WireGuard on Linux terminal (easy)
WireGuard Linux Installation Desktop
Последнее обновление:
This guide uses our easy configuration file generator and the necessary terminal-based commands to use WireGuard® with Mullvad in Linux.
We also have an advanced terminal-only setup guide.
Option 1: use the Mullvad app
The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is to connect.
Option 2: use WireGuard (command-line interface)
1. Install WireGuard
Ubuntu / Debian
This applies to Ubuntu (using kernel 5.4 or newer). Users with Debian releases older than Debian 11 (Bullseye) should first enable backports. Then install openresolv and wireguard:
sudo apt update && sudo apt install openresolv wireguard
Fedora
This applies to Fedora 32 and newer (using kernel 5.6 or newer).
sudo dnf install wireguard-tools
For other Linux distributions, follow the official installation instructions.
2. Generate a configuration file
Visit our WireGuard configuration file generator. Options include enabling a kill switch and selecting two locations for multihop.
If you are running WireGuard on multiple devices, generate a separate key for each device. You will otherwise likely run into connectivity issues.
For this guide, we have selected Malmö, Sweden (se-mma-wg-001), as our server location. The downloaded config file is named se-mma-wg-001.conf.
Save the downloaded file in your Downloads folder and then move it to the /etc/wireguard
folder.
sudo mv se-mma-wg-001.conf /etc/wireguard
Make sure that you have the correct permissions so only root can read them:
sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard
3. Connect with WireGuard
As root (sudo su
), change directory to /etc/wireguard (cd /etc/wireguard
) and run the following command. Replace se-mma-wg-001 with your selected server.
wg-quick up se-mma-wg-001
4. Verify your connection
To verify that WireGuard is working, use our Connection check to check your IP and verify that you don't have any DNS leaks. You can also check that you are connected using this command:
curl https://am.i.mullvad.net/connected
If it doesn't work, make sure that you still have time on your Mullvad account.
You can also check that you get a handshake using the wg command.
wg
Disconnect
Replace "se-mma-wg-001" with the currently connected server.
wg-quick down se-mma-wg-001
Local network sharing
If you enabled the kill switch in the WireGuard configuration file generator then you may get a problem to connect to your local network. You can modify the kill switch in your WireGuard configuration files so it includes an exception for your local network, for example "! -d 192.168.1.0/24
". Here is a full example:
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Make sure that you have a static route to the local network and that your firewall does not block it.
Multihop with WireGuard
When using our configuration generator in step two, you have the option of enabling Multihop and to select an entry server. Doing so allows your traffic to "hop" from the entry location to the exit location. This can be useful for different reasons, for example to increase your privacy by connecting through different countries or to improve latency/performance in some cases if your ISP has suboptimal peering or routing to the location where you want to exit.
MTU
If your connection does not work properly (in particular with https:// protocol) then set the MTU under the [Interface] section in the WireGuard configuration file like so:
[Interface]
MTU = 1280
Multihop via SOCKS5 proxies
You can also use our SOCKS5 proxies to multihop. See our SOCKS5 proxy guide. Using this together with the Multihop option in step 2 of this guide will give you an additional hop for a total of three.
Troubleshooting
How do I make WireGuard start automatically on boot?
Run the following command, replacing se-mma-wg-001 with the WireGuard server you wish to use.
systemctl enable wg-quick@se-mma-wg-001
External resources
- WireGuard homepage
- WireGuard Whitepaper (PDF)
- Installation Instructions
- Quickstart Instructions
- Donate to Upstream WireGuard Development
- Formal Verification of WireGuard Protocol
- wg(8) man page
- wg-quick(8) man page
"WireGuard" is a registered trademark of Jason A. Donenfeld.