Good news, with fedora-38 the network manager supports Wireguard out of the box! The only thing required are extra firewall rules in the VPN qube, as explained in the community documentation about VPN.
This guide assumes you are using a VPN service that has wireguard support. For example, ProtonVPN and Mullvad VPN do support it. But you can also follow this guide to add any other (even your own).
> ℹ️ Make sure fedora-38 template is installed (instructions)
Menu » Qubes Tools » Create Qubes VM:
- name: sys-vpn (you pick yours)
- template: fedora-38
- type: app qube (or AppVM)
- ☑️ Launch settings after creation
- advanced (tab) » Provides network access to other qubes
And then OK. Then the qube settings window should show up (procced to the next step).
In the settings windown that popped up, go to the Services, select network-manager from the drop-down list and click ➕ add. Then save the settings by clicking OK.
Go your VPN provider and either get a download a configuration file for wireguard (e.g.: vpn.conf)
On your VPN provider download the wireguard configuration for the server you want to connect to.
Here are the download pages for some popular VPN services: Mullvad, ProtonVPN
> ℹ️ This is essentially a killswitch. It is a fail-safe that ensures that if your VPN connection fails, it does let anything through.
Open the configuration file in a text editor and take note of the IP address in right next to Endpoint. If the line looks like the following, then you take note of the IP address as 1.2.3.4.
> > Endpoint = 1.2.3.4:5555
>
Open the qube settings for sys-vpn and navigate to the Firewall rules tab and set 🔘 Limit outgoing connections to.
Then click on ➕ to add a new firewall and add your saved IP address(es)
Hit OK to apply and click OK again to apply the settings
On the qube on which you downloaded your wireguard configuration (e.g.: vpn.conf), open the file explorer where the file was saved. Then right-click a file and Copy to another AppVM and choose to sys-vpn as the target.
Open your file manager in sys-vpn and find the <NAME>.conf file you just copied. It should in the directory QubesIncoming. Move it to your home directory.
Open the Terminal application on your sys-vpn qube and run the following command (replacing <NAME>.conf with the correct name of the file):
nmcli connection import type wireguard file vpn.conf
If successful, you should see a notification about successful connection. If that doesn't happen, something may be wrong with your config file:
> ℹ️ You should also see an icon with a padlock in the top-right corner of your screen (system tray). This indicates that your VPN connection is active. Without a padlock, means that it failed to connect.
Now that the VPN is configured, for each qube that you want to connect to the VPN, open its settings and set networking to sys-vpn. If you want this to be the default net qube, then you can set it in the Qubes Global Settings.
After that you're done :partying_face:
> ℹ️ TODO explain why this is needed
Add the rules below in /rw/config/qubes-firewall-user-script in sys-vpn:
# Prevent the qube to forward traffic outside of the VPN
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
ip6tables -I FORWARD -o eth0 -j DROP
ip6tables -I FORWARD -i eth0 -j DROP
# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
iptables -t nat -A PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to "$DNS"
iptables -t nat -A PR-QBS -i vif+ -p tcp --dport 53 -j DNAT --to "$DNS"