WireGuard on Linux terminal (easy)

We'll walk you through our easy browser-based configuration setup and the necessary terminal-based commands to use the WireGuard® protocol with Mullvad on Linux.

We also have an advanced terminal-only setup guide.

Option 1: use the Mullvad app

The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is connect.

Option 2: use WireGuard

1. Install WireGuard

Ubuntu / Debian

This applies to Ubuntu  (using kernel 5.4 or newer). Users with Debian releases older than Debian 11 (Bullseye) should first enable backports. Then install openresolv and wireguard:

sudo apt update && sudo apt install openresolv wireguard

Fedora

This applies to Fedora 32 and newer (using kernel 5.6 or newer).

sudo dnf install wireguard-tools

For other Linux distributions, follow the official installation instructions.

2. Generate a configuration file

Use our WireGuard config generator to automatically generate the necessary file. Options include enabling a kill switch and selecting two locations for multihopping.

If you're running WireGuard on multiple devices, generate a separate key pair for each device and each connection. You will otherwise likely run into connectivity issues.

Save the downloaded file in your local directory and then copy its content to /etc/wireguard.

Also make sure you set the correct permissions so only root can read them:

sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard

3. Turn on WireGuard

For this guide, we have selected Malmö, Sweden (se3), as our first server location. The downloaded config file is named se3-wireguard.conf.

Run the following command but replace se3 with your selected location's alias.

wg-quick up se3-wireguard

Disconnect

As before, replace se3 with your selection.

wg-quick down se3-wireguard

Verify your connection

To verify that WireGuard is working, use our Connection check to check your IP and verify that you don't leak DNS.

Multihop with WireGuard

When using our config generator in step two, you have the option of selecting a second server location. Doing so allows your traffic to "hop" from the first location to the second before exiting at your destination.

Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.

Multihop via SOCKS5 proxies

Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.

Using this together with the multihop option in step 2 of this guide will give you an additional hop for a total of three.

Troubleshooting

If you run into any issues while using WireGuard, please contact us at support@mullvad.net and let us know what you experience.

FAQ

How do I enable port forwarding?

Log in to your account page and add ports from there. Keep in mind that the ports will be forwarded to the latest pubkey that you have added.

How do I make WireGuard start automatically on boot?

Run the following command, replacing mullvad-se3 with the WireGuard server you wish to use.

systemctl enable wg-quick@se3-wireguard

External resources

• WireGuard homepage
• WireGuard Whitepaper (PDF)
• Installation Instructions
• Quickstart Instructions
• Donate to Upstream WireGuard Development
• Formal Verification of WireGuard Protocol
• wg(8) man page
• wg-quick(8) man page

"WireGuard" is a registered trademark of Jason A. Donenfeld.