How to configure Whonix to use Mullvad revisions

Go back to topic: How to configure Whonix to use Mullvad

  1. v7 anchor; v7 full version
  2. v6 anchor; v6 full version
  3. v5 anchor; v5 full version
  4. v4 anchor; v4 full version
  5. v3 anchor; v3 full version
  6. v2 anchor; v2 full version

Revision #7

Edited on
2025-08-12
Edited by user
magazine
This method offers a more secure way to utilize VPNs when you seek similar security and (pseudo)anonymity advantages of the Whonix Workstation, but prefer not to use Tor as your exit node. This guide offers a way to use Whonix Workstation with Mullvad as its NetVM. Which could be needed when you seek similar security and (pseudo)anonymity advantages of the Whonix Workstation, but prefer not to use Tor as your NetVM.

Revision #6

Edited on
2025-06-26
Edited by user
magazine
6. Setup the systemd path and service units ```sudoedit /etc/systemd/system/resolv-reload.path``` 6. Setup the systemd path and service units Create your path unit ```sudoedit /etc/systemd/system/resolv-reload.path```
In ```sudoedit /etc/systemd/system/resolv-reload.service``` Create your service unit ```sudoedit /etc/systemd/system/resolv-reload.service```
Extra step for Fedora / SElinux to put the SElinux tag for systemd: ``` /sbin/restorecon -v /etc/systemd/system/resolv-reload.* ```
8. (Optional) Add these firewall rules to `/rw/config/qubes-firewall-user-script` to add another killswitch in case Mullvad`s fails for whatever reason 9. (Optional) Add these firewall rules to `/rw/config/qubes-firewall-user-script` to add another killswitch in case Mullvad`s fails for whatever reason

Revision #5

Edited on
2025-06-26
Edited by user
magazine
6. Install inotify `sudo dnf install -y inotify-tools` 6. Setup the systemd path and service units ```sudoedit /etc/systemd/system/resolv-reload.path``` ``` [Path] PathModified=/etc/resolv.conf [Install] WantedBy=multi-user.target ``` In ```sudoedit /etc/systemd/system/resolv-reload.service``` ``` [Service] ExecStart=/usr/local/bin/mullvad-dns.sh Type=oneshot ``` Enable it to start on boot ``` systemctl daemon-reload systemctl enable resolv-reload.path ```
4. Start your new sys-mullvad Qube and open a terminal. Run the command `sudoedit /usr/local/bin/mullvad-dns.sh` and paste in the following contents: 4. Start your new sys-mullvad Qube and open a terminal. Run the command ```sudoedit /usr/local/bin/mullvad-dns.sh``` and paste in the following contents:
mullvad_dns_ip=$(grep "nameserver"; < /etc/resolv.conf| awk `{print $2}` | head -n 1) mullvad_dns_ip=$(awk '/nameserver/ { print $2 ; exit }' /etc/resolv.conf)
qube_vm_ip=$(hostname -I | awk `{print $1}`) qube_vm_ip=$(hostname -I | awk '{print $1}')
nameserver_ips=$(grep "nameserver" < /etc/resolv.conf| awk `{print $2}`) nameserver_ips=$(awk '/nameserver/ { print $2 }' /etc/resolv.conf)
update_dns # check for /etc/resolv.conf content change inotifywait -m -q -e close_write /etc/resolv.conf | while read -r; do update_dns done update_dns
`nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu` ```nft add rule ip qubes custom-forward tcp flags syn / syn,rst tcp option maxseg size set rt mtu```

Revision #4

Edited on
2025-06-26
Edited by user
magazine

Revision #3

Edited on
2025-06-15
Edited by user
magazine
3. Run this script by Tommy from PrivSec to minimize the template and reduce the attack surface: https://github.com/TommyTran732/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh 3. Run this script by Tommy from PrivSec to minimize the template and reduce the attack surface: [fedora-gnome.sh script](https://github.com/magazine-qubes/QubesOS-Scripts/blob/main/fedora-gnome/fedora-gnome.sh)
Big thanks to Solene and Tommy from PrivSec as this guide is a mash of both their guides plus a bit of my own.Big thanks to @solene and @TommyTran732 from PrivSec as this guide is a mash of both their guides plus a bit of my own.

Revision #2

Edited on
2025-06-14
Edited by user
magazine
Template setup is complete! Now, let’s configure Mullvad for networking. Template setup is complete! Now, let’s configure Mullvad for networking.
```nft add rule qubes custom-forward oifname eth0 counter drop nft add rule ip6 qubes custom-forward oifname eth0 counter drop``` Done! Keep in mind that when you create an AppVM with your sys-mullvad qube, it must be based on the whonix-workstation-17-vpn template.``` nft add rule qubes custom-forward oifname eth0 counter drop nft add rule ip6 qubes custom-forward oifname eth0 counter drop ``` Keep in mind that when you create an AppVM with your sys-mullvad qube, it must be based on the whonix-workstation-17-vpn template. Big thanks to Solene and Tommy from PrivSec as this guide is a mash of both their guides plus a bit of my own.