Difference between revisions of "Mullvad"

From ArchWiki
(Using Mullvad as plain OpenVPN)
m (Configuring OpenVPN: fixed broken section link by replacing underscores with spaces.)
 
(22 intermediate revisions by 13 users not shown)
Line 1: Line 1:
[[Category:Virtual Private Network]]
+
[[Category:VPN providers]]
==Using Mullvad as plain OpenVPN==
+
Mullvad is a VPN service based in Sweden which operates on [[OpenVPN]] servers. They provide their own [https://mullvad.net/download/ GUI client] available in the [[Arch User Repository]] as {{AUR|mullvad}}, but it can also be used with a configuration file for OpenVPN as explained in this article.
  
To use the VPN service Mullvad on Arch Linux a few small adjustments need to be done. First, install [[OpenVPN]] and [[resolvconf]]. Download the plain [[OpenVPN]] version of Mullvad [http://mullvad.net/en/openvpn_conf.php "here"]. Next, copy the content of the zip file to /etc/openvpn. Open the file mullvad_linux.conf and change the end of the file from
+
== Configuring OpenVPN ==
{{hc|mullvad_linux.conf|<nowiki>
 
# Parses DHCP options from openvpn to update resolv.conf
 
up /etc/openvpn/update-resolv-conf
 
down /etc/openvpn/update-resolv-conf
 
  
ping 10
+
First make sure the packages {{Pkg|openvpn}} and {{Pkg|openresolv}} are installed, then proceed to download Mullvad's OpenVPN configuration file package from [https://www.mullvad.net/download/config/ their website] (under the "other platforms" tab) and unzip the downloaded file to {{ic|/etc/openvpn/client/}}.
  
ca master.mullvad.net.crt
+
Rename mullvad_linux.conf for a shorter name to be used with the [[systemd]] service later:
cert mullvad.crt
 
key mullvad.key
 
</nowiki>}}
 
to
 
{{hc|mullvad_linux.conf|<nowiki>
 
# Parses DHCP options from openvpn to update resolv.conf
 
# up /etc/openvpn/update-resolv-conf
 
# down /etc/openvpn/update-resolv-conf
 
up /usr/share/openvpn/update-resolv-conf
 
down /usr/share/openvpn/update-resolv-conf
 
  
ping 10
+
# mv /etc/openvpn/client/mullvad_linux.conf /etc/openvpn/client/mullvad.conf
  
ca /etc/openvpn/master.mullvad.net.crt
+
In order to use the nameservers supplied by Mullvad, [[OpenVPN#Update resolv-conf script|update-resolv-conf script]] is being called upon starting and stopping the connection with OpenVPN to modify [[resolv.conf]] to include the correct IP addresses. This script is also included in the Mullvad configuration zipfile, but should be moved to {{ic|/etc/openvpn/}} to match the path specified in the Mullvad configuration file:
cert /etc/openvpn/mullvad.crt
 
key /etc/openvpn/mullvad.key
 
</nowiki>}}
 
and make it executable by running
 
    sudo chmod +x /etc/openvpn/mullvad_linux.conf
 
  
Load the tun module by creating the file
+
# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/
{{hc|/etc/modules-load.d/tun.conf|<nowiki>
 
# Load tun.ko at boot
 
tun</nowiki>}}
 
  
and create
+
The script can be kept updated with the AUR package {{aur|openvpn-update-resolv-conf}}, which also contains a fix for DNS leaks.
{{hc|/usr/share/openvpn/update-resolv-conf|<nowiki>
 
#!/bin/bash
 
#
 
# Parses DHCP options from openvpn to update resolv.conf
 
# To use set as 'up' and 'down' script in your openvpn *.conf:
 
# up /etc/openvpn/update-resolv-conf
 
# down /etc/openvpn/update-resolv-conf
 
#
 
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
 
# and Chris Hanson
 
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
 
#
 
# 05/2006 chlauber@bnc.ch
 
#
 
# Example envs set from openvpn:
 
# foreign_option_1='dhcp-option DNS 193.43.27.132'
 
# foreign_option_2='dhcp-option DNS 193.43.27.133'
 
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
 
  
[ -x /usr/sbin/resolvconf ] || exit 0
+
After configuration the VPN connection can be [[enabled|managed]] with {{ic|openvpn-client@mullvad.service}}. If the service fails to start with an error like {{ic|Cannot open TUN/TAP dev /dev/net/tun: No such device <nowiki>(errno=19)</nowiki>}}, you might need to reboot the system to enable OpenVPN creating the correct network device for the task.
  
case $script_type in
+
== DNS leaks ==
  
up)
+
By default, Mullvad configurations allow DNS leaks and for usual VPN use cases this is an unfavourable privacy defect. Mullvad's GUI client settings have an option called "Stop DNS leaks" to prevent this from happening by removing every DNS server IP from the system configuration and replacing them with an IP pointing out to Mullvad's own ''allegedly'' non-logging DNS server, valid during the VPN connection. This fix can also be applied with the plain OpenVPN method by configuring [[resolv.conf]] to use '''only''' the Mullvad DNS server IP specified on their [https://www.mullvad.net/guides/dns-leaks/ website].
  for optionname in ${!foreign_option_*} ; do
 
      option="${!optionname}"
 
      echo $option
 
      part1=$(echo "$option" | cut -d " " -f 1)
 
      if [ "$part1" == "dhcp-option" ] ; then
 
        part2=$(echo "$option" | cut -d " " -f 2)
 
        part3=$(echo "$option" | cut -d " " -f 3)
 
        if [ "$part2" == "DNS" ] ; then
 
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
 
        fi
 
        if [ "$part2" == "DOMAIN" ] ; then
 
            IF_DNS_SEARCH="$part3"
 
        fi
 
      fi
 
  done
 
  R=""
 
  if [ "$IF_DNS_SEARCH" ] ; then
 
          R="${R}search $IF_DNS_SEARCH
 
"
 
  fi
 
  for NS in $IF_DNS_NAMESERVERS ; do
 
          R="${R}nameserver $NS
 
"
 
  done
 
  echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
 
  ;;
 
down)
 
  /usr/sbin/resolvconf -d "${dev}.inet"
 
  ;;
 
esac
 
</nowiki>}}
 
  
and don't forget to make it executable by running
+
The resolv.conf update script version in {{aur|openvpn-update-resolv-conf}} implements a different fix for the leaks by using the exclusive interface switch {{ic|-x}} when running the {{ic|resolvconf}} command, but this might cause another form of DNS leakage by making even every local network address resolve via the DNS server provided by Mullvad, as noted in the [https://github.com/masterkorp/openvpn-update-resolv-conf/issues/18 script's GitHub issue page].
    sudo chmod +x /usr/share/openvpn/update-resolv-conf
 
 
 
Lastly create the file
 
{{hc|/usr/bin/mullvad|<nowiki>
 
#! /bin/bash
 
# Script to start Mullvad
 
openvpn /etc/openvpn/mullvad_linux.conf
 
</nowiki>}}
 
make it executable
 
    sudo chmod +x /usr/bin/mullvad
 
and simply run Mullvad in the terminal by typing
 
    sudo mullvad
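Review bot: the new "Configuring OpenVPN" text moves update-resolv-conf with `mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/` but drops the old revision's `sudo chmod +x /usr/share/openvpn/update-resolv-conf` step without an equivalent. The configuration calls this file as the `up` and `down` hook, so the section should say to confirm it is executable after the move, and ideally that it is owned by root and not writable by other users. Separately, the removed /etc/modules-load.d/tun.conf step is now covered only by "you might need to reboot"; a sentence on why the tun device can be missing would make that troubleshooting advice easier to act on.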
 

Latest revision as of 14:52, 30 March 2017

Mullvad is a VPN service based in Sweden which operates on OpenVPN servers. They provide their own GUI client, available in the Arch User Repository as the mullvad package, but the service can also be used with a configuration file for OpenVPN as explained in this article.

Configuring OpenVPN

First make sure the packages openvpn and openresolv are installed, then proceed to download Mullvad's OpenVPN configuration file package from their website (under the "other platforms" tab) and unzip the downloaded file to /etc/openvpn/client/.

Rename mullvad_linux.conf to a shorter name, which is used with the systemd service later:

# mv /etc/openvpn/client/mullvad_linux.conf /etc/openvpn/client/mullvad.conf

In order to use the nameservers supplied by Mullvad, the update-resolv-conf script is called when the OpenVPN connection starts and stops, and modifies resolv.conf to include the correct IP addresses. This script is also included in the Mullvad configuration zip file, but should be moved to /etc/openvpn/ to match the path specified in the Mullvad configuration file:

# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/

The script can be kept updated with the AUR package openvpn-update-resolv-conf, which also contains a fix for DNS leaks.

After configuration, the VPN connection can be managed with openvpn-client@mullvad.service. If the service fails to start with an error like Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19), you might need to reboot the system so that OpenVPN can create the correct network device for the task.

DNS leaks

By default, Mullvad configurations allow DNS leaks, which is a privacy defect for usual VPN use cases. Mullvad's GUI client settings have an option called "Stop DNS leaks" that prevents this by removing every DNS server IP from the system configuration and replacing them with an IP pointing to Mullvad's own allegedly non-logging DNS server, valid for the duration of the VPN connection. This fix can also be applied with the plain OpenVPN method by configuring resolv.conf to use only the Mullvad DNS server IP specified on their website.

The version of the resolv.conf update script in the AUR package openvpn-update-resolv-conf implements a different fix for the leaks by using the exclusive interface switch -x when running the resolvconf command, but this might cause another form of DNS leakage by making every local network address resolve via the DNS server provided by Mullvad as well, as noted in the script's GitHub issue page.
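
A check for the "only the Mullvad DNS server" condition described above, as an added example that is not part of the wiki page: it parses a resolv.conf-style file and reports any active nameserver other than the VPN resolver. The address 192.0.2.53, the function names and the sample files are assumptions made for the example; use the address published on Mullvad's website.

```shell
#!/bin/sh
# Added example, not from the wiki page. VPN_DNS is a placeholder from the
# documentation range 192.0.2.0/24; substitute the address Mullvad publishes.
VPN_DNS="${VPN_DNS:-192.0.2.53}"

# Print each active "nameserver" address in file $1 that is not $2.
# Commented-out lines (# or ;) never match because field 1 differs.
leaky_nameservers() {
    awk -v vpn="$2" '$1 == "nameserver" && $2 != "" && $2 != vpn { print $2 }' "$1"
}

# Succeed only if file $1 names the VPN resolver $2 and no other resolver.
only_vpn_dns() {
    [ -r "$1" ] || return 1
    awk -v vpn="$2" '$1 == "nameserver" && $2 == vpn { found = 1 }
                     END { exit !found }' "$1" || return 1
    [ -z "$(leaky_nameservers "$1" "$2")" ]
}

# Constructed sample: the tunnel's resolver merged with a LAN router's
# resolver instead of replacing it, which is the leak condition.
sample_leaky() {
    printf '%s\n' '# Generated by resolvconf' 'search lan' \
        "nameserver $VPN_DNS" 'nameserver 192.168.1.1'
}

# Constructed sample: only the VPN resolver is active.
sample_tight() {
    printf '%s\n' '# Generated by resolvconf' \
        "nameserver $VPN_DNS" '#nameserver 192.168.1.1'
}

# Report on one file; non-zero exit status means a leak risk.
check_file() {
    if only_vpn_dns "$1" "$VPN_DNS"; then
        echo "OK: $1 uses only $VPN_DNS"
    else
        echo "LEAK RISK: $1 lists: $(leaky_nameservers "$1" "$VPN_DNS" | tr '\n' ' ')"
        return 1
    fi
}

# When a path is given as an argument, check it (for example /etc/resolv.conf).
if [ -n "${1:-}" ]; then check_file "$1"; fi
```

Run it against /etc/resolv.conf while the tunnel is up. A file that lists no VPN resolver at all is also reported as a risk.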