Mullvad
Mullvad is a VPN service based in Sweden which uses OpenVPN and WireGuard.
Installation
The official GUI client is available as mullvad-vpnAUR and mullvad-vpn-binAUR.
After installation, you will need to start/enable mullvad-daemon.service.
Alternatively you can use either OpenVPN or WireGuard with a configuration file for Mullvad as explained in #Manual configuration.
Manual configuration
If you do not want to use the Mullvad app you can set it up manually with standard Linux software. Mullvad supports the OpenVPN and WireGuard protocols. Mullvad advises to use WireGuard. It is a more modern protocol and is deeply integrated to the Linux kernel, generally allowing for better performance and a more reliable connection. Modern desktop environments and graphical utilities support managing both protocols.
If you use NetworkManager you may want to set up dnsmasq to decrease DNS lookup times and decrease risk of DNS leakages. Follow the steps under DNS_caching_and_conditional_forwarding. Mind you, using dnsmasq together with the Mullvad app will result in poorer performance as NetworkManager cannot manage per-interface configs via dnsmasq.
Using OpenVPN
First make sure the packages openvpn and openresolv are installed, then proceed to download Mullvad's OpenVPN configuration file package from their website and unzip the downloaded file to /etc/openvpn/client/. From here you can either use the NetworkManager front-ends when using NetworkManager, or you can use systemd to start it automatically at boot.
Using NetworkManager front-ends
See OpenVPN#NetworkManager-native VPN configuration.
Using systemd
Rename mullvad_linux.conf for a shorter name to be used with the systemd service later:
# mv /etc/openvpn/client/mullvad_linux.conf /etc/openvpn/client/mullvad.conf
In order to use the nameservers supplied by Mullvad, update-resolv-conf script is being called upon starting and stopping the connection with OpenVPN to modify resolv.conf to include the correct IP addresses. This script is also included in the Mullvad configuration zipfile, but should be moved to /etc/openvpn/ to match the path specified in the Mullvad configuration file:
# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/
Ensure that the script is executable.
The script can be kept updated with the openvpn-update-resolv-conf script, which also contains a fix for DNS leaks.
After configuration the VPN connection can be managed with openvpn-client@mullvad.service. If the service fails to start with an error like Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19), you might need to reboot the system to enable OpenVPN creating the correct network device for the task.
Enabling a Kill Switch
To enable a Kill Switch function to prevent data leakage in case the VPN connection goes down, you can use iptables as explained in the Mullvad OpenVPN on Linux page, under Enabling a Kill Switch.
Using WireGuard
Using WG-Quick
Install the wireguard-tools and openresolv packages. Log in to Mullvad with your account and then go to the WireGuard configuration file generator. Under Generate a WireGuard key, click generate key to generate a private key, or you can issue the following command to generate a private key and import it.
# wg genkey
Fill out the next step under Select one or multiple exit locations on the generator and download the file. Extract the file you downloaded to get one or several configuration files depending on your selections. Move the configuration files into /etc/wireguard.
For this example, we have selected Malmö, Sweden (se-mma-wg-001), as our server location, so the downloaded configuration file is named se-mma-wg-001.conf.
As root, run the following command. Replace se-mma-wg-001 with your selected server.
# wg-quick up se-mma-wg-001
To stop it, run the following command.
# wg-quick down se-mma-wg-001
To automatically have it run at boot, enable/start wg-quick@se-mma-wg-001.service.
With NetworkManager
To add a WireGuard connection from a config-file, issue following command in terminal:
# nmcli connection import type wireguard file configuration_file
If the file was called WG1.conf a connection called WG1 should have been added.
If you at any point want to delete the connection, issue the command:
# nmcli connection delete connection_name
To actually start the WireGuard tunnel, issue command:
# nmcli connection up connection_name
Make sure the connection is listed when you run nmcli:
# nmcli
You might want to verify that the private and public keys are correct and corresponds with what you got from your VPN provider:
# WG_HIDE_KEYS=never wg
Mullvad has provided a shell script to automate this process - with a caveat: the automatically generated configuration files do not contain kill switches, which need to be manually added if you so desire.
with KDE
KDE settings (`systemsettings kcm_networkmanagement`), which is a frontend for Network Manager, can either import individual files that you download from mullvad's website (linux configuration), or you can open those files and manually add the values.
The required fields are:
| settings tab | field | mullvad config file |
|---|---|---|
| IP V4 | Method: Manual | n/a |
| IP V4 | Address/Netmask | Interface.Address (must split on `,` and interpret the mask value. Same for IPV6) |
| IP V6 | Method: Manual (or ignored) | n/a |
| Wireguard Interface | Private Key | Interface.PrivateKey |
| Peers | Public Key | Peer.PublicKey |
| Peers | Allowed IPs | Peer.AllowedIPs |
| Peers | Endpoint address | Peer.Endpoing (must split on `:`) |
| Peers | Endpoint port | Peer.Endpoing (must split on `:`) |
Note that there's an easy to miss "Peers" button in the "Wireguard Interface" tab to open the Peers section.
To use multiple peers, you will have to open the `zip` file, and add one peer from each individual file on the Peers dialog. Note that the "Wireguard Interface" and IP tabs will be the same for all the files inside the `zip` archive you got from mullbad.
With systemd-networkd
/etc/systemd/network/99-wg0.netdev
[NetDev] Name=wg0 Kind=wireguard Description=WireGuard VPN [WireGuard] FirewallMark=0x8888 ListenPort=51820 RouteTable=off PrivateKey=<private key> [WireGuardPeer] PublicKey=<public key> AllowedIPs=0.0.0.0/0 AllowedIPs=::0/0 Endpoint=<ip>:<port>
/etc/systemd/network/99-wg0.network
[Match] Name=wg0 [Network] Address=<ipv4 addr>/32 Address=<ipv6 addr>/128 DNS=<dns> DNSDefaultRoute=yes Domains=~. [RoutingPolicyRule] Family=both SuppressPrefixLength=0 Priority=999 Table=main [RoutingPolicyRule] Family=both FirewallMark=0x8888 InvertRule=true Table=1000 Priority=1000 [Route] Gateway=0.0.0.0 Table=1000 [Route] Gateway=:: Table=1000
For basic kill-switch functionality you can use iptables to block all outgoing connections except those with fwmark 0x8888:
iptables incomplete example
-A OUTPUT -m mark --mark 0x8888 -j ACCEPT -A OUTPUT -j DROP
DNS leaks
By default, the Mullvad OpenVPN configurations allow DNS leaks and for usual VPN use cases this is an unfavorable privacy defect. Mullvad's GUI client automatically stops DNS leaks by removing every DNS server IP from the system configuration and replacing them with an IP pointing out to Mullvad's own non-logging DNS server, valid during the VPN connection. This fix can also be applied with the plain OpenVPN method by configuring resolv.conf to use only the Mullvad DNS server IP specified on their website.
The resolv.conf update script version in openvpn-update-resolv-conf implements a different fix for the leaks by using the exclusive interface switch -x when running the resolvconf command, but this might cause another form of DNS leakage by making even every local network address resolve via the DNS server provided by Mullvad, as noted in the script's GitHub issue page.
If you use Mullvad with wireguard remember to install the openresolv package to prevent DNS leaks.
IPv6
Mullvad's Wireguard servers fully support IPv6, both inside and outside the tunnel. Users of the GUI app can enable tunneling IPv6 in VPN settings, and enable running the tunnel itself over IPv6 in VPN settings > WireGuard settings > IP version. This may improve performance somewhat by allowing/encouraging larger packet sizes in the WireGuard tunnel. These preferences can be chosen on the WireGuard config generator for manual users.
Preferring IPv6 inside the tunnel
Because the VPN assigns a unique local address and performs network address translation (an unusual way to configure IPv6 connections to the public Internet), getaddrinfo(3) de-prioritizes IPv6 within the tunnel and will only use it when it is the only available option for a connection. To solve this and prefer IPv6 within the tunnel (as is the default on a standard connection), edit the gai.conf(5) file and add the following line:
/etc/gai.conf
label fc00:bbbb:bbbb::/48 1
Automatic configuration
vopono supports automatically generating configuration files for Mullvad, allowing you to instantly run applications via Mullvad connections in temporary network namespaces.
Both OpenVPN and Wireguard connections are supported. Shadowsocks is supported for OpenVPN connections, and port forwarding is supported for Wireguard connections.