Additional VPN destinations via CLI config?

Sep 11, 2017, 1:37:19 PM
to qubes-users
I followed the tutorial here, specifically "Set up a ProxyVM as a VPN gateway using iptables and CLI scripts"

I like having the iptables anti-leak rules. However, it's connecting automatically to my VPN provider's destination that I downloaded their .ovpn for.

Is it possible to compile multiple locations and be able to select which one?

OR perhaps I'm going about this the wrong way? Should I instead use the GUI way via NetworkManager? Can I configure that for multiple destination choices then perhaps still add the iptables anti-leak rules?

What's the best way?



Sep 11, 2017, 11:52:01 PM
to qubes-users
On 09/11/2017 07:37 AM,
na, just make another NetVM like you did for the one you got, or 2, 3,
etc., up to you. What I've been doing is, after suspend, just start the
new non-active VPN NetVM and use it, after changing the appVMs using
it. Bit tedious but works.


Sep 12, 2017, 1:15:19 AM
Create a different VPN ProxyVM for each location you want to use.
You lose leak protection if you use NetworkManager, you should use the
iptables way.

Once you get the first ProxyVM set up correctly, you can copy its files
to other ProxyVMs to save time. Just verify their permissions and change
the desired server in the .ovpn file. Check your MTU settings, too.


Sep 13, 2017, 3:21:03 AM
to qubes-users
proxyVM rather fwiw

btw, how or why does one "check their MTU settings?"

pixel fairy

Sep 13, 2017, 3:37:46 AM
to qubes-users
On Wednesday, September 13, 2017 at 12:21:03 AM UTC-7, qubester wrote:
> proxyVM rather fwiw
> btw, how or why does one "check their MTU settings?"

ip a

look for a line like this,

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000


Sep 13, 2017, 8:23:23 PM
> btw, how or why does one "check their MTU settings?"
Why? Incorrect MTU settings caused me to have disconnects from my VPN
connections. After I measured and compensated for poor MTU, my
connections have become much more stable and disconnects come back
online shortly.

How? MTU is essentially packet size. You can measure in CLI by pinging a
server. There are a few tutorials to correct MTU in OpenVPN. Go to one
of them to check it out.

Kushal Das

Sep 14, 2017, 12:50:56 AM
to qubes-users
I wrote a blog post [1] about how I am trying to do a similar thing.


Fedora Cloud Engineer
CPython Core Developer

Chris Laprise

Sep 14, 2017, 4:17:14 PM
to qubes-users
If all the VPN links are the same provider or have the same trust
profile, then switching with a menu should be OK. But there is no "best"
way; it depends greatly on how you use the VPNs.

With the VPN doc scripts, you could move the contents of rc.local to a
custom script in /rw/config so it isn't directly executed on startup.
Then at the start of the script read all the ovpn files from
/rw/config/vpn into an array and print that as a menu, then read input
from the user. Next, link the chosen file to openvpn-client.ovpn.

You could start this script automatically from rc.local using
'systemd-run xterm ' etc.


Chris Laprise,
PGP: BEE2 20C5 356E 764A 73EB 4AB3 1DC4 D106 F07F 1886
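
The menu approach described in the post above, as an added example that is not part of the original thread or of the Qubes VPN doc scripts: it lists the .ovpn files in /rw/config/vpn, reads a number and links the chosen file to openvpn-client.ovpn. The function names, the `--menu` switch and the file name `vpn-menu.sh` are assumptions, and a glob loop stands in for the array so the script runs under plain sh.

```shell
#!/bin/sh
# Added example (not from the Qubes VPN doc): choose one of several .ovpn
# profiles and link it as openvpn-client.ovpn. Function names are made up.

# Print the path of every profile in directory $1, one per line.
profiles() {
    for f in "$1"/*.ovpn; do
        [ -f "$f" ] || continue                      # no match / dangling link
        [ "${f##*/}" = openvpn-client.ovpn ] && continue   # the link itself
        printf '%s\n' "$f"
    done
}

# Print the numbered menu for directory $1.
menu_text() {
    profiles "$1" | awk -F/ '{ printf "%d) %s\n", NR, $NF }'
}

# Point $1/openvpn-client.ovpn at menu entry number $2.
# Returns 1 for an invalid choice, 2 if the link name is a regular file.
link_profile() {
    link="$1/openvpn-client.ovpn"
    case "$2" in ''|*[!0-9]*) return 1 ;; esac       # digits only
    [ "$2" -ge 1 ] || return 1
    chosen=$(profiles "$1" | sed -n "${2}p")
    [ -n "$chosen" ] || return 1                     # number past end of menu
    # Do not overwrite a real config left from the single-profile setup.
    if [ -e "$link" ] && [ ! -L "$link" ]; then return 2; fi
    ln -sf "${chosen##*/}" "$link"                   # relative link, same dir
}

# Interactive entry point: show the menu, read a number, link the profile.
choose_vpn() {
    dir=${1:-/rw/config/vpn}
    menu_text "$dir"
    printf 'VPN profile number: '
    read -r choice || return 1
    link_profile "$dir" "$choice" || { echo "No profile linked." >&2; return 1; }
}

# Run only when asked to, e.g. from rc.local inside an xterm:
#   sh vpn-menu.sh --menu
# The commands moved out of rc.local would follow the call below.
if [ "${1:-}" = "--menu" ]; then
    choose_vpn "${2:-}"
fi
```

If the link step fails, the script leaves the existing openvpn-client.ovpn untouched, so the iptables anti-leak rules and the previous profile stay in effect.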
