Wireguard VPN

Install Wireguard in TemplateVM

apt-get install -y wireguard

Create VM in dom0

  1. Create and configure VM:

    qvm-create sys-wg-vpn --label black
    qvm-prefs sys-wg-vpn netvm sys-firewall
    qvm-prefs sys-wg-vpn provides_network true
    qvm-features service.disable-default-route 1
    qvm-features service.disable-dns-server 1
    qvm-features ipv6 1
  2. Restrict internet access to VPN endpoint:

    qvm-firewall sys-wg-vpn del --rule-no 0
    qvm-firewall sys-wg-vpn add dsthost=<endpoint_ip> proto=udp action=accept

Configure sys-wg-vpn

  1. Persist configuration

    Add to /rw/config/qubes-bind-dirs.d/50_user.conf:

    binds+=( '/etc/systemd/network' )
  2. Reboot

  3. Generate private key:

    (umask 077; wg genkey >/etc/systemd/network/wg0.private_key)
    chmod 640 /etc/systemd/network/wg0.private_key
    chgrp systemd-network /etc/systemd/network/wg0.private_key
  4. Generate pre-shared key:

    (umask 077; wg genpsk >/etc/systemd/network/wg0.preshared_key)
    chmod 640 /etc/systemd/network/wg0.preshared_key
    chgrp systemd-network /etc/systemd/network/wg0.preshared_key
  5. Print public key:

    wg pubkey </etc/systemd/network/wg0.private_key
  6. Start systemd-networkd on boot

    Add to /rw/config/rc.local:

    systemctl start systemd-networkd.service
  7. Forward DNS requests


    iptables -t nat -A PREROUTING -d -p udp --dport 53 -j DNAT --to-destination "$resolver"
    iptables -t nat -A PREROUTING -d -p tcp --dport 53 -j DNAT --to-destination "$resolver"
    iptables -t nat -A PREROUTING -d -p udp --dport 53 -j DNAT --to-destination "$resolver"
    iptables -t nat -A PREROUTING -d -p tcp --dport 53 -j DNAT --to-destination "$resolver"
    # Whonix filters fragmentation needed package
    iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  8. Have traffic to VPN endpoint bypass VPN:

    ip route add <endpoint_ip> dev eth0
  9. Configure Wireguard device

    Create /etc/systemd/networkd/wg.netdev:

    Name = wg0
    Kind = wireguard
    Description = Wireguard VPN
    PrivateKeyFile = /etc/systemd/network/wg0.private_key
    Endpoint = <endpoint_ip>:<endpoint_port>
    AllowedIPs =, ::/0
    PublicKey = <endpoint_public_key>
    PresharedKeyFile = /etc/systemd/network/wg0.preshared_key
  10. Configure VPN network

    Create /etc/systemd/networkd/wg.network:

    Name = wg0
    Address = <vpn_ipv4>
    Address = <vpn_ipv6>
    Gateway = <vpn_gateway_ipv4>
    Destination =
    Gateway = <vpn_gateway_ipv6>
    Destination = ::/0