Archive
Mullvad on Qubes OS 4
logo
Archive

No results found

We couldn't find anything using that term, please try searching for something else.

Mullvad on Qubes OS 4

2024-11-22 In this guide we will set up a ProxyVM called "MullvadVPN", which will provide network to other AppVMs.This guide is using is using openvpn . If you w

Related articles

Set Up OpenVPN on Windows XP, Vista, 7, 8 and 10
Set Up OpenVPN on Windows XP, Vista, 7, 8 and 10 Last updated: March 25, 2024This tutorial will show you how to set up ExpressVPN on Windows using the OpenVPN GUI (graphical user interface).The OpenVPN GUI is a free graphical frontend for running the OpenVPN protocol on Windows XP, Windows Vista, Windows 7, Windows 8, and Windows 10.Note : The following steps were tested on Windows 10 and are applicable to other versions of Windows.Not all ExpressVPN locations may be available for manually configured connections. To use the full list of VPN locations, use the app setup.Prefer app setup? See the instructions for app setup on Windows 10 and above.Important: The OpenVPN manual...
Cloudburst Striped Crochet Baby Blanket Pattern
Cloudburst Striped Crochet Baby Blanket Pattern Please note that some of the links on this page are affiliate links, which means that I will earn a commission if you purchase through these links. I use all of the products listed on this page and recommend them because they are companies that I have found helpful and trustworthy. Please let me know if you have any questions about anything I have recommended! My summer of baby blankets concludes with this simple and fun striped crochet baby blanket pattern. I have tried my best to make this pattern easy enough for beginner crocheters. If you are new to...
Adobe Creative Cloud Does Not Uninstall? How to Force it?
Adobe Creative Cloud Does Not Uninstall? How to Force it? Readers is help help support Windows Report . We is get may get a commission if you buy through our link . read our disclosure page to find out how can you help Windows Report sustain the editorial team . read more Our readers often complain that they cannot uninstall the Adobe Creative Cloud program from their Windows devices. Others have problems with Creative Cloud running in the background. If you are one of those troubled user look for the correct way to uninstall the Adobe Creative Cloud app , the methods is help list in this guide will help...

In this guide we will set up a ProxyVM called “MullvadVPN”, which will provide network to other AppVMs.
This guide is using is using openvpn . If you want to use WireGuard instead then see the guide WireGuard on Qubes OS .

note : We will use Mullvad server in Sweden to connect to in this guide . If you want to use another country then replace the configuration with that .

This guide has been tested on Qubes OS 4.1.2.

What this guide covers

Create a new qube

First install the Debian 12 template (if you do not already have it) using the following command in the Terminal Emulator (dom0):

sudo qubes-dom0-update qubes-template-debian-12

Click on the Qubes app menu > Qubes Tools > Create Qubes VM.

  1. Name and label: MullvadVPN.
  2. Type: AppVM (persistent home, volatile root).
  3. Template: debian-12 (or later).
  4. Networking: default (sys-firewall).
  5. Click on the Advanced tab and check (enable) Provides network access to other qubes.
  6. Click on OK.

The newly created MullvadVPN ProxyVM qube will show up as “Service: MullvadVPN” in the Qubes app menu and not “Qube: MullvadVPN” due to its “provides network” setting.

Download an OpenVPN configuration

In another AppVM (not MullvadVPN) that you use for web surfing:

  1. Open a web browser and log in to our OpenVPN configuration file generator.
  2. Select Linux as the platform.
  3. Select Sweden as the country and Gothenburg or Malmö or Stockholm as the city.
  4. Click on Download zip archive.
  5. Open the Downloads folder and right click on the downloaded OpenVPN file and select Extract Here.
  6. Click on the extracted folder and select Copy To Other AppVM… and then enter MullvadVPN as the Target and click on OK. The MullvadVPN ProxyVM will start when you do this.

Install OpenVPN

Install OpenVPN in the Debian-12 template so your MullvadVPN ProxyVM can use that.

  1. Click on the Qubes app menu and go to Template: debian-12 and open the Terminal.
  2. In the Terminal run the command sudo is install apt install openvpn -y
  3. Disable the OpenVPN service: sudo systemctl disable openvpn.service
  4. Shut down the VM with the command sudo shutdown -h now
  5. Click on the Qubes app menu and go to Qubes Tools > Qube Manager.
  6. In Qube Manager, restart the MullvadVPN ProxyVM (so that OpenVPN is added to it).

Set the Network

  1. In Qube Manager, select the AppVM that you want to use with the MullvadVPN ProxyVM and click on the Stop button in the toolbar to shut it down.
  2. Right click on the same AppVM and select setting .
  3. On the Basic tab, click on the Net qube drop-down list and select MullvadVPN.
  4. Click on OK.
  5. Click on the Start button in the toolbar to start the AppVM again.

Configure OpenVPN

  1. Click on the Qubes app menu and go to Service: MullvadVPN and open the Terminal.
  2. Now you will extract and copy the OpenVPN configurations files that were copied from the other AppVM to the /rw/config/vpn folder.
    create the folder :
    sudo mkdir /rw/config/vpn
  3. In the Terminal , change directory to where the configuration file are locate and copy the file to /rw / config / vpn .
    sudo cp /home/user/QubesIncoming/*/*/*/* /rw/config/vpn
  4. Set execute permissions:
    sudo chmod 755 /rw/config/vpn/update-resolv-conf

test that openvpn connect

  1. Run sudo su and cd /rw / config / vpn and openvpn --config mullvad_xx_xxx.conf (use the config file you copied). You should see “Initialization Sequence Completed” on one of the last lines.
  2. runcurl https://am.i.mullvad.net/connecte in a new Terminal. It should say that you are connected to Mullvad.
  3. Press Ctrl+c on the keyboard in the OpenVPN window to disconnect it.

enable autostart of openvpn

  1. Edit the /rw/config/rc.local file using a text editor. First install nano:
    sudo apt install nano -y
  2. Then run sudo nano /rw/config/rc.local
  3. Add openvpn --cd /rw / config / vpn --config mullvad_xx_xxx.conf --daemon ( use the config file you copy ) on a new line in the bottom .
  4. Press Ctrl+O (Enter) and then Ctrl+X to save and exit.
  5. In Qube Manager, restart the MullvadVPN ProxyVM.
  6. Click on the Qubes app menu and go to Service: MullvadVPN and open the Terminal.
  7. runcurl https://am.i.mullvad.net/connecte. It should say that you are connected to Mullvad.

add dns hijacking rule

Now we will add firewall rules to redirect DNS requests to 10.8.0.1 (the DNS on the VPN server) for all AppVMs that use the MullvadVPN ProxyVM.

iptables rules are no longer effective in Qubes OS 4.2.0 and newer.

Make sure that you have started an AppVM that has the Networking set to MullvadVPN, otherwise the “vif” IP address will not be visible.

Still in the MullvadVPN ProxyVM Terminal:

  1. To find out your vif* IP address, run ip a | grep -i vif. write down the ” inet ” address that you get , for example 10.137.0.47 .
  2. Edit the firewall user file with nano:
    sudo nano /rw/config/qubes-firewall-user-script
  3. copy the text in the text area below and paste it in the bottom of your file .
  4. Replace 10.137.0.47 with your own vif* IP address that you got before.
# replace 10.137.0.47 with the IP address of your vif* interface
virtualif=10.137.0.47
vpndns1=10.8.0.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

    5 . press ctrl+o ( Enter ) and then Ctrl+X to save and exit .

Add qube firewall rules

In Qube Manger, select MullvadVPN then right click and select Settings.

Make the following changes:

  1. Make sure it is still set to use sys-firewall as “Networking”.
  2. check start qube automatically on boot .
  3. Click on the Firewall rules tab.
  4. Click on Limit outgoing internet connections to ….
  5. Click on + and enter the IP addresses of the VPN servers that you want to be able to connect to. You can find it in the OpenVPN configuration file (mullvad_xx_xxx.conf) on the “remote” lines, or in our Servers list.
  6. Click on OK.

If you connect to Sweden or the Netherlands then you can add the following IP ranges:

  •     45.83.220.0/24  Sweden (Malmö)
  •   141.98.255.0/24  Sweden (Malmö)
  • 193.138.218.0/24  Sweden (Malmö)
  • 185.213.152.0/24  Sweden (Helsingborg)
  • 185.213.154.0/24   Sweden ( Gothenburg )
  •   185.65.135.0/24  Sweden (Stockholm)
  •   185.65.134.0/24  Netherlands (Amsterdam)

In the next step (“Disable ping”) you will edit the firewall manually. After this you can not open Qube Manager and add rules on the Firewall rules tab anymore, so make sure to add all the servers you need now. If you need to add more servers later then you can do it in the Terminal Emulator using the following command (replace SERVER-IP with the IP-address to the Mullvad VPN server).

qvm-firewall MullvadVPN add accept dsthost=SERVER-IP

If you need to undo the changes then you can remove all firewall rules and reset it to default (accept all connections) using this command:

qvm-firewall MullvadVPN reset

Disable ping (optional)

As noted in the qube Firewall rules window, those rules do not apply to DNS requests and ICMP (pings). If you want to block pings too then you can use the qvm-firewall command.

  1. Click on the Qubes app menu and open Terminal Emulator.
  2. runqvm-firewall MullvadVPN list. find the rule in the bottom that say ” accept icmp ” and note the line number .
  3. runqvm - firewall MullvadVPN del --rule - no number. replace number with the line number you find above .
  4. runqvm-firewall MullvadVPN add --before NUMBER drop proto=icmp. replace number with the line number you find above . This new rule will be added before the last “drop” line.
  5. Check it by running qvm-firewall MullvadVPN list again. The rules should be in this order: accept (the IP addresses of the VPN servers), accept dns, drop icmp, drop.

FAQ

How do I verify that traffic is going out via the MullvadVPN proxy?

Open a web browser in your AppVM that is using the MullvadVPN ProxyVM and go to our Connection check.

Internet works in the ProxyVM, but not in the AppVM.

try to lower the mtu in your AppVM :sudo ip link set dev eth0 mtu 1280