Skip to main content

WireGuard on Linux terminal (easy)

WireGuard Linux Installation Desktop 

Last updated:

This guide uses our easy configuration file generator and the necessary terminal-based commands to use WireGuard® with Mullvad in Linux.

We also have an advanced terminal-only setup guide.

Option 1: use the Mullvad app

The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is to connect.

Option 2: use WireGuard (command-line interface)

1. Install WireGuard

Ubuntu / Debian

This applies to Ubuntu  (using kernel 5.4 or newer). Users with Debian releases older than Debian 11 (Bullseye) should first enable backports. Then install openresolv and wireguard:

sudo apt update && sudo apt install openresolv wireguard


This applies to Fedora 32 and newer (using kernel 5.6 or newer).

sudo dnf install wireguard-tools

For other Linux distributions, follow the official installation instructions.

2. Generate a configuration file

Visit our WireGuard configuration file generator. Options include enabling a kill switch and selecting two locations for multihop.

If you are running WireGuard on multiple devices, generate a separate key for each device. You will otherwise likely run into connectivity issues.

Save the downloaded file in your Downloads folder and then move it to the /etc/wireguard folder.

Make sure that you have the correct permissions so only root can read them:

sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard

3. Connect with WireGuard

For this guide, we have selected Malmö, Sweden (se-mma-wg-001), as our server location. The downloaded config file is named se-mma-wg-001.conf.

As root, change directory to /etc/wireguard and run the following command. Replace se-mma-wg-001 with your selected server.

wg-quick up se-mma-wg-001

4. Verify your connection

To verify that WireGuard is working, use our Connection check to check your IP and verify that you don't have any DNS leaks. You can also check that you are connected using this command:


If it doesn't work, make sure that you still have time on your Mullvad account.

You can also check that you get a handshake using the wg command.



Replace "se-mma-wg-001" with the currently connected server.

wg-quick down se-mma-wg-001

Local network sharing

If you enabled the kill switch in the WireGuard configuration file generator then you may get a problem to connect to your local network. You can modify the kill switch in your WireGuard configuration files so it includes an exception for your local network, for example "! -d". Here is a full example:

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Multihop with WireGuard

When using our configuration generator in step two, you have the option of enabling Multihop and to select an entry server. Doing so allows your traffic to "hop" from the entry location to the exit location. This can be useful for different reasons, for example to increase your privacy by connecting through different countries or to improve latency/performance in some cases if your ISP has suboptimal peering or routing to the location where you want to exit.

Multihop via SOCKS5 proxies

You can also use our SOCKS5 proxies to multihop. See our SOCKS5 proxy guide. Using this together with the Multihop option in step 2 of this guide will give you an additional hop for a total of three.


How do I make WireGuard start automatically on boot?

Run the following command, replacing se-mma-wg-001 with the WireGuard server you wish to use.

systemctl enable wg-quick@se-mma-wg-001

External resources

"WireGuard" is a registered trademark of Jason A. Donenfeld.