Installation and Setup of Mullvad VPN in 10 Steps
- Go to your account's default folder with
cd ~
and download the latest Mullvad VPN installation file withwget --content-disposition https://mullvad.net/download/app/deb/latest
- Use the command
ls
to list files in the folder, find the downloaded MullvadVPN-XXXX.X_amd64.deb file and install it withsudo apt install -y ./MullvadVPN-XXXX.X_amd64.deb
- Verify that Mullvad VPN is installed with the command
mullvad version
- Login to your account using the command
mullvad account login <account number>
. You can get the account number after logging in / during registration. The final command might look like this:mullvad account login 1234123412341234
. - On the Mullvad Servers page, you can review locations (VPN servers) to which you can connect. You can get the same list using the
mullvad relay list
command. - Select the desired server to connect using the command
mullvad relay set location se mma
, where you replace "se" with the country and "mma" with the city. You can also use the full server name from the Mullvad listmullvad relay list
. For example, for the USA and Los Angeles:mullvad relay set location us lax
, or if you prefer to let the client choose automatically, or connect to a specific server, seemullvad relay set location cz prg us-lax-wg-201
. - Allow LAN access with the command
mullvad lan set allow
- this allows access to other devices on the local network even when you're behind the VPN. - Connect to the VPN with
mullvad connect
and disconnect withmullvad disconnect
- Set up automatic VPN connection with
mullvad auto-connect set on
. - Check connection status with
mullvad status
, and connection logs withjournalctl -fu mullvad-daemon
.
To upgrade the Mullvad VPN client, repeat steps 1 and 2. You can find all Mullvad CLI commands on the How to use Mullvad Cli page.
Mullvad runs as a system service. As such, you can control it with system commands:
sudo systemctl status mullvad-daemon
- display service statussudo systemctl stop mullvad-daemon
- stop the servicesudo systemctl start mullvad-daemon
- start the servicesudo systemctl enable mullvad-daemon
- enable automatic service startup at OS loadsudo systemctl disable mullvad-daemon
- disable automatic service startup at OS load
Note: An active VPN might complicate external server access. For remote access to a local server, you can use a local intermediary and remote desktop control software (connect through a local computer on the same network as the server).
For more procedures and tips for Ubuntu Server, refer to the publication Installation, Security, and Management of Ubuntu Server.
VPN Split Tunnel
Split Tunnel allows routing some application or device traffic through an encrypted VPN while letting other applications or devices have direct internet access. This is especially useful for services that don't work as expected with a VPN.
VPN Split Tunnel for NTP service systemd-timesyncd
systemd-timesyncd
daemon is responsible for synchronizing the server's time with accurate world time based on the set time zone. Proper functioning of this daemon is crucial for all time-dependent services, including 2-factor authentication (2FA) to access the server.
Check
timedatectl
Statustimedatectl status
- check systemd-timesyncd daemon statusThe output includes various time-related information. Key lines are
NTP service
withactive
status (you can activate it withtimedatectl set-ntp true
) and then the lineSystem clock synchronized
with a value ofyes
. However, theyes
status might be odd in the case of using a VPN - it could be from the time before VPN activation. The issue is that the VPN might block access to NTP servers, preventing time synchronization.Check
systemd-timesyncd
Service StatusYou can check the service status with
systemctl status systemd-timesyncd
. The key value of interest isStatus
. The "Initial synchronization to time server ..." status is normal and indicates functioning. The status also includes the IP address of the NTP server used for time synchronization. TheIdle.
status is problematic.-
Test Access to NTP Server IP
You can also get the NTP server's IP from the
timedatectl timesync-status
command, which shows detailed time values related to accuracy on the server. The NTP server's IP used by the service is under theServer
key. You can test access to the server's IP using theping
command, for example,ping 8.8.8.8
. If you can successfully ping the NTP server's IP, everything is fine. -
Setting Up Split Tunnel for VPN When NTP Server Can't Be Pinged
- Split tunnel needs to be addressed for NTP server if:
timedatectl status
shows "System clock synchronized: no"systemctl status systemd-timesyncd
shows "Status: Idle."- you can't ping the NTP server
You can activate Split Tunnel for any service on the server based on its
pid
. You can get the PID using thesystemd-timesyncd
command, where thepid
number is under theMain PID
key. -
Insert the service's
pid
into the Mullvad VPN client withmullvad split-tunnel pid add <pid>
. Afterward, the service should be excluded from the VPN through Split Tunnel. Check the service status again withsystemctl status systemd-timesyncd
. The ping will still be unsuccessful as it's being done from your account, not the excluded service's account. -
Additional Useful Commands:
mullvad split-tunnel pid list
- Display all excluded services from VPNmullvad split-tunnel pid delete <pid>
- Revert a previously excluded process from VPNmullvad split-tunnel pid clear
- Restore all previously excluded processes
- Split tunnel needs to be addressed for NTP server if: