This guide uses our easy configuration file generator and the necessary terminal-based commands to use WireGuard® with Mullvad in Linux.
We also have an advanced terminal-only setup guide.
Option 1: use the Mullvad app
The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is to connect.
Option 2: use WireGuard (command-line interface)
1. Install WireGuard
Ubuntu / Debian
This applies to Ubuntu (using kernel 5.4 or newer). Users with Debian releases older than Debian 11 (Bullseye) should first enable backports. Then install openresolv and wireguard:
sudo apt update && sudo apt install openresolv wireguard
Fedora
This applies to Fedora 32 and newer (using kernel 5.6 or newer).
sudo dnf install wireguard-tools
For other Linux distributions, follow the official installation instructions.
2. Generate a configuration file
If you are running WireGuard on multiple devices, generate a separate key for each device. You will otherwise likely run into connectivity issues.
Save the downloaded file in your Downloads folder and then move it to the
Make sure that you have the correct permissions so only root can read them:
sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard
3. Connect with WireGuard
For this guide, we have selected Malmö, Sweden (se-mma-wg-001), as our server location. The downloaded config file is named se-mma-wg-001.conf.
As root, change directory to /etc/wireguard and run the following command. Replace se-mma-wg-001 with your selected server.
wg-quick up se-mma-wg-001
4. Verify your connection
To verify that WireGuard is working, use our Connection check to check your IP and verify that you don't have any DNS leaks. You can also check that you are connected using this command:
If it doesn't work, make sure that you still have time on your Mullvad account.
You can also check that you get a handshake using the wg command.
Replace "se-mma-wg-001" with the currently connected server.
wg-quick down se-mma-wg-001
If you enabled the kill switch in the WireGuard configuration file generator, you may have problems connecting to your local network. You can modify the kill switch in your WireGuard configuration files so that it includes an exception for your local network, for example "! -d 192.168.1.0/24". Here is a full example:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
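The following is an added example, not part of Mullvad's guide: a POSIX shell check that a WireGuard configuration file has the private permissions set in step 2 and that its kill-switch PreDown deletes exactly the rules its PostUp inserts, because a local-network exception added to only one of the two leaves iptables unable to match and remove the REJECT rule when the tunnel goes down. The function names, sample files and placeholder key are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Mullvad's code): offline audit of a wg-quick config.

# Print the value of KEY (e.g. PostUp) from a wg-quick config FILE.
conf_value() {
    sed -n -e 's/[[:space:]]*$//' -e "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" "$2"
}

# Succeed only if group and others have no permission bits on FILE.
perms_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Succeed only if PostUp inserts a REJECT rule for IPv4 and IPv6 and
# PreDown deletes exactly the same rule specifications.
killswitch_consistent() {
    up=$(conf_value PostUp "$1")
    down=$(conf_value PreDown "$1")
    case $up in
        *"iptables -I OUTPUT"*REJECT*"ip6tables -I OUTPUT"*REJECT*) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$up" | sed 's/ -I OUTPUT / -D OUTPUT /g')" = "$down" ]
}

# Constructed samples: good.conf follows the guide; bad.conf has the LAN
# exception in PostUp only and is world-readable.
make_samples() {
    rule='! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL'
    lan='! -d 192.168.1.0/24'
    {
        echo '[Interface]'
        echo 'PrivateKey = PLACEHOLDER_NOT_A_REAL_KEY'
        echo "PostUp = iptables -I OUTPUT $rule $lan -j REJECT && ip6tables -I OUTPUT $rule -j REJECT"
        echo "PreDown = iptables -D OUTPUT $rule $lan -j REJECT && ip6tables -D OUTPUT $rule -j REJECT"
    } > "$1/good.conf"
    sed "/^PreDown/s| $lan||" "$1/good.conf" > "$1/bad.conf"
    chmod 600 "$1/good.conf"; chmod 644 "$1/bad.conf"
}

dir=$(mktemp -d)
make_samples "$dir"
for f in "$dir"/good.conf "$dir"/bad.conf; do
    perms_private "$f" && p=ok || p=FAIL
    killswitch_consistent "$f" && k=ok || k=FAIL
    echo "${f##*/}: permissions=$p killswitch=$k"
done
rm -rf "$dir"
```

On a real system, call perms_private and killswitch_consistent as root on the configuration file you placed in /etc/wireguard.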
When using our configuration generator in step two, you have the option of enabling Multihop and selecting an entry server. Doing so allows your traffic to "hop" from the entry location to the exit location. This can be useful for different reasons, for example to increase your privacy by connecting through different countries, or in some cases to improve latency or performance if your ISP has suboptimal peering or routing to the location where you want to exit.
Multihop via SOCKS5 proxies
You can also use our SOCKS5 proxies to multihop. See our SOCKS5 proxy guide. Using this together with the Multihop option in step 2 of this guide will give you an additional hop for a total of three.
How do I make WireGuard start automatically on boot?
Run the following command, replacing se-mma-wg-001 with the WireGuard server you wish to use.
systemctl enable wg-quick@se-mma-wg-001
"WireGuard" is a registered trademark of Jason A. Donenfeld.