This guide explains how to use the Mullvad command line interface (CLI) to connect to the Mullvad WireGuard® servers, and how to use WireGuard related commands. For general and OpenVPN protocol related Mullvad commands see the guide How to use the Mullvad CLI.
You can use the CLI and the GUI interchangeably; you don't have to stick with one. If you have a headless server, you can use Mullvad VPN with only the Mullvad CLI.
Requirements
You need:
- Linux, macOS or Windows
- The Mullvad VPN app
- To use the Terminal (macOS/Linux) or Command Prompt (Windows)
Basic commands
1. Set your account
This is only necessary if you are not already logged in. Replace the number string with your Mullvad account number.
mullvad account login 1234123412341234
2. Verify your WireGuard key
Check your WireGuard key.
mullvad tunnel wireguard key check
3. Generate a WireGuard key
This will generate a new key or replace your current one.
mullvad tunnel wireguard key regenerate
Note: You may need to wait up to two minutes before the key starts working.
4. Set the protocol to WireGuard
This enables WireGuard.
mullvad relay set tunnel-protocol wireguard
5. Select a country
Set a country by using its two-letter country code (USA = us and UK = gb).
mullvad relay set location se
6. Connect
Connect to the country/location that you selected.
mullvad connect
7. Status
Check the status of the connection.
mullvad status
8. Change from WireGuard to OpenVPN protocol
If you want to stop using WireGuard and change to the OpenVPN protocol, use this command.
mullvad relay set tunnel-protocol openvpn
Other commands
Change the key rotation interval
This command manages the automatic key rotation interval (given in hours). The default is 168 hours (7 days). To set it to every three days, for example, use this command:
mullvad tunnel wireguard key rotation-interval set 72
Use IPv6 to connect to WireGuard servers
With this command you can enable connecting to the Mullvad servers using their IPv6 addresses.
mullvad relay set tunnel wireguard --ipv 6
Use a specific WireGuard server port
Use this command to set the WireGuard port to connect to.
mullvad relay set tunnel wireguard --port 123
To set the port back to automatic use this command.
mullvad relay set tunnel wireguard --port any
Use WireGuard TCP obfuscation
To enable WireGuard TCP obfuscation use this command.
mullvad obfuscation set mode udp2tcp
To check if obfuscation is on use this command. It should say "Obfuscator: Udp2Tcp".
mullvad status -v
To set WireGuard TCP obfuscation back to automatic use this command.
mullvad obfuscation set mode auto
Use a quantum resistant WireGuard tunnel
Select a compatible WireGuard server with this command.
mullvad relay set hostname se9-wireguard
To enable a quantum resistant tunnel use this command.
mullvad tunnel wireguard quantum-resistant-tunnel set on
To check if it's on use this command. It should say "Quantum resistant tunnel: yes".
mullvad status -v
To disable the use of a quantum resistant tunnel use this command.
mullvad tunnel wireguard quantum-resistant-tunnel set off
Multihop
See our guide Multihop with WireGuard to learn more about this feature.
1. Select the exit server (second hop)
Choose the exit server in the same way that you do without multihop. You can use three different commands, depending on if you want to select a country, city or a specific server.
mullvad relay set location se
mullvad relay set location se got
mullvad relay set hostname se1-wireguard
(se=Sweden) (se got=Sweden Gothenburg)
2. Select the entry server (first hop)
You can use three variations, depending on if you want to select a country, city or a specific server.
mullvad relay set tunnel wireguard --entry-location dk
mullvad relay set tunnel wireguard --entry-location dk cph
mullvad relay set tunnel wireguard --entry-location dk cph dk2-wireguard
(dk=Denmark) (dk cph=Denmark Copenhagen)
3. Check the status
To verify that you are using multihop, use the mullvad status command.
mullvad status
Tunnel status: Connected to WireGuard 193.138.218.220:51820 over UDP via 176.125.235.71:17014 over UDP
The "via" part of the output shows the entry server, which verifies that you are using multihop.
4. Turn off multihop
To disable multihop use the following command.
mullvad relay set tunnel wireguard --entry-location none
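On a headless server, the three status checks described in this guide (the "via" entry hop, "Quantum resistant tunnel: yes" and "Obfuscator: Udp2Tcp") can be scripted so that a missing setting is reported instead of overlooked. This is an added example, not Mullvad's own code: the function names are hypothetical and the sample status text is constructed from the strings quoted in this guide, so the patterns may need adjusting if your app version words its output differently.

```shell
#!/bin/sh
# Added example: helper names are hypothetical, not Mullvad CLI commands.

# Constructed samples assembled from the status strings quoted in this guide.
SAMPLE_MULTIHOP='Tunnel status: Connected to WireGuard 193.138.218.220:51820 over UDP via 176.125.235.71:17014 over UDP
Quantum resistant tunnel: yes
Obfuscator: Udp2Tcp'
SAMPLE_PLAIN='Tunnel status: Connected to WireGuard 193.138.218.220:51820 over UDP
Quantum resistant tunnel: no'

# Each predicate takes the full status text and succeeds only if the
# expected string is present.
is_multihop()          { printf '%s\n' "$1" | grep -Eq 'Connected to .* via [^ ]+'; }
is_quantum_resistant() { printf '%s\n' "$1" | grep -Fq 'Quantum resistant tunnel: yes'; }
is_udp2tcp()           { printf '%s\n' "$1" | grep -Fq 'Obfuscator: Udp2Tcp'; }

# Print the entry (first hop) endpoint from the "via" part, or nothing.
entry_hop() {
    printf '%s\n' "$1" | sed -n 's/.*Connected to .* via \([^ ]*\) over .*/\1/p'
}

# audit_status TEXT REQUIREMENT...
# Prints one line per requirement; the return code is the number of failures,
# so a missing line counts as a failure rather than being silently accepted.
audit_status() {
    text=$1; shift
    failures=0
    for req in "$@"; do
        case $req in
            multihop) is_multihop "$text" ;;
            quantum)  is_quantum_resistant "$text" ;;
            udp2tcp)  is_udp2tcp "$text" ;;
            *)        echo "unknown requirement: $req" >&2; false ;;
        esac && echo "ok   $req" || { echo "FAIL $req"; failures=$((failures + 1)); }
    done
    return "$failures"
}

# Demo on the constructed sample. On a real system, pass the live output:
#   audit_status "$(mullvad status -v)" multihop quantum udp2tcp
audit_status "$SAMPLE_MULTIHOP" multihop quantum udp2tcp
echo "entry hop: $(entry_hop "$SAMPLE_MULTIHOP")"
```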
FAQ
I get "BLOCKED CONNECTION" when I launch the app.
Simply choose another location. This just means that when you previously used the app, before turning on WireGuard, you were connected to a location that doesn't have a WireGuard server.
"WireGuard" is a registered trademark of Jason A. Donenfeld.