The things you may be missing here:
1. Its more secure to have a 'sys-vpn' VM dedicated to the VPN client.
2. Service provider apps generally don't work or don't secure a
dedicated VM properly. They assume a PC network architecture while a
Qubes proxy VM is more like a router.
From a security standpoint the best way is probably Qubes-vpn-support
(see my github link below). But it doesn't have easy GUI switching
between servers; you would have to 'cp' the config for the new server
then 'systemctl restart' the service to switch.
Its possible to setup Network Manager in a dedicated VPN VM including
added anti-leak firewall rules. See the Qubes vpn doc for details.
--
Chris Laprise,
tas...@posteo.net
https://github.com/tasket
https://twitter.com/ttaskett
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886