Mullvad VPN on Ubuntu Server

Author: Vlad Nepor
Published on

VPN is a paid service. If desired for your case, below is the 10-step installation and activation procedure for Mullvad VPN on Ubuntu server. Except for installation directly on the server, VPN can also be configured at the router level.

Installation and Setup of Mullvad VPN in 10 Steps

  1. Go to your account's default folder with cd ~ and download the latest Mullvad VPN installation file with wget --content-disposition https://mullvad.net/download/app/deb/latest
  2. Use the command ls to list files in the folder, find the downloaded MullvadVPN-XXXX.X_amd64.deb file and install it with sudo apt install -y ./MullvadVPN-XXXX.X_amd64.deb
  3. Verify that Mullvad VPN is installed with the command mullvad version
  4. Login to your account using the command mullvad account login <account number>. You can get the account number after logging in / during registration. The final command might look like this: mullvad account login 1234123412341234.
  5. On the Mullvad Servers page, you can review locations (VPN servers) to which you can connect. You can get the same list using the mullvad relay list command.
  6. Select the desired server to connect using the command mullvad relay set location se mma, where you replace "se" with the country and "mma" with the city. You can also use the full server name from the Mullvad list mullvad relay list. For example, for the USA and Los Angeles: mullvad relay set location us lax, or if you prefer to let the client choose automatically, or connect to a specific server, see mullvad relay set location cz prg us-lax-wg-201.
  7. Allow LAN access with the command mullvad lan set allow - this allows access to other devices on the local network even when you're behind the VPN.
  8. Connect to the VPN with mullvad connect and disconnect with mullvad disconnect
  9. Set up automatic VPN connection with mullvad auto-connect set on.
  10. Check connection status with mullvad status, and connection logs with journalctl -fu mullvad-daemon.

To upgrade the Mullvad VPN client, repeat steps 1 and 2. You can find all Mullvad CLI commands on the How to use Mullvad Cli page.

Mullvad runs as a system service. As such, you can control it with system commands:

  • sudo systemctl status mullvad-daemon - display service status
  • sudo systemctl stop mullvad-daemon - stop the service
  • sudo systemctl start mullvad-daemon - start the service
  • sudo systemctl enable mullvad-daemon - enable automatic service startup at OS load
  • sudo systemctl disable mullvad-daemon - disable automatic service startup at OS load

Note: An active VPN might complicate external server access. For remote access to a local server, you can use a local intermediary and remote desktop control software (connect through a local computer on the same network as the server).

For more procedures and tips for Ubuntu Server, refer to the publication Installation, Security, and Management of Ubuntu Server.

VPN Split Tunnel

Split Tunnel allows routing some application or device traffic through an encrypted VPN while letting other applications or devices have direct internet access. This is especially useful for services that don't work as expected with a VPN.

VPN Split Tunnel for NTP service systemd-timesyncd

systemd-timesyncd daemon is responsible for synchronizing the server's time with accurate world time based on the set time zone. Proper functioning of this daemon is crucial for all time-dependent services, including 2-factor authentication (2FA) to access the server.

  • Check timedatectl Status

    timedatectl status - check systemd-timesyncd daemon status

    The output includes various time-related information. Key lines are NTP service with active status (you can activate it with timedatectl set-ntp true ) and then the line System clock synchronized with a value of yes. However, the yes status might be odd in the case of using a VPN - it could be from the time before VPN activation. The issue is that the VPN might block access to NTP servers, preventing time synchronization.

  • Check systemd-timesyncd Service Status

    You can check the service status with systemctl status systemd-timesyncd. The key value of interest is Status. The "Initial synchronization to time server ..." status is normal and indicates functioning. The status also includes the IP address of the NTP server used for time synchronization. The Idle. status is problematic.

  • Test Access to NTP Server IP

    You can also get the NTP server's IP from the timedatectl timesync-status command, which shows detailed time values related to accuracy on the server. The NTP server's IP used by the service is under the Server key. You can test access to the server's IP using the ping command, for example, ping 8.8.8.8. If you can successfully ping the NTP server's IP, everything is fine.

  • Setting Up Split Tunnel for VPN When NTP Server Can't Be Pinged

    • Split tunnel needs to be addressed for NTP server if:
      • timedatectl status shows "System clock synchronized: no"
      • systemctl status systemd-timesyncd shows "Status: Idle."
      • you can't ping the NTP server

      You can activate Split Tunnel for any service on the server based on its pid. You can get the PID using the systemd-timesyncd command, where the pid number is under the Main PID key.

    • Insert the service's pid into the Mullvad VPN client with mullvad split-tunnel pid add <pid>. Afterward, the service should be excluded from the VPN through Split Tunnel. Check the service status again with systemctl status systemd-timesyncd. The ping will still be unsuccessful as it's being done from your account, not the excluded service's account.
    • Additional Useful Commands:
      • mullvad split-tunnel pid list - Display all excluded services from VPN
      • mullvad split-tunnel pid delete <pid> - Revert a previously excluded process from VPN
      • mullvad split-tunnel pid clear - Restore all previously excluded processes