メインコンテンツに進む

WireGuard on Qubes OS

Other VPN software WireGuard Connectivity Installation Desktop Qubes OS 

最終更新時刻:

In this guide we will set up a ProxyVM called "MullvadVPN", which will provide network to other AppVMs. This guide is using WireGuard. If you want to use OpenVPN instead then see the guide Mullvad on Qubes OS 4.

Note: We will use Sweden (se-got-wg-001) as the server in this guide. If you want to use another server then replace the configuration with that.

This guide has been tested on Qubes OS 4.1.2.

What this guide covers

Create a new qube

First install the Fedora 38 template (if you do not already have it) using the following command in the Terminal Emulator (dom0):

sudo qubes-dom0-update qubes-template-fedora-38

Click on the Qubes app menu > Qubes Tools > Create Qubes VM.

  1. Name and label: MullvadVPN.
  2. Type: AppVM (persistent home, volatile root).
  3. Template: fedora-38 (or later).
  4. Networking: default (sys-firewall).
  5. Click on the Advanced tab and check (enable) Provides network access to other qubes.
  6. Click on OK.

The newly created MullvadVPN ProxyVM qube will show up as "Service: MullvadVPN" in the Qubes app menu and not "Qube: MullvadVPN" due to its "provides network" setting.

Download a WireGuard configuration

In another AppVM (not MullvadVPN) that you use for web surfing:

  1. Open a web browser and log in to our WireGuard configuration file generator.
  2. Select Linux as the platform and then click on Generate key.
  3. Select a country, a city and a server.
  4. Click on Download file.
  5. Click on the Qubes app menu and go to your current AppVM and open Files.
  6. Open the Downloads folder and right click on the downloaded WireGuard file.
  7. Select Copy To Other AppVM... and then enter MullvadVPN as the Target and click on OK. The MullvadVPN ProxyVM will start when you do this.

Install WireGuard

We will install WireGuard in the Fedora-38 template so your MullvadVPN ProxyVM can use that.

  1. Click on the Qubes app menu and go to Template: fedora-38 and open the Terminal.
  2. In the Terminal run the command sudo dnf install wireguard-tools -y
  3. Shut down the VM with the command sudo shutdown -h now
  4. Click on the Qubes app menu and go to Qubes Tools > Qube Manager.
  5. In Qube Manager, restart the MullvadVPN ProxyVM (so that wireguard-tools is added to it).

Set the Network

  1. In Qube Manager, select the AppVM that you want to use with the MullvadVPN ProxyVM and click on the Stop button in the toolbar to shut it down.
  2. Right click on the same AppVM and select Settings.
  3. On the Basic tab, click on the Net qube drop-down list and select MullvadVPN.
  4. Click on OK.
  5. Click on the Start button in the toolbar to start the AppVM again.

Configure WireGuard

Click on the Qubes app menu and go to Service: MullvadVPN and open the Terminal.

Copy the WireGuard .conf file that was copied from the other AppVM to the /home/user/ folder:
cp /home/user/QubesIncoming/*/se-got-wg-001.conf /home/user/

Enable autostart of WireGuard

  1. Edit the /rw/config/rc.local file using a text editor like nano:
    sudo dnf install nano -y
  2. Run sudo nano /rw/config/rc.local
  3. Add wg-quick up /home/user/se-got-wg-001.conf (or the config file you copied) on a new line in the bottom.
  4. Press Ctrl+O (Enter) and then Ctrl+X to save and exit.

Make sure that WireGuard connects

  1. Run sudo wg-quick up /home/user/se-got-wg-001.conf
  2. Run ping 10.64.0.1
  3. Run curl https://am.i.mullvad.net/connected
  4. Run sudo wg and check for a WireGuard network interface and a peer handshake.

Add DNS hijacking rules

Now we will add firewall rules to redirect DNS requests to 10.64.0.1 (the DNS on the VPN server) for all AppVMs that use the MullvadVPN ProxyVM.

iptables rules are no longer effective in Qubes OS 4.2.0 and newer.

Make sure that you have started an AppVM that has the Networking set to MullvadVPN, otherwise the "vif" IP address will not be visible.

Still in the MullvadVPN ProxyVM Terminal:

  1. To find out your vif* IP address, run ip a | grep -i vif. Write down the "inet" address that you get, for example 10.137.0.47.
  2. Edit the firewall user file with nano:
    sudo nano /rw/config/qubes-firewall-user-script
  3. Copy the text in the text area below and paste it in the bottom of your file.
  4. Replace 10.137.0.47 with your own vif* IP address that you got before.
# replace 10.137.0.47 with the IP address of your vif* interface
virtualif=10.137.0.47
vpndns1=10.64.0.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

    5. Press Ctrl+O (Enter) and then Ctrl+X to save and exit.

Add qube firewall rules

In Qube Manger, select MullvadVPN then right click and select Settings.

Make the following changes:

  1. Make sure it is still set to use sys-firewall as "Networking".
  2. Check Start qube automatically on boot.
  3. Click on the Firewall rules tab.
  4. Click on Limit outgoing internet connections to ....
  5. Click on + and enter the IP addresses of the VPN servers that you want to be able to connect to. You can find it in the WireGuard configuration file (se-got-wg-001.conf) on the Endpoint line, or in our Servers list.
  6. Click on OK.

In the next step ("Disable ping") you will edit the firewall manually. After this you can not open Qube Manager and add rules on the Firewall rules tab anymore, so make sure to add all the servers you need now. If you need to add more servers later then you can do it in the Terminal Emulator using the following command (replace SERVER-IP with the IP-address to the Mullvad VPN server).

qvm-firewall MullvadVPN add accept dsthost=SERVER-IP

If you need to undo the changes then you can remove all firewall rules and reset it to default (accept all connections) using this command:

qvm-firewall MullvadVPN reset

Disable ping (optional)

As noted in the qube Firewall rules window, those rules do not apply to DNS requests and ICMP (pings). If you want to block pings too then you can use the qvm-firewall command.

  1. Click on the Qubes app menu and open Terminal Emulator.
  2. Run qvm-firewall MullvadVPN list. Find the rule in the bottom that says "accept icmp" and note the line number.
  3. Run qvm-firewall MullvadVPN del --rule-no NUMBER. Replace NUMBER with the line number you found above.
  4. Run qvm-firewall MullvadVPN add --before NUMBER drop proto=icmp. Replace NUMBER with the line number you found above. This new rule will be added before the last "drop" line.
  5. Check it by running qvm-firewall MullvadVPN list again. The rules should be in this order: accept (the IP addresses of the VPN servers), accept dns, drop icmp, drop.

FAQ

How do I verify that traffic is going out via the MullvadVPN proxy?

Open a web browser in your AppVM that is using the MullvadVPN ProxyVM and go to our Connection check.

Internet works in the ProxyVM, but not in the AppVM.

Try to lower the MTU in your AppVM: sudo ip link set dev eth0 mtu 1280