Skip to main content

Mullvad on Qubes OS 4

Other VPN software OpenVPN Installation Desktop Qubes OS 

Last updated:

In this guide we will set up a ProxyVM called "MullvadVPN", which will provide network to other AppVMs.
This guide is using OpenVPN. If you want to use WireGuard instead then see the guide WireGuard on Qubes OS.

Note: We will use Mullvad servers in Sweden to connect to in this guide. If you want to use another country then replace the configuration with that.

This guide has been tested on Qubes OS 4.1.2.

What this guide covers

Create a new qube

First install the Debian 12 template (if you do not already have it) using the following command in the Terminal Emulator (dom0):

sudo qubes-dom0-update qubes-template-debian-12

Click on the Qubes app menu > Qubes Tools > Create Qubes VM.

  1. Name and label: MullvadVPN.
  2. Type: AppVM (persistent home, volatile root).
  3. Template: debian-12 (or later).
  4. Networking: default (sys-firewall).
  5. Click on the Advanced tab and check (enable) Provides network access to other qubes.
  6. Click on OK.

The newly created MullvadVPN ProxyVM qube will show up as "Service: MullvadVPN" in the Qubes app menu and not "Qube: MullvadVPN" due to its "provides network" setting.

Download an OpenVPN configuration

In another AppVM (not MullvadVPN) that you use for web surfing:

  1. Open a web browser and log in to our OpenVPN configuration file generator.
  2. Select Linux as the platform.
  3. Select Sweden as the country and Gothenburg or Malmö or Stockholm as the city.
  4. Click on Download zip archive.
  5. Open the Downloads folder and right click on the downloaded OpenVPN file and select Extract Here.
  6. Click on the extracted folder and select Copy To Other AppVM... and then enter MullvadVPN as the Target and click on OK. The MullvadVPN ProxyVM will start when you do this.

Install OpenVPN

Install OpenVPN in the Debian-12 template so your MullvadVPN ProxyVM can use that.

  1. Click on the Qubes app menu and go to Template: debian-12 and open the Terminal.
  2. In the Terminal run the command sudo apt install openvpn -y
  3. Disable the OpenVPN service: sudo systemctl disable openvpn.service
  4. Shut down the VM with the command sudo shutdown -h now
  5. Click on the Qubes app menu and go to Qubes Tools > Qube Manager.
  6. In Qube Manager, restart the MullvadVPN ProxyVM (so that OpenVPN is added to it).

Set the Network

  1. In Qube Manager, select the AppVM that you want to use with the MullvadVPN ProxyVM and click on the Stop button in the toolbar to shut it down.
  2. Right click on the same AppVM and select Settings.
  3. On the Basic tab, click on the Net qube drop-down list and select MullvadVPN.
  4. Click on OK.
  5. Click on the Start button in the toolbar to start the AppVM again.

Configure OpenVPN

  1. Click on the Qubes app menu and go to Service: MullvadVPN and open the Terminal.
  2. Now you will extract and copy the OpenVPN configurations files that were copied from the other AppVM to the /rw/config/vpn folder.
    Create the folder:
    sudo mkdir /rw/config/vpn
  3. In the Terminal, change directory to where the configurations file are located and copy the files to /rw/config/vpn.
    sudo cp /home/user/QubesIncoming/*/*/*/* /rw/config/vpn
  4. Set execute permissions:
    sudo chmod 755 /rw/config/vpn/update-resolv-conf

Test that OpenVPN connects

  1. Run sudo su and cd /rw/config/vpn and openvpn --config mullvad_xx_xxx.conf (use the config file you copied). You should see "Initialization Sequence Completed" on one of the last lines.
  2. Run curl https://am.i.mullvad.net/connected in a new Terminal. It should say that you are connected to Mullvad.
  3. Press Ctrl+c on the keyboard in the OpenVPN window to disconnect it.

Enable autostart of OpenVPN

  1. Edit the /rw/config/rc.local file using a text editor. First install nano:
    sudo apt install nano -y
  2. Then run sudo nano /rw/config/rc.local
  3. Add openvpn --cd /rw/config/vpn --config mullvad_xx_xxx.conf --daemon (use the config file you copied) on a new line in the bottom.
  4. Press Ctrl+O (Enter) and then Ctrl+X to save and exit.
  5. In Qube Manager, restart the MullvadVPN ProxyVM.
  6. Click on the Qubes app menu and go to Service: MullvadVPN and open the Terminal.
  7. Run curl https://am.i.mullvad.net/connected. It should say that you are connected to Mullvad.

Add DNS hijacking rules

Now we will add firewall rules to redirect DNS requests to 10.8.0.1 (the DNS on the VPN server) for all AppVMs that use the MullvadVPN ProxyVM.

iptables rules are no longer effective in Qubes OS 4.2.0 and newer.

Make sure that you have started an AppVM that has the Networking set to MullvadVPN, otherwise the "vif" IP address will not be visible.

Still in the MullvadVPN ProxyVM Terminal:

  1. To find out your vif* IP address, run ip a | grep -i vif. Write down the "inet" address that you get, for example 10.137.0.47.
  2. Edit the firewall user file with nano:
    sudo nano /rw/config/qubes-firewall-user-script
  3. Copy the text in the text area below and paste it in the bottom of your file.
  4. Replace 10.137.0.47 with your own vif* IP address that you got before.
# replace 10.137.0.47 with the IP address of your vif* interface
virtualif=10.137.0.47
vpndns1=10.8.0.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

    5. Press Ctrl+O (Enter) and then Ctrl+X to save and exit.

Add qube firewall rules

In Qube Manger, select MullvadVPN then right click and select Settings.

Make the following changes:

  1. Make sure it is still set to use sys-firewall as "Networking".
  2. Check Start qube automatically on boot.
  3. Click on the Firewall rules tab.
  4. Click on Limit outgoing internet connections to ....
  5. Click on + and enter the IP addresses of the VPN servers that you want to be able to connect to. You can find it in the OpenVPN configuration file (mullvad_xx_xxx.conf) on the "remote" lines, or in our Servers list.
  6. Click on OK.

If you connect to Sweden or the Netherlands then you can add the following IP ranges:

  •     45.83.220.0/24  Sweden (Malmö)
  •   141.98.255.0/24  Sweden (Malmö)
  • 193.138.218.0/24  Sweden (Malmö)
  • 185.213.152.0/24  Sweden (Helsingborg)
  • 185.213.154.0/24  Sweden (Gothenburg)
  •   185.65.135.0/24  Sweden (Stockholm)
  •   185.65.134.0/24  Netherlands (Amsterdam)

In the next step ("Disable ping") you will edit the firewall manually. After this you can not open Qube Manager and add rules on the Firewall rules tab anymore, so make sure to add all the servers you need now. If you need to add more servers later then you can do it in the Terminal Emulator using the following command (replace SERVER-IP with the IP-address to the Mullvad VPN server).

qvm-firewall MullvadVPN add accept dsthost=SERVER-IP

If you need to undo the changes then you can remove all firewall rules and reset it to default (accept all connections) using this command:

qvm-firewall MullvadVPN reset

Disable ping (optional)

As noted in the qube Firewall rules window, those rules do not apply to DNS requests and ICMP (pings). If you want to block pings too then you can use the qvm-firewall command.

  1. Click on the Qubes app menu and open Terminal Emulator.
  2. Run qvm-firewall MullvadVPN list. Find the rule in the bottom that says "accept icmp" and note the line number.
  3. Run qvm-firewall MullvadVPN del --rule-no NUMBER. Replace NUMBER with the line number you found above.
  4. Run qvm-firewall MullvadVPN add --before NUMBER drop proto=icmp. Replace NUMBER with the line number you found above. This new rule will be added before the last "drop" line.
  5. Check it by running qvm-firewall MullvadVPN list again. The rules should be in this order: accept (the IP addresses of the VPN servers), accept dns, drop icmp, drop.

FAQ

How do I verify that traffic is going out via the MullvadVPN proxy?

Open a web browser in your AppVM that is using the MullvadVPN ProxyVM and go to our Connection check.

Internet works in the ProxyVM, but not in the AppVM.

Try to lower the MTU in your AppVM: sudo ip link set dev eth0 mtu 1280