Back to Guides

WireGuard + Mullvad for macOS

This guide walks you through the steps and terminal-based commands to set up and use the WireGuard protocol with Mullvad on macOS.

What this guide covers:

Step 1) Install WireGuard

First, you will need to install Homebrew. (Note: Mullvad has not performed an audit of Homebrew. Downloading software via an untrusted third party could potentially mean acquiring unwanted malware, adware, and/or backdoors.)

To do so, run the following command:

mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew

Then run the following command to install WireGuard:

brew install wireguard-tools

Step 2) Generate a configuration file

You have two options here.

Option 1 –  use if you want to multihop
Use our WireGuard config generator to automatically generate the necessary file. Once downloaded, save the file in your local directory "/etc/wireguard".

Jump to the multihop section of this guide to learn more about this option.
 

Option 2
First install jq if you do not already have it:

brew install jq

Then run the following command (with this option, you cannot as easily enable a kill switch or use multihopping):

curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh


Step 3) Turn WireGuard on/off

For this guide, we have selected Malmö, Sweden (se1), as our first server location. The downloaded config file is therefore named "mullvad-se1-wireguard.conf".

Turn on WireGuard by running the following command, replacing "se1" with your selected location's alias.

wg-quick up mullvad-se1

To disconnect, run the following command, and as before, replace "se1" with your selection:

wg-quick down mullvad-se1

That's it! With those two commands, you can start/stop WireGuard as needed.

If you run into any issues while using WireGuard, please contact us at support@mullvad.net and let us know what you experience.

Read on for additional options and information.
 

Verify your connection

Use our online tool Am I Mullvad to check your IP and verify that WireGuard is working.
 

Multihop with WireGuard

When using our config generator in step 2, you have the option of selecting a second server location. Doing so allows your traffic to "hop" from the first location to the second before exiting at your destination.

Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.
 

Multihop via SOCKS5 proxies

Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.

Using this together with the multihop option in step 2 of this guide will give you an additional hop for a total of three.
 

FAQ

Q: How do I enable port forwarding?
A: Log in to your Mullvad account page on our website. Under "Manage your forwarded ports," click on "Add port." Keep in mind that the ports will be forwarded to the latest pubkey that you have added.
 

External resources

"WireGuard" is a registered trademark of Jason A. Donenfeld.