Intro

This guide explains how to setup a a VPN with ProtonVPN app on Qubes OS 4.2 using a Fedora template.

A cool thing with ProtonVPN is that they have a Free offer, although it comes with limitations it's nice. They seem also a legit service to use as per the trustable source https://www.privacyguides.org/en/vpn/

If you want to set up a ProtonVPN using WireGuard without the App, see https://forum.qubes-os.org/t/wireguard-vpn-setup/19141

Setup

Qube creation

• Create a dedicated qube for the vpn
• Name it as you want (I will name it sys-vpn-protonvpn-app)
• Choose type "Standalone" with the template fedora-38 (or xfce flavor minimal flavor should work too)
• Check "provide network access to other qubes" in the Advanced settings tab
• In the qube settings
• Give it 800 MB of memory minimum
• Add the service qubes-firewall
• Add the service network-manager (this is required otherwise the App can't establish VPNs :woman_shrugging:)

Qube configuration

• Start the qube
• Follow the official guide to install ProtonVPN app
• Basically 3 steps: download a rpm file, run dnf on it to add the repository and accept the new repository, install the app
• If wget is missing (that's the case on fedora 38 xfce by default), you can replace it by curl -OL or install it with sudo dnf install wget
• Automatically start the VPN program on qube boot
• mkdir ~/.config/autostart
• ln -s /usr/share/applications/protonvpn-app.desktop .config/autostart/
• Reboot the qube

ProtonVPN App

• If you get a prompt asking for a keyring password (by the qube), this is an extra linux security feature that locks program passwords in a keyring. It's not really useful in Qubes OS and you can just accept with an empty password, or use a password if you prefer.

• The ProtonVPN app should show up

• Enter your credentials

• Connect

• Configure the App as you want

NOTE: for some reasons, it doesn't save credentials upon reboot, I don't know if this is normal behavior...

Hardening (optional)

Killswitch

> ℹ️ You may want to force all qubes traffic to go through the VPN and block non-VPN traffic. ProtonVPN app offers a killswitch, but if the app crash the killswitch isn't guaranteed to still work.

Add the rules below in /rw/config/qubes-firewall-user-script in the qube:

# Prevent the qube to forward traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

Avoid DNS leaks

> ℹ️ You may also want to force using a defined DNS server (9.9.9.9 in the current example) and blocking all other DNS servers (this avoids dns leaks)

# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"