The new official GUI client is available as AUR.
After installation, you will need to start/enable
If you do not want to use the Mullvad app you can set it up manually with standard Linux software. Mullvad supports the OpenVPN and WireGuard protocols. Mullvad themselves advise to use WireGuard. However, using OpenVPN may be preferable since for instance the GNOME GUI can handle OpenVPN graphically, which makes it easy to see that the VPN is being used, or switching between VPN servers.
No matter if you opt for OpenVPN or WireGuard, if you use NetworkManager you may want to set up dnsmasq to decrease DNS-lookup times and also decreasing risk of DNS leakages. Follow the steps under DNS_caching_and_conditional_forwarding. Mind you, using dnsmasq together with the Mullvad app will result in poorer performance as NetworkManager cannot manage per-interface configs via dnsmasq.
First make sure the packages their website[dead link 2023-05-06 ⓘ] (under the "other platforms" tab) and unzip the downloaded file to
/etc/openvpn/client/. From here you can either use the NetworkManager front-ends when using NetworkManager, or you can use systemd to start it automatically at boot.
Using NetworkManager front-ends
mullvad_linux.conf for a shorter name to be used with the systemd service later:
# mv /etc/openvpn/client/mullvad_linux.conf /etc/openvpn/client/mullvad.conf
In order to use the nameservers supplied by Mullvad, update-resolv-conf script is being called upon starting and stopping the connection with OpenVPN to modify resolv.conf to include the correct IP addresses. This script is also included in the Mullvad configuration zipfile, but should be moved to
/etc/openvpn/ to match the path specified in the Mullvad configuration file:
# mv /etc/openvpn/client/update-resolv-conf /etc/openvpn/
Ensure that the script is executable.
The script can be kept updated with the openvpn-update-resolv-conf script, which also contains a fix for DNS leaks.
After configuration the VPN connection can be managed with
firstname.lastname@example.org. If the service fails to start with an error like
Cannot open TUN/TAP dev /dev/net/tun: No such device (errno=19), you might need to reboot the system to enable OpenVPN creating the correct network device for the task.
Enabling a Kill Switch
Install the package. Log in to Mullvad with your account and then go to the Wireguard-config page. Choose Linux as platform, then click generate key to generate a public key. In a terminal, issue the following command to generate a private key:
# wg genkey
Click on Manage keys on the Mullvad WireGuard-config page, and insert the private key you just generated into the field that says Enter private key, and click on import key. Fill out step 3 on the website and download the file. Unzip the file you downloaded to get one or several configuration files depending on your selections in step 3. With these configuration files you can use the terminal interface of NetworkManager, nmcli.
After following the guide in Using Networkmanager to obtain the configuration zip file that we will be using you can go ahead and unzip the file you obtained and moving it to your working folder. Next we shall go ahead and import our wg connection by moving our mullvad configuration file into
/etc/wireguard and naming it
wg0.conf for the below commands to work. Then we shall go ahead
# wg-quick up wg0
If you want to stop it run the command below. This is not permanent however and you will need to run the above command manually whenever your PC restarts.
# wg-quick down
To permanently have it run, enable/start
email@example.com which will always enable the configuration whenever your PC starts up.
To add a WireGuard connection from a config-file, issue following command in terminal:
# nmcli connection import type wireguard file configuration_file
If the file was called WG1.conf a connection called WG1 should have been added.
If you at any point want to delete the connection, issue the command:
# nmcli connection delete connection_name
To actually start the WireGuard tunnel, issue command:
# nmcli connection up connection_name
Make sure the connection is listed when you run nmcli:
You might want to verify that the private and public keys are correct and corresponds with what you got from your VPN provider:
# WG_HIDE_KEYS=never wg
Mullvad has provided a shell script to automate this process - with a caveat: the automatically generated configuration files do not contain kill switches, which need to be manually added if you so desire.
KDE settings (`systemsettings kcm_networkmanagement`), which is a frontend for Network Manager, can either import individual files that you download from mullvad's website (linux configuration), or you can open those files and manually add the values.
The required fields are:
|mullvad config file
|Interface.Address (must split on `,` and interpret the mask value. Same for IPV6)
|Method: Manual (or ignored)
|Peer.Endpoing (must split on `:`)
|Peer.Endpoing (must split on `:`)
Note that there's an easy to miss "Peers" button in the "Wireguard Interface" tab to open the Peers section.
To use multiple peers, you will have to open the `zip` file, and add one peer from each individual file on the Peers dialog. Note that the "Wireguard Interface" and IP tabs will be the same for all the files inside the `zip` archive you got from mullbad.
[NetDev] Name=wg0 Kind=wireguard Description=WireGuard VPN [WireGuard] FirewallMark=0x8888 ListenPort=51820 RouteTable=off PrivateKey=<private key> [WireGuardPeer] PublicKey=<public key> AllowedIPs=0.0.0.0/0 AllowedIPs=::0/0 Endpoint=<ip>:<port>
[Match] Name=wg0 [Network] Address=<ipv4 addr>/32 Address=<ipv6 addr>/128 DNS=<dns> DNSDefaultRoute=yes Domains=~. [RoutingPolicyRule] Family=both SuppressPrefixLength=0 Priority=999 Table=main [RoutingPolicyRule] Family=both FirewallMark=0x8888 InvertRule=true Table=1000 Priority=1000 [Route] Gateway=0.0.0.0 Table=1000 [Route] Gateway=:: Table=1000
For basic kill-switch functionality you can use iptables to block all outgoing connections except those with fwmark 0x8888:
iptables incomplete example
-A OUTPUT -m mark --mark 0x8888 -j ACCEPT -A OUTPUT -j DROP
By default, the Mullvad OpenVPN configurations allow DNS leaks and for usual VPN use cases this is an unfavorable privacy defect. Mullvad's new GUI client automatically stops DNS leaks by removing every DNS server IP from the system configuration and replacing them with an IP pointing out to Mullvad's own non-logging DNS server, valid during the VPN connection. This fix can also be applied with the plain OpenVPN method by configuring resolv.conf to use only the Mullvad DNS server IP specified on their website.
The resolv.conf update script version in openvpn-update-resolv-conf implements a different fix for the leaks by using the exclusive interface switch
-x when running the
resolvconf command, but this might cause another form of DNS leakage by making even every local network address resolve via the DNS server provided by Mullvad, as noted in the script's GitHub issue page.
If you use Mullvad with wireguard remember to install the openresolv package to prevent DNS leaks.
vopono supports automatically generating configuration files for Mullvad, allowing you to instantly run applications via Mullvad connections in temporary network namespaces.
Both OpenVPN and Wireguard connections are supported. Shadowsocks is supported for OpenVPN connections, and port forwarding is supported for Wireguard connections.