---
date: 2024-06-24
title: qubes-miragevpn, a MirageVPN client for QubesOS
description: A new OpenVPN client for QubesOS
tags:
  - OCaml
  - vpn
  - unikernel
  - QubesOS
author:
  name: Romain Calascibetta
  email: romain.calascibetta@gmail.com
  link: https://blog.osau.re/
---

We are pleased to announce the arrival of a new unikernel:
[qubes-miragevpn][qubes-miragevpn]. The latter is the result of work begun
several months ago on [miragevpn][miragevpn].

Indeed, with the ambition of completing our unikernel suite and the success of
[qubes-mirage-firewall][qubes-mirage-firewall] - as well as the general aims of
QubesOS - we thought it would be a good idea to offer this community a unikernel
capable of acting as an OpenVPN client, from which other virtual machines (app
qubes) can connect so that all their connections pass through the OpenVPN
tunnel.

## QubesOS & MirageOS

Unikernels and QubesOS have always been a tempting idea for users in the sense
that a network application (such as a firewall or VPN client) could be smaller
than a Linux kernel: no keyboard, mouse, wifi management, etc. Just network
management via virtual interfaces should suffice.

In this case, the unikernel corresponds to this ideal where, starting from a
base ([Solo5][solo5]) that only allows the strictly necessary (reading and
writing on a virtual interface or block device) and building on top of it all
the application logic strictly necessary to the objective we wish to achieve
reduces, in effect, drastically:
1) the unikernel's attack surface
2) its weight
3) its memory usage


We won't go into all the work that's been done to maintain and improve
[qubes-mirage-firewall][qubes-mirage-firewall] over the last 10
years<sup>[1](#fn1)</sup>, but it's clear that this particular unikernel has
found its audience, who aren't necessarily OCaml and MirageOS aficionados.

In other words, [qubes-mirage-firewall][qubes-mirage-firewall] may well be a
fine example of what can actually be done with MirageOS, and of real utility.

<hr>

<tag id="fn1">**1**</tag>: [marmarek][marmarek], [Mindy][yomimono] or
[mato][mato] were (and still are) heavily involved in the work between QubesOS
and MirageOS. We'd also like to thank them, because if we're able to continue
this adventure, it's also thanks to them.

## QubesOS & MirageVPN

So, after a lengthy development phase for MirageVPN, we set about developing a
unikernel for QubesOS to offer an OpenVPN client as an operating system. We'd
like to give special thanks to [Pierre Alain][palainp], who helped us to better
understand QubesOS and its possibilities.

The unikernel is available here: https://github.com/robur-coop/qubes-miragevpn
A tutorial has just been created to help QubesOS users install and configure
such an unikernel: https://robur-coop.github.io/miragevpn-handbook/

In the same way as [qubes-mirage-firewall][qubes-mirage-firewall], we hope to
offer a solution that works and expand the circle of MirageOS and unikernel
users!

[qubes-miragevpn]: https://github.com/robur-coop/qubes-miragevpn
[miragevpn]: https://github.com/robur-coop/miragevpn
[qubes-mirage-firewall]: https://github.com/mirage/qubes-mirage-firewall
[glossary]: https://www.qubes-os.org/doc/glossary/
[solo5]: https://github.com/Solo5/solo5
[palainp]: https://github.com/palainp
[marmarek]: https://github.com/marmarek
[yomimono]: https://github.com/yomimono
[mato]: https://github.com/mato