QubesOS : Setup ProtonVPN using Wireguard configurations

[..]
Setting up ProtonVPN on QubesOS using a Wireguard configuration.

First, you need to create a Wireguard configuration from your ProtonVPN account at account.proton.me and store it safely. Choose GNU/Linux as the platform. I'd recommend you also enable tracker blocking and use a Secure Core configuration. For this guide I will use a configuration that goes through Switzerland then Poland.

Now, install the latest fedora-minimal template on your QubesOS install. To do so, check https://www.qubes-os.org/news/ for the latest supported Fedora release (each release is announced) and type

    sudo qubes-dom0-update qubes-template-fedora-38-minimal

replacing 38 with whatever is the latest supported version.

Once it has installed, clone the template using qvm-clone or the Qubes Manager. Let's call it fedora-38-minimal-vpn in this guide. Now fire up that template you just created and open a terminal in dom0. In that terminal, type

    qvm-run -u root fedora-38-minimal-vpn xterm

It will open a terminal as root in your template. Now install Git and the dependencies for Wireguard using dnf:

    dnf in git iproute iptables-nft qubes-core-agent-networking qubes-core-agent-dom0-updates

Note: you only need qubes-core-agent-dom0-updates if you want to update dom0 through a VPN VM directly.

Now we're going to use a tool made by hkbakke on GitHub that will make our life easier.

First, we will store the tool in /usr/src, so let's move there:

    cd /usr/src

Second, set up git to use Qubes' proxy for templates:

    git config --global http.proxy http://127.0.0.1:8082

Third, clone hkbakke's repository:

    git clone https://github.com/hkbakke/qubes-wireguard

Now let's set up the template:

    cd qubes-wireguard ; ./bin/wg-template-conf

Finally, remove git from the template:

    dnf rm git

And now, close your terminal and shut down the template. You will never need to touch it again (apart from updates, obviously).

Now let's set up the Disposable Template that we will use for the VPN.
If you want to use multiple VPNs using different Wireguard configs, just redo the following steps in as many disposable templates as you want.

First, create a new AppVM based on the template we just configured. Let's call it sys-vpn-dvm-CH-PL. Do not give it any networking, and it should not provide networking either. Now turn it on, and run

    qvm-run -u root sys-vpn-dvm-CH-PL xterm

to open a root terminal. Do this two times.

Open a terminal in the Qube that contains your Wireguard configuration, and type

    qvm-copy /path/to/your/wireguard-config.conf

It should open a window in dom0; just select sys-vpn-dvm-CH-PL in the list.

Now, in sys-vpn-dvm-CH-PL, in the first terminal, show the content of the Wireguard config using

    cat /home/user/QubesIncoming/name-of-the-vm-that-had-your-config/your-config-file.conf

In the second one, go to /usr/src/qubes-wireguard using cd, then run

    cp config.example config ; nano config

Note: config.example is a file that already exists. You don't need to replace it with your own Wireguard file or anything else!

Now copy the different values from your Wireguard config into the file that you have just opened. You can copy text in xterm by selecting it, and paste it with a middle click. Once your file has been properly edited, uncomment the WG_PERSISTENT_KEEPALIVE line (remove the #), then save with Ctrl+S and exit with Ctrl+X.

Adjust the permissions of the file with

    chmod 600 config

Set it up with

    ./bin/wg-appvm-conf

Delete /home/user/QubesIncoming with

    rm -rf /home/user/QubesIncoming

Now, let's use a little trick to prevent the VM from losing connection after waking up from sleep. Edit /rw/config/rc.local:

    nano /rw/config/rc.local

And then add the following at the end of the file:

    while true ; do
        sleep 10
        /usr/lib/qubes/qubes-setup-dnat-to-ns
    done

This will fix the DNS servers every 10 seconds.

Power off your AppVM. Now, go to the settings of your AppVM, into the Advanced tab, tick "Disposable template", then click OK.
Create a new Qube of the DisposableVM type, based on sys-vpn-dvm-CH-PL, that provides network and uses sys-net or sys-firewall as networking (depending on your setup). I'll call it sys-vpn-CH-PL. Now set that Qube to start automatically at boot, set it as the network qube for some qubes, and you're good to go!
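
Before powering off sys-vpn-dvm-CH-PL, the three hygiene steps above (chmod 600 on config, uncommenting WG_PERSISTENT_KEEPALIVE, deleting QubesIncoming) can be checked with a small shell function run as root in that qube. This is an added example, not part of the original guide or of hkbakke's tool; the function name is made up here, and it assumes the config file holds one setting per line and that GNU stat is available.

```shell
#!/bin/sh
# Added example (not from the guide or from qubes-wireguard).
# Usage, as root inside sys-vpn-dvm-CH-PL:  audit_vpn_dvm
# Both paths default to the ones used in this guide and can be overridden.

audit_vpn_dvm() {
    cfg="${1:-/usr/src/qubes-wireguard/config}"
    incoming="${2:-/home/user/QubesIncoming}"
    rc=0

    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found"
        return 1
    fi

    # The config holds the Wireguard private key: owner read/write only.
    mode=$(stat -c '%a' "$cfg")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $cfg has mode $mode, expected 600"
        rc=1
    fi

    # Assumption: one setting per line, so an active keepalive line
    # starts with the variable name and not with '#'.
    if ! grep -Eq '^[[:space:]]*WG_PERSISTENT_KEEPALIVE' "$cfg"; then
        echo "FAIL: WG_PERSISTENT_KEEPALIVE is missing or still commented out"
        rc=1
    fi

    # The copied Wireguard file (with the private key) must be gone,
    # otherwise every disposable VPN qube inherits a second copy of it.
    if [ -e "$incoming" ]; then
        echo "FAIL: $incoming still exists"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: permissions, keepalive and cleanup look right"
    return "$rc"
}
```
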