ProtonVPN App 4.2 setup guide

Original forum link

https://forum.qubes-os.org/t/23694

Original poster

Solène R

Created at

2024-01-12 19:02:03

Last wiki edit

2025-01-20 10:07:39

Revisions

4 revisions

Posts count

66

Likes count

64

Intro

This guide explains how to setup a a VPN with ProtonVPN app on Qubes OS 4.2 using a Fedora template.

A cool thing with ProtonVPN is that they have a Free offer, although it comes with limitations it's nice. They seem also a legit service to use as per the trustable source https://www.privacyguides.org/en/vpn/

If you want to set up a ProtonVPN using WireGuard without the App, see https://forum.qubes-os.org/t/wireguard-vpn-setup/19141

Setup

Qube creation

• Create a dedicated qube for the vpn
• Name it as you want (I will name it sys-vpn-protonvpn-app)
• Choose type "Standalone" with the template fedora-38 (or xfce flavor minimal flavor should work too)
• Check "provide network access to other qubes" in the Advanced settings tab
• In the qube settings
• Give it 800 MB of memory minimum
• Add the service qubes-firewall
• Add the service network-manager (this is required otherwise the App can't establish VPNs :woman_shrugging:)

Qube configuration

• Start the qube
• Follow the official guide to install ProtonVPN app
• Basically 3 steps: download a rpm file, run dnf on it to add the repository and accept the new repository, install the app
• If wget is missing (that's the case on fedora 38 xfce by default), you can replace it by curl -OL or install it with sudo dnf install wget
• Automatically start the VPN program on qube boot
• mkdir ~/.config/autostart
• ln -s /usr/share/applications/protonvpn-app.desktop .config/autostart/
• Reboot the qube

ProtonVPN App

• If you get a prompt asking for a keyring password (by the qube), this is an extra linux security feature that keep program passwords in a keyring. It seems that you need to use it (by putting a password for the keyring) otherwise ProtonVPN won't keep credentials...
• The ProtonVPN app should show up
• Enter your credentials
• Connect
• Configure the App as you want

Killswitch configuration

ℹ️ You may want to force all qubes traffic to go through the VPN and block non-VPN traffic. ProtonVPN app offers a killswitch. However, if the app crash, the killswitch wouldn't be guaranteed to work. Here is how to make it more secure.

Add the rules below in /rw/config/qubes-firewall-user-script in the qube:

# Prevent the qube to forward traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

Optional hardening: Avoid DNS leaks when no killswitch.

ℹ️ If you did not setup the killswitch, you may want to redirect all DNS queries to a custom server (9.9.9.9 in the current example) and blocking all other DNS servers.

# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"