Interim Bind-Directory Support

Until bind-directory functionality is completed upstream and implemented as /usr/lib/qubes/, files & directories can be added to the BINDS array in /usr/lib/qubes-whonix/bind-directories to have them persist across reboots.

Example: Persistent OpenVPN Configuration

Open File as root: /usr/lib/qubes-whonix/bind-directories
Add entries to BINDS array:



From VPN documentation.

sudo cp /lib/systemd/system/openvpn@.service /lib/systemd/system/openvpn@openvpn.service

bind-dirs config snippet in theory.

binds+=( '/lib/systemd/system/openvpn@openvpn.service' )

Does not work in practice yet. The issue with bind-directories which will still be an issue with bind-dirs is, the files / folders that do not exist in the TemplateVM at all.

“Does not work if the file / folder in question does not already exist in the root image. I.e. a file that does not exist in the root image cannot be bind mounted in the TemplateBasedVM.”

Problematic code:

Issues described on qubes-devel mailing list but no one had an idea how to solve it:

Ok. Needed a little systemd primer first to understand.

IIUC: At present, openvpn can not be enabled or disabled per proxyVM (although binding /etc/openvpn will allow for per-proxyVM openvpn conf’s).

This is because


need to exist in the templateVM and the way to create them is to sudo systemctl enable openvpn... So no point in binding what is already in the Template. There could be a point in binding these files if they could then be deleted in proxyVMs that didn’t need openvpn but that’s not possible either:

[1] Files that exist in the TempalteVM root image cannot be made deleted in the TemlateBasedVMs root image using

So: use dedicated openvpn TemplateVM or standalone VM. Template still has advantages: 1. non-persistent root fs, 2. per-proxyVM openvpn .conf

Actually, it is possible to enable openvpn per-proxyVM if you bind the directories instead of the files:


Is that just going overboard? (Maybe less system breakage by binding /etc/systemd/system/ instead of

We might be able to create openvpn@openvpn.service in the TemplateVM with no harm. Just needs to check an additional condition. ConditionPathExists=... And then that file could be located in /rw.

Not sure if wise to bind that one. Updates in TemplateVM might be missed in TemplateBasedVM then.

For reference:
TemplateBasedVMs: make selected files and folders located in the root image persistent- review

For reference: