Difference between revisions of "Mullvad"

From ArchWiki
(Using Mullvad as plain OpenVPN)
(rename Configuring OpenVPN section to Manual configuration)
 
(26 intermediate revisions by 15 users not shown)
Line 1: Line 1:
[[Category:Virtual Private Network]]
+
[[Category:VPN providers]]
==Using Mullvad as plain OpenVPN==
+
[[ja:Mullvad]]
 +
[https://mullvad.net/en/ Mullvad] is a VPN service based in Sweden which operates on [[OpenVPN]] servers.
  
To use the VPN service Mullvad on Arch Linux a few small adjustments need to be done. First, install [[OpenVPN]] and [[resolvconf]]. Download the plain [[OpenVPN]] version of Mullvad [http://mullvad.net/en/openvpn_conf.php "here"]. Next, copy the content of the zip file to /etc/openvpn. Open the file mullvad_linux.conf and change the end of the file from
+
== Installation ==
{{hc|mullvad_linux.conf|<nowiki>
 
# Parses DHCP options from openvpn to update resolv.conf
 
up /etc/openvpn/update-resolv-conf
 
down /etc/openvpn/update-resolv-conf
 
  
ping 10
+
The [https://mullvad.net/download/ official GUI client] is available as {{AUR|mullvad}}.
  
ca master.mullvad.net.crt
+
Alternatively you can use [[OpenVPN]] with a configuration file for Mullvad as explained in [[#Manual configuration]].
cert mullvad.crt
 
key mullvad.key
 
</nowiki>}}
 
to
 
{{hc|mullvad_linux.conf|<nowiki>
 
# Parses DHCP options from openvpn to update resolv.conf
 
# up /etc/openvpn/update-resolv-conf
 
# down /etc/openvpn/update-resolv-conf
 
up /usr/share/openvpn/update-resolv-conf
 
down /usr/share/openvpn/update-resolv-conf
 
  
ping 10
+
== Manual configuration ==
  
ca /etc/openvpn/master.mullvad.net.crt
+
First make sure the packages {{Pkg|openvpn}} and {{Pkg|openresolv}} are installed, then proceed to download Mullvad's OpenVPN configuration file package from [https://www.mullvad.net/download/config/ their website] (under the "other platforms" tab) and unzip the downloaded file to {{ic|/etc/openvpn/client/}}.
cert /etc/openvpn/mullvad.crt
 
key /etc/openvpn/mullvad.key
 
</nowiki>}}
 
and make it executable by running
 
    sudo chmod +x /etc/openvpn/mullvad_linux.conf
 
  
Load the tun module by creating the file
+
Rename mullvad_linux.conf for a shorter name to be used with the [[systemd]] service later:
{{hc|/etc/modules-load.d/tun.conf|<nowiki>
 
# Load tun.ko at boot
 
tun</nowiki>}}
 
  
and create
+
# mv /etc/openvpn/client/mullvad_linux.conf /etc/openvpn/client/mullvad.conf
{{hc|/usr/share/openvpn/update-resolv-conf|<nowiki>
 
#!/bin/bash
 
#
 
# Parses DHCP options from openvpn to update resolv.conf
 
# To use set as 'up' and 'down' script in your openvpn *.conf:
 
# up /etc/openvpn/update-resolv-conf
 
# down /etc/openvpn/update-resolv-conf
 
#
 
# Used snippets of resolvconf script by Thomas Hood <jdthood@yahoo.co.uk>
 
# and Chris Hanson
 
# Licensed under the GNU GPL.  See /usr/share/common-licenses/GPL.
 
#
 
# 05/2006 chlauber@bnc.ch
 
#
 
# Example envs set from openvpn:
 
# foreign_option_1='dhcp-option DNS 193.43.27.132'
 
# foreign_option_2='dhcp-option DNS 193.43.27.133'
 
# foreign_option_3='dhcp-option DOMAIN be.bnc.ch'
 
  
[ -x /usr/sbin/resolvconf ] || exit 0
+
In order to use the nameservers supplied by Mullvad, [[OpenVPN#Update resolv-conf script|update-resolv-conf script]] is being called upon starting and stopping the connection with OpenVPN to modify [[resolv.conf]] to include the correct IP addresses. This script is also included in the Mullvad configuration zipfile, but should be moved to {{ic|/etc/openvpn/}} to match the path specified in the Mullvad configuration file:
  
case $script_type in
+
# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/
  
up)
+
The script can be kept updated with the AUR package {{aur|openvpn-update-resolv-conf}}{{Broken package link|package not found}}, which also contains a fix for DNS leaks.
  for optionname in ${!foreign_option_*} ; do
 
      option="${!optionname}"
 
      echo $option
 
      part1=$(echo "$option" | cut -d " " -f 1)
 
      if [ "$part1" == "dhcp-option" ] ; then
 
        part2=$(echo "$option" | cut -d " " -f 2)
 
        part3=$(echo "$option" | cut -d " " -f 3)
 
        if [ "$part2" == "DNS" ] ; then
 
            IF_DNS_NAMESERVERS="$IF_DNS_NAMESERVERS $part3"
 
        fi
 
        if [ "$part2" == "DOMAIN" ] ; then
 
            IF_DNS_SEARCH="$part3"
 
        fi
 
      fi
 
  done
 
  R=""
 
  if [ "$IF_DNS_SEARCH" ] ; then
 
          R="${R}search $IF_DNS_SEARCH
 
"
 
  fi
 
  for NS in $IF_DNS_NAMESERVERS ; do
 
          R="${R}nameserver $NS
 
"
 
  done
 
  echo -n "$R" | /usr/sbin/resolvconf -a "${dev}.inet"
 
  ;;
 
down)
 
  /usr/sbin/resolvconf -d "${dev}.inet"
 
  ;;
 
esac
 
</nowiki>}}
 
  
and don't forget to make it executable by running
+
After configuration the VPN connection can be [[enabled|managed]] with {{ic|openvpn-client@mullvad.service}}. If the service fails to start with an error like {{ic|Cannot open TUN/TAP dev /dev/net/tun: No such device <nowiki>(errno=19)</nowiki>}}, you might need to reboot the system to enable OpenVPN creating the correct network device for the task.
    sudo chmod +x /usr/share/openvpn/update-resolv-conf
 
  
Lastly create the file
+
== DNS leaks ==
{{hc|/usr/bin/mullvad|<nowiki>
 
#! /bin/bash
 
# Script to start Mullvad
 
gksu openvpn /etc/openvpn/mullvad_linux.conf
 
</nowiki>}}
 
make it executable
 
    sudo chmod +x /usr/bin/mullvad
 
and simply run Mullvad in the terminal by typing
 
    mullvad
 
  
To create a menu item we need the logo
+
By default, Mullvad configurations allow DNS leaks and for usual VPN use cases this is an unfavourable privacy defect. Mullvad's GUI client settings have an option called "Stop DNS leaks" to prevent this from happening by removing every DNS server IP from the system configuration and replacing them with an IP pointing out to Mullvad's own ''allegedly'' non-logging DNS server, valid during the VPN connection. This fix can also be applied with the plain OpenVPN method by configuring [[resolv.conf]] to use '''only''' the Mullvad DNS server IP specified on their [https://www.mullvad.net/guides/dns-leaks/ website].
    wget https://mullvad.net/images/logo.png -O /usr/share/icons/mullvad.png
+
 
Then create the .desktop file
+
The resolv.conf update script version in {{aur|openvpn-update-resolv-conf}}{{Broken package link|package not found}} implements a different fix for the leaks by using the exclusive interface switch {{ic|-x}} when running the {{ic|resolvconf}} command, but this might cause another form of DNS leakage by making even every local network address resolve via the DNS server provided by Mullvad, as noted in the [https://github.com/masterkorp/openvpn-update-resolv-conf/issues/18 script's GitHub issue page].
{{hc|/usr/share/applications/mullvad.desktop|<nowiki>
 
[Desktop Entry]
 
Type=Application
 
Icon=/usr/share/icons/mullvad.png
 
Name=Mullvad
 
Comment=Start Mullvad VPN service
 
Exec=mullvad
 
Categories=Network
 
</nowiki>}}
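Review bot: In the new "Manual configuration" text, the line recommending {{aur|openvpn-update-resolv-conf}} carries {{Broken package link|package not found}} in the same sentence, and the new "DNS leaks" section points to that package again. Either say where the script can actually be obtained or drop the recommendation. The rewrite also removes the old "make it executable" step (chmod +x on update-resolv-conf) without saying whether the script from the zip file is still executable after the mv to /etc/openvpn/. State that explicitly, since OpenVPN has to run it as the up/down script.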
 

Latest revision as of 09:18, 21 May 2018

Mullvad is a VPN service based in Sweden which operates on OpenVPN servers.

Installation

The official GUI client is available as the AUR package mullvad.

Alternatively you can use OpenVPN with a configuration file for Mullvad as explained in #Manual configuration.

Manual configuration

First make sure the packages openvpn and openresolv are installed, then proceed to download Mullvad's OpenVPN configuration file package from their website (under the "other platforms" tab) and unzip the downloaded file to /etc/openvpn/client/.

Rename mullvad_linux.conf to a shorter name, which is used with the systemd service later:

# mv /etc/openvpn/client/mullvad_linux.conf /etc/openvpn/client/mullvad.conf

To use the nameservers supplied by Mullvad, OpenVPN calls the update-resolv-conf script when the connection starts and stops; the script modifies resolv.conf to include the correct IP addresses. This script is also included in the Mullvad configuration zipfile, but should be moved to /etc/openvpn/ to match the path specified in the Mullvad configuration file:

# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/

The script can be kept updated with the AUR package openvpn-update-resolv-conf [broken link: package not found], which also contains a fix for DNS leaks.

After configuration, the VPN connection can be managed with openvpn-client@mullvad.service. If the service fails to start with an error like "Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19)", you might need to reboot the system so that OpenVPN can create the network device it needs.

DNS leaks

By default, Mullvad configurations allow DNS leaks, which for usual VPN use cases is a privacy defect. Mullvad's GUI client settings have an option called "Stop DNS leaks" that prevents this by removing every DNS server IP from the system configuration and replacing them, for the duration of the VPN connection, with the IP of Mullvad's own, allegedly non-logging, DNS server. The same fix can be applied with the plain OpenVPN method by configuring resolv.conf to use only the Mullvad DNS server IP specified on their website.

The version of the resolv.conf update script in the AUR package openvpn-update-resolv-conf [broken link: package not found] implements a different fix for the leaks: it passes the exclusive interface switch -x to the resolvconf command. This might cause another form of DNS leakage, because every address, including local network ones, is then resolved via the DNS server provided by Mullvad, as noted in the script's GitHub issue page.
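
A check for the resolv.conf-only fix described above, as an added example that is not part of the wiki page: it reports every nameserver in a resolv.conf-style file that is not the expected VPN resolver. The address 192.0.2.53 is a documentation-range placeholder for the IP published on Mullvad's website, and the function names and sample file are constructed for this example.

```shell
#!/bin/sh
# Added example: detect resolvers in resolv.conf other than the VPN's.
# 192.0.2.53 is a PLACEHOLDER; use the address from Mullvad's DNS leak guide.

# list_nameservers FILE: print each configured nameserver, one per line,
# skipping comment lines (# or ;) and all other directives.
list_nameservers() {
    awk '/^[[:space:]]*[#;]/ { next }
         $1 == "nameserver" && NF >= 2 { print $2 }' "$1"
}

# check_dns_leak FILE EXPECTED_IP
#   returns 0 if every nameserver is EXPECTED_IP,
#           1 if other nameservers are present (printed one per line),
#           2 if FILE is unreadable or has no nameserver entries.
check_dns_leak() {
    if [ ! -r "$1" ]; then
        echo "cannot read $1"
        return 2
    fi
    cdl_servers=$(list_nameservers "$1")
    if [ -z "$cdl_servers" ]; then
        echo "no nameserver entries in $1"
        return 2
    fi
    # -F fixed string, -x whole line, -v invert: drop EXPECTED_IP, keep the rest
    cdl_extra=$(printf '%s\n' "$cdl_servers" | grep -Fxv -- "$2" || true)
    if [ -z "$cdl_extra" ]; then
        return 0
    fi
    printf '%s\n' "$cdl_extra" | sed 's/^/unexpected nameserver: /'
    return 1
}

# Constructed sample: the VPN resolver plus a leftover LAN resolver.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Generated by resolvconf (constructed sample)
search lan
nameserver 192.0.2.53
nameserver 192.168.1.1
EOF
check_dns_leak "$sample" 192.0.2.53 || echo "leak check exit status: $?"
rm -f "$sample"
```

Run it against /etc/resolv.conf while the VPN connection is up; a non-zero status means queries can still reach a resolver other than the one given.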