
The killswitch will only prevent the qubes using the netVM VPN to connect to anything when the VPN isn’t connected.
I guess you need to uncheck a setting like “autoconnect at boot” in each VPN settings 
1 Like
Does it autoconnect to the last one selected? If not, what does the autoconnection do?
Sorry I cannot test it since I am currently in an upgrade process to 4.2.
I would expect autoconnect means it setup your wg connection as soon as the QVM boots. Consequently, only one should be set to autoconnect.
is it possible to setup by debian? i don’t use fedora.
make sure it is NOT “(default) sys-firewall” but instead “sys-firewall)
i didn’t understand this. can you explain more?
If you keep (default) sys-firewall it will automatically be changed if you change the default NetVM qube for all qubes, if you set the default to be the qube VPN, it will try to use itself as a NetVM.
it should be possible
No, every autoconnect VPN will connect. This make sense because not everyone use a VPN for a default route, and you may need multiple VPN to connect to multiple remote LAN, not just a single vpn for all the traffic.
2 Likes
[irrelevant comment retracted]
3 Likes
That is what I meant! Thanks for your testing and your confirmation. With that setup you can switch your VPN tunnel easily.
3 Likes