WireGuard on Linux terminal (advanced)

WIREGUARD

Last updated: 13 March 2023


This advanced terminal-only guide will teach you how to use the WireGuard® protocol to connect to Mullvad using Linux.

We also have an easier setup guide which makes use of our browser-based config generator.

 

Option 1: use the Mullvad app

The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is connect.

Option 2: use the WireGuard app

1. Install WireGuard

sudo apt-get update && sudo apt-get install curl jq openresolv wireguard

For non-Debian based distributions, follow WireGuard's official installation instructions.

2. Run our configuration script

curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh

If you're running WireGuard on multiple devices, generate a separate key pair for each device. You will otherwise likely run into connectivity issues.

3. Turn on WireGuard

wg-quick up se3-wireguard

You may replace "se3" with any of the other regions found on our server page.

Note: Make sure that the configuration file name is no more than 15 characters long (not including ".conf").

Disconnect

wg-quick down se3-wireguard

As before, you may replace "se3" with the currently used region.

Verify your connection

To verify that WireGuard is working, use our Connection check to check your IP.

Multihop with WireGuard

Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.

Each WireGuard server is connected to all the other WireGuard servers through WireGuard tunnels. This means you can multihop from one server to another. One way to do this is to connect to a specific port on a WireGuard server which will then connect to the other WireGuard server via the tunnel.

In the WireGuard configuration file the Endpoint port defines the exit server, and the preceding IP-address or hostname defines the entry server: "INSERVER-IP:OUTSERVER-PORT". The PublicKey is that of the exit server.

For example, let's say you want to connect to nl1 via se4 (so nl1 is the exit server). To do this, you would connect to se4-wireguard.mullvad.net:3004 and use the public key of the nl1 server. The port 3004 is the multihop port for nl1.

Choose a multihop port from our server page. Then add a new multihop configuration file by modifying an existing one. In the following example you start with an existing configuration file for nl1 so you have the public key for that. Then you change the Endpoint to connect to se4-wireguard.mullvad.net (or 193.138.218.130) and jump to nl1 via it's multihop port 3004. The configuration is saved as a new configuration file.

sudo sh -c "umask 077; sed 's/^Endpoint.*/Endpoint = se3-wireguard.mullvad.net:3004/' /etc/wireguard/nl1-wireguard.conf > /etc/wireguard/wireguard-se4nl1.conf"

Multihop via SOCKS5 proxies

Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.

Troubleshooting

If you run into any issues while testing WireGuard, please contact us at support@mullvad.net and let us know what you experience.

Due to a Debian bug, Debian/Ubuntu users may want to install openresolv rather than Debian's broken resolvconf, in order to prevent DNS leaks.

DNS leaking Ubuntu 18.04 or newer (or other systems that use systemd-resolved)

In the WireGuard configuration file replace the 'DNS = ' line with : PostUp = systemd-resolve -i %i --set-dns=193.138.218.74 --set-domain=~.

FAQ

How do I enable a kill switch?

Add the following lines under the [Interface] section of the WireGuard configuration files found in /etc/wireguard/:

PostUp  =  iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show  %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Issue man wg-quick for more information.

How do I make WireGuard start automatically on boot?

Run the following command, replacing se3-wireguard with the WireGuard server you wish to use.

systemctl enable wg-quick@se3-wireguard

How do I enable port forwarding?

Log in with your account on our website and then add the ports from your account page, you can move the ports to different pubkeys.

External resources

"WireGuard" is a registered trademark of Jason A. Donenfeld.