CLI commands for using WireGuard


Last updated: 3 November 2020

This command line interface (CLI) guide explains how to connect to Mullvad's WireGuard® servers by using the terminal.

If you’re using the Mullvad VPN app, follow our guide on how to turn on WireGuard in the app.


You need

  • macOS, Linux or Windows
  • version 2019.6 or newer of the Mullvad VPN app – download it here
  • to use the Terminal (macOS/Linux) or Command Prompt

1. Open the terminal

Open a Terminal (macOS/Linux) or a Command Prompt.

2. Specify your account

This is only necessary if you are not already logged in. Replace the number string with your Mullvad account number.

mullvad account set 1234123412341234

3. Do you have a key pair?

Check if you already have a key pair.

mullvad tunnel wireguard key check

4. No key pair? Generate one.

This command will generate a new key pair but will not return any information.

mullvad tunnel wireguard key regenerate

5. New key pair? Wait.

If you generated a new key pair, you may need to wait up to two minutes before it starts working. If the Mullvad app fails to connect in the following steps, you still need to wait.

6. Turn on WireGuard

This command enables WireGuard.

mullvad relay set tunnel-protocol wireguard

7. Connect

Connect to the location that you selected.

mullvad connect

8. Further reading

To learn how to select a location/server and more please continue reading our guide How to use the Mullvad CLI.

9. Use WireGuard in the app

You can also continue to use the app just as you normally would. Launch the app. In the location menu, choose any available country, city, or server. The locations that don't have WireGuard servers will be greyed out and unavailable for selection.

10. Turn off WireGuard

This terminal command will disconnect you from WireGuard.

mullvad relay set tunnel-protocol openvpn

If you're connected to the app when you turn off WireGuard, notice that the app will automatically reconnect in order to implement this new configuration.


I get "BLOCKED CONNECTION" when I launch the app.

Simply choose another location. This just means that when you previously used the app, before turning on WireGuard, you were connected to a location that doesn't have a WireGuard server.

"WireGuard" is a registered trademark of Jason A. Donenfeld.