We also have an advanced terminal-only setup guide.
Option 1: use the Mullvad app
The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is connect.
Option 2: use WireGuard
1. Install WireGuard
Ubuntu / Debian
This applies to Ubuntu 18.04 and newer (using kernel 5.4 or newer). Users with Debian releases older than Debian 11 (Bullseye) should first enable backports. Then install openresolv and wireguard:
sudo apt update && sudo apt install openresolv wireguard
This applies to Fedora 32 and newer (using kernel 5.6 or newer).
sudo dnf install wireguard-tools
For other Linux distributions, follow the official installation instructions.
2. Generate a configuration file
If you're running WireGuard on multiple devices, generate a separate key pair for each device. You will otherwise likely run into connectivity issues.
Save the downloaded file in your local directory and then copy it to
Also make sure you set the correct permissions so only root can read them:
sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard
3. Turn on WireGuard
For this guide, we have selected Malmö, Sweden (se4), as our first server location. The downloaded config file is named mullvad-se4-wireguard.conf.
Run the following command but replace
se4 with your selected location's alias.
wg-quick up mullvad-se4
As before, replace
se4 with your selection.
wg-quick down mullvad-se4
Verify your connection
To verify that WireGuard is working, use our Connection check to check your IP.
When using our config generator in step two, you have the option of selecting a second server location. Doing so allows your traffic to "hop" from the first location to the second before exiting at your destination.
Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.
Multihop via SOCKS5 proxies
Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.
Using this together with the multihop option in step 2 of this guide will give you an additional hop for a total of three.
If you run into any issues while using WireGuard, please contact us at firstname.lastname@example.org and let us know what you experience.
Due to a Debian bug, Debian/Ubuntu users may want to install openresolv rather than Debian's broken resolvconf, in order to prevent DNS leaks.
DNS leaking Ubuntu 18.04 or newer (or other systems that use systemd-resolved)
Replace the 'DNS = ' line with
PostUp = systemd-resolve -i %i --set-dns=18.104.22.168 --set-domain=~.
How do I enable port forwarding?
Log in to your account page and add ports from there. Keep in mind that the ports will be forwarded to the latest pubkey that you have added.
How do I make WireGuard start automatically on boot?
Run the following command, replacing
mullvad-se4 with the WireGuard server you wish to use.
systemctl enable wg-quick@mullvad-se4
- WireGuard homepage
- WireGuard Whitepaper (PDF)
- Installation Instructions
- Quickstart Instructions
- Donate to Upstream WireGuard Development
- Formal Verification of WireGuard Protocol
- wg(8) man page
- wg-quick(8) man page
"WireGuard" is a registered trademark of Jason A. Donenfeld.