- Example of Mullvad changes required
Mullvad is a VPN service based in Sweden which operates on OpenVPN servers. They provide their own GUI client available in the Arch User Repository as AUR, but it can also be used with a configuration file for OpenVPN as explained in this article.
First make sure the packages their website (under the "other platforms" tab) and unzip the downloaded files to
/etc/openvpn/client/. The files that need to be moved are mullvad.conf mullvad_ca.crt mullvad_crl.pem and mullvad_userpass.txt.
Remember to change your mullvad.conf file to a shorter name for use with systemd later.
# mv /etc/openvpn/client/mullvad_us.conf /etc/openvpn/client/mullvad.conf
In order to use the nameservers supplied by Mullvad, update-resolv-conf script is being called upon starting and stopping the connection with OpenVPN to modify resolv.conf to include the correct IP addresses. This script is also included in the Mullvad configuration zipfile, but should be moved to
/etc/openvpn/ to match the path specified in the Mullvad configuration file:
# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/
The script can be kept updated with the AUR packageAUR, which also contains a fix for DNS leaks.
After configuration the VPN connection can be managed with
firstname.lastname@example.org. If the service fails to start with an error like
Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19), you might need to reboot the system to enable OpenVPN creating the correct network device for the task.
You will also need to enable and start systemd-resolved as a systemd service.
# systemctl enable systemd-resolved.service # systemctl start systemd-resolved.service
Modifications need to be made to the mullvad.conf file in /etc/openvpn/client in order to ensure that the systemd-resolved script is run before the interface closes.
script-security 2 setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin up /etc/openvpn/scripts/update-systemd-resolved down /etc/openvpn/scripts/update-systemd-resolved down-pre
Modifying the /etc/nsswitch.conf file may be necessary to use systemd-resolved.
# # Use /etc/resolv.conf first, then fall back to systemd-resolved # hosts: files dns resolve myhostname # # Use systemd-resolved first, then fall back to /etc/resolv.conf # hosts: files resolve dns myhostname # # Don't use /etc/resolv.conf at all # hosts: files resolve myhostname
By default, Mullvad configurations allow DNS leaks and for usual VPN use cases this is an unfavourable privacy defect. Mullvad's GUI client settings have an option called "Stop DNS leaks" to prevent this from happening by removing every DNS server IP from the system configuration and replacing them with an IP pointing out to Mullvad's own allegedly non-logging DNS server, valid during the VPN connection. This fix can also be applied with the plain OpenVPN method by configuring resolv.conf to use only the Mullvad DNS server IP specified on their website.
The resolv.conf update script version in
-x when running the
resolvconf command, but this might cause another form of DNS leakage by making even every local network address resolve via the DNS server provided by Mullvad, as noted in the script's GitHub issue page.