The guide is based on debian13-minimal, but it should work on debian-13-xfce or debian-13.

Prepare the template

• Start "Terminal Xfce" in dom0
• Run qvm-template install debian-13-minimal
• Run qvm-clone debian-13-minimal debian-13-minimal-openvpn

> ℹ️ The following steps are required to install packages in the new template, as it's a minimal template, you can't use sudo from a regular terminal.

• Run "Terminal Xfce" in dom0
• Run qvm-run -u root debian-13-minimal-openvpn xterm
• Run this command in the terminal that opened: apt install -y qubes-core-agent-networking qubes-core-agent-network-manager network-manager-openvpn-gnome
• Run this command in the terminal that opened: adduser user netdev
• Shutdown debian-13-minimal-openvpn qube

> ℹ️ The following steps will create an AppVM qube that will connect to the OpenVPN server and be used as a NetVM for other qubes.

• Start "Terminal Xfce" in dom0
• Run qvm-create --property provides_network=true --template debian-13-minimal-openvpn --label red --property maxmem=512 sys-vpn-openvpn
• Run qvm-service --enable sys-vpn-openvpn network-manager true

Copy the OpenVPN configuration file to sys-vpn-openvpn

Move the OpenVPN configuration (unzip the file before if needed, the appvm does not have the tools to unzip) to the qube sys-vpn-openvpn you just created.

This can be done by right-clicking on the downloaded file in the file explorer of the Qube that downloaded the configuration file, and choose "Move to other qube..." menu entry in the contextual menu.

Import the configuration file in sys-vpn-openvpn

• Start "Terminal Xfce" in dom0
• Run qvm-run -u root sys-vpn-openvpn xterm
• On the network systray icon, left click, then hover on "VPN Connections" then click on "Add a VPN connection..."

• On the shown menu, click on "OpenVPN" and select "Imported a saved VPN configuration..." instead
• Click on "Create..."
• Select the configuration file you sent to the qube, it's under /home/user/QubesIncoming/...
• When prompted with "Choose new password for keyring" click on "Continue", you can fill the password fields if you want to add a password to unlock the VPN password but this is useless for most users as the qube is dedicated for the VPN task. You will be asked if you really don't want to use a password, click "Continue"
• Fill the values for the fields User name and Password
• Click on "Save"

Autoconnect

> ℹ️ Autoconnect on boot can't work if you store the passwords as the user, which is the case in this guide.

• In sys-vpn-openvpn run a terminal as normal user
• Run the following snippet:

mkdir -p ~/.config/systemd/user
cat << 'EOF' > ~/.config/systemd/user/autoconnect.service
[Service]
Type=oneshot

ExecStart=/bin/sh -c 'nmcli connection up "$(nmcli connection show | awk "/vpn/ { print \$1 }" | sort -R | head -n 1)"'


[Install]
WantedBy=default.target
EOF
systemctl --user daemon-reload
systemctl --user enable autoconnect

> 👉 ℹ️ This creates a service running as user on boot that selects a random VPN connection and connect to it.

Block non-VPN network using Qubes OS Firewall (aka "killswitch")

> ℹ️ This method uses the command line version of the firewall as it allows to block both ICMP (ping) and DNS packets, whereas the firewall tab in the qube settings does not block ICMP and DNS.

• Start "Terminal Xfce" in dom0
• Type the following commands:
• Remove all existing rules for the qube, this is the default qube settings: qvm-firewall sys-vpn-openvpn reset
• Only accept outgoing traffic toward destination, the example is using destination 1.2.3.4 with proto udp and port 1194 (adapt to your configuration!): qvm-firewall sys-vpn-openvpn add accept dsthost=1.2.3.4 dstports=1194 proto=udp
• Remove the default rule that allows everything since we added a more restrictive one: qvm-firewall sys-vpn-openvpn del --rule-no 0 ```