This guide walks you through the steps and terminal-based commands to set up and use the WireGuard® protocol with Mullvad on macOS.
Important: If you have macOS version 10.14 or newer, please use the WireGuard App instead.
What this guide covers:
- Setup instructions
- How to verify that your WireGuard connection is working
- Using multihop with WireGuard
- Using multihop with SOCKS5
- External resources
1. Install WireGuard
First, you will need to install Homebrew.
To do so, run the command
mkdir homebrew && curl -L https://github.com/Homebrew/brew/tarball/master | tar xz --strip 1 -C homebrew
Then run
brew install wireguard-tools
to install WireGuard.
Note: Mullvad has not performed an audit of Homebrew. Downloading software via an untrusted third party could potentially mean acquiring unwanted malware, adware, and/or backdoors.
2. Generate a configuration file
You have two options here.
Option 1 – use if you want to multihop
Use our WireGuard config generator to automatically generate the necessary file. Once downloaded, save the file in your local directory "/etc/wireguard".
Jump to the multihop section of this guide to learn more about this option.
Option 2
With this option, you cannot as easily enable a kill switch or use multihopping.
First install jq, if you do not already have it, by running
brew install jq
Then run
curl -LO https://mullvad.net/media/files/mullvad-wg.sh && chmod +x ./mullvad-wg.sh && ./mullvad-wg.sh
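Added example (not part of Mullvad's guide or tooling): a shell function that checks a generated config file before it is brought up in step 3. It confirms that the file, which contains your private key, is not accessible to other users, that all IPv4 and IPv6 traffic is routed through the tunnel, and that a DNS server is set. The function name audit_wg_conf is hypothetical, and the full-tunnel and DNS expectations are assumptions about what a VPN config should contain.

```sh
#!/bin/sh
# Added example, not Mullvad's code: audit a wg-quick config before "wg-quick up".
# Assumption: a full-tunnel config routes 0.0.0.0/0 and ::/0 and sets DNS.

audit_wg_conf() {   # hypothetical helper name
    conf=$1
    problems=0
    if [ ! -f "$conf" ]; then
        echo "FAIL: $conf not found"
        return 1
    fi

    # The file holds the PrivateKey, so group and other must have no access.
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -ld "$conf" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "FAIL: $conf is accessible to group or other (fix: chmod 600)"
        problems=$((problems + 1))
    fi

    # Collect every AllowedIPs value, strip blanks, one prefix per line.
    allowed=$(sed -n 's/^[[:space:]]*AllowedIPs[[:space:]]*=//p' "$conf" |
        tr -d ' \t' | tr ',' '\n')
    if ! printf '%s\n' "$allowed" | grep -qx '0\.0\.0\.0/0'; then
        echo "FAIL: IPv4 default route 0.0.0.0/0 is not sent through the tunnel"
        problems=$((problems + 1))
    fi
    # "::/0" and "::0/0" are the same prefix; accept both spellings.
    if ! printf '%s\n' "$allowed" | grep -Eqx '::0?/0'; then
        echo "FAIL: IPv6 default route ::/0 is not sent through the tunnel"
        problems=$((problems + 1))
    fi

    # Without a DNS line, wg-quick leaves the system's existing resolvers in place.
    if ! grep -Eq '^[[:space:]]*DNS[[:space:]]*=[[:space:]]*[^[:space:]]' "$conf"; then
        echo "FAIL: no DNS entry in [Interface]"
        problems=$((problems + 1))
    fi

    if [ "$problems" -eq 0 ]; then
        echo "OK: $conf passed all checks"
    fi
    return "$problems"   # exit status = number of failed checks
}

# Usage: sh audit.sh <path-to-config>
if [ "$#" -gt 0 ]; then
    audit_wg_conf "$1"
fi
```

The exit status is the number of failed checks, so 0 means the config passed.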
3. Turn WireGuard on/off
For this guide, we have selected Malmö, Sweden (se4), as our first server location. The downloaded config file is therefore named "mullvad-se4-wireguard.conf".
Turn on WireGuard by running the following command, replacing "se4" with your selected location's alias.
wg-quick up mullvad-se4
To disconnect, run the following command, and as before, replace "se4" with your selection:
wg-quick down mullvad-se4
That's it! With those two commands, you can start/stop WireGuard as needed.
If you run into any issues while using WireGuard, please contact us at firstname.lastname@example.org and let us know what you experience.
Read on for additional options and information.
How to verify that your WireGuard connection is working
Use our Connection check to check your IP and verify that WireGuard is working.
Using multihop with WireGuard
When using our config generator in step 2, you have the option of selecting a second server location. Doing so allows your traffic to "hop" from the first location to the second before exiting at your destination.
Multihop can be used for many different reasons, for example, increasing your privacy or improving latency/performance due to suboptimal ISP peering.
Using multihop with SOCKS5
Our SOCKS5 proxy guide includes steps for configuring your browser or other programs to multihop using our WireGuard SOCKS5 proxies.
Using this together with the multihop option in step 2 of this guide will give you an additional hop for a total of three.
How do I enable port forwarding?
Log in to your Mullvad account page on our website. Under "Manage your forwarded ports," click on "Add port." Keep in mind that the ports will be forwarded to the latest pubkey that you have added.
External resources
- WireGuard homepage
- WireGuard Whitepaper (PDF)
- Installation Instructions
- Quickstart Instructions
- Donate to Upstream WireGuard Development
- Formal Verification of WireGuard Protocol
- wg(8) man page
- wg-quick(8) man page
"WireGuard" is a registered trademark of Jason A. Donenfeld.