Wireguard VPN setup

I had to rename my “super-long-proton-config-file-name.conf” to “vpn.conf” and then it worked.

2 Likes

Hi, is it a wrong setup to have a StandaloneVM qube (with vpn app, ProtonVPN) that provides NetVM to other qubes?
The Standalone qube has sys-firewall as NetVM, killswitch activated in app, all works fine. If the qube is down, all others that have it as NetVM can’t connect to the internet.

why would it be wrong in your opinion? My answer is it’s not wrong, but just make sure to keep it up to date

1 Like

thx

Small note on usability.

You can copy multiple vpn config files to your vpn (just follow the guide and repeat the steps). Afterwards you can use the UI to switch between your wireguard connections (almost like using the VPN’s app). Pretty handy

Network Connections

3 Likes

I know some people keep some config files around and pick one file randomly at boot to run wg-quick on it to connect.

Otherwise, you could also connect to a random NetworkManager VPN at boot, certainly with nmcli and a little script around.

1 Like

I added a mention that ProtonVPN has a free plan + WireGuard support, that can be handy for people who are on tight budget. The free plan works really great, but is only limited in term of server availability (and no p2p).

1 Like

Thanks for the tip, @Solene! Very handy for quick testing different sys-vpn setups.

how is using the qube GUI to set the firewall different from a kill switch?

The end result is quite similar but it’s different.

Using the firewall tab, you limit the VPN qube only to the VPN server, but you have to add each VPN server there which can be cumbersome and not straightforward. By default, ICMP isn’t blocked either, and blocking it also affects the NetVM which isn’t ideal because ICMP (ping) is used for MTU discovery.

In addition, this allows NetVM to reach the VPN server when the VPN in the VPN qube isn’t connected. (this is not a real issue).

The kill switch with nftables rules blocks all forwarded traffic outside the VPN tunnel.

1 Like

interesting! So by adding the killswitch, i dont have to modify firewall settings using GUI? Or should i do both too?

A problem im encountering: When i start my sys-vpn, it connects to all the .conf’s ive added to network manager. How do i stop this

You only need the GUI firewall settings if you want to prevent the VPN qube to use the Internet without the VPN.

The killswitch will only prevent the qubes using the netVM VPN to connect to anything when the VPN isn’t connected.

I guess you need to uncheck a setting like “autoconnect at boot” in each VPN settings :frowning:

1 Like

3 posts were split to a new topic: Issues with update and template manager

Does it autoconnect to the last one selected? If not, what does the autoconnection do?

Sorry I cannot test it since I am currently in an upgrade process to 4.2.

I would expect autoconnect means it setup your wg connection as soon as the QVM boots. Consequently, only one should be set to autoconnect.

is it possible to setup by debian? i don’t use fedora.

make sure it is NOT “(default) sys-firewall” but instead “sys-firewall)
i didn’t understand this. can you explain more?

If you keep (default) sys-firewall it will automatically be changed if you change the default NetVM qube for all qubes, if you set the default to be the qube VPN, it will try to use itself as a NetVM.

it should be possible

No, every autoconnect VPN will connect. This make sense because not everyone use a VPN for a default route, and you may need multiple VPN to connect to multiple remote LAN, not just a single vpn for all the traffic.

2 Likes

[irrelevant comment retracted]

3 Likes

That is what I meant! Thanks for your testing and your confirmation. With that setup you can switch your VPN tunnel easily.

3 Likes