Port forwarding with Mullvad VPN

CONNECTIVITY

Last updated: 4 May 2022


Follow these steps to add and manage your forwarded ports with Mullvad.

What this guide covers:

What is port forwarding?

Port forwarding makes it possible for remote computers to access a specific computer or service within a private local area network (LAN).

For example, Gunilla has a web server on her private LAN that she wants Glenn to visit. She first requests a port to be forwarded to her. Then she configures her web server to listen to that port for any other traffic. Glenn can then connect to the exit IP address of the VPN server that Gunilla is using, as well as the port number, and voila – he has access!

It's like dialing a company's phone number (the IP address) and then punching in the extension number (port) to reach a particular person.

How to set up port forwarding with Mullvad

Setting up port forwarding with Mullvad successfully requires several steps. Here is an overview.

  1. Add a port to a specific city in your Mullvad account on our website.
    - If you use WireGuard protocol then assign it to your WireGuard key when you create it.
  2. Set up a service or use a listener on the assigned port.
  3. Allow it in your firewall.
  4. Connect to a Mullvad server in the city that you created the port for.
    - If you use WireGuard protocol then make sure that you are using the assigned WireGuard key.
  5. Check if the port is open from the Internet using our Port check tool.
  6. Find out what IP address to connect to from the Internet.

Read on for more details about how to do all this.

Step 1 - Manage your ports on the Mullvad website

You can add and manage your ports on our website. These instructions work for any operating system.

  1. Log in to your Mullvad account page.
  2. Click on Manage ports and WireGuard keys

The page looks like this.

In case your Mullvad account has no time left on it you will see the following message:

"You can't add ports because you don't have any time left on your account".

You can buy time using one of the payment methods in your account.

Port forwarding is not allowed for accounts that have an active automatic recurring subscription (via PayPal or credit card). It is therefore not possible to add ports to such accounts unless you cancel it first. You will see the following message on the port forwarding page.

If you have an automatic subscription then you can log in to your account, click on "Manage subscription" and cancel it. Your paid for time will remain on the account and you can make manual one-time payments from then on.

Adding a port

Follow the steps described below to add a port.

  1. Click on Select a city and select the city that you will connect to with Mullvad on the computer or device that you will forward the port to.
  2. Click on Select a key. Note the following:
    • If you are using OpenVPN protocol then you can select No key (only OpenVPN).
    • If you are using WireGuard protocol then you have to select the public WireGuard key that you are using with Mullvad on the machine that you will forward the port to (see instructions below).
  3. Click on Add port. If you selected "No key (only OpenVPN)" then the key is added to "Active ports". If you selected a WireGuard key then the port is added to the key and to "Active ports" (or just to the key if you had a port under Active ports that was not connected to a key yet). The port label includes the country and city designation and the port number.

In the screenshot above you can see the WireGuard key and which port is connected to it. The port label "se-got-55260" means that the port will work with our se-got location, which is the short name for Sweden, Gothenburg, and the port number is 55260.

You cannot request a specific port number, you can only generate a random port number.

Where to find the WireGuard key

  • In the Mullvad app you can see it in the Advanced settings > WireGuard settings > WireGuard key.
  • In the Windows/macOS standalone WireGuard apps you can see it as the "Interface: Public key" on the server configuration.
  • If you use the Mullvad CLI you can use the command mullvad tunnel wireguard key check.
  • If you use standalone WireGuard in Linux you can see it with the wg command under "interface: public key".
  • If you use Mullvad with WireGuard on your router then you can log in with SSH to the router and run the wg command.

Removing a port

To remove a port, click on the red button with an X on the right side of the port number under "Active ports". Do not click on the trash can icon next to the WireGuard key unless you want to remove your WireGuard key.

Steps 2-5 - Test your port forwarding

Once you've added a port, you can check to make sure that it's working. Note:

  • When adding a port to a WireGuard key it can take 10 minutes for it to be added to our VPN servers.
  • Make sure to connect to the city you specified for the port when you added it. If you use OpenVPN protocol you have to disconnect and reconnect to Mullvad after adding a port.
  • Make sure that you don't have a firewall that might be blocking your port (for example Windows Firewall or iptables).

Note: Don't try to test it directly using the Mullvad exit IP with an app on the same machine that you port forward to. That won't work.

Do you have a service listening on the port?

  • Yes – then you can use our Connection check (click on the "Port check" tab) to test your port.
  • No – a service is necessary if you want to test your port. Install the service of your choice or follow our instructions below to use iPerf or nc.

Windows (and other platforms) - how to use iPerf3

Although the following steps are specific for Windows users, the instructions are similar for other operating systems.

  1. In a browser, navigate to https://iperf.fr and click on "Download iPerf binaries."
  2. Scroll down to "Windows 64 bits" and click on the latest iPerf version in the top to download it.
  3. Open the ZIP file and copy the folder within it.
  4. Open your Downloads folder and paste in the folder you just copied.
  5. Right-click on the Windows Start button and click on "Command Prompt".
  6. Run cd Downloads.
  7. Run cd iperf-3.1.3-win64.
  8. Run iperf3.exe -s -p 5410 (replace "5410" with the port that you have been assigned).
  9. In the Windows Firewall pop-up window, click on "Allow access". Make sure that it's allowed in the Public network that Mullvad uses. If you have a third-party firewall, make sure that it is not restrictive.
  10. The iPerf3 service is now active. Do not use the port in another app at the same time.
  11. Now you can test your port with our Connection check (click on the "Port check" tab), or use the following command (replace 5555 with your port):
    curl https://ipv4.am.i.mullvad.net/port/5555

Linux - using nc and curl for port testing

After adding a port via the Mullvad website, follow these instructions, replacing 5555 with the port that you are assigned.

Open the port in the firewall using for example:
sudo iptables -I INPUT -p tcp --dport 5555 -j ACCEPT
or sudo ufw allow 5555.

  1. Install curl and netcat or ncat if you don't already have it.
  2. In a terminal window, run nc -l -p 5555.
  3. In another terminal tab or window, run curl https://ipv4.am.i.mullvad.net/port/5555 (if you wish to test ipv6, replace "ipv4" with "ipv6").
  4. If everything is working properly, the result will show "reachable:true".

macOS - using nc and curl for port testing

After adding a port via the Mullvad website, follow these instructions, replacing 5555 with the port that you are assigned:

  1. Open Terminal.app.
  2. Use the command nc -l 5555
  3. In another terminal tab or window, run curl https://ipv4.am.i.mullvad.net/port/5555 (if you wish to test ipv6, replace "ipv4" with "ipv6").
  4. If everything is working properly, the result will show "reachable:true".

Step 6 - Find the IP address to connect to

For the port forwarding to work it needs to go through our VPN server so that the port is forwarded inside the tunnel. You need to connect from the outside to your Mullvad exit IP on the VPN server and not your own public IP.

Run the following command in a Terminal (Linux/macOS) or Command Prompt (Windows) on the machine that is running Mullvad.

curl https://am.i.mullvad.net/connected

You can also find the IP-address with our Mullvad Check (expand the first green box).

Note that you cannot use the VPN server's hostname since the entry IP is different from the exit IP.

We do not offer static or dedicated IPs as it's not good for privacy.

You can use a dynamic DNS service to update the IP address automatically if it should change.

Using Mullvad on a router

When you connect to Mullvad using the Mullvad app or other app on your computer, then the port is forwarded and transported inside the encrypted VPN tunnel and your router will not see it. So any port forwarding setting in the router is not needed.

However if you are running Mullvad directly on the router (with OpenVPN or WireGuard set up) and don't use the Mullvad app then you need to forward the Mullvad port from the VPN interface or zone to your computer that runs the service that you want to use.

Some of our guides for using Mullvad on a router have information about how to forward a port to a client in the LAN.

OpenWrt routers and Mullvad VPN
DD-WRT routers and Mullvad VPN
Asus Merlin and Mullvad VPN
Using pfSense with Mullvad

Troubleshooting

Note the following:

  • If you are using multiple devices that share the same account and connect to the same server, then only the most recently connected device will have the ports forwarded to it. (This does not apply if you are using WireGuard since you can move the ports around to different pubkeys).
  • The port forwarded service cannot be accessed with a computer/device that is using Mullvad with the same VPN server.
  • You need to add one port for each service/application that you want to access.
  • The SOCKS5 protocol does not support port forwarding so your service cannot be using that.

FAQ

Q: Does port forwarding work with both TCP and UDP?
A: Yes

Q: Does port forwarding work with both IPv4 and IPv6?
A: Yes

Q: Can I assign a port to all cities like before?
A: No, all global ports have been removed because there are not enough ports in existence for all users to have a global port.

Q: Will you remove my ports if I don't pay?
A: We do remove ports 20 days after the accounts expires.

 

"WireGuard" is a registered trademark of Jason A. Donenfeld.