Mullvad is a VPN service based in Sweden which operates on OpenVPN servers. They provide their own GUI client available in the Arch User Repository as AUR, but it can also be used with a configuration file for OpenVPN as explained in this article.
First make sure the packages their website (under the "other platforms" tab) and unzip the downloaded file to
Rename mullvad_linux.conf for a shorter name to be used with the systemd service later:
# mv /etc/openvpn/client/mullvad_linux.conf /etc/openvpn/client/mullvad.conf
In order to use the nameservers supplied by Mullvad, update-resolv-conf script is being called upon starting and stopping the connection with OpenVPN to modify resolv.conf to include the correct IP addresses. This script is also included in the Mullvad configuration zipfile, but should be moved to
/etc/openvpn/ to match the path specified in the Mullvad configuration file:
# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/
The script can be kept updated with the AUR package broken link: package not found], which also contains a fix for DNS leaks.AUR[
After configuration the VPN connection can be managed with
email@example.com. If the service fails to start with an error like
Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19), you might need to reboot the system to enable OpenVPN creating the correct network device for the task.
By default, Mullvad configurations allow DNS leaks and for usual VPN use cases this is an unfavourable privacy defect. Mullvad's GUI client settings have an option called "Stop DNS leaks" to prevent this from happening by removing every DNS server IP from the system configuration and replacing them with an IP pointing out to Mullvad's own allegedly non-logging DNS server, valid during the VPN connection. This fix can also be applied with the plain OpenVPN method by configuring resolv.conf to use only the Mullvad DNS server IP specified on their website.
The resolv.conf update script version in broken link: package not found] implements a different fix for the leaks by using the exclusive interface switch
-x when running the
resolvconf command, but this might cause another form of DNS leakage by making even every local network address resolve via the DNS server provided by Mullvad, as noted in the script's GitHub issue page.