WireGuard on Linux terminal (advanced)
This advanced terminal-only guide will teach you how to use the WireGuard protocol to connect to Mullvad using Linux.
We also have an easier setup guide which makes use of our browser-based config generator.
Step 1) Install WireGuard
sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update && sudo apt-get install curl jq openresolv linux-headers-$(uname -r) wireguard-dkms wireguard-tools
For non-Debian based distributions, follow WireGuard's official installation instructions.
Step 2) Run our configuration script
curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh
If you're running WireGuard on multiple devices, generate a separate key pair for each device. You will otherwise likely run into connectivity issues.
Step 3) Turn on WireGuard
wg-quick up mullvad-se4
You may replace "se4" with any of the other regions found on our server page.
wg-quick down mullvad-se4
As before, you may replace "se4" with the currently used region.
Verify your connection
To verify that WireGuard is working, use our online tool Am I Mullvad to check your IP.
Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.
Each WireGuard server is connected to all the other WireGuard servers through WireGuard tunnels. This means you can multihop from one server to another. One way to do this is to connect to a specific port on a WireGuard server which will then connect to the other WireGuard server via the tunnel.
For example, let's say you want to connect to nl1 via se4. To do this, you would connect to se4-wireguard.mullvad.net:3004 and use the public key of the nl1 server.
Choose a multihop address from our server page. Then add a new multihop configuration file by modifying an existing one:
sudo sh -c "umask 077; sed 's/^Endpoint.*/Endpoint = se4-wireguard.mullvad.net:3004/' /etc/wireguard/mullvad-nl1.conf > /etc/wireguard/wireguard-se4nl1.conf"
Multihop via SOCKS5 proxies
Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.
If you run into any issues while testing WireGuard, please contact us at firstname.lastname@example.org and let us know what you experience.
Due to a Debian bug, Debian/Ubuntu users may want to install openresolv rather than Debian's broken resolvconf, in order to prevent DNS leaks.
DNS leaking Ubuntu 18.04 or newer (or other systems that use systemd-resolved)
Replace the 'DNS = ' line with : PostUp = systemd-resolve -i %i --set-dns=18.104.22.168 --set-domain=~.
Q: How do I enable a kill switch?
A: Add the following lines under the [Interface] section of the WireGuard configuration files found in /etc/wireguard/ :
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Issue man wg-quick for more information.
Q: How do I make WireGuard start automatically on boot?
A: systemctl enable wg-quick@mullvad-se4 (replace mullvad-se4 with the WireGuard server you wish to use)
Q: How do I enable port forwarding?
A: Log in with your account on our website and then add the ports from your account page, keep in mind that the ports will be forwarded to the latest pubkey that you have added.
- WireGuard homepage
- WireGuard Whitepaper (PDF)
- Installation Instructions
- Quickstart Instructions
- Donate to Upstream WireGuard Development
- Formal Verification of WireGuard Protocol
- wg(8) man page
- wg-quick(8) man page
"WireGuard" is a registered trademark of Jason A. Donenfeld.