IVPN on Qubes OS

Introduction

Qubes OS uses a ProxyVM as an intermediary between other VMs in the system and the outside world. The primary function of a ProxyVM is to handle network traffic for other VMs, allowing those VMs to remain isolated from the internet, untrusted and potentially hostile networks.

In Qubes OS, each VM is assigned a specific role, such as a NetVM (for networking) or an AppVM (for running applications). When an AppVM needs to connect to the internet, it sends its network traffic to the designated NetVM.

Alternatively, an AppVM can send its network traffic directly to a ProxyVM for processing. This configuration, known as a “ProxyVM-based NetVM”, allows the ProxyVM to enforce various security policies, such as blocking certain types of traffic or limiting access to specific resources. It also allows the use of a Virtual Private Network (VPN) connection, which can provide additional privacy and security for network traffic.

By configuring a ProxyVM to use a VPN connection, all network traffic from the other VMs in the system can be routed through the VPN, ensuring that the traffic is encrypted and anonymized before it leaves the system. This approach can be especially useful when accessing sensitive or confidential information over untrusted networks.

In summary, using a Proxy VM in Qubes OS can provide a flexible and customizable framework for managing network security and isolation, including the ability to use a VPN connection for added privacy and security.

This guide describes the configuration for the following setup:

Creating ProxyVM

1. Navigate to Qube manager (Main menu -> Qubes Tools -> Qube Manager):

2. Create “New qube” with the following parameters:

   • Name and label: ivpn-proxy
   • Type: StandaloneVM (fully persistent)
   • Template: fedora-36
   • Networking: default (sys-firewall)
   • Advanced tab -> “Provide network access to other qubes“: enabled

3. Press OK

Installing IVPN client

1. Start the recently created ivpn-proxy cube (right-click -> Start/Resume)

2. Open ivpn-proxy terminal (Main menu -> Service: ivpn-proxy -> ivpn-proxy: Terminal)

3. Install IVPN client (CLI and UI; refer to Fedora setup instructions)

4. Add IVPN client to ivpn-proxy VM menu:

   • Main menu -> Service: ivpn-proxy -> Settings
   • In the Applications tab: select IVPN from the list and press the > button
   • Press OK

Configuring IVPN client

IVPN client must start and establish a VPN connection automatically when ProxyVM (ivpn-proxy) starts. It must also block all network traffic when not connected to the VPN server.

1. Start the IVPN app (Main menu -> Service: ivpn-proxy -> ivpn-proxy: IVPN)

2. Log in using your IVPN account ID (i-XXXX-XXXX-XXXX or ivpnXXXXXXXX)

3. In the app’s Settings - General area:

   • Autoconnect On launch: Enabled
   • Allow background daemon to manage autoconnect: Enabled

4. Settings - IVPN Firewall:

   • Always-on firewall: Enabled

5. Settings -> DNS:

   • Force management of DNS using resolv.conf: Enabled(!)

6. Select preferred VPN settings (VPN protocol, server, etc.) and connect

DNS: Configuring DNAT on ProxyVM

Qubes OS requires the /usr/lib/qubes/qubes-setup-dnat-to-ns script to be run every time after updating DNS settings on ProxyVM.

The /usr/lib/qubes/qubes-setup-dnat-to-ns script sets up the necessary DNAT (Destination Network Address Translation) rules by modifying the iptables configuration. This allows DNS requests to be properly forwarded from AppVM-s.

There are various approaches to execute this script automatically:

Approach 1 - Modify the VM startup script:

1. Open ivpn-proxy terminal (Main menu -> Service:ivpn-proxy -> ivpn-proxy: Terminal)

2. Update /rw/config/rc.local file with the following command:

   cat <<EOF | sudo tee -a /rw/config/rc.local
   sleep 10 # Waiting a bit so that IVPN can establish a connection
   systemctl restart systemd-resolved # for Qubes OS 4.2 only (tested on Qubes OS 4.2-RC4)
   /usr/lib/qubes/qubes-setup-dnat-to-ns
   EOF
   

Approach 2 - Modify IVPN ‘dns’ script:

1. Open the /opt/ivpn/etc/firewall.sh script file on ProxyVM (ivpn-proxy) and add the following right after the elif [[ $1 = "-set_dns" ]]; then line:

   #QUBES OS - specific operation
   systemctl restart systemd-resolved || echo "Error: systemd-resolved" # this line is required for Qubes OS 4.2 (tested on Qubes OS 4.2-RC4)
   /usr/lib/qubes/qubes-setup-dnat-to-ns || echo "Error: failed to run '/usr/lib/qubes/qubes-setup-dnat-to-ns'"
   

2. The contents of /opt/ivpn/etc/firewall.sh should look as follows:

   ...
   #DNS rules
   elif [[ $1 = "-set_dns" ]]; then
   
   #QUBES OS - specific operation
   systemctl restart systemd-resolved || echo "Error: systemd-resolved" # this line is required for Qubes OS 4.2 (tested on Qubes OS 4.2-RC4)
   /usr/lib/qubes/qubes-setup-dnat-to-ns || echo "Error: failed to run '/usr/lib/qubes/qubes-setup-dnat-to-ns'" 
   
   get_firewall_enabled || return 0
   ...
   

AppVM

All AppVMs that need to use the VPN connection have to be configured to use ivpn-proxy ProxyVM.

1. In Qube manager (Main menu -> Qubes Tools -> Qube Manager), create “New qube” with the following parameters:

   • Name and label: my-app-vm
   • Type: AppVM
   • Template: fedora-36
   • Networking: ivpn-proxy(!)

2. Press OK

That is it. Now, all traffic from my-app-vm will go through the VPN connection.

Final steps

1. Reboot your system

2. To confirm that you are connected to the IVPN network, check the connection status tool on our website and run a dns leak test at https://www.dnsleaktest.com

Related Articles

• Autostart OpenVPN in systemd (Ubuntu)
• WireGuard - "RTNETLINK answers: Operation not supported"
• Linux - Fedora Silverblue
• WireGuard Kill Switch
• Webpages do not load or DNS leaks when connecting via NetworkManager