
WireGuard On Qubes OS - Guides - Mullvad VPN

This document provides a step-by-step guide for setting up WireGuard on Qubes OS using Mullvad VPN, including creating a ProxyVM, downloading configuration files, and configuring networking and firewall rules. It outlines the necessary commands and settings to ensure proper connectivity and security for AppVMs utilizing the MullvadVPN ProxyVM. Additionally, it includes troubleshooting tips and FAQs for verifying the VPN connection.

Uploaded by

xifawe6506

9/30/23, 8:00 PM WireGuard on Qubes OS - Guides | Mullvad VPN


WireGuard on Qubes OS

Last updated: 6 September 2023

In this guide we will set up a ProxyVM called "MullvadVPN" which will provide network to other AppVMs,
using WireGuard. If you want to use OpenVPN instead then see our guide Mullvad on Qubes OS 4.

Note: We will use Sweden (se9-wireguard) as the server in this guide. If you want to use another server
then use that server's configuration instead.

Create a new qube


Click on the Qubes app menu and then Create Qubes VM.

1. Name and label: MullvadVPN.


2. Type: Qube based on a template (AppVM).
3. Template: fedora-36 (or later).
4. Networking: default (sys-firewall).
5. Advanced: Check (enable) provides network.

6. Click on OK.

Note: In the Qubes app menu, the newly created MullvadVPN AppVM qube will show up as "Service:
MullvadVPN" and not "Qube: MullvadVPN" due to its "provides network" setting.

Download a WireGuard configuration


In another AppVM (not MullvadVPN) that you use for web surfing:

1. Open a web browser and log in to our WireGuard configuration file generator.
2. Select Linux as the platform and then click on Generate key.
3. Select a country, a city and a server.
4. Click on Download file.
5. Click on the Qubes app menu and go to your current AppVM and open Files.
6. Open the Downloads folder and right click on the downloaded WireGuard file.
7. Select Copy To Other AppVM... and then enter MullvadVPN as the Target and click on OK.

Install WireGuard
We will install WireGuard in the Fedora-34 template so your MullvadVPN ProxyVM can use that.

1. Click on the Qubes app menu and go to Template: fedora-36 and open the Terminal.
2. In the Terminal run the command sudo dnf install wireguard-tools -y
3. Shut down the VM with the command sudo shutdown -h now
4. Shut down and start the MullvadVPN ProxyVM so that wireguard-tools are added to it.

Set the Networking


1. Click on the Qubes app menu and go to System Tools > Qube Manager.

2. Select the AppVM that you want to use with the MullvadVPN ProxyVM and click on the Stop button in
the toolbar to shut it down.
3. Right click on the same AppVM and then select Qube settings.
4. On the Basic tab, click on the Networking drop-down list and select MullvadVPN.
5. Click on OK.
6. Click on the Start button in the toolbar to start the AppVM again.

Configure WireGuard
In the MullvadVPN ProxyVM:

1. Click on the Qubes app menu and go to MullvadVPN and open the Terminal.
2. Now you will copy the WireGuard .conf file that was copied from the other AppVM to the /home/user/
folder so that it persists after reboot. First run:
cp /home/user/QubesIncoming/*/[Link] /home/user/
3. Now you will edit the /rw/config/[Link] file using a text editor. First install nano:
sudo dnf install nano -y
4. Then run sudo nano /rw/config/[Link]
5. Add wg-quick up /home/user/[Link] (or the config file you used) on a new line.
6. Press Ctrl+O (Enter) and then Ctrl+X to save and exit.

Make sure that WireGuard connects:

1. Run sudo wg-quick up /home/user/[Link]


2. Run curl [Link]
3. Run sudo wg and check for a WireGuard network interface and a peer handshake.
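
The handshake check in step 3 can be scripted. This added example (not from the original guide) parses the output of wg show all latest-handshakes and reports peers with no handshake or an old one. The function names, the placeholder keys and the 180-second threshold are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the guide: flag peers without a recent handshake.

# stale_peers NOW MAX_AGE
# Reads `wg show all latest-handshakes` output on stdin (tab-separated:
# interface, peer public key, Unix time of last handshake; 0 = never).
# Prints one line per peer that never completed a handshake or whose last
# handshake is older than MAX_AGE seconds. Returns 1 if any such peer exists
# or if there are no peers at all, 0 otherwise.
stale_peers() {
    awk -v now="$1" -v max="$2" '
        NF >= 2 {
            seen = 1
            peer = $(NF - 1); ts = $NF
            if (ts == 0) { print peer ": no handshake yet"; bad = 1 }
            else if (now - ts > max) {
                print peer ": last handshake " (now - ts) "s ago"; bad = 1
            }
        }
        END {
            if (!seen) { print "no peers found"; bad = 1 }
            exit bad
        }'
}

# Constructed sample input: placeholder keys, times relative to NOW=1000000.
sample_handshakes() {
    printf 'wg0\tPEER-A-PLACEHOLDER=\t999950\n'
    printf 'wg0\tPEER-B-PLACEHOLDER=\t0\n'
    printf 'wg0\tPEER-C-PLACEHOLDER=\t999000\n'
}

# Live use inside the ProxyVM (180 s is this example's threshold, an assumption):
#   sudo wg show all latest-handshakes | stale_peers "$(date +%s)" 180
```

A handshake only takes place when traffic is sent, so run the curl step first; an idle tunnel can legitimately show an older timestamp.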

Add DNS hijacking rules



Now we will add firewall rules to redirect DNS requests to [Link] (the DNS on the VPN server) for all
AppVMs that use the MullvadVPN ProxyVM.

Make sure that you have started an AppVM that has the Networking set to MullvadVPN, otherwise the "vif"
IP address will not be visible.

Still in the MullvadVPN Terminal:

1. To find out your vif* IP address, run ip a | grep -i vif


2. Edit the firewall user file with nano:
sudo nano /rw/config/qubes-firewall-user-script
3. Copy and paste the following at the bottom. Replace [Link] with your own vif* IP address:

# replace [Link] with the IP address of your vif* interface
virtualif=[Link]
vpndns1=[Link]
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1

4. Press Ctrl+O (Enter) and then Ctrl+X to save and exit.
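
A static check for the script pasted in step 3, as an added example that is not part of the original guide: it confirms that the two FORWARD DROP rules (which keep AppVM traffic from being forwarded straight out eth0) and both DNS DNAT rules survived the paste. The function names and the documentation-range addresses in the sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the guide: static check of a pasted firewall script.

# Print the script's active lines: comments removed, whitespace squeezed.
active_lines() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# audit_fw_script FILE
# Prints "MISSING: <item>" for each expected line that is absent and
# returns 1 if anything is missing, 0 if the script is complete.
audit_fw_script() {
    lines=$(active_lines "$1")
    missing=0
    while IFS='@' read -r item regex; do
        if ! printf '%s\n' "$lines" | grep -Eq -e "$regex"; then
            echo "MISSING: $item"
            missing=1
        fi
    done <<'EOF'
virtualif set to an IPv4 address@^virtualif=([0-9]{1,3}\.){3}[0-9]{1,3}$
vpndns1 set to an IPv4 address@^vpndns1=([0-9]{1,3}\.){3}[0-9]{1,3}$
drop forwarding out of eth0@^iptables -I FORWARD -o eth0 -j DROP$
drop forwarding in from eth0@^iptables -I FORWARD -i eth0 -j DROP$
flush PR-QBS nat chain@^iptables -F PR-QBS -t nat$
DNAT for udp/53@^iptables -A PR-QBS -t nat -d [^ ]+ -p udp --dport 53 -j DNAT --to [^ ]+$
DNAT for tcp/53@^iptables -A PR-QBS -t nat -d [^ ]+ -p tcp --dport 53 -j DNAT --to [^ ]+$
EOF
    return "$missing"
}

# Constructed sample: the guide's rules with documentation addresses
# (192.0.2.0/24, 198.51.100.0/24) standing in for the real vif and DNS IPs.
write_sample() {
    cat > "$1" <<'EOF'
# replace with the IP address of your vif* interface
virtualif=192.0.2.10
vpndns1=198.51.100.1
iptables -F OUTPUT
iptables -I FORWARD -o eth0 -j DROP
iptables -I FORWARD -i eth0 -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -F PR-QBS -t nat
iptables -A PR-QBS -t nat -d $virtualif -p udp --dport 53 -j DNAT --to $vpndns1
iptables -A PR-QBS -t nat -d $virtualif -p tcp --dport 53 -j DNAT --to $vpndns1
EOF
}
```

Inside the MullvadVPN qube, call it as audit_fw_script /rw/config/qubes-firewall-user-script; it only reads the file and changes no rules.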

Add qube firewall rules


In Qube Manager, select MullvadVPN then right click and select Qube settings.

Make the following changes:



1. Ensure it is still set to use sys-firewall as "Networking".


2. Check "Start qube automatically on boot".
3. Click on the "Firewall rules" tab.
4. Click on "Limit outgoing internet connections to ...".
5. Click on "+" and enter the IP addresses of the VPN servers that you want to be able to connect to. You
can find it in the WireGuard configuration file ([Link]) on the Endpoint line, or in our Servers
list.
6. Click on OK.

In the next step you will edit the firewall manually. After this you can no longer open Qube Manager and add
rules on the Firewall rules tab, so make sure to add all the servers you need now. If you have to add
more servers later you can do it in the Terminal Emulator using the following command (replace SERVER-IP
with the IP address of the Mullvad VPN server).

qvm-firewall MullvadVPN add accept dsthost=SERVER-IP

If you need to undo the changes then you can remove all firewall rules and reset it to default (accept all
connections) using this command:

qvm-firewall MullvadVPN reset
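
One way to collect the addresses for step 5, as an added example (not Mullvad's own tooling): run inside the MullvadVPN qube, it reads the Endpoint line of each configuration file and prints the matching qvm-firewall commands to type into the Terminal Emulator. The function names and the sample configuration are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: turn Endpoint lines into allow rules.

# endpoint_hosts CONF... -> unique host part of every "Endpoint = host:port".
endpoint_hosts() {
    sed -n 's/^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*//p' "$@" |
        sed -e 's/[[:space:]]*$//' -e 's/:[0-9][0-9]*$//' \
            -e 's/^\[\(.*\)\]$/\1/' |
        sort -u
}

# is_ipv4 STRING -> status 0 only for a dotted quad with octets 0-255.
is_ipv4() {
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# allow_rules QUBE CONF... -> one qvm-firewall command per IPv4 endpoint.
# Commands are printed, not run: qvm-firewall is a dom0 tool, and only the
# endpoint address (never the PrivateKey) appears in the output.
allow_rules() {
    qube=$1; shift
    endpoint_hosts "$@" | while read -r host; do
        if is_ipv4 "$host"; then
            echo "qvm-firewall $qube add accept dsthost=$host"
        else
            echo "# not an IPv4 address, check by hand: $host"
        fi
    done
}

# Constructed sample config: placeholder keys, documentation-range addresses.
write_sample_conf() {
    cat > "$1" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER-NOT-A-REAL-KEY
Address = 192.0.2.77/32

[Peer]
PublicKey = PLACEHOLDER-NOT-A-REAL-KEY
AllowedIPs = 0.0.0.0/0
Endpoint = 203.0.113.9:51820
EOF
}
```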

Disable ping (optional)


As noted in the qube Firewall rules window, those rules do not apply to DNS requests and ICMP (pings). If
you want to block pings too then you can use the qvm-firewall command.

1. Click on the Qubes app menu and open Terminal Emulator.



2. Run qvm-firewall MullvadVPN list . Find the rule at the bottom that says "accept icmp" and note the
line number.
3. Run qvm-firewall MullvadVPN del --rule-no NUMBER . Replace NUMBER with the line number you found
above.
4. Run qvm-firewall MullvadVPN add --before NUMBER drop proto=icmp . Replace NUMBER with the line
number you found above. This new rule will be added before the last "drop" line.
5. Check it by running the list command again. The rules should be in this order: accept (the IP addresses
of the VPN servers), accept dns, drop icmp, drop.

FAQ
How do I verify that traffic is going out via the MullvadVPN proxy?
Open a web browser in your AppVM that is using the MullvadVPN ProxyVM and go to our Connection
check.

Troubleshooting
Internet works in the ProxyVM, but not in the AppVM.
Make sure you shut down your AppVM before setting the Networking to ProxyVM. It seems that it does not
work as well to change it on the fly.

Try to lower the MTU in your AppVM: sudo ifconfig eth0 mtu 1280