Get an account

Sign up and use code MOZILLA20 for a cheeky 20% discount!

Get a token in the browser

To start with, you'll need to get an authentication token. This requires you to be on a machine which can run a modern browser like Firefox or Chrome.

On a computer with a GUI, download MozWire. This is an unofficial way to download the necessary WireGuard config files.

Open up a terminal and make it executable:

chmod +x mozwire-linux

Run the app:

./mozwire-linux --print-token

That will automatically open your web browser. Sign in to the Mozilla VPN service in the browser. Return to your terminal and you'll see a long token like:

abc.123.qwe.rty.uio

It will be much longer than that! Save it somewhere safe.

Server time!

SSH into your server. Download MozWire.

wget https://github.com/NilsIrl/MozWire/releases/latest/download/mozwire-linux

Make it executable:

chmod +x mozwire-linux

Check that it works by getting it to list all the devices you have associated with your account:

./mozwire-linux --token abc.123.qwe.rty.uio device list

That should show the name of your devices - it won't include the server.

It's tedious to type in the token each time, so run:

export MOZ_TOKEN="abc.123.qwe.rty.uio"

Run:

./mozwire-linux device list

And you should get the same result as before.

Make sure you have installed WireGuard and resolvconf:

sudo apt install wireguard wireguard-tools resolvconf

Next, generate the public/private keypair and associate it with your server:

./mozwire-linux device add --name My-Awesome-Server --privkey $(wg genkey)

Once that's run, you can confirm the server has been added by again running:

./mozwire-linux device list

That should show your previous devices and the new one.

Next up, it's time to download all the Mozilla VPN WireGuard configs:

./mozwire-linux relay save -o ~/mozwireconf -n 0

That will upload your public key to Mozilla and then download a bunch of configurations into ~/mozwireconf (or wherever you choose).

Run Wireguard

To connect to, say, the Denmark Copenhagen server, run:

wg-quick up ~/mozwireconf/dk-cph-wg-101.conf

And... that's it! If you run ifconfig you'll see a new network entry for WireGuard.

You can check that it's working by running:

curl https://ifconfig.co/json ; echo

That will print out some diagnostic information about the IP address your server presents to the world.

To turn off the MozillaVPN, run:

wg-quick down ~/mozwireconf/dk-cph-wg-101.conf

To run MozillaVPN for a single program, install Vopono

vopono exec --custom ~/.config/vopono/mozilla/wireguard/fi-hel-wg-103.conf "curl https://ifconfig.co/json"

Create a file called myVPN.xml:

<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="http://schemas.xmlsoap.org/encoding/"
                   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                   xsi:schemaLocation="http://schemas.xmlsoap.org/encoding/AnyConnectProfile.xsd">
   <ServerList>
      <HostEntry>
         <HostName>My Work VPN</HostName>    
         <HostAddress>vpn.example.com/connect</HostAddress>
      </HostEntry>
   </ServerList>
</AnyConnectProfile>

Place it in /opt/cisco/anyconnect/profile/

Now, when you launch your VPN client, it will show you your saved hosts.

Huge thanks to Alex Monk for showing me the way!