CLI commands for using WireGuard


Last updated: 16 March 2022

This guide explains how to use the Mullvad command line interface (CLI) to connect to Mullvad's WireGuard® servers and use WireGuard related commands. For general Mullvad commands see the guide How to use the Mullvad CLI.

You can use the CLI and the GUI interchangeably, you don't have to stick with one way. If you have a headless server then you can use Mullvad VPN by using only the Mullvad CLI.

What this guide covers


You need:

  • Linux, macOS or Windows
  • The Mullvad VPN app
  • To use the Terminal (macOS/Linux) or Command Prompt (Windows)

Basic commands

1. Set your account

This is only necessary if you are not already logged in. Replace the number string with your Mullvad account number.

mullvad account set 1234123412341234

2. Verify your WireGuard key

Check if you already have a key.

mullvad tunnel wireguard key check

3. Generate a WireGuard key

This will generate a new key or replace your current one.

mullvad tunnel wireguard key regenerate

Note: You may need to wait up to two minutes before the key starts working.

4. Set the protocol to WireGuard

This enables WireGuard.

mullvad relay set tunnel-protocol wireguard

5. Select a country

Set a country by using the two letter country code. (USA = us and UK = gb).

mullvad relay set location se

6. Connect

Connect to the country/location that you selected.

mullvad connect

7. Change from WireGuard to OpenVPN protocol

If you want to stop using WireGuard and change to OpenVPN protocol use this command.

mullvad relay set tunnel-protocol openvpn

Other commands

Change the key rotation interval

This command manages the automatic key rotation interval (given in hours). The default is 168 hours (7 days). To set it to every three days for example use this command:

mullvad tunnel wireguard key rotation-interval set 72

Connect to WireGuard servers over IPv6

With this command you can enable connecting to the Mullvad servers using their IPv6 addresses.

mullvad relay set tunnel wireguard --ipv 6


See our guide Multihop with WireGuard to learn more about this feature.

1. Select the exit server (second hop)

Choose the exit server in the same way that you do without multihop. You can use three different commands, depending on if you want to select a country, city or a specific server.

mullvad relay set location se

mullvad relay set location se got

mullvad relay set hostname se1-wireguard

(se=Sweden) (se got=Sweden Gothenburg)

2. Select the entry server (first hop)

You can use three variations, depending on if you want to select a country, city or a specific server.

mullvad relay set tunnel wireguard --entry-location no

mullvad relay set tunnel wireguard --entry-location no osl

mullvad relay set tunnel wireguard --entry-location no osl no1-wireguard

(no=Norway) (no osl=Norway Oslo)

3. Check the status

To  verify that you are using multihop use the mullvad status command.

mullvad status

Tunnel status: Connected to WireGuard over UDP via over UDP

The "via" part of the output shows the entry server, which verifies that you are using multihop.

4. Turn off multihop

To disable multihop use the following command.

mullvad relay set tunnel wireguard --entry-location none


I get "BLOCKED CONNECTION" when I launch the app.

Simply choose another location. This just means that when you previously used the app, before turning on WireGuard, you were connected to a location that doesn't have a WireGuard server.

"WireGuard" is a registered trademark of Jason A. Donenfeld.