IVPN App 4.2 setup guide

Original forum link: https://forum.qubes-os.org/t/23804
Original poster: Solène R
Created at: 2024-01-16 15:51:42
Last wiki edit: 2024-01-16 17:30:07
Revisions: 1 revision
Posts count: 23
Likes count: 9

Intro

This guide explains how to set up a VPN with the IVPN app on Qubes OS 4.2 using a Fedora template.

The IVPN app is open source and IVPN provides repositories for Fedora and Debian. There is official documentation (https://www.ivpn.net/knowledgebase/linux/ivpn-on-qubes-os/), but I think it deserves more explanation here.

The app supports OpenVPN and WireGuard tunnels, with obfsproxy and V2ray respectively as obfuscation protocols.

They also seem to be a legitimate service according to the trustworthy source https://www.privacyguides.org/en/vpn/

If you want to set up IVPN using WireGuard without the App, see https://forum.qubes-os.org/t/wireguard-vpn-setup/19141

Setup

Qube creation

Qube configuration

# /rw/config/rc.local: add the Qubes OS specific DNS steps to the IVPN firewall script
# right after its "-set_dns" line, unless they are already there (the "#QUBES OS" marker).
if ! grep "QUBES OS" /opt/ivpn/etc/firewall.sh >/dev/null
then
    sudo sed -i '/-set_dns/a\
      #QUBES OS - specific operation\
      systemctl restart systemd-resolved || echo "Error: systemd-resolved" \
      /usr/lib/qubes/qubes-setup-dnat-to-ns || echo "Error: failed to run /usr/lib/qubes/qubes-setup-dnat-to-ns"' /opt/ivpn/etc/firewall.sh
fi

- Reboot the qube
- Proceed to the next step

IVPN App

Start the app with /opt/ivpn/ui/bin/ivpn-ui, or add the "IVPN" application to the qube's menu entries.

The IVPN app should start without issue:

Auto start at boot can be enabled in the "General" settings.

Avoid issues with WireGuard

ℹ️ WireGuard tunnels can trigger an MTU issue in the network: in short, some websites (duckduckgo, for example) stop working because the packets are too big. This is a common issue with WireGuard VPNs.

Add this to /rw/config/qubes-firewall-user-script:

nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu

This clamps the TCP MSS to the path MTU, which automatically ensures that the qubes' network packets fit in a WireGuard packet and makes things work.

Killswitch configuration

ℹ️ You may want to force all the qubes' traffic through the VPN and block non-VPN traffic. The IVPN app offers a killswitch, but the app could still crash, in which case the killswitch isn't guaranteed to work.

Add the rules below to /rw/config/qubes-firewall-user-script in the qube:

# Prevent the qube from forwarding traffic outside of the VPN (IPv4 and IPv6)
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop

Optional hardening: Avoid DNS leaks

ℹ️ You may also want to force the use of a defined DNS server (9.9.9.9 in this example) and block all other DNS servers; this avoids DNS leaks.

# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
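A quick way to confirm that the MSS clamp, the killswitch and the DNS redirect from the three sections above really ended up in the running ruleset, as an added check that is not part of the original guide: the functions below parse an "nft list ruleset" dump, and SAMPLE_RULESET is a constructed, abbreviated dump whose layout (quoted interface names, "dnat to") is an assumption about nft's output format.

```shell
#!/bin/sh
# Added check (not from the original guide): verify that the nft rules this guide puts in
# /rw/config/qubes-firewall-user-script are present in the qube's live ruleset. SAMPLE_RULESET
# is a constructed, abbreviated "nft list ruleset" dump; its exact layout is an assumption.
SAMPLE_RULESET='table ip qubes {
  chain custom-forward {
    tcp flags syn / syn,rst tcp option maxseg size set rt mtu
    oifname "eth0" counter packets 12 bytes 720 drop
  }
  chain nat {
    type nat hook prerouting priority dstnat; policy accept;
    iifname "vif*" tcp dport 53 dnat to 9.9.9.9
    iifname "vif*" udp dport 53 dnat to 9.9.9.9
  }
}
table ip6 qubes {
  chain custom-forward {
    oifname "eth0" counter packets 0 bytes 0 drop
  }
}'

# chain_rules RULESET FAMILY CHAIN: print the rules of chain CHAIN in table "FAMILY qubes".
# Braces are counted so sets or other chains inside the table are not mistaken for it.
chain_rules() {
    printf '%s\n' "$1" | awk -v fam="$2" -v ch="$3" '
        /[{][[:space:]]*$/ { depth++
            if (depth == 1) intab = ($1 == "table" && $2 == fam && $3 == "qubes")
            if (depth == 2) inch  = (intab && $1 == "chain" && $2 == ch); next }
        $1 == "}" { if (depth == 2) inch = 0; depth--; next }
        inch      { print }'
}
# Killswitch: anything forwarded out of eth0, i.e. outside the tunnel, is dropped for v4 and v6.
check_killswitch() {
    chain_rules "$1" ip  custom-forward | grep -q 'oifname "eth0" .*drop' &&
    chain_rules "$1" ip6 custom-forward | grep -q 'oifname "eth0" .*drop'
}
# MSS clamp that keeps the clients' TCP segments small enough for the WireGuard MTU.
check_mss_clamp() {
    chain_rules "$1" ip custom-forward | grep -q 'tcp option maxseg size set rt mtu'
}
# check_dns_redirect RULESET DNS: TCP and UDP port 53 from the client vifs are DNATed to DNS.
check_dns_redirect() {
    chain_rules "$1" ip nat | grep -q "tcp dport 53 .*dnat to $2" &&
    chain_rules "$1" ip nat | grep -q "udp dport 53 .*dnat to $2"
}
# report RULESET DNS: one status line per rule group.
report() {
    check_killswitch "$1"        && echo "killswitch: ok"   || echo "killswitch: MISSING"
    check_mss_clamp "$1"         && echo "mss clamp: ok"    || echo "mss clamp: MISSING"
    check_dns_redirect "$1" "$2" && echo "dns redirect: ok" || echo "dns redirect: MISSING"
}
report "$SAMPLE_RULESET" 9.9.9.9
```

Against the live qube, run it as root and replace the last line with `report "$(nft list ruleset)" 9.9.9.9`.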

Access local LAN / addresses (Advanced users /!\ )

ℹ️ There is an issue with the app on Qubes OS: the "allow LAN" exception doesn't always work. It's not useful for most users though, so don't panic 😃

I created a script /rw/config/bypass-fw with the following content (adapt the IPs in the first variable):

#!/bin/sh

# Space-separated list of LAN addresses that may bypass the VPN
IPS_TO_ALLOW="10.42.42.42 10.42.42.150"

# The variable must stay unquoted here so that the shell splits it into one IP per iteration
for i in $IPS_TO_ALLOW
do
  nft insert rule qubes custom-forward ip daddr $i counter accept
  nft insert rule filter FORWARD ip daddr $i counter accept
  nft insert rule filter FORWARD ip saddr $i counter accept
done

Make it executable with chmod +x /rw/config/bypass-fw, and change the script in /rw/config/rc.local so that it calls /rw/config/bypass-fw, like this:

if ! grep "QUBES OS" /opt/ivpn/etc/firewall.sh >/dev/null
then
    sudo sed -i '/-set_dns/a\
      #QUBES OS - specific operation\
      systemctl restart systemd-resolved || echo "Error: systemd-resolved" # this line is required for Qubes OS 4.2 (tested on Qubes OS 4.2-RC4)\
      /usr/lib/qubes/qubes-setup-dnat-to-ns || echo "Error: failed to run /usr/lib/qubes/qubes-setup-dnat-to-ns"' /opt/ivpn/etc/firewall.sh
fi
# Apply the LAN exceptions on every boot, whether or not firewall.sh needed patching this time
/rw/config/bypass-fw

Make sure to also edit /opt/ivpn/etc/firewall.sh so that it calls /rw/config/bypass-fw, near where the lines appended above land in that file, so the exceptions are applied whenever the IVPN firewall script runs.