WireGuard on Linux terminal (advanced)

This advanced terminal-only guide will show you how to use WireGuard® to connect to Mullvad in Linux.

We also have an easier setup guide which uses our easy configuration file generator.

What this guide covers

Option 1: use the Mullvad app

The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is connect. After you install it you can use the normal app or the Mullvad command line interface.

Option 2: use WireGuard (command-line interface)

1. Install WireGuard

The following command applies to Debian. For other Linux distributions, follow the official WireGuard installation instructions.

sudo apt-get update && sudo apt-get install curl jq openresolv wireguard

2. Download our configuration script

Download the mullvad-wg.sh configuration script from the Mullvad GitHub. If you want to verify its authenticity then you can also download the signature file.

curl -o mullvad-wg.sh https://raw.githubusercontent.com/mullvad/mullvad-wg.sh/main/mullvad-wg.sh

curl -o mullvad-wg.sh.asc https://raw.githubusercontent.com/mullvad/mullvad-wg.sh/main/mullvad-wg.sh.asc

Verify the signature

curl -o mullvad-code-signing.asc https://mullvad.net/media/mullvad-code-signing.asc

gpg --import mullvad-code-signing.asc

gpg --verify mullvad-wg.sh.asc

3. Run the configuration script

When you run the script it will ask you to enter your Mullvad account number. Make sure to enter only the numbers without any spaces. It will then download the WireGuard configuration files into the folder /etc/wireguard.

chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh

If you run the script again then it will download the configuration files again using the same WireGuard key (device) as in the existing files. This way you can download files for any new servers since you last ran the script.

If you want to run WireGuard on multiple devices, then create a new WireGuard key for each device. You will otherwise likely run into connectivity issues.

4. Connect with WireGuard

Log in to the root account with su --login and change directory using cd /etc/wireguard. Then run the command below, but replace se-mma-wg-001 with the server config file that you want to use.

wg-quick up se-mma-wg-001

5. Verify your connection

Check if you are connected to Mullvad:

curl https://am.i.mullvad.net/connected

If it doesn't work, make sure that you still have time on your Mullvad account.

If you have a web browser you can use our Connection check to check your IP and verify that you don't have any DNS leaks.

You can also check that you get a handshake using the wg command.

wg
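The wg command prints the latest handshake time for each peer, but reading it by eye does not tell a script whether the tunnel is actually up. The following is an added example, not part of this guide or of Mullvad's tooling: it parses the machine-readable output of wg show INTERFACE latest-handshakes (one line per peer, public key and Unix timestamp, 0 when no handshake has completed) and treats a handshake older than an assumed 180 seconds as stale. The 180-second limit, the function names and the sample output are assumptions made for this example; the wrapper around curl uses the same connection-check URL as above.

```shell
#!/bin/sh
# Added example (not Mullvad's code): decide from `wg show` output whether the
# tunnel has a recent handshake, and check the Mullvad connection endpoint.

# check_handshakes TEXT NOW [MAX_AGE]
#   TEXT     output of `wg show <iface> latest-handshakes`
#            ("<peer-public-key><TAB><unix-time>", one line per peer, 0 = never)
#   NOW      current Unix time
#   MAX_AGE  seconds after which a handshake counts as stale (assumed 180)
# Exit status is 0 only if at least one peer has a fresh handshake and none is stale.
check_handshakes() {
    text=$1; now=$2; max=${3:-180}
    printf '%s\n' "$text" | awk -v now="$now" -v max="$max" '
        NF < 2 { next }                                   # skip blank/garbled lines
        $2 == 0 { print $1 " never completed a handshake"; bad++; next }
        (now - $2) > max {
            print $1 " last handshake " (now - $2) "s ago (stale)"; bad++; next
        }
        { print $1 " last handshake " (now - $2) "s ago (ok)"; ok++ }
        END { exit (ok > 0 && bad == 0) ? 0 : 1 }
    '
}

# handshake_fresh INTERFACE [MAX_AGE]: run wg for a live interface (needs root).
handshake_fresh() {
    check_handshakes "$(wg show "$1" latest-handshakes)" "$(date +%s)" "$2"
}

# mullvad_connected: ask Mullvad's connection check; fails on HTTP errors or after 10 s.
mullvad_connected() {
    curl -fsS --max-time 10 https://am.i.mullvad.net/connected
}

# Demo on constructed output (the key is a placeholder, not a real peer):
sample=$(printf 'PLACEHOLDER_PEER_PUBLIC_KEY=\t1700000000')
if check_handshakes "$sample" 1700000100; then
    echo "tunnel looks up"
else
    echo "no recent handshake"
fi
```

On a real system you would run handshake_fresh se-mma-wg-001 as root; a stale or missing handshake usually means the endpoint is unreachable or the account has no time left, which is the first thing the guide above tells you to check.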

6. Disconnect

Replace "se-mma-wg-001" with your currently connected server.

wg-quick down se-mma-wg-001

Additional WireGuard options

Kill switch

You can add a kill switch to prevent leaking traffic outside of the WireGuard interface by adding the following lines under the [Interface] section of your WireGuard configuration files. See the section about Local network sharing below first.

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

You can view the documentation for this with man wg-quick.

Local network sharing

If you added the kill switch above, you may have trouble connecting to your local network. You can modify the kill switch so that it includes an exception for your local network by adding, for example, ! -d 192.168.1.0/24 to the iptables rule to exclude that subnet.

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
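Editing every downloaded configuration file by hand is error-prone, and a half-applied kill switch (PostUp without the matching PreDown, or the exception added to one rule but not the other) leaves rules behind after wg-quick down. The script below is an added example, not part of this guide or of Mullvad's mullvad-wg.sh: it inserts the PostUp and PreDown lines from the Kill switch and Local network sharing sections directly under [Interface], with the IPv4 local-network exception applied to both rules when a subnet is given, and refuses to touch a file that already contains them. The function name, the error handling and the sample configuration (placeholder keys, a documentation-range IP) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not Mullvad's code): add the guide's kill-switch rules to a
# wg-quick configuration file, optionally excluding an IPv4 LAN subnet.

# add_killswitch CONF [LAN_SUBNET]
#   CONF        path to a wg-quick configuration file (e.g. /etc/wireguard/se-mma-wg-001.conf)
#   LAN_SUBNET  optional IPv4 CIDR to keep reachable, e.g. 192.168.1.0/24
add_killswitch() {
    conf=$1; lan=$2
    if ! grep -q '^\[Interface\]' "$conf"; then
        echo "error: no [Interface] section in $conf" >&2; return 1
    fi
    # Refuse to add a second copy: duplicate PostUp lines would stack rules.
    if grep -q '^PostUp *=.*fwmark' "$conf"; then
        echo "error: $conf already contains a kill switch" >&2; return 1
    fi
    v4_excl=""
    if [ -n "$lan" ]; then
        case $lan in
            *.*.*.*/*) v4_excl="! -d $lan " ;;
            *) echo "error: '$lan' is not an IPv4 CIDR (a.b.c.d/n)" >&2; return 1 ;;
        esac
    fi
    # Match set: everything not leaving via the tunnel, not already marked by
    # WireGuard's own fwmark, and not destined for a local address.
    base='OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL'
    postup="PostUp = iptables -I $base ${v4_excl}-j REJECT && ip6tables -I $base -j REJECT"
    predown="PreDown = iptables -D $base ${v4_excl}-j REJECT && ip6tables -D $base -j REJECT"
    tmp=$(mktemp) || return 1
    # Insert both lines right after [Interface]; cat back so the file keeps its 0600 mode.
    awk -v up="$postup" -v down="$predown" '
        { print }
        /^\[Interface\]/ { print up; print down }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Demo on a constructed config in a temporary directory (keys and IP are placeholders).
demo=$(mktemp -d)
cat > "$demo/se-mma-wg-001.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.0.0.2/32

[Peer]
PublicKey = PLACEHOLDER_SERVER_PUBLIC_KEY=
Endpoint = 198.51.100.1:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
add_killswitch "$demo/se-mma-wg-001.conf" 192.168.1.0/24 && cat "$demo/se-mma-wg-001.conf"
```

Run it as root against the files in /etc/wireguard after the configuration script has created them; the same invocation without a subnet argument produces exactly the lines from the Kill switch section. Because the exception is only added to the iptables (IPv4) rule, IPv6 traffic to the local network stays blocked, matching the rules shown above.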

Multihop

Our WireGuard servers are connected to each other with WireGuard tunnels. This makes it possible to multihop from one server to another.

Multihop can be useful for different reasons, for example to increase your privacy by connecting through two different countries, or to improve latency/performance in some cases if your ISP has suboptimal peering or routing to the location where you want to exit.

How it works

In the WireGuard configuration file, the Endpoint port defines the exit server and the preceding IP address or hostname defines the entry server: "INSERVER-IP:OUTSERVER-PORT". The PublicKey you have to use is the out (exit) server's.

Example:

[Peer]
PublicKey = UrQiI9ISdPPzd4ARw1NHOPKKvKvxUhjwRjaI0JpJFgM=
Endpoint = 193.138.218.220:3004
AllowedIPs = 0.0.0.0/0, ::/0

In this example, you connect to nl-ams-wg-001 (exit server) via se-mma-wg-001 (entry server). The PublicKey UrQiI9ISdPPzd4ARw1NHOPKKvKvxUhjwRjaI0JpJFgM= belongs to nl-ams-wg-001 and the port 3004 is the multihop port for nl-ams-wg-001. The IP 193.138.218.220 belongs to se-mma-wg-001.

Make a multihop configuration file

You can make a multihop configuration file by editing an existing configuration file. You can use a text editor or the command below.

When you click on a server on our Servers page it will show its multihop port and WireGuard key.

The command below edits the existing configuration file for nl-ams-wg-001, so the PublicKey is that server's and it becomes the exit server. It changes the Endpoint to 193.138.218.220:3004 and saves the result to a new configuration file (se-mma-nl-ams.conf).

sudo sh -c "umask 077; sed 's/^Endpoint.*/Endpoint = 193.138.218.220:3004/' /etc/wireguard/nl-ams-wg-001.conf > /etc/wireguard/se-mma-nl-ams.conf"

Note: The configuration file name has to be no more than 15 characters long (not including ".conf").
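The one-line sed command above does the job, but it silently produces a broken setup if the new name exceeds the 15-character limit (the "does not exist" error in the FAQ below) or if the port is mistyped. The function below is an added example, not part of this guide or of Mullvad's mullvad-wg.sh: it derives a multihop configuration from an existing exit-server file with the same sed substitution, checks the name length and port first, and keeps the umask 077 so the private key in the new file stays owner-readable only. The function name, the argument layout and the constructed sample configuration (placeholder keys, a documentation-range endpoint IP) are assumptions made for this example; the entry IP and multihop port used in the demo are the ones from the text above.

```shell
#!/bin/sh
# Added example (not Mullvad's code): build a multihop config from an existing
# single-hop config, enforcing the 15-character interface-name limit.

# make_multihop EXIT_CONF ENTRY_IP MULTIHOP_PORT NEW_NAME [OUT_DIR]
#   EXIT_CONF      existing config of the exit server (its PublicKey is reused)
#   ENTRY_IP       IP address of the entry server
#   MULTIHOP_PORT  multihop port of the exit server (shown on the Servers page)
#   NEW_NAME       new config name without ".conf", at most 15 characters
#   OUT_DIR        destination directory (defaults to /etc/wireguard)
# Prints the path of the new file on success.
make_multihop() {
    exit_conf=$1; entry_ip=$2; port=$3; name=$4; out_dir=${5:-/etc/wireguard}

    # wg-quick uses the file name as the interface name, which must be <= 15 chars.
    if [ "${#name}" -gt 15 ]; then
        echo "error: '$name' is longer than 15 characters" >&2
        return 1
    fi
    if [ ! -r "$exit_conf" ]; then
        echo "error: cannot read $exit_conf" >&2
        return 1
    fi
    # Reject a non-numeric port before it lands in the Endpoint line.
    case $port in
        ''|*[!0-9]*) echo "error: port '$port' is not numeric" >&2; return 1 ;;
    esac

    out="$out_dir/$name.conf"
    # umask 077 in a subshell: the new file is created mode 0600 and the
    # umask change does not leak into the caller's shell.
    ( umask 077; sed "s/^Endpoint.*/Endpoint = $entry_ip:$port/" "$exit_conf" > "$out" ) || return 1
    echo "$out"
}

# Demo on a constructed config in a temporary directory (keys and IP are placeholders).
demo=$(mktemp -d)
cat > "$demo/nl-ams-wg-001.conf" <<'EOF'
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY=
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = PLACEHOLDER_EXIT_SERVER_PUBLIC_KEY=
Endpoint = 198.51.100.1:51820
AllowedIPs = 0.0.0.0/0, ::/0
EOF
new=$(make_multihop "$demo/nl-ams-wg-001.conf" 193.138.218.220 3004 se-mma-nl-ams "$demo") && cat "$new"
```

With the real files this is sudo sh -c '. ./multihop.sh; make_multihop /etc/wireguard/nl-ams-wg-001.conf 193.138.218.220 3004 se-mma-nl-ams', after which wg-quick up se-mma-nl-ams brings the tunnel up through se-mma-wg-001 to nl-ams-wg-001.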

Multihop with SOCKS5 proxies

You can also use our SOCKS5 proxies to multihop. See our SOCKS5 proxy guide. Using this together with a multihop config file will give you an additional hop for a total of three.

FAQ

How do I make WireGuard start automatically on boot?

Run the following command, replacing se-mma-wg-001 with the WireGuard server you wish to use.

systemctl enable wg-quick@se-mma-wg-001

I get an error message from wg-quick: "does not exist"

Make sure that the configuration file name is no more than 15 characters long (not including ".conf").

"WireGuard" is a registered trademark of Jason A. Donenfeld.