One of the things I struggled with initailly when using immutables was installing programs like VPNS that need to interact with the immutable parts of the distro but don’t have a flatpak option. I figured I’d just make a post to help anyone with this specific issue regarding mullvad or if it helps people install other software they need.
Adding the repo
Jump into a location to download the repo file
cd Downloads/
Download the repo
wget https://repository.mullvad.net/rpm/stable/mullvad.repo
copy the repo file to the yum.repos.d folder
sudo cp mullvad.repo /etc/yum.repos.d
Install mullvad vpn
rpm-ostree install mullvad-vpn
Reboot to reimage
systemctl reboot
Join the client to the service
sudo systemctl enable --now mullvad-daemon
Install libappindicator that at the time wasn’t included in Kinoite
sudo rpm-ostree install libappindicator-gtk3
Reboot to reimage
systemctl reboot
I don’t know anything about immutable distros, but any good VPN provide Wireguard or OpenVPN config that you can just import into your network settings/manager. Mullvad does.
They do, but networkmanager doesnt have the necessary features like a block mode. Read my other comment.
Btw there is a GNOME applet for mullvadvpn, so you dont need to use electron, just the background stuff.
Came here to say this too
deleted by creator
Very cool! Mullvad also updated their Linux install guides to reference the repos immediately, but they use dnf for whatever reason, making it unnecessarily complicated (issue report).
Your commands where good and secure, but this is a quicker way
curl https://repository.mullvad.net/rpm/stable/mullvad.repo` | sudo tee /etc/yum.repos.d/mullvad.repo rpm-ostree install --reboot mullvad-vpn libappindicator-gtk3 systemctl enable --now mullvad-daemon
You dont need sudo for rpm-ostree and systemctl, they work natively with polkit. In general you can replace
sudo
withpkexec
in your shell config and have easier and more granular permission controls. But dont remove sudo, that will currently break at least some things like shutdown.Top-tier comment thanks for the contribution
Why not just “Flatpak” it and be done with it?
Doesnt work. Networkmanager has no native concept of a “airtight VPN mode”.
The mullvad daemon does stuff like
- control DNS
- block internet when not connected
- prevent early boot connections
Those require it to be privileged. For sure it would be nice to have all these features integrated into networkmanager, and vpn apps just placing their wireguard configs and DNS settings in there.
But for now the Mullvad App is way better than what we have. You can also keep a very insecure DNS conf (no DNSSEC, no DOT, no custom servers) as a fallback for public wifi bs, and when the Mullvad app is running the system uses a secure DNS.
Very good points. But can’t you provide those permissions to the flatpak via flatseal or something?
Good question, but nope: https://discourse.flathub.org/t/vpn-mullvad-vpn/2594/7
Well, that sucks.
Only if there was a portal, I would suppose. But idk to be honest. Flatpaks can write to /etc if they want.