Zum Hauptinhalt springen

WireGuard on Linux terminal (easy)

WireGuard Linux Installation Desktop 

Letzte Aktualisierung:

This guide uses our easy configuration file generator and the necessary terminal-based commands to use WireGuard® with Mullvad in Linux.

We also have an advanced terminal-only setup guide.

Option 1: use the Mullvad app

The Mullvad VPN app for Linux uses the WireGuard protocol by default, so all you need to do is to connect.

Option 2: use WireGuard (command-line interface)

1. Install WireGuard

Ubuntu / Debian

This applies to Ubuntu  (using kernel 5.4 or newer). Users with Debian releases older than Debian 11 (Bullseye) should first enable backports. Then install openresolv and wireguard:

sudo apt update && sudo apt install openresolv wireguard

Fedora

This applies to Fedora 32 and newer (using kernel 5.6 or newer).

sudo dnf install wireguard-tools

For other Linux distributions, follow the official installation instructions.

2. Generate a configuration file

Visit our WireGuard configuration file generator. Options include enabling a kill switch and selecting two locations for multihop.

If you are running WireGuard on multiple devices, generate a separate key for each device. You will otherwise likely run into connectivity issues.

For this guide, we have selected Malmö, Sweden (se-mma-wg-001), as our server location. The downloaded config file is named se-mma-wg-001.conf.

Save the downloaded file in your Downloads folder and then move it to the /etc/wireguard folder.

sudo mv se-mma-wg-001.conf /etc/wireguard

Make sure that you have the correct permissions so only root can read them:

sudo chown root:root -R /etc/wireguard && sudo chmod 600 -R /etc/wireguard

3. Connect with WireGuard

As root (sudo su), change directory to /etc/wireguard (cd /etc/wireguard) and run the following command. Replace se-mma-wg-001 with your selected server.

wg-quick up se-mma-wg-001

4. Verify your connection

To verify that WireGuard is working, use our Connection check to check your IP and verify that you don't have any DNS leaks. You can also check that you are connected using this command:

curl https://am.i.mullvad.net/connected

If it doesn't work, make sure that you still have time on your Mullvad account.

You can also check that you get a handshake using the wg command.

wg

Disconnect

Replace "se-mma-wg-001" with the currently connected server.

wg-quick down se-mma-wg-001

Local network sharing

If you enabled the kill switch in the WireGuard configuration file generator then you may get a problem to connect to your local network. You can modify the kill switch in your WireGuard configuration files so it includes an exception for your local network, for example "! -d 192.168.1.0/24". Here is a full example:

PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 192.168.1.0/24 -j REJECT && ip6tables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

Make sure that you have a static route to the local network and that your firewall does not block it.

Multihop with WireGuard

When using our configuration generator in step two, you have the option of enabling Multihop and to select an entry server. Doing so allows your traffic to "hop" from the entry location to the exit location. This can be useful for different reasons, for example to increase your privacy by connecting through different countries or to improve latency/performance in some cases if your ISP has suboptimal peering or routing to the location where you want to exit.

MTU

If your connection does not work properly (in particular with https:// protocol) then set the MTU under the  [Interface] section in the WireGuard configuration file like so:

[Interface]
MTU = 1280

Multihop via SOCKS5 proxies

You can also use our SOCKS5 proxies to multihop. See our SOCKS5 proxy guide. Using this together with the Multihop option in step 2 of this guide will give you an additional hop for a total of three.

Troubleshooting

How do I make WireGuard start automatically on boot?

Run the following command, replacing se-mma-wg-001 with the WireGuard server you wish to use.

systemctl enable wg-quick@se-mma-wg-001

External resources


"WireGuard" is a registered trademark of Jason A. Donenfeld.