WireGuard on macOS terminal (brew)


Last updated: 3 November 2020

This guide walks you through the steps and terminal-based commands to set up and use the WireGuard® protocol with Mullvad on macOS.

Important: If you have macOS version 10.14 or newer, please use the WireGuard App instead.

What this guide covers:

Set-up instructions

1. Install WireGuard

First, you will need to install Homebrew.

To do so, run the command mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew

Then run brew install wireguard-tools to install WireGuard.

Note: Mullvad has not performed an audit of Homebrew. Downloading software via an untrusted third party could potentially mean acquiring unwanted malware, adware, and/or backdoors.

2. Generate a configuration file

You have two options here.

Option 1 –  use if you want to multihop

Use our WireGuard config generator to automatically generate the necessary file. Once downloaded, save the file in your local directory "/etc/wireguard".

Jump to the multihop section of this guide to learn more about this option.

Option 2

With this option, you cannot as easily enable a kill switch or use multihopping.

First install jq, if you do not already have it, by running brew install jq

Then run curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh

3. Turn WireGuard on/off

For this guide, we have selected Malmö, Sweden (se4), as our first server location. The downloaded config file is therefore named "mullvad-se4-wireguard.conf".

Turn on WireGuard by running the following command, replacing "se4" with your selected location's alias.

wg-quick up mullvad-se4

To disconnect, run the following command, and as before, replace "se4" with your selection:

wg-quick down mullvad-se4

That's it! With those two commands, you can start/stop WireGuard as needed.

If you run into any issues while using WireGuard, please contact us at support@mullvad.net and let us know what you experience.

Read on for additional options and information.

Verify your connection

Use our Connection check to check your IP and verify that WireGuard is working.

Multihop with WireGuard

When using our config generator in step 2, you have the option of selecting a second server location. Doing so allows your traffic to "hop" from the first location to the second before exiting at your destination.

Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.

Multihop via SOCKS5 proxies

Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.

Using this together with the multihop option in step 2 of this guide will give you an additional hop for a total of three.


How do I enable port forwarding?

Log in to your Mullvad account page on our website. Under "Manage your forwarded ports," click on "Add port." Keep in mind that the ports will be forwarded to the latest pubkey that you have added.

External resources

"WireGuard" is a registered trademark of Jason A. Donenfeld.