Encrypted Internet with WireGuard


How to install and configure WireGuard on Manjaro Linux, a step-by-step guide.

One of the motivations behind dual-booting Linux on my MacBook Pro was to take back control of my personal data. Not just because Apple uses faux encryption on iCloud. And not because macOS has been shown to leave users open to eavesdropping exploits. But because when I use my Mac with macOS the operating system gratuitously beams out activity records[1], sharing information I’d rather keep private with people I don’t personally know nor have I ever met. And without the ability to shut it off, I find my privacy – the sentient and autonomous nature of my very being – constantly under attack.

In many instances, privacy is threatened not by singular egregious acts, but by a slow series of relatively minor acts which gradually begin to add up.

I've Got Nothing to Hide and Other Misunderstandings of Privacy

In this short guide I’ll show you how to encrypt and route your local Internet traffic through a fast, modern, and secure VPN tunnel called WireGuard using a free and open source operating system called Manjaro Linux. I will explain how to install WireGuard on Manjaro, share a simple means of establishing and testing an encrypted Internet connection, and leave you with next steps and personal experience to help further your understanding and gain confidence getting started.

2019-09-04: Mullvad started offering 10% off purchases made with Bitcoin.

I see that Jason actually made the pull request to have wireguard included in the kernel. Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.

Linus Torvalds, LKML (2 Aug 2018)

Follow along if you’re ready to take back control of your personal data too.

Install WireGuard

Unlike other VPN tunnels WireGuard runs entirely in the kernel. Currently it runs as a kernel module using DKMS. To start using it download and install the linux-headers package for module support, and also install the wireguard-dkms module and tools:

sudo pacman -S linux-headers wireguard-dkms wireguard-tools

Tip: Run uname -r or mhwd-kernel -li to check your current kernel version.

The DKMS module will activate itself during post-transaction hooks. If you have multiple kernels installed, expect to see Missing kernel headers appear for some kernels until headers for those kernels are installed (optional).

To confirm the DKMS module installation, run:

dkms status

You should see output like:

wireguard, 0.0.20190227, 5.0.5-1-MANJARO, x86_64: installed

If you do, installation is complete. Otherwise, run sudo modprobe wireguard to check for errors and be sure you install headers for the current kernel.

Note: A reader pointed out a reboot may be necessary for DKMS to work.

Visit the Manjaro Kernels wiki for info on managing kernels and how to switch between them. If you run into issues, head to the Manjaro Forums for help.

Connection Setup

Before you can tunnel anywhere you need a VPN gateway. There are literally hundreds of options to choose from. But for simplicity we’ll use Mullvad, chosen for its ease-of-use, reasonable privacy and Bitcoin payment support.

Start by solving a math problem to generate a Mullvad account number. From here you’ll have 3 hours on this account to try out Mullvad for free.

Take note of your account number, then navigate to the WireGuard config generator and enter your desired settings. If you’re not sure what to enter, try:

  • Enter Account number generated
  • Leave Platform as Linux
  • Leave Key pair as Generate new key pair
  • Select Server location of your choice (e.g. Hong Kong)
  • Select Multihop server if desired (e.g. Singapore)
  • Expand Advanced settings and enable Kill switch

From there choose Download. Mullvad will give you a conf file based on your config settings. Save the file to Downloads, then modify its file permissions:

cd ~/Downloads && \
sudo chown root:root mullvad*.conf && \
sudo chmod 600 mullvad*.conf

Caution: The config contains your private key so best try not to share it.

Next run ls -al | grep mullvad to confirm ownership and file permissions:

-rw-------  1 root   root       720 Apr 16 15:45 mullvadsg1hk1.conf

Then move the file to the protected /etc/wireguard directory:

sudo mv mullvad*.conf /etc/wireguard

Now bring up the interface with the wg-quick tool installed earlier:

wg-quick up mullvadsg1hk1

You should see output like:

[#] ip link add mullvadsg1hk1 type wireguard
[#] wg setconf mullvadsg1hk1 /dev/fd/63
[#] ip address add 10.99.36.73/32 dev mullvadsg1hk1
[#] ip address add fc00:bbbb:bbbb:bb01::2449/128 dev mullvadsg1hk1
[#] ip link set mtu 1420 up dev mullvadsg1hk1
[#] resolvconf -a mullvadsg1hk1 -m 0 -x
[#] wg set mullvadsg1hk1 fwmark 51820
[#] ip -6 route add ::/0 dev mullvadsg1hk1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev mullvadsg1hk1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables -I OUTPUT ! -o mullvadsg1hk1 -m mark ! --mark $(wg show mullvadsg1hk1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o mullvadsg1hk1 -m mark ! --mark $(wg show mullvadsg1hk1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

In my case I saw errors the first time I ran it:

[#] resolvconf -a mullvadsg1hk1 -m 0 -x
Error: ipv4: FIB table does not exist.
Dump terminated
Error: ipv6: FIB table does not exist.
Dump terminated
[#] wg set mullvadsg1hk1 fwmark 51820

After bringing the interface down and back up the errors stopped.
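
The ownership, permission and kill-switch checks from this section can be scripted so they are repeatable before every wg-quick up. This is an added example, not part of the original guide; the function names are hypothetical, and it assumes GNU stat and that the kill switch is stored as a PostUp line in the config.

```sh
#!/bin/sh
# Added example (not from the original guide): audit a wg-quick config file.
# Usage: sudo sh check_wg_conf.sh /etc/wireguard/*.conf
# Assumes GNU coreutils `stat -c`, as shipped with Manjaro.

# Return 0 if FILE is a regular file, owned by EXPECTED_UID (default 0 = root),
# with no group/other permission bits, and actually holds a PrivateKey line.
check_wg_conf() {
    conf=$1; want_uid=${2:-0}; rc=0
    if [ -L "$conf" ] || [ ! -f "$conf" ]; then
        echo "FAIL $conf: not a regular file (symlink or missing)" >&2
        return 1
    fi
    mode=$(stat -c %a "$conf")   # octal mode, e.g. 600
    uid=$(stat -c %u "$conf")    # numeric owner
    case $mode in
        0|*00) ;;                # nothing granted to group or other
        *) echo "FAIL $conf: mode $mode exposes the key to group/other" >&2; rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL $conf: owner uid $uid, expected $want_uid" >&2; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf"; then
        echo "FAIL $conf: no PrivateKey line found" >&2; rc=1
    fi
    return $rc
}

# Heuristic (assumption): the kill switch is a PostUp line that inserts a
# REJECT or DROP rule, like the iptables command wg-quick prints on `up`.
has_kill_switch() {
    grep -Eq '^[[:space:]]*PostUp[[:space:]]*=.*-j[[:space:]]+(REJECT|DROP)' "$1"
}

# Audit every file named on the command line; do nothing when there are none.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_wg_conf "$f" || status=1
        has_kill_switch "$f" || echo "WARN $f: no kill-switch PostUp rule found" >&2
    done
    exit $status
fi
```

Copying the download with sudo install -o root -g root -m 600 sets the owner and mode as the file is placed in /etc/wireguard, which avoids a separate chown, chmod and mv.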

Heads Up! Mullvad docs suggest Debian and Ubuntu users install openresolv to avoid DNS leaks caused by a Debian bug identified and ticketed by the creator of WireGuard. In Manjaro openresolv should be installed already.

With your interface up, point a browser at am.i.mullvad.net. You should see:

Am I Mullvad?
Screenshot of the Mullvad connection checker from Firefox on Manjaro Linux.

If you don’t see a success, go back and try to debug or figure out if you did something wrong. Don’t worry as you’ve got some time. Once your three free hours of Mullvad service are up you can return to solve another math problem, generate a new account number and repeat the connection setup.

Starting and Stopping

Unless configured as a system service and automatically run on start-up you’ll need to manually start your WireGuard connection each time you wish to connect. The following video shows you how to start and stop WireGuard from Terminal:

Once started, confirm the WireGuard interface is working by using tcpdump (requires install). Run it as a privileged user and wait a moment for it to log connection details. If it’s working, you should see only UDP connections in the output.
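
One way to make the tcpdump check stricter is to invert it: capture everything that is not tunnel traffic and expect silence. The following is an added example, not part of the original guide; the helper names are hypothetical, eth0 stands in for your physical interface, and the sample input is constructed.

```sh
#!/bin/sh
# Added example (not from the original guide). Helper names are hypothetical.

# stdin: output of `wg show <iface> endpoints`, one "<pubkey><TAB><ip>:<port>"
# line per peer (IPv6 endpoints are written [addr]:port).
# stdout: a pcap filter matching everything EXCEPT ARP and the tunnel's own
# UDP packets, so anything tcpdump prints with it travelled outside the tunnel.
wg_leak_filter() {
    awk -F'\t' '
        $2 == "" || $2 == "(none)" { next }        # peer has no endpoint yet
        {
            port = $2; sub(/^.*:/, "", port)       # text after the last colon
            host = $2; sub(/:[0-9]+$/, "", host)   # strip the trailing :port
            sub(/^\[/, "", host); sub(/\]$/, "", host)   # unwrap [IPv6]
            clause = "(udp and host " host " and port " port ")"
            f = (f == "") ? clause : f " or " clause
        }
        END {
            if (f == "") exit 1                    # no endpoint: refuse to guess
            print "not (arp or " f ")"
        }'
}

# stdin: output of `wg show <iface> latest-handshakes` ("<pubkey><TAB><epoch>").
# $1 = current epoch seconds, $2 = max age in seconds (default 180, the time
# after which WireGuard stops using a session key).
# Returns 0 only if every peer completed a handshake within that window.
wg_handshake_fresh() {
    awk -F'\t' -v now="$1" -v max="${2:-180}" '
        { n++; if ($2 == 0 || now - $2 > max) stale++ }
        END { exit ((n == 0 || stale > 0) ? 1 : 0) }'
}

# Constructed sample input (documentation address, placeholder key).
sample_endpoints=$(printf 'CONSTRUCTED_PEER_KEY=\t203.0.113.5:51820\n')
printf '%s\n' "$sample_endpoints" | wg_leak_filter

# Live use:
#   sudo tcpdump -ni eth0 -Q out "$(sudo wg show mullvadsg1hk1 endpoints | wg_leak_filter)"
#   sudo wg show mullvadsg1hk1 latest-handshakes | wg_handshake_fresh "$(date +%s)"
```

With the tunnel up, the tcpdump command should stay quiet apart from local housekeeping traffic on your LAN. A stale handshake on an otherwise idle tunnel is normal and refreshes as soon as traffic flows.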

Personal Experience

Based on three weeks using Mullvad my WireGuard experience has been good. I purchased my account in Bitcoin Cash using the Bitcoin.com wallet downloaded from the Aurora Store and registration with Mullvad was near instant. From Terminal I can see WireGuard handshakes and transfer using the wg show command. I’ve also gone back and generated a QR code to use the WireGuard app on my EMUI/Android device since Mullvad allows up to 5 keys to be generated at one time.

From a speed perspective WireGuard is the fastest encryption protocol I’ve ever used, period. In fact, it’s so fast I’ve been using it in combination with Tor to surf the ZeroNet. On the surface Web I have encountered a site here and there I couldn’t access. But that’s okay by me as they are few and far between.

Based on some info I saw in the Manjaro forums it’s possible to start WireGuard automatically with the system as it starts using systemctl but I haven’t had a lot of luck with it yet. It’s easy enough, however, to simply Ctrl+R from Terminal after a system restart and type wg-q followed by Ctrl+R again to traverse bash history for WireGuard commands used previously.

Finally, when using with Tor, I’ve noticed Mullvad cannot determine WireGuard is in use, which makes sense given it’s an anonymizing overlay. In these cases I use sudo wg show to check if WireGuard is running and sometimes use tcpdump to confirm all data is being transported over UDP.

Next Steps

Now that you’ve seen how easy it is to encrypt your Internet connection with WireGuard and Manjaro try using what you’ve learned here to connect securely to ZeroNet using Tor Browser so you can start Surfing the Uncensorable Web:

Surfing ZeroNet using Tor may be combined with WireGuard.

Additional Resources

Now that you’ve seen how easy it is to get encrypted Internet with WireGuard and Manjaro take time to use it to explore the Mullvad docs, including their guides on Privacy and using BitTorrent. As a privacy company they’re going to have some good stuff. When you’re finished, enhance your understanding with:

There’s a ton to grok so take your time learning and enjoy taking it all in. And once you’ve absorbed all that check out some of the related content below.

Summary

In this short guide I showed you how to encrypt and route your local Internet traffic through a fast, modern, and secure VPN tunnel called WireGuard using a free and open source operating system called Manjaro Linux. I explained how to install WireGuard on Manjaro, shared a simple means of establishing and testing an encrypted Internet connection, and left you with next steps and personal experience to help further your understanding and gain confidence getting started.

Remember, the Internet is still young and this is a delicate time. And no thanks to the reptilian instincts of corporate greed your very free will as you know it may be in jeopardy. So secure yourself online and start digging your tunnel.

Please use this opportunity to safeguard your personal data with WireGuard.


  1. In the words of Edward Snowden in regards to collection of metadata.