This guide explains how to set up a VPN with the ProtonVPN app on Qubes OS 4.2 using a Fedora template.
If you want to set up a VPN using WireGuard without the app, see https://forum.qubes-os.org/t/wireguard-vpn-setup/19141
sys-vpn-protonvpn-app
In the qube settings:
Give it 600 MB of memory minimum
Add the service qubes-firewall
network-manager (this is required, otherwise the app can't establish VPNs :woman_shrugging:)
If wget is missing (that's the case on Fedora 38 Xfce by default), you can replace it with curl -OL or install it with sudo dnf install wget
Automatically start the VPN program on qube boot
Reboot the qube
NOTE: for some reason, it doesn't save credentials upon reboot; I don't know if this is normal behavior...
> ℹ️ You may want to force all qubes traffic to go through the VPN and block non-VPN traffic. The ProtonVPN app offers a killswitch, but if the app crashes, the killswitch isn't guaranteed to still work.
Add the rules below to /rw/config/qubes-firewall-user-script in the qube:
# Prevent the qube from forwarding traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
> ℹ️ You may also want to force the use of a defined DNS server (9.9.9.9 in the current example) and block all other DNS servers (this avoids DNS leaks).
# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
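
To check that the rules above are actually loaded in the VPN qube, the script below parses the output of nft list ruleset and reports which of them are missing. It is an added example, not part of the original guide; the function names audit_vpn_rules and sample_ruleset are hypothetical, and the sample dump is constructed for illustration.

```shell
# Added example, not from the guide: audit an nft ruleset dump for the forward-drop
# and DNS-redirect rules above. On the VPN qube, as root:
#   nft list ruleset | audit_vpn_rules 9.9.9.9
# Reads a ruleset on stdin, prints one line per missing rule, returns 0 if none.
audit_vpn_rules() {
    missing=$(awk -v dns="$1" '
        # Track the current table and chain by block depth (sets also open blocks)
        $NF == "{" { depth++; if ($1 == "table") table = $2 " " $3; if ($1 == "chain") chain = $2 }
        $1 == "}"  { depth--; if (depth == 1) chain = ""; if (depth == 0) table = "" }
        # Drop rule on the uplink, tracked per address family (ip and ip6)
        chain == "custom-forward" && /oifname "eth0"/ && $NF == "drop" { seen[table " drop"] = 1 }
        # The DNS redirect must point at the expected resolver
        table == "ip qubes" && chain == "nat" && / dport 53 / && $NF == dns {
            if (/tcp dport/) seen["tcp"] = 1
            if (/udp dport/) seen["udp"] = 1
        }
        END {
            if (!seen["ip qubes drop"])  print "missing: IPv4 forward drop on eth0"
            if (!seen["ip6 qubes drop"]) print "missing: IPv6 forward drop on eth0"
            if (!seen["tcp"]) print "missing: TCP DNS redirect to " dns
            if (!seen["udp"]) print "missing: UDP DNS redirect to " dns
        }')
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
}

# Constructed sample modelled on nft list ruleset output, not a capture from a real qube.
sample_ruleset() {
    cat <<'EOF'
table ip qubes {
    chain custom-forward {
        oifname "eth0" counter packets 0 bytes 0 drop
    }
    chain nat {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "vif*" tcp dport 53 dnat to 9.9.9.9
        iifname "vif*" udp dport 53 dnat to 9.9.9.9
    }
}
table ip6 qubes {
    chain custom-forward {
        oifname "eth0" counter packets 0 bytes 0 drop
    }
}
EOF
}

sample_ruleset | audit_vpn_rules 9.9.9.9 && echo "leak-prevention rules present"
```

The check only confirms that the rules are present in the dump; it does not test whether traffic is actually blocked.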