Advanced networking with QubesOS: VPN proxyVM

According to we can setup multiple ways for our AppVMs to reach the Internet.

AppVMs can:

  • have direct access to the Internet
  • be forced to go through a Tor proxy, tunnelling all their traffic through the Tor network
  • be forced to go through a VPN proxy, tunnelling all their traffic through the VPN.

The beauty of this setup is that once we have our proxyVMs setup, we don’t need to worry about the configuration of any network-level data leaks of the AppVMs that use the proxies.

Example: setting up a Tor proxyVM and then assigning this as the netvm of 5 different AppVMs will force all network traffic from all 5 AppVMs through the Tor network, with no configuration/awareness in the AppVMs themselves! This setup is covered quite well already in

Creating the setup

How to setup a “workvpn” proxyVM that allows us to tunnel any “work” related AppVMs we have through work’s (in this case Cisco) VPN gateway as shown here:

QubesOS advanced network setup

  1. From Qubes Manager: VM -> Create AppVM
  2. Name: workvpn. Select the ProxyVM radio button and OK.
  3. In a couple of seconds your new VM is created. Go to the “K” menu and fire up a terminal in your new workvpn VM.
  4. Create the file vpn.conf with the following contents, substituting your VPN provider’s values:
    Xauth username xxxxxxxxxxxxxxxxxxx
    IPSec gateway
    IPSec ID xxxxxxxxxxxxxxxxxx
    IPSec secret xxxxxxxxxxxxxxxxxxxx
  5. Create the file with the following contents:
    sudo /usr/sbin/vpnc /home/user/vpn.conf
    sleep 2
    sudo /usr/lib/qubes/qubes_setup_dnat_to_ns
  6. Create the file with the following contents:
    sudo /usr/sbin/vpnc-disconnect
    sleep 2
    sudo /usr/lib/qubes/qubes_setup_dnat_to_ns
  7. Make both scripts executable:
    chmod +x *.sh
  8. Now tell your work-related AppVMs to use workvpn as their network VM. To do this, right-click on the AppVMs in Qubes VM Manager and select “VM Settings”. In the “Basic” tab ensure that “NetVM” is set to “workvpn”
  9. You’re all set.

Using this setup

When you fire up any of your AppVMs that need to use the VPN, workvpn will automatically start. You will then need to fire up a terminal in workvpn and type


(of course after the first time you can just hit the “up” arrow and the command will be there for you)
This will connect you to your work’s VPN and allow all AppVMs that use this as their netvm to seamlessly talk to internal work systems, while leaving the rest of your QubesOS AppVMs unaffected, reaching the Internet either directly or through Tor.