This advanced terminal-only guide will teach you how to use the WireGuard protocol to connect to Mullvad using Linux.
We also have an easier setup guide which makes use of our browser-based config generator.
sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update && sudo apt-get install curl jq openresolv linux-headers-$(uname -r) wireguard-dkms wireguard-tools
For non-Debian based distributions, follow WireGuard's official installation instructions.
curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh
If you're running WireGuard on multiple devices, generate a separate key pair for each device. You will otherwise likely run into connectivity issues.
wg-quick up mullvad-se4
You may replace "se4" with any of the other regions found on our server page.
wg-quick down mullvad-se4
As before, you may replace "se4" with the currently used region.
To verify that WireGuard is working, use our online tool Am I Mullvad to check your IP.
Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.
Each WireGuard server is connected to all the other WireGuard servers through WireGuard tunnels. This means you can multihop from one server to another. One way to do this is to connect to a specific port on a WireGuard server which will then connect to the other WireGuard server via the tunnel.
For example, let's say you want to connect to nl1 via se4. To do this, you would connect to se4-wireguard.mullvad.net:3004 and use the public key of the nl1 server.
Choose a multihop address from our server page. Then add a new multihop configuration file by modifying an existing one:
sudo sh -c "umask 077; sed 's/^Endpoint.*/Endpoint = se4-wireguard.mullvad.net:3004/' /etc/wireguard/mullvad-nl1.conf > /etc/wireguard/wireguard-se4nl1.conf"
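The multihop step above, as an added shell example that is not part of this guide or of wg-quick: a hypothetical helper, make_multihop_conf, does the same sed rewrite but validates the endpoint, refuses to overwrite an existing file, and confirms that only the Endpoint line changed. The demo config, its placeholder keys, its address and the nl1 endpoint port are constructed for illustration.

```shell
#!/bin/sh
# Added example: make_multihop_conf is a hypothetical helper, not part of wg-quick.
# usage: make_multihop_conf SRC_CONF DST_CONF ENTRY_HOST:PORT
make_multihop_conf() {
    src=$1; dst=$2; endpoint=$3
    host=${endpoint%:*}; port=${endpoint##*:}

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # Do not clobber a config that is already in use.
    [ ! -e "$dst" ] || { echo "$dst already exists" >&2; return 1; }
    # Restrict the endpoint to hostname characters and a numeric port, so the
    # value cannot alter the sed expression below.
    case $endpoint in *:*) ;; *) echo "endpoint needs host:port" >&2; return 1 ;; esac
    case $host in ''|*[!A-Za-z0-9.-]*) echo "bad host: $host" >&2; return 1 ;; esac
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    # The configs in this guide have one peer, hence exactly one Endpoint line.
    n=$(grep -c '^Endpoint' "$src" || true)
    [ "$n" -eq 1 ] || { echo "expected 1 Endpoint line, found $n" >&2; return 1; }

    # umask 077 in a subshell: the copy holds the private key, so create it 0600.
    ( umask 077; sed "s/^Endpoint.*/Endpoint = $endpoint/" "$src" > "$dst" ) || return 1

    # Exactly one line may differ (one "<" and one ">" in diff output); the
    # exit server's PublicKey and everything else must be carried over as-is.
    changed=$(diff "$src" "$dst" | grep -c '^[<>]' || true)
    [ "$changed" -eq 2 ] || { rm -f "$dst"; echo "unexpected changes" >&2; return 1; }
}

# Demo on a constructed config (placeholder keys, constructed address and port).
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/mullvad-nl1.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.0.0.2/32

[Peer]
PublicKey = PLACEHOLDER_NL1_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = nl1-wireguard.mullvad.net:51820
EOF
    make_multihop_conf "$d/mullvad-nl1.conf" "$d/wireguard-se4nl1.conf" \
        se4-wireguard.mullvad.net:3004 && grep -E '^(PublicKey|Endpoint)' "$d/wireguard-se4nl1.conf"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

On a real system the source and destination would be the files under /etc/wireguard used in the command above, and the helper would need to run as root.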
Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.
If you run into any issues while testing WireGuard, please contact us at firstname.lastname@example.org and let us know what you experience.
Due to a Debian bug, Debian/Ubuntu users may want to install openresolv rather than Debian's broken resolvconf, in order to prevent DNS leaks.
In the WireGuard configuration file, replace the 'DNS = ' line with:
PostUp = systemd-resolve -i %i --set-dns=184.108.40.206 --set-domain=~.
Add the following lines under the [Interface] section of the WireGuard configuration files found in
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
See man wg-quick for more information.
Run the following command, replacing mullvad-se4 with the WireGuard server you wish to use.
systemctl enable wg-quick@mullvad-se4
Log in with your account on our website and then add the ports from your account page. You can move the ports to different pubkeys.
"WireGuard" is a registered trademark of Jason A. Donenfeld.