Mullvad VPN on Ubuntu Server

Mullvad VPN is a paid service. If it suits your case, below is the 10-step installation and activation procedure for Mullvad VPN on Ubuntu Server. Besides installing it directly on the server, a VPN can also be configured at the router level.

Installation and Setup of Mullvad VPN in 10 Steps

  1. Go to your account's default folder with cd ~ and download the latest Mullvad VPN installation file with wget --content-disposition https://mullvad.net/download/app/deb/latest
  2. Use the command ls to list files in the folder, find the downloaded MullvadVPN-XXXX.X_amd64.deb file and install it with sudo apt install -y ./MullvadVPN-XXXX.X_amd64.deb
  3. Verify that Mullvad VPN is installed with the command mullvad version
  4. Log in to your account using the command mullvad account login <account number>. You can get the account number after logging in / during registration. The final command might look like this: mullvad account login 1234123412341234.
  5. On the Mullvad Servers page, you can review locations (VPN servers) to which you can connect. You can get the same list using the mullvad relay list command.
  6. Select the desired server to connect to using the command mullvad relay set location se mma, where you replace "se" with the country code and "mma" with the city code. For example, for the USA and Los Angeles: mullvad relay set location us lax. With only a country and city set, the client chooses a server in that location automatically. To connect to a specific server, add its full name from the mullvad relay list output, for example mullvad relay set location us lax us-lax-wg-201.
  7. Allow LAN access with the command mullvad lan set allow - this allows access to the PC behind VPN from other devices on the local network.
  8. Connect to the VPN with mullvad connect and disconnect with mullvad disconnect
  9. Set up automatic VPN connection with mullvad auto-connect set on.
  10. Check connection status with mullvad status, and connection logs with journalctl -fu mullvad-daemon.

To upgrade the Mullvad VPN client, repeat steps 1 and 2. You can find all Mullvad CLI commands on the How to use Mullvad Cli page.

Mullvad runs as a system service. As such, you can control it with system commands:

  • sudo systemctl status mullvad-daemon - display service status
  • sudo systemctl stop mullvad-daemon - stop the service
  • sudo systemctl start mullvad-daemon - start the service
  • sudo systemctl enable mullvad-daemon - enable automatic service startup at OS load
  • sudo systemctl disable mullvad-daemon - disable automatic service startup at OS load

The Mullvad account is managed through the command menu mullvad account. For information about the logged-in Mullvad account (device name and Mullvad ID), use the command mullvad account get.

Note: An active VPN might complicate external server access. For remote access to a local server, you can use a local intermediary and remote desktop control software (connect through a local computer on the same network as the server).

For more procedures and tips for Ubuntu Server, refer to the publication Installation, Security, and Management of Ubuntu Server.

VPN Split Tunnel

Split Tunnel allows routing some application or device traffic through an encrypted VPN while letting other applications or devices have direct internet access. This is especially useful for services that don't work as expected with a VPN.

VPN Split Tunnel for NTP service systemd-timesyncd

The systemd-timesyncd daemon is responsible for synchronizing the server's time with accurate world time based on the set time zone. Proper functioning of this daemon is crucial for all time-dependent services, including 2-factor authentication (2FA) to access the server.

  • Check timedatectl Status

    timedatectl status - check systemd-timesyncd daemon status

    The output includes various time-related information. The key lines are NTP service, which should show the status active (you can activate it with timedatectl set-ntp true), and System clock synchronized, which should show the value yes. However, when a VPN is in use the yes value can be misleading: it may date from before the VPN was activated. The issue is that the VPN might block access to NTP servers, preventing time synchronization.

  • Check systemd-timesyncd Service Status

    You can check the service status with systemctl status systemd-timesyncd. The key value of interest is Status. The "Initial synchronization to time server ..." status is normal and indicates functioning. The status also includes the IP address of the NTP server used for time synchronization. The Idle. status is problematic.

  • Test Access to NTP Server IP

    You can also get the NTP server's IP from the timedatectl timesync-status command, which shows detailed time values related to accuracy on the server. The NTP server's IP used by the service is under the Server key. You can test access to the server's IP using the ping command, for example, ping 8.8.8.8. If you can successfully ping the NTP server's IP, the server is reachable. Keep in mind that ping uses ICMP while NTP uses UDP port 123, so the Status value of systemd-timesyncd is the more direct indicator that synchronization works.

  • Setting Up Split Tunnel for VPN When NTP Server Can't Be Pinged

    • Split tunnel needs to be addressed for NTP server if:
      • timedatectl status shows "System clock synchronized: no"
      • systemctl status systemd-timesyncd shows "Status: Idle."
      • you can't ping the NTP server

      You can activate Split Tunnel for any service on the server based on its pid. You can get the PID using the systemctl status systemd-timesyncd command, where the pid number is under the Main PID key.

    • Insert the service's pid into the Mullvad VPN client with one of the following commands, depending on which form your version of the Mullvad CLI accepts:
      mullvad split-tunnel add <pid>
      mullvad split-tunnel pid add <pid>

      Afterward, the service should be excluded from the VPN through Split Tunnel. Check the service status again with systemctl status systemd-timesyncd. The ping will still be unsuccessful, as it is run from your account, not from the excluded service.

    • Additional Useful Commands (each shown in both command forms):
      • mullvad split-tunnel list or mullvad split-tunnel pid list - display all processes excluded from the VPN
      • mullvad split-tunnel delete <pid> or mullvad split-tunnel pid delete <pid> - return a previously excluded process to the VPN
      • mullvad split-tunnel clear or mullvad split-tunnel pid clear - return all previously excluded processes to the VPN
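
The checks above can be combined into a single decision, including the case where System clock synchronized still says yes although systemd-timesyncd is Idle. The script below is an added example, not part of the original procedure; the function names, the verdict names (inactive, blocked, stale, ok) and the sample output are constructed for illustration.

```bash
#!/bin/bash
# Added example (not from the original page). Verdict names are hypothetical.

# field LABEL: print the value that follows "LABEL:" in the text on stdin
field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# timesync_verdict TIMEDATECTL_TEXT TIMESYNCD_TEXT
# Prints one of: inactive | blocked | stale | ok
timesync_verdict() {
    local synced ntp status
    synced=$(printf '%s\n' "$1" | field 'System clock synchronized')
    ntp=$(printf '%s\n' "$1" | field 'NTP service')
    status=$(printf '%s\n' "$2" | field 'Status' | tr -d '"')
    if [ "$ntp" != "active" ]; then
        echo inactive   # NTP service is off: timedatectl set-ntp true
    elif [ "$synced" = "no" ]; then
        echo blocked    # clock not synchronized: split tunnel is needed
    elif [ "$status" = "Idle." ]; then
        echo stale      # "yes" may predate the VPN; the daemon has no server
    else
        echo ok
    fi
}

# main_pid TIMESYNCD_TEXT: print the number under the "Main PID" key
main_pid() {
    printf '%s\n' "$1" | field 'Main PID' | cut -d' ' -f1
}

# Constructed sample output (not captured from a real server)
SAMPLE_TIMEDATECTL='               Local time: Mon 2024-01-01 12:00:00 UTC
System clock synchronized: yes
              NTP service: active'
SAMPLE_TIMESYNCD='● systemd-timesyncd.service - Network Time Synchronization
     Active: active (running)
   Main PID: 612 (systemd-timesyn)
     Status: "Idle."'

echo "verdict: $(timesync_verdict "$SAMPLE_TIMEDATECTL" "$SAMPLE_TIMESYNCD")"
echo "pid to exclude: $(main_pid "$SAMPLE_TIMESYNCD")"
# On a live server:
#   timesync_verdict "$(timedatectl status)" "$(systemctl status systemd-timesyncd)"
```
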

Automatic Time Synchronization Check and Split Tunnel Setup for Mullvad VPN When Time is Not Synchronized

Below is the procedure for creating a mechanism that checks the system time synchronization status at system startup and then at regular intervals. If the time is not synchronized, it sets up a VPN split tunnel for the service that manages time synchronization.

The procedure below determines the PID of the systemd-timesyncd service and subsequently exempts this service from traffic going through the VPN.

  1. Create a file mullvad_split_tunnel_setup.sh
    sudo nano /usr/local/bin/mullvad_split_tunnel_setup.sh
    Copy the code below into the file
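    #!/bin/bash
    # Check the time synchronization status reported by timedatectl
    sync_status=$(timedatectl status | grep -oP 'System clock synchronized: \K\w+')

    if [[ "$sync_status" == "no" ]]; then
        # System time is not synchronized - set split tunnel for systemd-timesyncd service

        # Get the main PID of systemd-timesyncd from systemd itself.
        # pgrep -f can match several command lines; MainPID is a single value, 0 if not running.
        SERVICE_PID=$(systemctl show --property=MainPID --value systemd-timesyncd)

        if [[ -n "$SERVICE_PID" && "$SERVICE_PID" != "0" ]]; then
            # Add PID to Mullvad split tunnel configuration.
            # The exclusion applies to this running process; a restarted service gets a new PID.
            if mullvad split-tunnel add "$SERVICE_PID"; then
                echo "New VPN Split tunnel was set for PID $SERVICE_PID"
            else
                echo "mullvad split-tunnel add failed for PID $SERVICE_PID" >&2
            fi
        else
            echo "Failed to get PID of systemd-timesyncd."
        fi
    else
        echo "System time is synchronized, no need of setting VPN split tunnel"
    fi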
    Make the file executable
    sudo chmod +x /usr/local/bin/mullvad_split_tunnel_setup.sh
  2. Create a systemd service file servertime_sync_check.service, through which the script mullvad_split_tunnel_setup.sh will be executed
    sudo nano /etc/systemd/system/servertime_sync_check.service
    Copy the code below into the file
    [Unit]
    Description=Check time synchronization and setup Mullvad VPN split tunneling if needed
    
    [Service]
    Type=oneshot
    ExecStart=/usr/local/bin/mullvad_split_tunnel_setup.sh
    
    [Install]
    WantedBy=multi-user.target
  3. Create a timer unit file servertime_sync_check.timer
    sudo nano /etc/systemd/system/servertime_sync_check.timer
    Copy the code below into the file
    [Unit]
    Description=Timer to regularly check time synchronization
    
    [Timer]
    # Run every 30 minutes
    OnCalendar=*:0/30
    Persistent=true
    
    [Install]
    WantedBy=timers.target
  4. Reload the changes into the system
    sudo systemctl daemon-reload
  5. Enable automatic start of services at computer startup
    sudo systemctl enable servertime_sync_check.service
    sudo systemctl enable servertime_sync_check.timer
  6. Start the servertime_sync_check.timer service
    sudo systemctl start servertime_sync_check.timer

    The servertime_sync_check.service does not need to be started manually. It is triggered by the servertime_sync_check.timer. Since the directive Persistent=true is used, if any checks were missed (for instance, if the computer was turned off at the time), the check will be performed as soon as the computer starts.

  7. Check the service logs
    journalctl -u servertime_sync_check.service