Wireguard VPN connections in Qubes OS

tasket edited this page Jun 30, 2019 · 13 revisions

Steps to get a wireguard VPN working in Qubes 4.0.1 & Debian 9 with DNS support and anti-leak firewall.

This method uses HVM mode in both the template and appVM to get the wireguard module installed and working. Unfortunately, the default Debian 9 kernel (4.9) may no longer work in a current Qubes HVM, so it's recommended as a prerequisite to upgrade to a newer kernel from testing, such as linux-image-4.19.0-2-amd64, inside the template. This should allow a Debian template to boot in HVM mode.

Wireguard Package Installation

  1. Change your Debian template to use the Debian kernel in HVM mode (the template name used here is 'd9'):
dom0:~$ qvm-prefs d9 kernel ''
dom0:~$ qvm-prefs d9 virt_mode HVM

While we're in the dom0 shell, go ahead and create the VPN qube that will use this template:

dom0:~$ qvm-create --property virt_mode=HVM --property kernel='' --property provides_network=True \
--property template=d9 --label green sys-vpn-wg
dom0:~$ qvm-service sys-vpn-wg vpn-handler-wg on
  2. Start the template VM, set the Debian default release and enable the unstable repository:
d9:~$ echo 'APT::Default-Release "stable";' | sudo tee /etc/apt/apt.conf.d/90default-release
d9:~$ echo 'deb http://deb.debian.org/debian sid main' | sudo tee /etc/apt/sources.list.d/sid.list
  3. Install the wireguard package:
d9:~$ sudo apt-get update
d9:~$ sudo apt-get install wireguard -t unstable

The following additional packages will be installed:
  wireguard-dkms wireguard-tools
The following NEW packages will be installed:
  wireguard wireguard-dkms wireguard-tools
0 upgraded, 3 newly installed, 0 to remove and 1079 not upgraded.
Need to get 0 B/378 kB of archives.
After this operation, 2,087 kB of additional disk space will be used.
Do you want to continue? [Y/n] 

Eventually you should see:

DKMS: install completed.
  4. Shut down the template.

  5. Change the template back to default PVH (optional, see notes):

dom0:~$ qvm-prefs d9 kernel --default
dom0:~$ qvm-prefs d9 virt_mode --default

Configure Qubes VPN VM

  1. Copy the wireguard config (Mullvad example here) and Qubes-vpn-support to the sys-vpn-wg qube created earlier:
appvm:~$ git clone https://github.com/tasket/Qubes-vpn-support.git
appvm:~$ cd Qubes-vpn-support; git log --show-signature -1; cd ..
appvm:~$ qvm-copy Qubes-vpn-support
appvm:~$ qvm-copy mullvad-us1.conf

The git log step is optional: It verifies Qubes-vpn-support against my public key.

  2. Start a CLI in the 'sys-vpn-wg' qube to install the VPN scripts and config. When prompted for a username and password, leave them blank:
$ cd QubesIncoming/appvm/Qubes-vpn-support
$ sudo bash ./install
$ cd ..
$ sudo cp mullvad-us1.conf /rw/config/vpn/vpn-client.conf
  3. Rename the qubes-vpn-handler service config to switch from openvpn to wireguard:
$ cd /rw/config/qubes-vpn-handler.service.d
$ sudo mv 10_wg.conf.example 10_wg.conf
  4. Restart the qube.
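
As an added example (not part of the original page or of Qubes-vpn-support), the script below sanity-checks a WireGuard config such as mullvad-us1.conf before it is copied to /rw/config/vpn/vpn-client.conf. It assumes the file is in wg-quick format; the function names `wg_value` and `check_wg_conf` and the set of required keys are choices made for this example, and the sample config is constructed.

```shell
#!/bin/bash
# Added example (not from Qubes-vpn-support): preflight check of a wg-quick
# style config. Which keys to require is an assumption of this example.

wg_value() {  # usage: wg_value FILE SECTION KEY -> prints matching values
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = tolower($0); next }
        cur == tolower(sec) {
            line = $0; sub(/#.*/, "", line)
            n = index(line, "="); if (!n) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }' "$1"
}

check_wg_conf() {  # usage: check_wg_conf FILE -> returns number of problems
    local f="$1" problems=0 key mode
    [ -r "$f" ] || { echo "cannot read $f"; return 1; }
    for key in Interface:PrivateKey Interface:Address Peer:PublicKey Peer:Endpoint; do
        [ -n "$(wg_value "$f" "${key%%:*}" "${key##*:}")" ] ||
            { echo "missing ${key##*:} in [${key%%:*}]"; problems=$((problems + 1)); }
    done
    # wg-quick builds routes from AllowedIPs; a full tunnel needs 0.0.0.0/0.
    wg_value "$f" Peer AllowedIPs | tr ',' '\n' | tr -d ' \t' | grep -qx '0\.0\.0\.0/0' ||
        { echo "AllowedIPs lacks 0.0.0.0/0"; problems=$((problems + 1)); }
    # Without a DNS line the tunnel config names no resolver.
    [ -n "$(wg_value "$f" Interface DNS)" ] ||
        { echo "no DNS in [Interface]"; problems=$((problems + 1)); }
    # The file holds the private key: owner access only (stat -c is GNU stat).
    mode=$(stat -c '%a' "$f")
    case $mode in *00) ;; *) echo "mode $mode exposes PrivateKey"; problems=$((problems + 1)) ;; esac
    return "$problems"
}

# Constructed sample config (placeholder keys, documentation addresses).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER
Address = 10.0.0.2/32
DNS = 10.0.0.1
[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
EOF
check_wg_conf "$sample" && echo "config OK"
rm -f "$sample"
```

To check a real file, source the functions and run `check_wg_conf mullvad-us1.conf`; the exit status is the number of problems found.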

Notes

  • A reminder: Wireguard is still experimental.

  • See the Mullvad howto page for additional details.

  • Leaving the template in HVM mode can cause other VMs that are based on it to also run as HVM instead of PVH (the Qubes default); this happens when the appVM's virt_mode is set to 'default'. To avoid this, either switch your appVMs to explicitly use PVH mode or change the template back to PVH (step 5). However, the template may not be able to install future updates for the wireguard DKMS module if it is set to PVH mode.