Bridges and proxies with Mullvad CLI (Mullvad app)

In this guide you will install a bridge client on your computer that connects to one of Mullvad's bridge servers using the SSH Protocol. Using this bridge, the Mullvad app can then access Mullvad's VPN servers that are for some reason blocked from being directly accessed.

The bridge client will run locally on your computer and Mullvad will access it via the local address 127.0.0.1 and a port, port 1234 in this case.

The Mullvad app will work with any SOCKS5 proxy. You can even run your own remote server and client (locally) that uses a different set of protocols that might work better for you, and then use that to connect to our VPN servers.

Requirements

You need

  • Windows, macOS, or Linux
  • the latest version of the Mullvad VPN app – download it here
  • to use the terminal.

Set-up instructions

In this guide, we are using SSH. Our examples make use of bridge server se-mma-br-001.mullvad.net with IP address 193.138.218.71. Please refer to our list of bridge servers and their locations in order to use another bridge.

Set up SSH in Linux and macOS

In a terminal, run the command ssh -f -N -D 1234 mullvad@193.138.218.71.

Set up SSH in Windows

Download KiTTY (a putty fork) from FossHub.

Run KiTTY and then configure it with the following settings:

  1. Click on Session.
  2. In the Host Name (or IP Address) field, enter "193.138.218.71".
  3. In the Port field, enter "22".
  4. Click on Connection → SSH → Tunnels.
  5. Enter "1234" as source port.
  6. Select Dynamic and then click Add.
  7. Click on Connection → SSH.
  8. Enable "Don't start a shell or command at all".
  9. Click on Connection → Data.
  10. In the Auto-login username field, enter "mullvad".
  11. In the Auto-login password field enter "mullvad".
  12. Click on Session and then enter a name under Saved sessions.
  13. Click on Save.
  14. Double-click on the saved session.

First-time connection to a bridge

When you connect for the first time to each bridge, you will be asked to accept the fingerprint for that server (see our list of bridges). This is what it looks like when connecting via Linux:

The authenticity of host 'se-mma-br-001.mullvad.net (193.138.218.71)' can't be established.
ED25519 key fingerprint is SHA256:LuBJ1HTfEWNQsvDc5tZrwoG+CokMypcflLMObEnCeMg.
Are you sure you want to continue connecting (yes/no)?

Configure Mullvad VPN app to use the proxy settings

  1. Open the terminal:
    • Linux and macOS: open a terminal window.
    • Windows: open the command prompt and navigate to C:\Program Files\Mullvad VPN\resources
  2. Run the command mullvad bridge set custom local 1234 193.138.218.71 22
  3. Connect to Mullvad either by using the GUI or by running mullvad connect in the command prompt.

Disable the bridge

Open a command prompt or terminal and then run mullvad bridge set state off.

Multihop connections

By connecting via one location using our bridges and exiting via another location, you will enable so-called multihopping.

Multihop connections offer higher levels of anonymity and privacy. This is because adversaries would need to launch sophisticated, timed attacks against the traffic in multiple locations and in different jurisdictions simultaeously. However, this additional security comes at the cost of slower performance due to the additional 'hop' that your traffic takes.

Other Bridge methods (protocols)

Shadowsocks

Shadowsocks is an open-source proxy project intended to circumvent internet censorship. It is high performing and has support for new ciphers.

  • Available for: Windows, Linux, OS X
  • Ports: 443, 1234, 1235, 1236

Follow our Shadowsocks guide for more information on how to use Shadowsocks instead of SSH. The Shadowsocks guide will use the bridge 185.65.134.66 (instead of 193.138.218.71) and the local port 1080 (instead of 1234).