qubes-doc/privacy/vpn.md

---
layout: doc
title: VPN
permalink: /doc/privacy/vpn/
redirect_from:
- /en/doc/vpn/
- /doc/VPN/
- /wiki/VPN/
---

How To make a VPN Gateway in Qubes
----------------------------------

The simplest case if you set up a VPN connection using the Network Manager inside one of your VMs. Setting up such a connection is really not Qubes specific and it is documented in Your operating system documentation. If you using the Qubes default Guest OS (Fedora): [Establishing a VPN Connection](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)

The Qubes specific part is to choose the right VM for the VPN client:

### NetVM

The simplest case is to set up a VPN connection using the Network Manager inside your NetVM. Because the NetworkManager already started you are ready to set up your VPN connection. However this has some disadvantages:

-   You have to place (and probably save) Your VPN credentials inside the NetVM which is directly connected to the outside world
-   All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)

### AppVM

While the Network Manager is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well, however it is only suggested if you have to use a special VPN client.

### ProxyVM

**WARNING:** *You need to use Qubes 3.1-rc2 (or later)! In the previous releases the NetworkManager was not working in ProxyVMs as expected.* ([#1052](https://github.com/QubesOS/qubes-issues/issues/1052))

One of the best thing in Qubes that you can use a special type of VMs called ProxyVM (or FirewallVM). The special thing is that your AppVMs see this as a NetVM, and the NetVMs see it as an AppVM. Because of that You can place a ProxyVM between your AppVMs and Your NetVM. This is how the default firewall VM is working.

Using a ProxyVM to set up a VPN client gives you the ability to:

-   Separate your VPN credentials from Your NetVM
-   Separate your VPN credentials from Your AppVM data.
-   Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.

**To setup a ProxyVM as a VPN gateway you should:**

1.  Create a new VM and check the ProxyVM radio button.

    ![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)

2.  Add the `network-manager` service to this new VM.

    ![Settings-services.png](/attachment/wiki/VPN/Settings-services.png)

3.  Wet up your VPN as described in the Network Manager documentation linked above.

4.  Connect your AppVMs to use the new VM as a NetVM.

    ![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)
VPN changed 2014-05-23 06:42:09 -04:00			`---`
wiki -> doc migration 2015-04-10 16:17:45 -04:00			`layout: doc`
VPN changed 2014-05-23 06:42:09 -04:00			`title: VPN`
fixed merge conflict QubesOS/qubes-issues#1202 2015-12-02 13:14:39 -05:00			`permalink: /doc/privacy/vpn/`
Change URIs from CamelCase to lowercase-hyphen-separated 2015-10-11 03:04:59 -04:00			`redirect_from:`
Remove en/ from URLs (QubesOS/qubes-issues#1333) 2015-10-28 18:14:40 -04:00			`- /en/doc/vpn/`
Change URIs from CamelCase to lowercase-hyphen-separated 2015-10-11 03:04:59 -04:00			`- /doc/VPN/`
			`- /wiki/VPN/`
VPN changed 2014-05-23 06:42:09 -04:00			`---`

VPN changed 2014-05-23 08:47:14 -04:00			`How To make a VPN Gateway in Qubes`
			`----------------------------------`
VPN changed 2014-05-23 06:42:09 -04:00
Update vpn.md #1052 fixed :) 2016-01-22 05:23:37 -05:00			`The simplest case if you set up a VPN connection using the Network Manager inside one of your VMs. Setting up such a connection is really not Qubes specific and it is documented in Your operating system documentation. If you using the Qubes default Guest OS (Fedora): [Establishing a VPN Connection](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)`
VPN changed 2014-05-23 06:42:09 -04:00
Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs. 2015-07-23 07:19:16 -04:00			`The Qubes specific part is to choose the right VM for the VPN client:`
VPN changed 2014-05-23 06:42:09 -04:00
			`### NetVM`

Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs. 2015-07-23 07:19:16 -04:00			`The simplest case is to set up a VPN connection using the Network Manager inside your NetVM. Because the NetworkManager already started you are ready to set up your VPN connection. However this has some disadvantages:`
VPN changed 2014-05-23 06:42:09 -04:00
Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs. 2015-07-23 07:19:16 -04:00			`- You have to place (and probably save) Your VPN credentials inside the NetVM which is directly connected to the outside world`
			`- All your AppVMs which are connected to the NetVM will be connected to the VPN (by default)`
VPN changed 2014-05-23 06:42:09 -04:00
VPN changed 2014-05-23 10:16:18 -04:00			`### AppVM`

Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs. 2015-07-23 07:19:16 -04:00			`While the Network Manager is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well, however it is only suggested if you have to use a special VPN client.`
VPN changed 2014-05-23 10:16:18 -04:00
VPN changed 2014-05-23 06:42:09 -04:00			`### ProxyVM`

Update vpn.md #1052 fixed :) 2016-01-22 05:23:37 -05:00			`WARNING: You need to use Qubes 3.1-rc2 (or later)! In the previous releases the NetworkManager was not working in ProxyVMs as expected. ([#1052](https://github.com/QubesOS/qubes-issues/issues/1052))`
VPN changed 2014-09-22 03:50:21 -04:00
VPN changed 2014-05-23 08:25:42 -04:00			`One of the best thing in Qubes that you can use a special type of VMs called ProxyVM (or FirewallVM). The special thing is that your AppVMs see this as a NetVM, and the NetVMs see it as an AppVM. Because of that You can place a ProxyVM between your AppVMs and Your NetVM. This is how the default firewall VM is working.`
VPN changed 2014-05-23 06:42:09 -04:00
Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs. 2015-07-23 07:19:16 -04:00			`Using a ProxyVM to set up a VPN client gives you the ability to:`
VPN changed 2014-05-23 06:42:09 -04:00
Update vpn.md #1052 fixed :) 2016-01-22 05:23:37 -05:00			`- Separate your VPN credentials from Your NetVM`
VPN changed 2014-05-23 06:42:09 -04:00			`- Separate your VPN credentials from Your AppVM data.`
Updated docs, fixed spelling and use Markdown code syntax for commands. * Add FIXMEs. 2015-07-23 07:19:16 -04:00			`- Easily control which of your AppVMs are connected to your VPN by simply setting it as a NetVM of the desired AppVM.`
VPN changed 2014-05-23 06:42:09 -04:00
VPN changed 2014-05-23 08:18:21 -04:00			`To setup a ProxyVM as a VPN gateway you should:`
VPN changed 2014-05-23 06:42:09 -04:00
Update vpn.md #1052 fixed :) 2016-01-22 05:23:37 -05:00			`1. Create a new VM and check the ProxyVM radio button.`
VPN changed images added 2014-05-23 08:15:00 -04:00
Fix Markdown syntax and clean up text 2015-11-04 15:14:02 -05:00			`![Create\_New\_VM.png](/attachment/wiki/VPN/Create_New_VM.png)`
VPN changed images added 2014-05-23 08:15:00 -04:00
Update vpn.md #1052 fixed :) 2016-01-22 05:23:37 -05:00			2. Add the `network-manager` service to this new VM.
VPN changed images added 2014-05-23 08:15:00 -04:00
Fix Markdown syntax and clean up text 2015-11-04 15:14:02 -05:00			`![Settings-services.png](/attachment/wiki/VPN/Settings-services.png)`
VPN changed 2014-05-23 08:18:21 -04:00
Update vpn.md #1052 fixed :) 2016-01-22 05:23:37 -05:00			`3. Wet up your VPN as described in the Network Manager documentation linked above.`
VPN changed images added 2014-05-23 08:15:00 -04:00
Update vpn.md #1052 fixed :) 2016-01-22 05:23:37 -05:00			`4. Connect your AppVMs to use the new VM as a NetVM.`
Fix Markdown syntax and clean up text 2015-11-04 15:14:02 -05:00
			`![Settings-NetVM.png](/attachment/wiki/VPN/Settings-NetVM.png)`