Setting up a VPN connection is really not Qubes specific and is documented in your operating system documentation. The relevant documentation for the Qubes default Guest OS (Fedora) is [Establishing a VPN Connection](https://docs.fedoraproject.org/en-US/Fedora/23/html/Networking_Guide/sec-Establishing_a_VPN_Connection.html)
The simplest case is to set up a VPN connection using the NetworkManager service inside your NetVM. Because the NetworkManager service is already started, you are ready to set up your VPN connection. However this has some disadvantages:
While the NetworkManager service is not started here (for a good reason), you can configure any kind of VPN client in your AppVM as well. However this is only suggested if your VPN client has special requirements.
**WARNING:** *You need to use Qubes 3.1-rc2 (or later)! In the previous releases the NetworkManager service was not working in ProxyVMs as expected.* ([#1052](https://github.com/QubesOS/qubes-issues/issues/1052))
One of the best thing in Qubes is that you can use a special type of VM called a ProxyVM (or FirewallVM). The special thing is that your AppVMs see this as a NetVM, and your NetVMs see it as an AppVM. Because of this, you can place a ProxyVM between your AppVMs and your NetVM. This is how the default FirewallVM functions.
Copy your openvpn config file to `/home/user/vpn.cfg`.
It should have one line starting with `dev` and one starting with `proto`.
The first describes the connection type (`tun` or `tap`) and the second the used protocol (`tcp` or `udp`).
Depending on your connection type, openvpn will create a new network device (probably `tap0` or `tun0`).
It also contains a line `remote X.X.X.X 1194`, where `X.X.X.X` is the ip of your openvpn server.
If it does not contain a line `redirect-gateway def1`, add it.
This will route all traffic through your vpn's network device, after a connection was created.
If the connection breaks down all traffic will be routed through the original network device (we will top this with iptables).
If your vpn config file contains `auth-user-pass`, change it to `auth-user-pass /home/user/auth.txt` and create a file `/home/user/auth.txt` containing the user name in the first line and the password in the second.
This will enable the vpn to login without requiring you to enter your username and password.
If a different authentication method is used, set it up to require no user input.
The vpn should now start by calling `sudo openvpn --config /home/user/vpn.cfg` and require no additional user input.
In the following, we use the following placeholder:
`$DEV` For the device created for the connection.
`$PROT` For the protocol used for connection
`$SVR` For the openvpn server's ip.
`$DNS` For the dns server's ip.
3. Setup iptables:
Edit `/rw/config/qubes-firewall-user-script` and add:
`iptables -P OUTPUT DROP`
This blocks all outgoing traffic, if not specified otherwise.
`iptables -I OUTPUT -o $DEV -j ACCEPT`
This allows the local system to connect through the vpn (you dont need this).