Mullvad-Tailscale Guide

content/posts/mullvad-tailscale.md

@@ -0,0 +1,128 @@
+---
+title: "How to Use Mullvad & Tailscale Simultaneously on Linux Using iproute2"
+draft: false
+date: 2025-12-29
+tags:
+    - Mullvad
+    - Tailscale
+    - Linux
+---
+
+This guide will show you two different methods, one temporary, one permanant, on how to set up your VPN to work with Tailscale simultaneously on Linux. This steps below work as of January 1st 2026.
+
+All commands listed in this guide will be ran as root, and this guide assumess that your Mullvad VPN interface is `wg0-mullvad` and your Tailscale interface is `tailscale0`.
+
+**NOTE:** I've only tested this with Mullvad VPN on Arch Linux, so if your setup differs, your mileage may vary.
+
+**WARNING:** If you use ***Mullvad's DNS*** with Mullvad, make sure to also follow the [Mullvad DNS Routing](#mullvad-dns-routing) part of the guide.
+
+## Installation
+
+Make sure the `iproute2` package (ip command) is installed.
+
+## Temporary Setup
+
+To route all Tailscale traffic to the proper interface, run the command:
+
+`ip route add 100.64.0.0/10 dev tailscale0`
+
+Breaking down the command:
+
+`ip route add`: Command to add routes to the database.
+
+`100.64.0.0/10`: CIDR/IP whos route we want to change.
+
+`dev tailscale0`: Device we want the traffic routed to.
+
+If you have subnet routers setup on Tailscale you need to access, make sure to check out the [Subnet Routers](#subnet-routers) section.
+
+## Permanant Setup
+
+All routes configured under iproutes2 have only been made temporary so far and will be wiped on reboot, to opt for a more persistent setup, extra configuration will be needed.
+
+### With SystemD
+
+Wiith your text editor, open:
+
+`/etc/systemd/system/tailscale-mullvad.service`
+
+place the following config inside the file, save it, making any changes as necessary.
+
+```ini
+[Unit]
+Description=Mullvad-Tailscale Routing (shadeouts.net)
+
+[Service]
+Type=oneshot
+ExecStart=/sbin/ip route add 100.64.0.0/10 dev tailscale0
+# If you have a subnet router (see Subnet Routers):
+# ExecStart=/sbin/ip route add <router-cidr> dev tailscale0
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+```
+
+Then enable the service:
+
+```bash
+systemctl daemon-reload
+systemctl enable tailscale-mullvad.service
+```
+
+### With Dinit 👑
+
+With your text editor, open:
+
+`/etc/dinit.d/tailscale-mullvad`
+
+place the following config inside the file, save it, making any changes as necessary.
+
+```ini
+type    = scripted
+command = /sbin/ip route add 100.64.0.0/10 dev tailscale0
+# Subnets: command = /sbin/ip route add <router-cidr> dev tailscale0
+after   = login.target
+```
+
+Then enable the service:
+
+```bash
+dinitctl enable tailscale-mullvad
+```
+
+## Subnet Routers
+
+If you've configured subnets in Tailscale that you need to access, run the command:
+
+`ip route add <router-cidr> dev tailscale0`
+
+replacing \<router-cidr> with the range you've setup within Tailscale.
+
+For example: `ip route add 192.168.0.0/24 dev tailscale0`
+
+**NOTE:** If you've opted to set up these routes permanantly, make sure to make any edits necessary in the system service files.
+
+## Mullvad DNS Routing
+
+Since Mullvad uses the `100.64.0.0/24` CIDR for its DNS, we'll have to route these IPs to the `wg0-mullvad` interface.
+
+The simplest way to to this is:
+
+`ip route add 100.64.0.0/24 dev wg0-mullvad`
+
+but may conflict with some of your Tailscale devices within this range.
+
+To counter this, you can either (i) change the IPs of your devices in Tailscale to IPs outside of this range, or (ii) route just the IP used by Mullvad for its DNS services. If you chose the ladder, setup is as follows:
+
+```bash
+cat /etc/resolv.conf
+
+# With the IP listed after nameserver, add it to the <dns-ip> section of the command below
+
+# Example: ip route add 100.64.0.7 dev wg0-mullvad
+
+ip route add <dns-ip> dev wg0-mullvad
+```
+
+**NOTE:** If you change any of the toggles in Mullvad's DNS menu, the IP listed in this file willl change and you'll have to configure it again.