User:Ultima

From ArchWiki
Jump to: navigation, search
Example of Mullvad changes required

Mullvad is a VPN service based in Sweden which operates on OpenVPN servers. They provide their own GUI client available in the Arch User Repository as mullvadAUR, but it can also be used with a configuration file for OpenVPN as explained in this article.

Configuring OpenVPN

First make sure the packages openvpn and openresolv are installed, then proceed to download Mullvad's OpenVPN configuration file package from their website (under the "other platforms" tab) and unzip the downloaded files to /etc/openvpn/client/. The files that need to be moved are mullvad.conf mullvad_ca.crt mullvad_crl.pem and mullvad_userpass.txt.

Remember to change your mullvad.conf file to a shorter name for use with systemd later.

# mv /etc/openvpn/client/mullvad_us.conf /etc/openvpn/client/mullvad.conf

In order to use the nameservers supplied by Mullvad, update-resolv-conf script is being called upon starting and stopping the connection with OpenVPN to modify resolv.conf to include the correct IP addresses. This script is also included in the Mullvad configuration zipfile, but should be moved to /etc/openvpn/ to match the path specified in the Mullvad configuration file:

# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/

The script can be kept updated with the AUR package openvpn-update-systemd-resolvedAUR, which also contains a fix for DNS leaks.

After configuration the VPN connection can be managed with openvpn-client@mullvad.service. If the service fails to start with an error like Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19), you might need to reboot the system to enable OpenVPN creating the correct network device for the task.

You will also need to enable and start systemd-resolved as a systemd service.

# systemctl enable systemd-resolved.service
# systemctl start systemd-resolved.service

Modifications need to be made to the mullvad.conf file in /etc/openvpn/client in order to ensure that the systemd-resolved script is run before the interface closes.

/etc/openvpn/client/mullvad.conf
script-security 2
  setenv PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  up /etc/openvpn/scripts/update-systemd-resolved
  down /etc/openvpn/scripts/update-systemd-resolved
  down-pre

Modifying the /etc/nsswitch.conf file may be necessary to use systemd-resolved.

# # Use /etc/resolv.conf first, then fall back to systemd-resolved
# hosts: files dns resolve myhostname
# # Use systemd-resolved first, then fall back to /etc/resolv.conf
# hosts: files resolve dns myhostname
# # Don't use /etc/resolv.conf at all
# hosts: files resolve myhostname

DNS leaks

By default, Mullvad configurations allow DNS leaks and for usual VPN use cases this is an unfavourable privacy defect. Mullvad's GUI client settings have an option called "Stop DNS leaks" to prevent this from happening by removing every DNS server IP from the system configuration and replacing them with an IP pointing out to Mullvad's own allegedly non-logging DNS server, valid during the VPN connection. This fix can also be applied with the plain OpenVPN method by configuring resolv.conf to use only the Mullvad DNS server IP specified on their website.

The resolv.conf update script version in openvpn-update-systemd-resolvedAUR implements a different fix for the leaks by using the exclusive interface switch -x when running the resolvconf command, but this might cause another form of DNS leakage by making even every local network address resolve via the DNS server provided by Mullvad, as noted in the script's GitHub issue page.