WireGuard on Linux terminal (advanced)
WireGuard Linux Installation Desktop
Son güncelleme:
This advanced terminal-only guide will show you how to use WireGuard® to connect to Mullvad in Linux.
We also have an easier setup guide which uses our easy configuration file generator.
What this guide covers
- How to install and use WireGuard
- Kill switch
- Local network sharing
- Multihop
- Multihop with SOCKS5 proxies
- FAQ
- External resources
Option 1: use the Mullvad app
The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is connect. After you install it you can use the normal app or the Mullvad command line interface.
Option 2: use WireGuard (command-line interface)
1. Install WireGuard
The following command applies to Debian. For other Linux distributions, follow the offical WireGuard installation instructions.
sudo apt-get update && sudo apt-get install curl jq openresolv wireguard
2. Download our configuration script
Download the mullvad-wg.sh configuration script from the Mullvad GitHub. If you want to verify its authenticity then you can also download the signature file.
curl -o mullvad-wg.sh https://raw.githubusercontent.com/mullvad/mullvad-wg.sh/main/mullvad-wg.sh curl -o mullvad-wg.sh.asc https://raw.githubusercontent.com/mullvad/mullvad-wg.sh/main/mullvad-wg.sh.asc
Verify the signature
curl -o mullvad-code-signing.asc https://mullvad.net/media/mullvad-code-signing.asc gpg --import mullvad-code-signing.asc gpg --verify mullvad-wg.sh.asc
3. Run the configuration script
When you run the script it will ask you to enter your Mullvad account number. Make sure to enter only the numbers without any spaces. It will then download the WireGuard configuration files into the folder /etc/wireguard.
chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh
If you run the script again then it will download the configuration files again using the same WireGuard key (device) as in the existing files. This way you can download files for any new servers since you last ran the script.
If you want to run WireGuard on multiple devices, then create a new WireGuard key for each device. You will otherwise likely run into connectivity issues.
4. Connect with WireGuard
Log in to the root account with su --login
and change directory using cd /etc/wireguard
. Then run the command below but replace se-mma-wg-001 with the server config file that you want to use.
wg-quick up se-mma-wg-001
5. Verify your connection
Check if you are connected to Mullvad:
curl https://am.i.mullvad.net/connected
If it doesn't work, make sure that you still have time on your Mullvad account.
If you have a web browser you can use our Connection check to check your IP and verify that you don't have any DNS leaks.
You can also check that you get a handshake using the wg command.
wg
6. Disconnect
Replace "se-mma-wg-001" with your currently connected server.
wg-quick down se-mma-wg-001
Additional WireGuard options
Kill switch
You can add a kill switch to prevent leaking traffic outside of the WireGuard interface by adding the following lines under the [Interface] section of your WireGuard configuration files. See the section about Local network sharing below first.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
You can view the documentation for this with man wg-quick
.
Local network sharing
If you added the kill switch above then you may have a problem to connect to your local network. You can modify the kill switch so it includes an exception for your local network, by adding for example ! -d 192.168.1.0/24
to exclude that subnet IP range.
PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
Make sure that you have a static route to the local network and that your firewall does not block it.
Multihop
Our WireGuard servers are connected to each other with WireGuard tunnels. This makes it possible to multihop from one server to another.
Multihop can be useful for different reasons, for example to increase your privacy by connecting through two different countries, or to improve latency/performance in some cases if your ISP has suboptimal peering or routing to the location where you want to exit.
How it works
In the WireGuard configuration file the Endpoint port defines the exit server, and the preceding IP-address or hostname defines the entry server: "INSERVER-IP:OUTSERVER-PORT". The PublicKey you have to use is the out (exit) server's.
Example:
[Peer]
PublicKey = UrQiI9ISdPPzd4ARw1NHOPKKvKvxUhjwRjaI0JpJFgM=
Endpoint = 193.138.218.220:3004
AllowedIPs = 0.0.0.0/0, ::/0
In this example, you connect to nl-ams-wg-001 (exit server) via se-mma-wg-001 (entry server). The PublicKey UrQiI9ISdPPzd4ARw1NHOPKKvKvxUhjwRjaI0JpJFgM=
belongs to nl-ams-wg-001 and the port 3004
is the multihop port for nl-ams-wg-001. The IP 193.138.218.220
belongs to se-mma-wg-001.
Make a multihop configuration file
You can make a multihop configuration file by editing an existing configuration file. You can use a text editor or the command below.
When you click on a server on our Servers page it will show its multihop port and WireGuard key.
The command below edits the existing configuration file for nl-ams-wg-001, so it has the PublicKey for that and it will be the exit server. It changes the Endpoint to 193.138.218.220:3004
and saves it to a new configuration file (se-mma-nl-ams.conf).
sudo sh -c "umask 077; sed 's/^Endpoint.*/Endpoint = 193.138.218.220:3004/' /etc/wireguard/nl-ams-wg-001.conf > /etc/wireguard/se-mma-nl-ams.conf"
Note: The configuration file name has to be no more than 15 characters long (not including ".conf").
MTU
If your connection does not work properly (in particular with https:// protocol) then set the MTU under the [Interface] section in the WireGuard configuration file like so:
[Interface]
MTU = 1280
Multihop with SOCKS5 proxies
You can also use our SOCKS5 proxies to multihop. See our SOCKS5 proxy guide. Using this together with a multihop config file will give you an additional hop for a total of three.
FAQ
How do I make WireGuard start automatically on boot?
Run the following command, replacing se-mma-wg-001 with the WireGuard server you wish to use.
systemctl enable wg-quick@se-mma-wg-001
I get an error message from wg-quick: "does not exist"
Make sure that the configuration file name is no more than 15 characters long (not including ".conf").
External resources
- WireGuard homepage
- WireGuard Whitepaper (PDF)
- Installation Instructions
- Quickstart Instructions
- Donate to Upstream WireGuard Development
- Formal Verification of WireGuard Protocol
- wg(8) man page
- wg-quick(8) man page
"WireGuard" is a registered trademark of Jason A. Donenfeld.