CLI commands for using WireGuard
WireGuard Windows Linux macOS Desktop Feature Command Line Interface
Laatst bijgewerkt:
This guide explains how to use the Mullvad command line interface (CLI) to connect to the Mullvad WireGuard® servers, and how to use WireGuard related commands. For general and OpenVPN protocol related Mullvad commands see the guide How to use the Mullvad CLI.
You can use the CLI and the GUI interchangeably, you don't have to stick with one way. If you have a headless server then you can use Mullvad VPN by using only the Mullvad CLI.
What this guide covers
Requirements
You need:
- Linux, macOS or Windows
- The Mullvad VPN app
- To use the Terminal (macOS/Linux) or Command Prompt (Windows)
Basic commands
1. Set your account
This is only necessary if you are not already logged in. Replace the number string with your Mullvad account number.
mullvad account login 1234123412341234
2. Verify your WireGuard key
Check your WireGuard key.
mullvad tunnel get
3. Generate a WireGuard key
This will generate a new key or replace your current one.
mullvad tunnel set wireguard rotate-key
Note: You may need to wait up to two minutes before the key starts working.
4. Set the protocol to WireGuard
This enables WireGuard.
mullvad relay set tunnel-protocol wireguard
5. Select a country
Set a country by using the two letter country code. (USA = us and UK = gb).
mullvad relay set location se
6. Connect
Connect to the country/location that you selected.
mullvad connect
7. Status
Check status of connection.
mullvad status -v
8. Change from WireGuard to OpenVPN protocol
If you want to stop using WireGuard and change to OpenVPN protocol use this command.
mullvad relay set tunnel-protocol openvpn
Other commands
Change the key rotation interval
This command manages the automatic key rotation interval (given in hours). The default is 720 hours (30 days). To set it to every three days for example use this command.
mullvad tunnel set wireguard --rotation-interval 72
Use IPv6 to connect to WireGuard servers
With this command you can enable connecting to the Mullvad servers using their IPv6 addresses.
mullvad relay set tunnel wireguard --ip-version ipv6
Use a specific WireGuard server port
Use this command to set the WireGuard port to connect to.
mullvad relay set tunnel wireguard --port 123
To set the port back to automatic use this command.
mullvad relay set tunnel wireguard --port any
Use WireGuard TCP obfuscation
To enable WireGuard TCP obfuscation use this command.
Note that this does not currently work if you connect to a Mullvad server using its IPv6 address.
mullvad obfuscation set mode udp2tcp
To check if obfuscation is on use this command. It should say "Obfuscator: Udp2Tcp".
mullvad status -v
To set WireGuard TCP obfuscation back to automatic use this command.
mullvad obfuscation set mode auto
Use a quantum resistant WireGuard tunnel
To enable a quantum resistant tunnel use this command.
mullvad tunnel set wireguard --quantum-resistant on
To check if it's on use this command. It should say "Quantum resistant tunnel: yes".
mullvad status -v
To disable the use of a quantum resistant tunnel use this command.
mullvad tunnel set wireguard --quantum-resistant off
Multihop
See our guide Multihop with WireGuard to learn more about this feature.
1. Enable Multihop
Use this command to enable Multihop.
mullvad relay set tunnel wireguard --use-multihop on
2. Select the entry server (first hop)
Select either a country, city or a specific server.
mullvad relay set tunnel wireguard entry location dk mullvad relay set tunnel wireguard entry location dk cph mullvad relay set tunnel wireguard entry location dk cph dk-cph-wg-001
(dk=Denmark) (dk cph=Denmark Copenhagen)
3. Select the exit server (second hop)
Choose the exit server in the same way that you do without multihop. Select either a country, city or a specific server.
mullvad relay set location se mullvad relay set location se got mullvad relay set location se-got-wg-001
(se=Sweden) (se got=Sweden Gothenburg)
3. Check the status
To verify that you are using multihop use the following command.
mullvad status Connected to se-mma-wg-001 in Malmö, Sweden via dk-cph-wg-001
The "via" part of the output shows the entry server, which verifies that you are using multihop. To see more details add the -v flag.
4. Turn off multihop
To disable multihop use the following command.
mullvad relay set tunnel wireguard --use-multihop off
FAQ
I get "BLOCKED CONNECTION" when I launch the app.
Simply choose another location. This just means that when you previously used the app, before turning on WireGuard, you were connected to a location that doesn't have a WireGuard server.
"WireGuard" is a registered trademark of Jason A. Donenfeld.