How does Mullvad Browser Starter/Downloader work?

Note I am posting this on Whonix forums and not for Kicksecure , as there is a mullvadbrowser executable available on Whonix Workstation PATH, which triggers Mullvad Browser Starter (by Kicksecure developers) downloader.

Mentioned downloader tries to use socksified curl , despite having disabled uwt via echo 'uwtwrapper_global="0"' >> /etc/uwt.d/50_user.conf. I think main purpose of using Mullvad Browser instead of Tor Browser is some form of tunneling technique like User -> Tor -> VPN -> Inet or User -> VPN -> Tor -> Inet. Hence it would be appreciated if downloader could work on an “unproxied” workstation and respect uwt settings for curl - at least until verified Mullvad browser Flatpak package is provided and installable with Flatpak in Whonix.

  1. Is Mullvad Browser Downloader officially supported with Whonix/Qubes-Whonix?
  2. If yes: Could you provide an option to download to the template similar to the Tor Browser downloader, to be used easily in multiple workstations? (I think current solution tries to download to $HOME.)

Thanks in advance!

uwt only affects uwt wrapped applications.

What are uwt wrapped applications? → By uwt wrapper

So uwt is irrelevant here.

That would be nice.

But guessing the rationale can go very wrong.

All that happened can be looked up by reading Mullvad Browser support · Issue #25 · Kicksecure/tb-updater · GitHub and following links. Someone contributed to tb-updater in context of Kicksecure. No reference to Whonix or VPNs.

or User -> VPN -> Tor -> Inet.

In this case why not use Tor Browser?

No. If it’s not mentioned in the Whonix documentation in this context, best to assume no.

The VPN related wiki pages need a lot of work but it’s very complicated and time consuming.

I don’t think this issue exists. Tested in a Kicksecure Template.

> update-mullvadbrowser 

INFO: Automatically setting download folder to ‘/var/cache/tb-binary’, because running inside Qubes Template but not run from postinst. This is useful so you get up to date versions of ‘Mullvad Browser’ in newly created App Qubes inherited from updated Templates.
More info:

Thanks for your answer @Patrick .

If starting mullvadbrowser, I got following process log output:

INFO: CURL_PROXY: '--proxy socks5h://tb-updater_xxxx:password@10.x.x.x:91xx

, which let me assume, curl is used for the download process - hence the mentioning of uwt.

Not sure, what you are referring to to be nice here - usage of Mullvad Browser or ability to use Tor before VPN? Latter probably should best used with Qubes-Whonix to prevent leaks, former can already be used of now, but it is cumbersome to install and update (manual process).

Yes, right. I was just giving tunneling examples, but the relevant here is User -> Tor -> VPN -> Inet.

Thanks for clarifying. Still hoping for a verified flatpak package in the long run.

Ah, I have not tried mullvadbrowser from within the template yet. From AppVM it said:

Mullvad Browser is currently not installed.
(Folder /home/user/.mullvadbrowser/mullvad-browser does not exist.)
Start Mullvad Browser Downloader (by Kicksecure developers)?

Great, so despite being unofficial, does anything speak against still using this routine in Whonix (apparently same installer executable as in Kicksecure exists )? I might execute it in the template for download, and later on in the AppVM workstation to actually install the browser, without need to deproxy anything for sake of install process, right?

  • That’s just the downloader of Mullvad Browser and not the browser itself. Hence unrelated.
  • Using proxy settings. Hence also unrelated to uwt which is only used in case proxy settings are unsupported or infeasible to configure.

I mean you seeing some executable in PATH (“mullvadbrowser”) to assume it must have something to do with Whonix and/or VPN. Guessing these things can easily get wrong.

Maybe an educated guess for research with search engines but that’s about it.

Users are free to experiment with it as they are with any other application of their choice.


Some details about Mullvad Browser downloader by Kicksecure developers, Whonix environment variables and Mullvad Browser’s own settings have been documented here just now:
Mullvad Browser, Whonix Specific

Not being able to start the downloader is the issue I tried to describe in OP. I did not come past the point of downloading, as curl without enabled proxy settings was needed in my case for tunneling mode. Sorry if that didn’t become clear.

Yes. At least it was surprising for me to see some kind of Mullvad binary be present on PATH within Whonix environment. I didn’t assume it to have anything to do with VPN, as Mullvad browser is independent of their VPN service.

Allright, I am gonna test the download from within template. Thanks for adding documentation.

Disabling stream isolation (CURL_PROXY) for tb-updater is documented on this wiki page:

When following any documentation for combining tunnels with Whonix, this topic will be mentioned and contain a link to that wiki page.

1 Like

Would it be possible to reuse this CURL_PROXY environment variable for mullvadbrowser downloader implementation? From my tests, Tor Browser Downloader/tb-updater could be “un-socksified” by setting


in /etc/torbrowser.d/50_user.conf. But this did not work for the Mullvad Browser Downloader. (Also tried CURL_PROXY="--fail" mullvadbrowser without success.)


1 Like

Yep that works - appreciated.

I also needed to use update-mullvadbrowser to only install/update without start, as seen in the commit.