Mullvad Nftables script
Note: The script was formerly called
mtc
. It is nowmnf
and has been improved.
This is a simple bash script that will allow you to run Mullvad VPN along with Tailscale or Zerotier on Linux.
mnf
(for Mullvad nftables
) was inspired by this gist, although it has been completely rewritten and improved.
This script works with Zerotier and Tailscale.
- Bring up Tailscale/Zerotier and Mullvad with a random server
- Connect to a specific country
- Blacklist countries to avoid connecting to them
- Use only RAM-only (diskless) servers
- Set custom DNS server(s) for Mullvad
- Bring down all (tailscale/zerotier+mullvad+nftables) or each one selectively
- Automatically update the Mullvad relay list at startup
- and more.
- Mullvad must be installed on your system, so that the mullvad cli command is available.
- Install the
nftables
package. tailscale
orzerotier-one
must be installed and configured properly.
- Clone this repo:
git clone https://github.com/r3nor/mullvad-tailscale
Or download and extract the latest release source from releases page.
- Go to the cloned dir:
cd mullvad-tailscale
- Make the script executable:
chmod +x mnf
- Inspect and edit the script file (
mnf
):
- Change the
RULES_DIR
variable to point to the directory in which themullvad.rules
file from this repository is located. If you cloned the repo, it should be inside themullvad-tailscale
folder. - Modify the
EXCLUDE_COUNTRY_CODES
variable if you want to exclude any countries from the VPN connection (don't connect to these countries). If you do not want to exclude any country, set this variable to''
. If you want to add more, just add most two-letter country codes, separated by spaces. - Uncomment the
INCLUDE_COUNTRY_CODES
variable if you want to force the connection to specific countries (only connect to these countries). This will overrideEXCLUDE_COUNTRY_CODES
. If you want to add more, just add most two-letter country codes, separated by spaces.
- Edit the
mullvad.rules
file:
- Set your Tailscale/Zerotier network IPs in the
EXCLUDED_IPS
variable (you can use CDIR notation). - Set your Tailscale/Zerotier network IPv6 IPs in the
EXCLUDED_IPV6
variable (you can use CDIR notation). If you do not want IPv6 support, comment this line as well as the one starting withip6 daddr $EXCLUDED_IPV6
. - Set your Tailscale/Zerotier DNS resolver in
RESOLVER_ADDRS
.- It should be
100.100.100.100
for Tailscale. - If you are using Zerotier, the DNS resolver IP can be found in the
/etc/resolv.conf
file after runningzerotier-one
service. You will find it in a new line. It should look like10.X.X.X
.
- It should be
You can find the Tailscale/Zerotier IPs in your dashboard. Just use copy and paste for each of your devices.
- Setup your Mullvad account if you haven't done it yet:
mullvad account login 1234123412341234
You might want to add
mnf
to your PATH. Jump to an example usage
Apply nftables configuration and connect to Mullvad and Tailscale/Zerotier.
mnf up [-OPTIONS]:
-h | --help Show this help message
-r | --ram No-disk/RAM only Mullvad relays (default: all servers)
-z | --zerotier Use Zerotier instead of Tailscale
-d | --dns Set custom Mullvad DNS server (i.e. -d 1.1.1.1 or -d 8.8.8.8,1.1.1.1)
-c | --country Specify country code(s) to connect to (i.e. -c gb or -c fr,pt,es)
-f | --file Specify a particular NFT rules file (default: mullvad.rules)
Bring down Mullvad and remove nftables configuration.
mnf down [-OPTIONS]:
-h | --help Show this help message
-a | --all Stop Mullvad and Tailscale/Zerotier (default: only stop Mullvad)
-z | --zerotier Use Zerotier instead of Tailscale
-t | --table Indicate the nft tablename to bring down (default: mullvad-ts)
Apply nftables configuration so Mullvad and Tailscale/Zerotier can work together and do nothing more.
mnf conf [-OPTIONS]:
-u Remove the nftables configuration
-h Show this help message
mnf up -rz -d 1.1.1.1 -c ee
or the same command with long flag names:
mnf up --ram --zerotier --dns 1.1.1.1 --country ee
This connects to Mullvad's RAM-only servers (-r
) in Estonia (-c ee
) and uses Zerotier (-z
). It also sets the MullvadVPN DNS to 1.1.1.1
.