Automating WireGuard Key Rotation

Automating WireGuard Key Rotation for Enhanced Security

In today’s digital age, maintaining the security of our online activities is more crucial than ever. One effective way to bolster your VPN security is by regularly rotating your WireGuard keys. This blog post will walk you through the process of automating WireGuard key rotation for your Mullvad VPN account.

Why Rotate WireGuard Keys?

Regularly rotating your WireGuard keys provides several security benefits:

  1. Minimizing Exposure: Regular key rotation reduces the window of opportunity for potential attackers to exploit compromised keys.
  2. Enhancing Anonymity: Changing IP addresses and endpoints frequently helps maintain anonymity by making it more difficult to track online activities.
  3. Compliance: Some security policies and compliance frameworks recommend or require regular key rotations as part of best practices for maintaining secure communications.

Prerequisites

Before diving into the script, ensure you have the following tools installed on your system:

  • curl
  • wg (WireGuard)
  • jq
  • systemctl

You can install them using the following commands:

sudo apt-get update
sudo apt-get install -y curl wireguard jq

Setting Up the Script

  1. Save your Mullvad account number: Create a file that contains only your 16-digit Mullvad account number without any extra spaces or newlines. Update the ACCOUNT_FILE variable in the script to point to this file.

  2. Clone the Repository: Start by cloning the repository and navigating into it.

git clone https://github.com/okbenito/mullvad-wireguard-rotation.git
cd mullvad-wireguard-rotation

  3. Run the Script: Execute the script using bash.

bash rotate.sh

What the Script Does

The script performs the following steps:

  1. Reads your Mullvad account number from the specified file.
  2. Generates a new WireGuard private and public key.
  3. Submits the new public key to Mullvad.
  4. Retrieves a new WireGuard IP and endpoint from Mullvad.
  5. Updates your local WireGuard configuration with the new keys and endpoint.
  6. Restarts the WireGuard service to apply the changes if it’s currently running.
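
Steps 1 and 5 are where the account number and the private key touch disk, and where values returned by the API end up in a configuration file. The following is an added example, not the code of rotate.sh from the repository: the function names, the configuration layout, the Linux `stat -c` call and the rule that the address and endpoint contain only IP-address characters are all assumptions.

```shell
# Added example, not the repository's rotate.sh; names, config layout and
# accepted value formats are assumptions.

# Step 1: accept the account file only if it is owner-only and has 16 digits.
read_account() {
    acct_file=$1
    [ -f "$acct_file" ] || { echo "missing: $acct_file" >&2; return 1; }
    mode=$(stat -c '%a' "$acct_file") || return 1
    case $mode in
        *00) ;;
        *) echo "$acct_file is mode $mode, expected 600" >&2; return 1 ;;
    esac
    acct=$(tr -d ' \t\r\n' < "$acct_file")
    case $acct in
        ''|*[!0-9]*) echo "account number must be digits only" >&2; return 1 ;;
    esac
    [ "${#acct}" -eq 16 ] || { echo "expected 16 digits" >&2; return 1; }
    printf '%s\n' "$acct"
}

# A WireGuard key is 44 base64 characters ending in '='.
valid_key() {
    case $1 in
        *[!A-Za-z0-9+/=]*) return 1 ;;
        *=) [ "${#1}" -eq 44 ] ;;
        *) return 1 ;;
    esac
}

# Step 5: validate every value, build the config in a temp file beside the
# target (mktemp creates it mode 0600), then rename it into place.
write_conf() {
    conf=$1 privkey=$2 address=$3 peer_pub=$4 endpoint=$5
    valid_key "$privkey" && valid_key "$peer_pub" || return 1
    # Newlines or stray text in an API response must not become config lines.
    case $address$endpoint in *[!0-9A-Fa-f.:/,]*) return 1 ;; esac
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    cat > "$tmp" <<EOF
[Interface]
PrivateKey = $privkey
Address = $address

[Peer]
PublicKey = $peer_pub
Endpoint = $endpoint
AllowedIPs = 0.0.0.0/0, ::/0
EOF
    mv -f "$tmp" "$conf"
}
```

Because the rename happens only after every check passes, a failed rotation leaves the previous configuration untouched.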

Automating the Process

To maximize security, it is recommended to run this script on a regular basis. You can automate this with a cron job. The @reboot entry shown here runs the script once each time the system starts, so your WireGuard keys are rotated daily only on a machine that restarts daily. Here’s how you can set it up:

  1. Open the Crontab File for Editing:

crontab -e

  2. Add the Following Line to Schedule the Script to Run at Boot:

@reboot /path/to/rotate.sh

Replace /path/to/rotate.sh with the actual path to the rotate.sh script.

Troubleshooting

  • Ensure the account number file is correctly formatted and located at the specified location.

  • Check that all required commands (curl, wg, jq, systemctl) are installed and available in your PATH.

  • Make sure you have the necessary permissions to read the account number file and write to the WireGuard configuration file.

Conclusion

By automating the rotation of your WireGuard keys, you can significantly enhance the security and privacy of your Mullvad VPN connection. This script provides a streamlined and efficient way to maintain secure communications online.

License

This project is released into the public domain under the terms of the Unlicense. For more information, see the LICENSE file or visit http://unlicense.org.

Contributing

Contributions are welcome! Please open an issue or submit a pull request for any improvements or bug fixes.

Disclaimer

This script is provided as-is without any warranties. Use at your own risk.