Port forwarding with Mullvad VPN


Last updated: 28 October 2021

Follow these steps to add and manage your forwarded ports with Mullvad.

What is port forwarding?

Port forwarding makes it possible for remote computers to access a specific computer or service within a private local area network (LAN).

For example, Gunilla has a web server on her private LAN that she wants Glenn to visit. She first requests a port to be forwarded to her. Then she configures her web server to listen to that port for any other traffic. Glenn can then connect to the exit IP address of the VPN server that Gunilla is using, as well as the port number, and voila – he has access!

It's like dialing a company's phone number (the IP address) and then punching in the extension number (port) to reach a particular person.

Managing ports via Mullvad website

The simplest way to add and manage your ports is via our website. These instructions work for any operating system.

You can only add a port if your Mullvad account has time left on it.

Port forwarding is not allowed for accounts that have an active automatic recurring subscription (via PayPal or credit card). It is therefore not possible to add ports to such accounts. If you have an automatic subscription then you can log in to your account, click on "Manage subscription" and cancel it. Your current time will remain on the account and you can make manual one-time payments from then on.

Adding a port

  1. Log in to your Mullvad account page.
  2. Click on Manage ports and WireGuard keys.
  3. Click on Select a city under "Port forwarding" and select the city that you connect to with Mullvad on the machine you will forward the port to.
  4. Click on Select a key.
    • If you are using OpenVPN protocol then you can select No key (only OpenVPN).
    • If you are using WireGuard protocol then you have to select the public WireGuard key that you are using with Mullvad on the machine you will forward the port to (see instructions below).
  5. Click on Add port. If you selected "No key (only OpenVPN)" then the port is added to "Active ports". If you selected a WireGuard key then the port is added to the key and to "Active ports" (or just to the key if you had a port under Active ports that was not connected to a key yet). The port label includes the country and city designation and the port number.
You cannot request a specific port number; you can only generate a random one.

Where to find the WireGuard key

  • In the Mullvad app you can see it in the Advanced settings under "WireGuard key".
  • In the Windows/macOS standalone WireGuard apps you can see it as the "Interface: Public key" on the server configuration.
  • If you use the Mullvad CLI you can use the command mullvad tunnel wireguard key check.
  • If you use standalone WireGuard in Linux you can see it with the wg command under "interface: public key".
  • If you use Mullvad with WireGuard on your router then you can log in with SSH to the router and run the wg command.

Removing a port

To remove a port, click on the red button with an X on the right side of the port number under "Active ports". Do not click on the trash can icon next to the WireGuard key unless you want to remove your WireGuard key.

Before you start

Check the following:

  • When adding a port to a WireGuard key it can take 10 minutes for it to be added to our VPN servers.
  • Make sure to connect to the city you specified for the port when you added it. If you use OpenVPN protocol you have to disconnect and reconnect to Mullvad after adding a port.
  • Make sure that you don't have a firewall that might be blocking your port (for example Windows Firewall or iptables).

Find the IP address to connect to

Run the following command in a Terminal (Linux/macOS) or Command Prompt (Windows 10) on the machine running Mullvad.

curl https://am.i.mullvad.net/connected

You can also find the IP address with Mullvad Check (expand the first green box).

Note that you cannot use the VPN server's hostname since the entry IP is different from the exit IPs for users. We do not offer static or dedicated IPs but the IP seldom changes when you connect to the same Mullvad server. You can use a dynamic DNS service to update the IP address automatically if it should change.

Test your port forwarding

Once you've added a port, you can check to make sure that it's working.

Note: Don't try to test it directly using the Mullvad exit IP with an app on the same machine that you port forward to. That won't work.

Do you have a service listening on the port?

  • Yes – then you can use our Connection check (click on the "Port check" tab) to test your port.
  • No – a service is necessary if you want to test your port. Install the service of your choice or follow our instructions below to use iPerf or nc.

Windows (and other platforms) - how to use iPerf3

Although the following steps are specific for Windows users, the instructions are similar for other operating systems.

  1. In a browser, navigate to https://iperf.fr and click on "Download iPerf binaries."
  2. Scroll down to your operating system and click on the iPerf link to download the file.
  3. Open the ZIP file and copy the folder within it.
  4. Open your Downloads folder and paste in the folder you just copied.
  5. Right-click on the Windows Start button and click on "Command Prompt".
  6. Run cd Downloads.
  7. Run cd iperf-3.1.3-win64.
  8. Run iperf3.exe -s -p 5410 (replace "5410" with the port that you have been assigned).
  9. In the Windows Firewall pop-up window, click on "Allow access". If you have a third-party firewall, please make sure that it is not restrictive.
  10. The iPerf3 service is now installed.
  11. Now you can test your port with our Connection check (click on the "Port check" tab).

Linux - using nc and curl for port testing

After adding a port via the Mullvad website, follow these instructions, replacing 5555 with the port that you are assigned.

Open the port in the firewall using, for example, sudo iptables -I INPUT -p tcp --dport 5555 -j ACCEPT or sudo ufw allow 5555.

  1. Install curl and netcat or ncat if you don't already have them.
  2. In a terminal window, run nc -l -p 5555.
  3. In another terminal tab or window, run curl https://ipv4.am.i.mullvad.net/port/5555 (if you wish to test IPv6, replace "ipv4" with "ipv6").
  4. If everything is working properly, the result will show "reachable:true".
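
The Linux steps above as one script, added here as an example (not Mullvad's own code): it validates the port, starts a temporary nc listener, queries the port check and always stops the listener afterwards. The function names, the PORT_TO_TEST variable and the tolerance for a JSON-style response body are assumptions; the page only states that the result shows "reachable:true".

```sh
#!/bin/sh
# Added example. Assumes curl and an nc that accepts "-l -p PORT" (as in step 2).
CHECK_URL="https://ipv4.am.i.mullvad.net/port"   # check endpoint from the page

# valid_port PORT -> 0 if PORT is a decimal integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-digit, or more than 5 digits
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# is_reachable RESPONSE -> 0 if the check response reports reachable:true.
# Quotes and whitespace are stripped first, so a quoted JSON key also matches.
is_reachable() {
  printf '%s' "$1" | tr -d ' "\n' | grep -q 'reachable:true'
}

# test_port PORT: temporary listener, remote check, cleanup.
test_port() {
  port=$1
  valid_port "$port" || { echo "invalid port: $port" >&2; return 2; }
  nc -l -p "$port" >/dev/null 2>&1 &
  nc_pid=$!
  sleep 1
  if ! kill -0 "$nc_pid" 2>/dev/null; then
    echo "listener did not start (port already in use?)" >&2
    return 3
  fi
  resp=$(curl -fsS --max-time 15 "$CHECK_URL/$port") || resp=""
  # Stop the listener whatever the result, so the test leaves no open port.
  kill "$nc_pid" 2>/dev/null
  wait "$nc_pid" 2>/dev/null
  if is_reachable "$resp"; then
    echo "port $port is reachable"
  else
    echo "port $port is NOT reachable: check city, firewall and the 10-minute delay" >&2
    return 1
  fi
}

# Runs only when PORT_TO_TEST is set, e.g.: PORT_TO_TEST=5555 sh porttest.sh
if [ -n "${PORT_TO_TEST:-}" ]; then test_port "$PORT_TO_TEST"; fi
```

The firewall rule from the paragraph before step 1 still has to be in place before running it.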

macOS - using nc and curl for port testing

After adding a port via the Mullvad website, follow these instructions, replacing 5555 with the port that you are assigned:

  1. Open Terminal.app.
  2. Run nc -l 5555.
  3. In another terminal tab or window, run curl https://ipv4.am.i.mullvad.net/port/5555 (if you wish to test IPv6, replace "ipv4" with "ipv6").
  4. If everything is working properly, the result will show "reachable:true".

Using Mullvad on a router

You do not need to forward a port in your router unless you are running Mullvad on the router (with an OpenVPN or WireGuard client).

Some of our guides to use Mullvad on a router have information about how to forward a port to a client in the LAN.

OpenWrt routers and Mullvad VPN
DD-WRT routers and Mullvad VPN
Asus Merlin and Mullvad VPN
Using pfSense with Mullvad


Note the following:

  • If you are using multiple devices that share the same account and connect to the same server, then only the most recently connected device will have the ports forwarded to it. (This does not apply if you are using WireGuard, since you can move the ports around to different pubkeys.)
  • The port forwarded service cannot be accessed with a computer/device that is using Mullvad with the same VPN server.
  • You need to add one port for each service/application that you want to access.
  • The SOCKS5 protocol does not support port forwarding so your service cannot be using that.


Q: Does port forwarding work with both TCP and UDP?
A: Yes

Q: Does port forwarding work with both IPv4 and IPv6?
A: Yes

Q: Can I assign a port to all cities like before?
A: No, all global ports have been removed because there are not enough ports in existence for all users to have a global port.

Q: Will you remove my ports if I don't pay?
A: We do remove ports 20 days after the account expires.


"WireGuard" is a registered trademark of Jason A. Donenfeld.