From Legoktm

How I set up the Riseup VPN on Qubes.

First, install the debian-10-minimal template if you haven't already:

me@dom0$ sudo qubes-dom0-update qubes-template-debian-10-minimal

Then install the basics for networking to work. The minimal template doesn't have passwordless sudo, so you'll have to open the terminal from dom0.

me@dom0$ qvm-run -u root debian-10-minimal xterm
root@debian-10-minimal$ apt update && apt upgrade && apt install qubes-core-agent-networking qubes-core-agent-network-manager nftables

Once that's done, shutdown the template.

Now we're going to create a standalone VM based off of the debian-10-minimal template. I named it sys-riseup-vpn. Make sure you check the "provides network" box.

me@dom0$ qvm-run -u root sys-riseup-vpn xterm
root@sys-riseup-vpn$ apt install leap-archive-keyring
root@sys-riseup-vpn$ echo "deb http://deb.leap.se/client release buster" > /etc/apt/sources.list.d/leap.list
root@sys-riseup-vpn$ apt update && apt install riseup-vpn

Breaking that down, we need to first install the leap GPG keys for the external apt repository we add to be verified. We could just download the keys from their website, but using the packaged version from Debian adds an additional trust factor that we got the right keys. Then we add the external apt repository and install the riseup-vpn package.

Once it's all installed, we need to set the VPN to start when the VM boots.

sys-riseup-vpn$ echo "/usr/bin/riseup-vpn" >> /rw/config/rc.local

And that's it! Shutdown the VM, set another VM to use it for networking, and then watch as the Riseup VPN loads in your indicator menu. You can verify that you're proxying through Riseup by visiting any of the "check my IP address" websites and seeing that your ISP is "Riseup Networks".