Collection of Qubes OS scripts and configs.
This setup focuses on privacy. All network traffic must always be routed through VPNs. The use of multiple VPNs, via daisy chaining, is recommended.
graph LR
a[Internet] --> b[sys-net]
b --> c[sys-clearnet]
c --> d[sys-mullvad]
d --> e[sys-vpn]
e --> f[app-vm]
Notes:
- sys-mullvad should be configured with firewall rules to only allow outgoing connections to Mullvad's IP address
- You can add more VPN providers by appending after sys-vpn before any app-vms
Initial configuration is done using https://github.com/hkbakke/qubes-wireguard. Wireguard is the preferred software.
It is strongly recommended to route all traffic through your VPN. This includes updates, clock, whonix, and all qubes except sys-net.
- Open Qubes Global Settings in dom0
- Under "qube defaults" change the following to your vpn firewall qubes "sys-vpn"
- Dom0 Update qube (All updates in dom0 will be fetched via vpn)
- Clock qube (Clock will be updated via vpn)
- net qube (Route all traffic from vms through vpn, unless changed)
You must change your system time to match your VPN. Failing to do so will reveal your real location to websites.
This must be done in your template VM. Remember to restart your app-vms afterwards.
sudo timedatectl set-timezone 'Europe/Berlin'
Use Mullvad's website to generate a Wireguard config. Using multihop is strongly recommended.
The Wireguard key must be rotated every so often to maintain privacy. This can be done via a custom bash script that executes upon startup.
- Copy the contents of the mullvad folder to
/rw/config/mullvad
- Add the line
bash /rw/config/mullvad/rotate.sh
in/rw/config/rc.local
- Add your Mullvad account number in
/home/user/mullvad.txt
Notes:
- Key rotation must be done after a VPN connection is established, due to firewall rules
- The existing key in your Wireguard config will be automatically revoked from Mullvad
- Edit the variables in rotate.sh if your Wireguard config is not at
/rw/config/wireguard/wg0.conf
- The certificate at https://api.mullvad.net is validated via curl using
--cacert
. If this certificate is updated, the file certificate.pem must be updated. The up to date certificate can be found at Mullvad's github repository.
Additional VPN providers can be setup. It is strongly recommended to daisy chain VPNs together. Each new VPN should have its own firewall vm.
- Create a new app-vm using the Wireguard template (Remember to check "Provides network access to other qubes" option)
- Set Net Qube as sys-vpn
- Start the new app-vm and configure Wireguard
- Setup firewall rules to only allow outgoing connections to the server IP address
- Clone sys-vpn
- Configure new app-vms to use the previously cloned qubes as its Net Qube
Updates should be fetched via the vpn qubes and not sys-net. An alternative is to fetch updates over Tor using sys-whonix.
- Open Qube Manager in dom0
- Open settings for your vpn qubes (ex: sys-mullvad)
- Go to "Services"
- Add service "qubes-update-proxy"
- Click "OK" to apply settings
- Edit file
/etc/qubes-rpc/policy/qubes.UpdatesProxy
in dom0
Sample config
# Route whonix through sys-whonix
$tag:whonix-updatevm $default allow,target=sys-whonix
$tag:whonix-updatevm $anyvm deny
# Route all through sys-whonix
# $type:TemplateVM $default allow,target=sys-whonix
# Route tagged VM through secondary VPN
# $tag:work $anyvm allow,target=sys-vpn-2
# Route all through Mullvad
$type:TemplateVM $default allow,target=sys-mullvad
# Route all through sys-net
# $type:TemplateVM $default allow,target=sys-net
# Deny all
$type:TemplateVM $anyvm deny