A quick guide to getting Mozilla VPN working on a headless Linux server

The Mozilla VPN service is great, but it doesn't work using the CLI if you have a "headless" server. After a bit of faffing about, I got it working. I suffered so you don't have to.

Get an account

Sign up and use code MOZILLA20 for a cheeky 20% discount!

Get a token in the browser

To start with, you'll need to get an authentication token. This requires you to be on a machine which can run a modern browser like Firefox or Chrome.

On a computer with a GUI, download MozWire. This is an unofficial way to download the necessary WireGuard config files.

Open up a terminal and make it executable:

chmod +x mozwire-linux

Run the app:

./mozwire-linux --print-token

That will automatically open your web browser. Sign in to the Mozilla VPN service in the browser. Return to your terminal and you'll see a long token like:


It will be much longer than that! Save it somewhere safe.

Server time!

SSH into your server. Download MozWire.

wget https://github.com/NilsIrl/MozWire/releases/latest/download/mozwire-linux

Make it executable:

chmod +x mozwire-linux

Check that it works by getting it to list all the devices you have associated with your account:

./mozwire-linux --token abc.123.qwe.rty.uio device list

That should show the names of your devices - it won't include the server.

It's tedious to type in the token each time, so run:

export MOZ_TOKEN="abc.123.qwe.rty.uio"

Then you can leave out the --token option:

./mozwire-linux device list

And you should get the same result as before.

Make sure you have installed WireGuard and resolvconf:

sudo apt install wireguard wireguard-tools resolvconf

Next, generate the public/private keypair and associate it with your server:

./mozwire-linux device add --name My-Awesome-Server --privkey $(wg genkey)

Once that's run, you can confirm the server has been added by again running:

./mozwire-linux device list

That should show your previous devices and the new one.

Next up, it's time to download all the Mozilla VPN WireGuard configs:

./mozwire-linux relay save -o ~/mozwireconf -n 0

That will upload your public key to Mozilla and then download a bunch of configurations into ~/mozwireconf (or wherever you choose).
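
A wg-quick config carries the private key in its [Interface] section and its AllowedIPs line decides which traffic enters the tunnel, so the saved files are worth checking before bringing one up. The script below is an added example, not part of the original post or of MozWire: audit_wg_conf is a hypothetical helper, the sample config is constructed, and it assumes the files use the standard wg-quick key names.

```shell
#!/bin/sh
# Added example: audit a wg-quick config before bringing the tunnel up.
# audit_wg_conf is a hypothetical helper, not part of MozWire or WireGuard.
# Prints one line per finding; returns 0 when clean, 1 otherwise.
audit_wg_conf() {
    conf=$1
    rc=0
    [ -f "$conf" ] || { echo "$conf: not a regular file"; return 1; }

    # The file embeds the PrivateKey, so group and other need no access.
    mode=$(ls -ld -- "$conf" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "$conf: group/other permissions are '$mode', expected none (chmod 600)"
        rc=1
    fi

    # Gather every AllowedIPs entry, one prefix per line.
    allowed=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=//p' "$conf" |
        tr ',' '\n' | tr -d ' \t\r')

    # A full tunnel needs both default routes, or that family bypasses the VPN.
    printf '%s\n' "$allowed" | grep -qx '0\.0\.0\.0/0' ||
        { echo "$conf: IPv4 default route (0.0.0.0/0) not in AllowedIPs"; rc=1; }
    printf '%s\n' "$allowed" | grep -Eqx '::0?/0' ||
        { echo "$conf: IPv6 default route (::/0) not in AllowedIPs"; rc=1; }

    # Without a DNS line, lookups keep using the server's existing resolver.
    grep -Eq '^[[:space:]]*DNS[[:space:]]*=' "$conf" ||
        { echo "$conf: no DNS line found"; rc=1; }

    return "$rc"
}

# Constructed sample config (placeholder keys, documentation-range endpoint).
demo_dir=$(mktemp -d)
cat > "$demo_dir/sample.conf" <<'EOF'
[Interface]
PrivateKey = CONSTRUCTED_PLACEHOLDER_PRIVATE_KEY
Address = 10.0.0.2/32
DNS = 10.0.0.1

[Peer]
PublicKey = CONSTRUCTED_PLACEHOLDER_PUBLIC_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = 192.0.2.10:51820
EOF
chmod 644 "$demo_dir/sample.conf"
audit_wg_conf "$demo_dir/sample.conf" || echo "sample.conf needs attention"
rm -rf "$demo_dir"
```

To check a real file, source the function and run audit_wg_conf on one of the configs in ~/mozwireconf.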

Run WireGuard

To connect to, say, the Denmark Copenhagen server, run:

wg-quick up ~/mozwireconf/dk-cph-wg-101.conf

And... that's it! If you run ifconfig you'll see a new network entry for WireGuard.

You can check that it's working by running:

curl https://ifconfig.co/json ; echo

That will print out some diagnostic information about the IP address your server presents to the world.

To turn off Mozilla VPN, run:

wg-quick down ~/mozwireconf/dk-cph-wg-101.conf

To run Mozilla VPN for a single program, install Vopono, then run:

vopono exec --custom ~/.config/vopono/mozilla/wireguard/fi-hel-wg-103.conf "curl https://ifconfig.co/json"
