This guide explains how to set up a VPN with the Mullvad app on Qubes OS 4.2 using a Fedora template.
The Mullvad app is open source and Mullvad provides repositories for Fedora and Debian, but there is no documentation on deploying the app in Qubes: only an official page explaining how to set up WireGuard, and a community guide for Mullvad WireGuard without the app.
The app supports OpenVPN and WireGuard tunnels. Bridges are available for OpenVPN and obfuscation is available for WireGuard; these features are useful if you are unable to connect because of censorship.
They also seem to be a legitimate service to use, according to the trustworthy source https://www.privacyguides.org/en/vpn/
Qube used in this guide (settings screenshot not reproduced): sys-vpn-mullvad-app, with qubes-firewall.
```sh
sudo dnf config-manager --add-repo https://repository.mullvad.net/rpm/stable/mullvad.repo
sudo dnf install mullvad-vpn
```
Start the app with `/opt/Mullvad\ VPN/mullvad-gui`,
or use the "Mullvad VPN" entry that the installation adds to the qube's application menu.
The Mullvad VPN app should start without issue.
Auto start at boot can be enabled in the settings.
> ℹ️ WireGuard tunnels can trigger an MTU issue in the network: in short, some websites may stop working (duckduckgo, for example) because the packets are too big. This is a common issue with WireGuard VPNs.
Add this to /rw/config/qubes-firewall-user-script:
```sh
nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
```
This clamps the TCP MSS of forwarded connections to the route MTU, so packets from the qubes behind this one fit inside a WireGuard packet and things work.
> ℹ️ You may want to force all qubes traffic through the VPN and block non-VPN traffic. The Mullvad app offers a kill switch, but the app could still crash and the kill switch would then not be guaranteed to work.
> ℹ️ This easy method plays well with the app, as you don't need to configure a firewall rule for each server/port. However, if the qube gets compromised it is possible to disable the rule; if you want more security against this threat you should use qvm-firewall.
Add the rules below to /rw/config/qubes-firewall-user-script in the qube:
```sh
# Prevent the qube from forwarding traffic outside of the VPN
nft add rule qubes custom-forward oifname eth0 counter drop
nft add rule ip6 qubes custom-forward oifname eth0 counter drop
```
> ℹ️ You may also want to force the use of a defined DNS server (9.9.9.9 in this example) and block all other DNS servers (this avoids DNS leaks).
```sh
# Redirect all the DNS traffic to the preferred DNS server
DNS=9.9.9.9
nft add chain qubes nat { type nat hook prerouting priority dstnat\; }
nft add rule qubes nat iifname == "vif*" tcp dport 53 dnat "$DNS"
nft add rule qubes nat iifname == "vif*" udp dport 53 dnat "$DNS"
```
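The complete /rw/config/qubes-firewall-user-script assembled from the three rule sets above, as an added example (not the guide's own file): `rules` prints the batch so it can be reviewed before `apply` loads it atomically with `nft -f`. It assumes eth0 is the uplink towards sys-net as in the guide; the chain name `nat`, the DNS/UPLINK variables and the helper function names are mine.

```sh
#!/bin/sh
# Added example: full qubes-firewall-user-script for sys-vpn-mullvad-app.
set -eu

DNS="${DNS:-9.9.9.9}"      # resolver every downstream DNS query is forced to
UPLINK="${UPLINK:-eth0}"   # interface towards sys-net, i.e. the path that bypasses the tunnel

# Print the nft batch. Kept separate from apply so it can be inspected or
# diffed against `nft list ruleset` without touching the live ruleset.
rules() {
  cat <<EOF
# clamp TCP MSS of forwarded connections to the route MTU (WireGuard overhead)
add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu
# kill switch: downstream qubes may never be forwarded to the uplink directly
add rule ip qubes custom-forward oifname "$UPLINK" counter drop
add rule ip6 qubes custom-forward oifname "$UPLINK" counter drop
# force every downstream DNS query to $DNS (prevents leaks to other resolvers)
add chain ip qubes nat { type nat hook prerouting priority dstnat; }
add rule ip qubes nat iifname "vif*" tcp dport 53 dnat to $DNS
add rule ip qubes nat iifname "vif*" udp dport 53 dnat to $DNS
EOF
}

# Number of rules in the batch (sanity check before applying).
rule_count() {
  rules | grep -c '^add rule'
}

# Load the whole batch in one transaction: either every rule lands or none does,
# so a typo cannot leave the qube with the clamp but without the kill switch.
apply() {
  rules | nft -f -
}

# Only apply when executed as the user script itself, not when sourced for review.
case "${0##*/}" in
  qubes-firewall-user-script) apply ;;
esac
```

Run `sh /rw/config/qubes-firewall-user-script` after editing to load the rules without restarting the qube, and `nft list chain ip qubes custom-forward` to confirm the counters on the drop rule stay at zero during normal use.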