WireGuard + Mullvad for macOS
This guide walks you through the steps and terminal-based commands to set up and use the WireGuard protocol with Mullvad on macOS.
What this guide covers:
- Setup instructions
- How to verify that your WireGuard connection is working
- Using multihop with WireGuard
- Using multihop with SOCKS5
- External resources
Step 1) Install WireGuard
First, you will need to install Homebrew. (Note: Mullvad has not performed an audit of Homebrew. Downloading software via an untrusted third party could potentially mean acquiring unwanted malware, adware, and/or backdoors.)
To do so, run the following command:
mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew
Then run the following command to install WireGuard:
brew install wireguard-tools
Step 2) Generate a configuration file
You have two options here.
Option 1 – use if you want to multihop
Use our WireGuard config generator to automatically generate the necessary file. Once downloaded, save the file in your local directory "/etc/wireguard".
Jump to the multihop section of this guide to learn more about this option.
Option 2 – use the mullvad-wg.sh script
First install jq if you do not already have it:
brew install jq
Then run the following command (with this option, you cannot as easily enable a kill switch or use multihopping):
curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh
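The following is an added example, not part of Mullvad's guide or tooling: a shell function that audits a config file saved in step 2 before you bring the tunnel up. It checks that the file, which holds your private key, is accessible only to its owner and that AllowedIPs covers both the IPv4 and IPv6 default routes; the function name audit_wg_conf and the expectation of a full-tunnel config are assumptions of this example.

```bash
# Added example: audit a WireGuard config before running `wg-quick up`.
# Usage: save as audit.sh and run `bash audit.sh <path-to-config>`.

audit_wg_conf() {
  local conf="$1" rc=0 perms allowed
  [ -f "$conf" ] || { echo "FAIL: $conf not found"; return 2; }

  # Characters 5-10 of the `ls -l` mode string are the group and other
  # permission bits. The file holds PrivateKey, so all six must be '-'.
  perms=$(ls -l "$conf" | cut -c5-10)
  if [ "$perms" != "------" ]; then
    echo "FAIL: $conf is accessible to group/other (fix: chmod 600)"
    rc=1
  fi

  # Without a PrivateKey line the interface cannot be brought up.
  grep -Eq '^[[:space:]]*PrivateKey[[:space:]]*=' "$conf" ||
    { echo "FAIL: no PrivateKey line"; rc=1; }

  # Collect every AllowedIPs value, one CIDR per line, whitespace removed.
  allowed=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=//p' "$conf" |
            tr ',' '\n' | tr -d ' \t')

  # wg-quick only routes what AllowedIPs lists. Assumption: you want a
  # full tunnel, so both default routes must be present. On a host with
  # IPv6 connectivity, a missing ::/0 lets IPv6 traffic bypass the tunnel.
  echo "$allowed" | grep -qx '0\.0\.0\.0/0' ||
    { echo "FAIL: AllowedIPs lacks 0.0.0.0/0 (IPv4 not fully tunnelled)"; rc=1; }
  echo "$allowed" | grep -Eqx '::0?/0' ||
    { echo "FAIL: AllowedIPs lacks ::/0 (IPv6 can leak outside the tunnel)"; rc=1; }

  if [ "$rc" -eq 0 ]; then echo "OK: $conf"; fi
  return "$rc"
}

# Run the audit when a path is given on the command line.
if [ "$#" -gt 0 ]; then audit_wg_conf "$1"; fi
```

A non-zero exit status means at least one check failed; the messages say which.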
Step 3) Turn WireGuard on/off
For this guide, we have selected Malmö, Sweden (se1), as our first server location. The downloaded config file is therefore named "mullvad-se1-wireguard.conf".
Turn on WireGuard by running the following command, replacing "se1" with your selected location's alias.
wg-quick up mullvad-se1
To disconnect, run the following command, and as before, replace "se1" with your selection:
wg-quick down mullvad-se1
That's it! With those two commands, you can start/stop WireGuard as needed.
If you run into any issues while using WireGuard, please contact us at firstname.lastname@example.org and let us know what you experience.
Read on for additional options and information.
How to verify that your WireGuard connection is working
Use our online tool Am I Mullvad to check your IP and verify that WireGuard is working.
Using multihop with WireGuard
When using our config generator in step 2, you have the option of selecting a second server location. Doing so allows your traffic to "hop" from the first location to the second before exiting at your destination.
Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.
Using multihop with SOCKS5
Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.
Using this together with the multihop option in step 2 of this guide will give you an additional hop for a total of three.
Q: How do I enable port forwarding?
A: Log in to your Mullvad account page on our website. Under "Manage your forwarded ports," click on "Add port." Keep in mind that the ports will be forwarded to the latest pubkey that you have added.
External resources
- WireGuard homepage
- WireGuard Whitepaper (PDF)
- Installation Instructions
- Quickstart Instructions
- Donate to Upstream WireGuard Development
- Formal Verification of WireGuard Protocol
- wg(8) man page
- wg-quick(8) man page
"WireGuard" is a registered trademark of Jason A. Donenfeld.