In this guide we will setup a ProxyVM called MullvadVPN, which will then proxy other APPVMs traffic.
Assign a AppVM to exit via the MullvadVPN proxy (the AppVM must be started and assigned to the ProxyVM otherwise the vif on the ProxyVM will not be visible).
2.4.0 in Debian9, you can of course install a newer one if you wish as well.
In a terminal run
sudo apt-get update && apt-get install openvpn
sudo cp mullvad_config_linux_se/* /etc/openvpn/
sudo chmod 755 /etc/openvpn/update-resolv-conf)
As root or with sudo, edit /etc/default/openvpn and change #AUTOSTART="all" to AUTOSTART="all" (in other words, remove the "#")
Add the follwing to the file /rw/config/qubes-firewall-user-script be sure to change 10.137.0.47 to the IP that matches your vif*
To find out your vif* ip address, run
ip a | grep -i vif in a terminal (make sure you have the AppVM assigned before you do this, otherwise it will not show up).
#!/bin/bash # replace 10.137.0.47 with the IP address of your vif* interface virtualif=10.137.0.47 vpndns1=10.8.0.1 vpndns2=10.14.0.1 iptables -F OUTPUT iptables -I FORWARD -o eth0 -j DROP iptables -I FORWARD -i eth0 -j DROP iptables -F PR-QBS -t nat iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1 iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1 iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns2 iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns2
This is to redirect DNS requests to 10.8.0.1 and 10.14.0.1 for all AppVMs that use the ProxyVM.
Select MullvadVPN then right-click and select Qube settings
Make the following changes:
For instance if you wish to connect to us-nyc-001.mullvad.net, then issue "nslookup us-nyc-001.mullvad.net" in a terminal and then enter that IP address (see our list of VPN servers), or you can download an OpenVPN configuration file with Use IP Addresses enabled and then look at the OpenVPN configuration for which IP-addresses it contains and then add them.
You can also enter IP ranges for Sweden and the Netherlands (ensure you add all IP ranges for a given location):
In Qubes R4 "ICMP and DNS are no longer accessible in the GUI, but can be changed via qvm-firewall".
qvm-firewall MullvadVPN list. Based on that list we need to delete the rule that accepts icmp, and add a new rule that drops it.
qvm-firewall MullvadVPN del --rule-no [icmp_rule_#]. Now to add the new icmp rule run the list command again, and add the icmp rule before the final "drop" line
qvm-firewall MullvadVPN add --before [last_drop_rule_#] drop proto=icmp. Now you can verify by running the list command again. The rules should be in this order: accept -> the IP addresses of the VPN servers, accept -> dns, drop -> icmp, drop
Keep in mind that you will need to edit the firewall rules in dom0 if you wish to add more ip-ranges.
Open a browser in your APPVM that is connected to the MullvadVPN proxy VM and visit: https://am.i.mullvad.net
You can of course do this in a regular AppVM as long as you have OpenVPN installed in it, having it standalone means you do not need to restart VM's as much if you want to update things, though it does take more diskspace.
Since OpenVPN will depend on DNS working unless you use IP addresses, it could be because your DNS replies are poisoned, or your DNS queries are blocked, the solution would then be to use IP addresses instead of host+domainnames for connecting. Open the OpenVPN configuration file located in /etc/openvpn/ and replace "remote se.mullvad.net" with "remote 126.96.36.199" (as a test, and if that works you can add more entries)
Make sure you shut down your APPVM before setting the PROXYVM, it seems it does not work as well by changing it on the fly as it did in Qubes 3.2.