SSH tunneling is one method of using bridges to get around a restrictive firewall. It is available for Windows, Linux, and macOS. It uses port 22.
In this guide, we take you through the steps to use SSH tunneling to connect to Mullvad's VPN servers. This involves connecting to one of our bridge servers and then running a local SOCKS server that you can connect OpenVPN to. We will connect to the bridge server se-mma-br-101 (45.83.220.117) in our examples, but you can change this to one of our other bridge servers that you can find the Servers list.
What this guide covers
Using OpenVPN
Start SSH as a SOCKS server
Linux and macOS - use the SSH command
In a Terminal, issue ssh -f -N -D 1234 mullvad@45.83.220.117.
When you connect to a bridge for the first time, you will be asked to accept the unique fingerprint for each server. You can view the fingerprints in our Servers list (uncheck OpenVPN and WireGuard).
The authenticity of host '45.83.220.117 (45.83.220.117)' can't be established.
ED25519 key fingerprint is SHA256:rvSXn5DqeYAmcMq5TyEL3E0FE47Zxqhp+sx+jKaumJ0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])?
Type 'yes' to save the fingerprint.
You will then be prompted to enter a password. Type in 'mullvad'.
After entering the password you will be returned to the prompt and the process will run in the background.
Windows - use the PuTTY SSH client
Follow the instructions below using the PuTTY client. (Note: Mullvad has not performed an audit of PuTTY. Downloading software via an untrusted third party could potentially mean acquiring unwanted malware, adware, and/or backdoors.)
- Click on Session. In the Host Name (or IP Address) field, enter 45.83.220.117 In the Port field, enter 22.
- Click on Connection → SSH → Tunnels. Enter 1234 as source port. Select "Dynamic" and then click Add.
- Click on Connection → SSH. Enable "Don't start a shell or command at all".
- Click on Connection → Data. In the Auto-login username field, enter mullvad.
- Click on Session and then enter a name under Saved sessions and click on Save. Double-click on the saved session and then click on Accept in the security alert window. When asked for a password enter mullvad.
Configure OpenVPN
You can use standalone OpenVPN instead of the Mullvad VPN app. The following instructions help you to configure OpenVPN to use the SSH proxy.
Follow our guides on how to install OpenVPN for your operating system:
After installing OpenVPN follow these instructions:
- Go to our OpenVPN configuration file generator and click on Advanced settings and enable Connect via bridges.
- In the downloaded config file, edit the port on the socks-proxy line in the configuration file from 1080 to 1234 which we used above:
socks-proxy 127.0.0.1 1234 - Make sure that you have your SSH client running (see instructions above).
- Use the configuration file to connect with your OpenVPN client.
- Verify your connection with the Mullvad connection check.
Using the Mullvad app (Linux or Windows)
On Linux and Windows you can use the Mullvad app instead of OpenVPN standalone. Follow the instructions above for using OpenVPN, with the following changes.
Start SSH as a SOCKS server
Linux - use the SSH command
In a Terminal, issue mullvad-exclude ssh -f -N -D 1234 mullvad@45.83.220.117 1234.
Windows - use the PuTTY SSH client
After installing PuTTY using the instructions above, do this:
- Go to the Mullvad app settings by clicking on the gear icon in the top right corner of the app.
- Click on Split tunneling.
- Scroll down to the bottom and click on Find another app.
- Browse to
C:\Program Files\PuTTYand double-click on putty.exe to exclude it. - Open PuTTY and connect to the session you saved before.
Configure Mullvad
In a Terminal or Command Prompt, run the following commands:
mullvad bridge set custom local 1234 45.83.220.117 22 mullvad relay set tunnel-protocol openvpn mullvad bridge set state on mullvad connect
Verify your connection with the Mullvad connection check.