Choosing the Right VPN for Qubes OS
Qubes OS users are very particular about isolation, secure defaults and minimal attack surface. By default Qubes uses Fedora-based TemplateVMs and the dnf package manager (though Debian-based templates with apt are popular too). Typical desktop environments are XFCE or KDE Plasma, running inside AppVMs, each with its own root filesystem. Network traffic flows through a dedicated sys-net VM and is optionally filtered by sys-firewall. To integrate a VPN, you’ll generally:
- Create or clone a minimal TemplateVM (e.g. fedora-33 → vpn-template).
- Install VPN software inside that template (using dnf or apt directly in the template).
- Instantiate a ProxyVM (NetVM) from your VPN template.
- Set your AppVMs’ NetVM to the VPN ProxyVM.
Qubes users need VPN clients with solid Linux support, systemd integration (for an automatic kill-switch), and preferably a CLI tool. Based on these criteria, the following stand out:
VPN Comparison Table
| VPN | Linux Client | Package Manager | Protocols | Kill-Switch | Features |
|---|---|---|---|---|---|
| Mullvad VPN | CLI daemon (mullvad) | dnf / apt | WireGuard, OpenVPN | Yes (systemd) | Anonymous account, port forwarding |
| ProtonVPN | CLI (protonvpn) | apt / dnf (package repo) | WireGuard, OpenVPN | Yes (systemd) | Secure Core, Tor over VPN |
| NordVPN | CLI (nordvpn) | dnf / apt | NordLynx (WireGuard), OpenVPN | Yes (native) | Double VPN, obfuscation |
| IVPN | CLI OpenVPN config | dnf / apt | WireGuard, OpenVPN | Yes | Multi-hop, port forwarding |
| Windscribe | CLI (windscribe-cli) | dnf / apt | WireGuard, OpenVPN, IKEv2 | Yes | R.O.B.E.R.T. ad-blocker |
Installing and Configuring Top VPNs in Qubes OS
Mullvad VPN
Mullvad’s minimal CLI & daemon approach fits neatly into a Qubes vpn-template. We’ll assume you cloned fedora-33 to vpn-template and started it.
- In Qubes Manager, open a terminal in vpn-template.
- Enable the Mullvad repo and install:
    sudo dnf install dnf-plugins-core
    sudo dnf config-manager --add-repo=https://releases.mullvad.net/linux/mullvad-repo.repo
    sudo dnf install mullvad-daemon
- Enable and start the daemon:
    sudo systemctl enable --now mullvad-daemon.service
- Log in and connect:
    mullvad account login   # follow on-screen link to add account code
    mullvad connect wireguard
- Shut down vpn-template, then create a new AppVM (type NetVM) using it (e.g. vpn-dvm).
- Point your AppVMs’ NetVM to vpn-dvm.
ProtonVPN
ProtonVPN’s CLI tool supports both Debian and Fedora templates. We’ll illustrate Debian-based debian-11 → vpn-template-deb.
- Open a terminal in vpn-template-deb.
- Add the repository and install:
    sudo apt update
    sudo apt install -y gnupg
    # import the repository signing key
    wget -qO - https://repo.protonvpn.com/debian/public_key.asc | sudo apt-key add -
    # register the repository as an apt source
    echo "deb https://repo.protonvpn.com/debian stable main" | sudo tee /etc/apt/sources.list.d/protonvpn.list
    sudo apt update
    sudo apt install -y protonvpn-cli
- Initialize & connect:
    protonvpn init   # follow prompts for OpenVPN or WireGuard
    protonvpn connect --fastest
- Create a NetVM from vpn-template-deb (e.g. protonvpn-dvm) and route AppVMs through it.
NordVPN
NordVPN offers RPM/DEB packages and a systemd-aware daemon. The steps below are for a Fedora-based template:
- In vpn-template, open a terminal.
- Add the repository and install:
    sudo dnf install -y yum-utils
    sudo yum-config-manager --add-repo https://repo.nordvpn.com/yum/nordvpn.repo
    sudo dnf install -y nordvpn
- Log in & connect:
    nordvpn login
    nordvpn set killswitch on
    nordvpn connect
- Clone this template to create nordvpn-dvm and set it as the NetVM.
With these steps you’ll have compartmentalized VPN ProxyVMs, ensuring each AppVM’s traffic is tunnelled securely without bloating dom0 or other templates.
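A check that the routing described above is actually in place, as an added example that is not part of the original article: it reads the `name|netvm` listing that `qvm-ls --raw-data --fields NAME,NETVM` prints in dom0 and flags any qube that should use the VPN ProxyVM but does not. The qube names `work` and `personal`, the `VPN_QUBE` variable and the embedded sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): audit NetVM assignments.
# Input format: "name|netvm" lines, as printed in dom0 by
#   qvm-ls --raw-data --fields NAME,NETVM
# VPN_QUBE defaults to the article's example ProxyVM name (assumption).
VPN_QUBE="${VPN_QUBE:-vpn-dvm}"

# audit_netvm "qube1 qube2 ..."   (qvm-ls raw data on stdin)
# Prints one line per listed qube that is missing or whose NetVM is not
# $VPN_QUBE; returns 1 if anything was flagged, 0 if all are routed correctly.
audit_netvm() {
    awk -F'|' -v vpn="$VPN_QUBE" -v want="$1" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) need[w[i]] = 1 }
        ($1 in need) {
            seen[$1] = 1
            if ($2 != vpn) {
                printf "%s: netvm=%s (expected %s)\n", $1, $2, vpn
                bad = 1
            }
        }
        END {
            # A qube that is absent from the listing cannot be confirmed as routed.
            for (i = 1; i <= n; i++)
                if (!(w[i] in seen)) { printf "%s: qube not found\n", w[i]; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# Constructed sample listing: "personal" bypasses the VPN ProxyVM.
sample_listing() {
    cat <<'EOF'
sys-net|-
sys-firewall|sys-net
vpn-dvm|sys-firewall
work|vpn-dvm
personal|sys-firewall
EOF
}

# Demo on the sample; in dom0, pipe the qvm-ls command above in instead.
sample_listing | audit_netvm "work personal" || echo "VPN routing audit failed"
```

Running it after every template clone or NetVM change catches a qube that was left attached to sys-firewall directly.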