
Mullvad on Qubes OS

Installation

  1. Open the Qubes VM Manager
  2. Click on + (Create a new VM)
  3. Select Debian as the template
  4. Check the Standalone checkbox
  5. Click the ProxyVM radio button
  6. Click on OK

Run the following commands to install OpenVPN 2.4.0+ (older versions fail on the inlined CRL, and 2.4 adds AES-256-GCM support) and resolvconf:

sudo -s
wget -O - https://swupdate.openvpn.net/repos/repo-public.gpg | apt-key add -
echo "deb http://build.openvpn.net/debian/openvpn/release/2.4 jessie main" > /etc/apt/sources.list.d/openvpn-aptrepo.list
apt-get update && apt-get install openvpn resolvconf

In an AppVM, open a browser and go to our Configuration files page, choose Android from the Platform drop-down menu and then click the Download button. Once the file has downloaded, qvm-copy it to the ProxyVM and, in the ProxyVM, move it to /etc/openvpn/.
Edit the OpenVPN configuration file in /etc/openvpn on the ProxyVM and add the line auth-user-pass pass.txt
In pass.txt, enter your Mullvad account on the first line and m on the second, and then save it.

Change the filename from "Mullvad_xx.ovpn" to "Mullvad_xx.conf" (where xx is the Country or region used).

As root or with sudo, edit /etc/default/openvpn and change #AUTOSTART="all" to AUTOSTART="all" (in other words, remove the "#").

In "Qubes VM Manager", select the VM and then right-click and select "VM Settings".

Make the following changes:

  • choose to use sys-firewall as netVM
  • choose "Start VM automatically on boot"
  • click on "Firewall rules"
  • click on "+" and then enter the IP addresses of the VPN servers you wish to connect to; for instance, if you wish to connect to us1.mullvad.net, then issue "nslookup us1.mullvad.net" in a terminal and then enter that IP address (see our list of VPN servers). You can also enter IP ranges for Sweden and the Netherlands:
    • 193.138.219.0/24 – Sweden (Malmö)
    • 193.138.218.0/24 – Sweden (Malmö)
    • 185.213.152.0/24 – Sweden (Helsingborg)
    • 185.65.135.0/24 – Sweden (Stockholm)
    • 185.65.134.0/24 – Netherlands (Amsterdam)
  • select "Deny network access except"
  • check "Allow DNS queries"
  • uncheck "Allow ICMP traffic"
  • click on OK

Restart the proxyVM after any changes.

In Qubes, select the VM(s) that you want to go via Mullvad.

In VM Manager, right-click and select "VM Settings" and then change "NetVM" to the ProxyVM you installed. Make sure you start the ProxyVM so that the virtual interface (vif) shows up.

As root or using sudo, put the following into /rw/config/qubes-firewall-user-script in your proxyVM (IMPORTANT: remember to change virtualif=10.137.4.1 to suit your configuration):

#!/bin/bash
# replace 10.137.4.1 with the IP address of your vif* interface
virtualif=10.137.4.1
# DNS servers that AppVM DNS requests are redirected to
vpndns1=10.8.0.1
vpndns2=10.14.0.1
# flush the OUTPUT chain
iptables -F OUTPUT
# never forward AppVM traffic directly over eth0
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
# replace the existing DNS redirects in PR-QBS with the ones below
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d "$virtualif" -p udp --dport 53 -j DNAT --to "$vpndns1"
iptables -A PR-QBS -t nat -d "$virtualif" -p tcp --dport 53 -j DNAT --to "$vpndns1"
iptables -A PR-QBS -t nat -d "$virtualif" -p udp --dport 53 -j DNAT --to "$vpndns2"
iptables -A PR-QBS -t nat -d "$virtualif" -p tcp --dport 53 -j DNAT --to "$vpndns2"

This redirects DNS requests to 10.8.0.1 and 10.14.0.1 for all AppVMs that use the proxyVM. To find out what your virtualif IP is, issue "sudo ifconfig" in the proxyVM after you have started the AppVM that is connected to the proxyVM.

Make qubes-firewall-user-script executable:

sudo chmod 755 /rw/config/qubes-firewall-user-script

Reboot the VPNProxyVM. Then reboot the AppVM that is configured to use the VPNProxyVM.
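
After the reboot, the rules the script installs can be checked against the proxyVM's iptables-save output. The following is an added example, not part of the original guide: the function name check_vpn_rules and the sample dump are constructed, and it assumes the usual iptables-save rendering of these rules.

```sh
# Added example, not part of the original guide. Audits an `iptables-save`
# dump from the proxyVM for the rules qubes-firewall-user-script installs.
# On the proxyVM: sudo iptables-save | check_vpn_rules VIF_IP DNS1 DNS2
# Prints one line per problem; returns 0 only if none is found.
check_vpn_rules() {
    vif=$1; rules=$(cat); bad=0
    # 1. Both eth0 DROP rules must precede any ACCEPT in FORWARD, otherwise
    #    forwarded AppVM traffic could leave outside the tunnel.
    printf '%s\n' "$rules" | awk '
        /^-A FORWARD / {
            if (/ -j ACCEPT/) exit
            if (/ -i eth0 -j DROP$/) i = 1
            if (/ -o eth0 -j DROP$/) o = 1
        }
        END { if (!(i && o)) exit 1 }' ||
        { echo "FORWARD: eth0 DROP rules missing or placed after an ACCEPT"; bad=1; }
    # 2. Each DNS server needs a udp and a tcp port-53 DNAT rule.
    for dns in "$2" "$3"; do
        for proto in udp tcp; do
            want="-A PR-QBS -d $vif/32 -p $proto -m $proto --dport 53 -j DNAT --to-destination $dns"
            printf '%s\n' "$rules" | grep -qxF -- "$want" ||
                { echo "PR-QBS: no $proto DNAT to $dns"; bad=1; }
        done
    done
    # 3. A port-53 DNAT to any other address sends DNS somewhere unintended.
    others=$(printf '%s\n' "$rules" | awk -v a="$2" -v b="$3" '
        /^-A PR-QBS / && /--dport 53 -j DNAT/ && $NF != a && $NF != b { print $NF }' |
        sort -u | tr '\n' ' ')
    [ -z "$others" ] || { echo "PR-QBS: DNS also redirected to: $others"; bad=1; }
    return "$bad"
}

# Constructed sample dump (illustrative, not captured from a real system).
SAMPLE_OK='*nat
-A PR-QBS -d 10.137.4.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.8.0.1
-A PR-QBS -d 10.137.4.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.8.0.1
-A PR-QBS -d 10.137.4.1/32 -p udp -m udp --dport 53 -j DNAT --to-destination 10.14.0.1
-A PR-QBS -d 10.137.4.1/32 -p tcp -m tcp --dport 53 -j DNAT --to-destination 10.14.0.1
COMMIT
*filter
-A FORWARD -i eth0 -j DROP
-A FORWARD -o eth0 -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'
printf '%s\n' "$SAMPLE_OK" | check_vpn_rules 10.137.4.1 10.8.0.1 10.14.0.1 && echo "ruleset OK"
```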