This guide explains how to set up the official ProtonVPN command line interface (CLI) as a ProxyVM for other AppVMs to connect through. This has the advantage of not needing to maintain a list of active ProtonVPN servers as OpenVPN or Wireguard configuration files. It also has the advantage of relying on the CLI's built-in kill switch and does not require modifications of sys-firewall. This method can easily be chained with sys-whonix to avoid connecting to the VPN provider directory from your ISP by instead connecting to the VPN provider through the Tor network.
First, create a new template based on Debian 12 minimal.
[user@dom0 ~]$ qvm-clone debian-12-minimal debian-12-minimal-sys-vpn
Then run the Qubes updater to ensure the template is up-to-date.
Debian 12 minimal templates don't have wget or curl installed, so use another VM to download the available .deb file. As of November 2023, that is version 1.0.3. You can find the most up-to-date link at: https://protonvpn.com/support/linux-vpn-tool/#debian
Then, move the file to debian-12-minimal-sys-vpn so that it appears in /home/user/QubesIncoming.
Open a terminal in the newly-created template as the root user.
[user@dom0 ~]$ qvm-run --user root debian-12-minimal-sys-vpn uxterm
In the just-opened terminal, install the .deb file and then the required software. This will use the default dom0 update qube for network access, which you could have chosen to be sys-whonix.
[root@debian-12-minimal-sys-vpn ~]$ apt install /home/user/QubesIncoming/anon-whonix/protonvpn-stable-release_1.0.3_all.deb
[root@debian-12-minimal-sys-vpn ~]$ apt install protonvpn-cli qubes-core-agent-networking qubes-core-agent-network-manager
[root@debian-12-minimal-sys-vpn ~]$ usermod -G netdev -a user # from https://github.com/ProtonVPN/linux-app/issues/27
Then create the AppVM that will operate as the NetVM for other qubes.
[user@dom0 ~]$ qvm-create --template debian-12-minimal-sys-vpn --label blue sys-vpn
[user@dom0 ~]$ qvm-prefs sys-vpn netvm sys-firewall # or sys-whonix
[user@dom0 ~]$ qvm-prefs sys-vpn provides_network true
[user@dom0 ~]$ qvm-service sys-vpn network-manager true
[user@dom0 ~]$ qvm-prefs sys-vpn maxmem 900 # only need 900 MB
[user@dom0 ~]$ qvm-features sys-vpn ipv6 '' # disable IPv6: https://www.qubes-os.org/doc/networking/#ipv6
You can set sys-whonix as the netvm property to have your network traffic first go through the Tor network first then through the VPN.
Now, open a terminal as user user in sys-vpn to connect to the VPN
[user@sys-vpn ~]$ protonvpn-cli login $USERNAME
[user@sys-vpn ~]$ protonvpn-cli killswitch --permanent
[user@sys-vpn ~]$ protonvpn-cli connect --fastest --protocol tcp
You must use --protocol tcp if the NetVM of sys-vpn is sys-whonix. Otherwise, you can drop that argument.
Now, set the NetVM of another AppVM to sys-vpn to have all of AppVM's network traffic be sent through the VPN. Notice that if either sys-vpn is not running or if ProtonVPN is disconnected, then the AppVM will not have any networking connectivity. This is probably desirable behavior.