Back to Guides

Advanced WireGuard + Mullvad setup on Linux

This advanced terminal-only guide will teach you how to use the WireGuard protocol to connect to Mullvad using Linux.

We also have an easier setup guide which makes use of our browser-based config generator.

Step 1) Install WireGuard

sudo add-apt-repository ppa:wireguard/wireguard && sudo apt-get update && sudo apt-get install curl jq openresolv linux-headers-$(uname -r) wireguard-dkms wireguard-tools

For non-Debian based distributions, follow WireGuard's official installation instructions.
 

Step 2) Run our configuration script

curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh


Step 3) Turn on WireGuard

wg-quick up mullvad-se4

You may replace "se4" with any of the other regions found on our server page.
 

Disconnect

wg-quick down mullvad-se4

As before, you may replace "se4" with the currently used region.
 

Verify your connection

To verify that WireGuard is working, use our online tool Am I Mullvad to check your IP.
 

Multihop with WireGuard

Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.

Each WireGuard server is connected to all the other WireGuard servers through WireGuard tunnels. This means you can multihop from one server to another. One way to do this is to connect to a specific port on a WireGuard server which will then connect to the other WireGuard server via the tunnel.

For example, let's say you want to connect to nl1 via se4. To do this, you would connect to se4-wireguard.mullvad.net:3004 and use the public key of the nl1 server.

Choose a multihop address from our server page. Then add a new multihop configuration file by modifying an existing one:

sudo sh -c "umask 077; sed 's/^Endpoint.*/Endpoint = se4-wireguard.mullvad.net:3004/' /etc/wireguard/mullvad-nl1.conf > /etc/wireguard/wireguard-se4nl1.conf"


Multihop via SOCKS5 proxies

Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.
 

Troubleshooting

If you run into any issues while testing WireGuard, please contact us at support@mullvad.net and let us know what you experience.

Due to a Debian bug, Debian/Ubuntu users may want to install openresolv rather than Debian's broken resolvconf, in order to prevent DNS leaks.
 

DNS leaking Ubuntu 18.04 or newer (or other systems that use systemd-resolved)
Replace the 'DNS = ' line with : PostUp = systemd-resolve -i %i --set-dns=193.138.219.228 --set-domain=~.

FAQ

Q: How do I enable a kill switch?
A: You can add the following lines under the [Interface] section of the WireGuard configuration files found in /etc/wireguard/ :

PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Issue man wg-quick for more information.

Q: How do I make WireGuard start automatically on boot ?
A: systemctl enable wg-quick@mullvad-se4  (replace mullvad-se4 with the WireGuard server you wish to use)

Q: How do I enable port forwarding?
A: Log in with your account on our website and then add the ports from your account page,  keep in mind that the ports will be forwarded to the latest pubkey that you have added.

External resources

"WireGuard" is a registered trademark of Jason A. Donenfeld.