CLI commands for using WireGuard

WIREGUARD

Last updated: 12 October 2022


This guide explains how to use the Mullvad command line interface (CLI) to connect to the Mullvad WireGuard® servers, and how to use WireGuard related commands. For general and OpenVPN protocol related Mullvad commands see the guide How to use the Mullvad CLI.

You can use the CLI and the GUI interchangeably, you don't have to stick with one way. If you have a headless server then you can use Mullvad VPN by using only the Mullvad CLI.

What this guide covers

Requirements

You need:

  • Linux, macOS or Windows
  • The Mullvad VPN app
  • To use the Terminal (macOS/Linux) or Command Prompt (Windows)

Basic commands

1. Set your account

This is only necessary if you are not already logged in. Replace the number string with your Mullvad account number.

mullvad account login 1234123412341234

2. Verify your WireGuard key

Check your WireGuard key.

mullvad tunnel wireguard key check

3. Generate a WireGuard key

This will generate a new key or replace your current one.

mullvad tunnel wireguard key regenerate

Note: You may need to wait up to two minutes before the key starts working.

4. Set the protocol to WireGuard

This enables WireGuard.

mullvad relay set tunnel-protocol wireguard

5. Select a country

Set a country by using the two letter country code. (USA = us and UK = gb).

mullvad relay set location se

6. Connect

Connect to the country/location that you selected.

mullvad connect

7. Change from WireGuard to OpenVPN protocol

If you want to stop using WireGuard and change to OpenVPN protocol use this command.

mullvad relay set tunnel-protocol openvpn

Other commands

Change the key rotation interval

This command manages the automatic key rotation interval (given in hours). The default is 168 hours (7 days). To set it to every three days for example use this command:

mullvad tunnel wireguard key rotation-interval set 72

Use IPv6 to connect to WireGuard servers

With this command you can enable connecting to the Mullvad servers using their IPv6 addresses.

mullvad relay set tunnel wireguard --ipv 6

Use a specific WireGuard server port

Use this command to set the WireGuard port to connect to.

mullvad relay set tunnel wireguard --port 123

To set the port back to automatic use this command.

mullvad relay set tunnel wireguard --port any

Use WireGuard TCP obfuscation

To enable WireGuard TCP obfuscation use this command.

mullvad obfuscation set mode udp2tcp

To check if obfuscation is on use this command. It should say "Obfuscator: Udp2Tcp".

mullvad status -v

To set WireGuard TCP obfuscation back to automatic use this command.

mullvad obfuscation set mode auto

Use a quantum resistant WireGuard tunnel

Select a compatible WireGuard server with this command.

mullvad relay set hostname se9-wireguard

To enable a quantum resistant tunnel use this command.

mullvad tunnel wireguard quantum-resistant-tunnel set on

To check if it's on use this command. It should say "Quantum resistant tunnel: yes".

mullvad status -v

To disable the use of a quantum resistant tunnel use this command.

mullvad tunnel wireguard quantum-resistant-tunnel set off

Multihop

See our guide Multihop with WireGuard to learn more about this feature.

1. Select the exit server (second hop)

Choose the exit server in the same way that you do without multihop. You can use three different commands, depending on if you want to select a country, city or a specific server.

mullvad relay set location se

mullvad relay set location se got

mullvad relay set hostname se1-wireguard

(se=Sweden) (se got=Sweden Gothenburg)

2. Select the entry server (first hop)

You can use three variations, depending on if you want to select a country, city or a specific server.

mullvad relay set tunnel wireguard --entry-location dk

mullvad relay set tunnel wireguard --entry-location dk cph

mullvad relay set tunnel wireguard --entry-location dk cph dk2-wireguard

(dk=Denmark) (dk cph=Denmark Copenhagen)

3. Check the status

To  verify that you are using multihop use the mullvad status command.

mullvad status

Tunnel status: Connected to WireGuard 193.138.218.220:51820 over UDP via 176.125.235.71:17014 over UDP

The "via" part of the output shows the entry server, which verifies that you are using multihop.

4. Turn off multihop

To disable multihop use the following command.

mullvad relay set tunnel wireguard --entry-location none

FAQ

I get "BLOCKED CONNECTION" when I launch the app.

Simply choose another location. This just means that when you previously used the app, before turning on WireGuard, you were connected to a location that doesn't have a WireGuard server.
 

"WireGuard" is a registered trademark of Jason A. Donenfeld.