Installation and Setup of Mullvad VPN in 10 Steps
- Go to your account's default folder with
cd ~and download the latest Mullvad VPN installation file withwget --content-disposition https://mullvad.net/download/app/deb/latest - Use the command
lsto list files in the folder, find the downloaded MullvadVPN-XXXX.X_amd64.deb file and install it withsudo apt install -y ./MullvadVPN-XXXX.X_amd64.deb - Verify that Mullvad VPN is installed with the command
mullvad version - Login to your account using the command
mullvad account login <account number>. You can get the account number after logging in / during registration. The final command might look like this:mullvad account login 1234123412341234. - On the Mullvad Servers page, you can review locations (VPN servers) to which you can connect. You can get the same list using the
mullvad relay listcommand. - Select the desired server to connect using the command
mullvad relay set location se mma, where you replace "se" with the country and "mma" with the city. You can also use the full server name from the Mullvad listmullvad relay list. For example, for the USA and Los Angeles:mullvad relay set location us lax, or if you prefer to let the client choose automatically, or connect to a specific server, seemullvad relay set location cz prg us-lax-wg-201. - Allow LAN access with the command
mullvad lan set allow- this allows access to the PC behind VPN from other devices on the local network. - Connect to the VPN with
mullvad connectand disconnect withmullvad disconnect - Set up automatic VPN connection with
mullvad auto-connect set on. - Check connection status with
mullvad status, and connection logs withjournalctl -fu mullvad-daemon.
To upgrade the Mullvad VPN client, repeat steps 1 and 2. You can find all Mullvad CLI commands on the How to use Mullvad Cli page.
Mullvad runs as a system service. As such, you can control it with system commands:
sudo systemctl status mullvad-daemon- display service statussudo systemctl stop mullvad-daemon- stop the servicesudo systemctl start mullvad-daemon- start the servicesudo systemctl enable mullvad-daemon- enable automatic service startup at OS loadsudo systemctl disable mullvad-daemon- disable automatic service startup at OS load
The Mullvad account is managed through the command menu mullvad account, for information about the logged-in Mullvad account (device name and Mullvad ID) use the command mullvad account get.
Note: An active VPN might complicate external server access. For remote access to a local server, you can use a local intermediary and remote desktop control software (connect through a local computer on the same network as the server).
For more procedures and tips for Ubuntu Server, refer to the publication Installation, Security, and Management of Ubuntu Server.
VPN Split Tunnel
Split Tunnel allows routing some application or device traffic through an encrypted VPN while letting other applications or devices have direct internet access. This is especially useful for services that don't work as expected with a VPN.
VPN Split Tunnel for NTP service systemd-timesyncd
systemd-timesyncd daemon is responsible for synchronizing the server's time with accurate world time based on the set time zone. Proper functioning of this daemon is crucial for all time-dependent services, including 2-factor authentication (2FA) to access the server.
Check
timedatectlStatustimedatectl status- check systemd-timesyncd daemon statusThe output includes various time-related information. Key lines are
NTP servicewithactivestatus (you can activate it withtimedatectl set-ntp true) and then the lineSystem clock synchronizedwith a value ofyes. However, theyesstatus might be odd in the case of using a VPN - it could be from the time before VPN activation. The issue is that the VPN might block access to NTP servers, preventing time synchronization.Check
systemd-timesyncdService StatusYou can check the service status with
systemctl status systemd-timesyncd. The key value of interest isStatus. The "Initial synchronization to time server ..." status is normal and indicates functioning. The status also includes the IP address of the NTP server used for time synchronization. TheIdle.status is problematic.-
Test Access to NTP Server IP
You can also get the NTP server's IP from the
timedatectl timesync-statuscommand, which shows detailed time values related to accuracy on the server. The NTP server's IP used by the service is under theServerkey. You can test access to the server's IP using thepingcommand, for example,ping 8.8.8.8. If you can successfully ping the NTP server's IP, everything is fine. -
Setting Up Split Tunnel for VPN When NTP Server Can't Be Pinged
- Split tunnel needs to be addressed for NTP server if:
timedatectl statusshows "System clock synchronized: no"systemctl status systemd-timesyncdshows "Status: Idle."- you can't ping the NTP server
You can activate Split Tunnel for any service on the server based on its
pid. You can get the PID using thesystemctl status systemd-timesyncdcommand, where thepidnumber is under theMain PIDkey. -
Insert the service's
pidinto the Mullvad VPN client with:
Ver 2023.6 +mullvad split-tunnel add <pid>Prior vermullvad split-tunnel pid add <pid>Afterward, the service should be excluded from the VPN through Split Tunnel. Check the service status again with
systemctl status systemd-timesyncd. The ping will still be unsuccessful as it's being done from your account, not the excluded service's account. -
Additional Useful Commands:
Ver 2023.6 +mullvad split-tunnel list- Display all excluded services from VPNmullvad split-tunnel delete <pid>- Revert a previously excluded process from VPNmullvad split-tunnel clear- Restore all previously excluded processes
Prior vermullvad split-tunnel pid list- Display all excluded services from VPNmullvad split-tunnel pid delete <pid>- Revert a previously excluded process from VPNmullvad split-tunnel pid clear- Restore all previously excluded processes
- Other commands
- Split tunnel needs to be addressed for NTP server if: