Encrypted Internet with WireGuard and Manjaro Linux


How to install and configure WireGuard on Linux Manjaro, a step-by-step guide.

One of the motivations behind dual-booting Linux on my MacBook Pro was to take back control of my personal data. Not just because Apple uses faux encryption on iCloud. And not because macOS has been shown to leave users open to eavesdropping exploits. But because when I use my Mac with macOS the operating system gratuitously beams out activity records[1], sharing information I’d rather keep private with people I don’t personally know nor have I ever met. And without the ability to shut it off, I find my privacy – the sentient and autonomous nature of my very being – constantly under attack.

In many instances, privacy is threatened not by singular egregious acts, but by a slow series of relatively minor acts which gradually begin to add up.

I've Got Nothing to Hide and Other Misunderstandings of Privacy

In this short guide I’ll show you how to encrypt and route your local Internet traffic through a fast, modern, and secure VPN tunnel called WireGuard using a free and open source operating system called Manjaro Linux. I will explain how to install WireGuard on Manjaro, share a simple means of establishing and testing an encrypted Internet connection, and leave you with next steps and personal experience to help further your understanding and gain confidence getting started.

I see that Jason actually made the pull request to have wireguard included in the kernel. Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn't perfect, but I've skimmed it, and compared to the horrors that are OpenVPN and IPSec, it's a work of art.

Linus Torvalds, LKML (2 Aug 2018)

Follow along if you’re ready to take back control of your personal data too.

Install WireGuard

Unlike other VPN tunnels WireGuard runs entirely in the kernel. Currently it runs as a kernel module using DKMS. To start using it download and install the linux-headers package for module support, and also install the wireguard-dkms module and tools:

sudo pacman -S linux-headers wireguard-dkms wireguard-tools
Tip: Run uname -r or mhwd-kernel -li to check your current kernel version.

The DKMS module will activate itself during post-transaction hooks. If you have multiple kernels installed, expect to see Missing kernel headers appear for some kernels until headers for those kernels are installed (optional).

To confirm the DKMS module installation, run:

dkms status

You should see output like:

wireguard, 0.0.20190227, 5.0.5-1-MANJARO, x86_64: installed

If you do, installation is complete. Otherwise, run sudo modprobe wireguard to check for errors and be sure you install headers for the current kernel.


Visit the Manjaro Kernels wiki for info on managing kernels and how to switch between them. If you run into issues, head to the Manjaro Forums for help.

Connection Setup

Before you can tunnel anywhere you need a VPN gateway. There are literally hundreds of options to choose from. But for simplicity we’ll use Mullvad, chosen for its ease-of-use, reasonable privacy and Bitcoin payment support.

Start by solving a math problem to generate a Mullvad account number. From here you’ll have 3 hours on this account to try out Mullvad for free.

Take note of your account number then navigate to WireGuard config generator and enter your desired settings. If you’re not sure what to enter try:

  • Enter Account number generated
  • Leave Platform as Linux
  • Leave Key pair as Generate new key pair
  • Select Server location of your choice (e.g. Hong Kong)
  • Select Multihop server if desired (e.g. Singapore)
  • Expand Advanced settings and enable Kill switch

From there choose Download. Mullvad will give you a conf file based on your config settings. Save the file to Downloads then modify its file permissions:

cd ~/Downloads && \
sudo chown root:root mullvad*.conf && \
sudo chmod 600 mullvad*.conf
Caution: The config contains your private key so best try not to share it.

Next run ls -al | grep mullvad to confirm ownership and file permissions:

-rw-------  1 root   root       720 Apr 16 15:45 mullvadsg1hk1.conf

Then move the file to the protected /etc/wireguard directory:

sudo mv mullvad*.conf /etc/wireguard

Now bring up the interface with the wg-quick tool installed earlier:

wg-quick up mullvadsg1hk1

You should see output like:

[#] ip link add mullvadsg1hk1 type wireguard
[#] wg setconf mullvadsg1hk1 /dev/fd/63
[#] ip address add 10.99.36.73/32 dev mullvadsg1hk1
[#] ip address add fc00:bbbb:bbbb:bb01::2449/128 dev mullvadsg1hk1
[#] ip link set mtu 1420 up dev mullvadsg1hk1
[#] resolvconf -a mullvadsg1hk1 -m 0 -x
[#] wg set mullvadsg1hk1 fwmark 51820
[#] ip -6 route add ::/0 dev mullvadsg1hk1 table 51820
[#] ip -6 rule add not fwmark 51820 table 51820
[#] ip -6 rule add table main suppress_prefixlength 0
[#] ip -4 route add 0.0.0.0/0 dev mullvadsg1hk1 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
[#] iptables -I OUTPUT ! -o mullvadsg1hk1 -m mark ! --mark $(wg show mullvadsg1hk1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT && ip6tables -I OUTPUT ! -o mullvadsg1hk1 -m mark ! --mark $(wg show mullvadsg1hk1 fwmark) -m addrtype ! --dst-type LOCAL -j REJECT

In my case I saw errors the first time I ran it:

[#] resolvconf -a mullvadsg1hk1 -m 0 -x
Error: ipv4: FIB table does not exist.
Dump terminated
Error: ipv6: FIB table does not exist.
Dump terminated
[#] wg set mullvadsg1hk1 fwmark 51820

After bringing the interface down and back up the errors stopped.

Heads Up! Mullvad docs suggest Debian and Ubuntu users install openresolv to avoid DNS leaks caused by a Debian bug identified and ticketed by the creator of WireGuard. In Manjaro openresolv should be installed already.

With your interface up, point a browser at am.i.mullvad.net. You should see:

Am I Mullvad?
Screenshot of the Mullvad connection checker from Firefox on Manjaro Linux.

If you don’t see a success, go back and try to debug or figure out if you did something wrong. Don’t worry as you’ve got some time. Once your three free hours of Mullvad service are up you can return to solve another math problem, generate a new account number and repeat the connection setup.
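The properties this setup relies on (a root-only config file, a DNS line, both default routes and the kill switch rule) can be checked from the config itself. The following is an added example, not part of the original guide or of WireGuard or Mullvad; the function name `audit_wg_conf` and the sample values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: static audit of a wg-quick config before `wg-quick up`.
# Usage: audit_wg_conf FILE [OWNER_UID]  (uid defaults to 0, i.e. root).
# Prints one line per finding; the return status is the number of findings.
audit_wg_conf() {
    conf=$1; want_uid=${2:-0}; findings=0
    note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }
    # "Key = value" lines for one key, matched case-insensitively.
    lines() { grep -Ei "^[[:space:]]*$1[[:space:]]*=" "$conf" || true; }

    # The file holds the private key: owner-only mode, owned by root (GNU stat).
    case $(stat -c '%a' "$conf") in
        600|400) ;;
        *) note "group/other can access the file; chmod 600 it" ;;
    esac
    [ "$(stat -c '%u' "$conf")" = "$want_uid" ] || note "owner uid is not $want_uid"

    # Without a DNS line wg-quick does not call resolvconf, so lookups stay
    # on the pre-tunnel resolver.
    [ -n "$(lines DNS)" ] || note "no DNS line; resolver is left unchanged"

    # A full tunnel needs both default routes in AllowedIPs.
    allowed=,$(lines AllowedIPs | cut -d= -f2- | tr '\n' ',' | tr -d ' \t')
    for net in 0.0.0.0/0 ::/0; do
        case $allowed in
            *,"$net",*) ;;
            *) note "AllowedIPs lacks $net; that traffic bypasses the tunnel" ;;
        esac
    done

    # Kill switch (textual heuristic): one PostUp REJECT rule per IP family.
    postup=$(lines PostUp)
    for tool in iptables ip6tables; do
        printf '%s\n' "$postup" |
            grep -Eq "(^|[^[:alnum:]])$tool[[:space:]].*-j[[:space:]]+REJECT" ||
            note "no $tool REJECT rule in PostUp"
    done
    return "$findings"
}

# Demo on a constructed config: IPv4-only AllowedIPs and no kill switch.
demo=$(mktemp)
printf '%s\n' '[Interface]' 'PrivateKey = <placeholder>' 'DNS = 192.0.2.53' \
    '[Peer]' 'PublicKey = <placeholder>' 'AllowedIPs = 0.0.0.0/0' > "$demo"
audit_wg_conf "$demo" "$(id -u)" || echo "findings: $?"
rm -f "$demo"
```

On the machine from this guide the call would be `sudo sh -c '. ./audit.sh; audit_wg_conf /etc/wireguard/mullvadsg1hk1.conf'`, where `audit.sh` is a hypothetical file holding the function.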

Next Steps

Now that you’ve seen how easy it is to get encrypted Internet with WireGuard and Manjaro take time to use it to explore the Mullvad docs, including their guides on Privacy and using BitTorrent. As a privacy company they’re going to have some good stuff. When you’re finished, enhance your understanding with:

There’s a ton to grok so take your time learning and enjoy taking it all in. And once you’ve absorbed all that check out some of the related content below.

Experience

Based on three weeks using Mullvad my WireGuard experience has been good. I purchased my account in Bitcoin Cash using the Bitcoin.com wallet downloaded from the Aurora Store and registration with Mullvad was near instant. From Terminal I can see WireGuard handshakes and transfer using the wg show command. I’ve also gone back and generated a QR code to use the WireGuard app on my EMUI/Android device since Mullvad allows up to 5 keys to be generated at one time.

From a speed perspective WireGuard is the fastest encryption protocol I’ve ever used, period. In fact, it’s so fast I’ve been using it in combination with Tor to surf the ZeroNet. On the surveillant (clearnet) Web I have encountered a here and there I couldn’t access. But that’s okay because they’re few and far between.

Based on some info I saw in the Manjaro forums it’s possible to start WireGuard automatically with the system as it starts using systemctl but I haven’t had a lot of luck with it yet. It’s easy enough, however, to simply Ctrl+R from Terminal after a system restart and type wg-q followed by Ctrl+R again to traverse bash history for WireGuard commands used previously.

Finally, when using with Tor, I’ve noticed Mullvad cannot determine WireGuard is in use, which makes sense given it’s an anonymizing overlay. In these cases I use sudo wg show to check if WireGuard is running and sometimes use tcpdump to confirm all data is being transported over UDP.
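The `wg show` check can also be scripted against the tab-separated `wg show <interface> dump` output, flagging peers whose last handshake is missing or old. This is an added example, not part of the original post; the function name `wg_stale_peers`, the 180-second default and the sample dump are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: flag peers without a recent handshake in `wg show IFACE dump`.
# Usage: wg show IFACE dump | wg_stale_peers NOW_EPOCH [MAX_AGE_SECONDS]
# Prints one line per stale peer; the return status is the number flagged.
# WireGuard rekeys about every two minutes while traffic flows, so on a busy
# tunnel an older handshake means packets are not getting through. An idle
# tunnel can legitimately be older than the 180 s default.
wg_stale_peers() {
    awk -F'\t' -v now="$1" -v max="${2:-180}" '
        NR == 1 { next }   # interface line: private key, public key, port, fwmark
        {
            # Peer line: public key, preshared key, endpoint, allowed IPs,
            # latest handshake (epoch, 0 = never), rx bytes, tx bytes, keepalive.
            peer = substr($1, 1, 8) "..."
            age = now - $5
            if ($5 == 0) {
                print peer, $3, "never completed a handshake"; bad++
            } else if (age > max) {
                print peer, $3, "last handshake " age "s ago"; bad++
            }
        }
        END { exit bad + 0 }
    '
}

# Demo on a constructed dump (placeholder keys, documentation-range endpoints).
sample_dump() {
    printf 'PRIV\tPUB\t51820\t0xca6c\n'
    printf 'peerAAAAAAAA\t(none)\t192.0.2.1:51820\t0.0.0.0/0,::/0\t999950\t4096\t2048\toff\n'
    printf 'peerBBBBBBBB\t(none)\t192.0.2.2:51820\t0.0.0.0/0,::/0\t0\t0\t148\toff\n'
    printf 'peerCCCCCCCC\t(none)\t192.0.2.3:51820\t0.0.0.0/0,::/0\t999000\t512\t512\toff\n'
}
sample_dump | wg_stale_peers 1000000 || echo "stale peers: $?"
```

Against the live interface from this guide: `sudo wg show mullvadsg1hk1 dump | wg_stale_peers "$(date +%s)"`.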

Summary

In this short guide I showed you how to encrypt and route your local Internet traffic through a fast, modern, and secure VPN tunnel called WireGuard using a free and open source operating system called Manjaro Linux. I explained how to install WireGuard on Manjaro, shared a simple means of establishing and testing an encrypted Internet connection, and left you with next steps and personal experience to help further your understanding and gain confidence getting started.

Remember, the Internet is still young and this is a delicate time. And no thanks to the reptilian instincts of corporate greed your very free will as you know it may be in jeopardy. So secure yourself online and start digging your tunnel.

Please use this opportunity to safeguard your personal data with WireGuard.


  1. In the words of Edward Snowden in regards to collection of metadata.