Skip to main content
 

CLI commands for using WireGuard

WireGuard Windows Linux macOS Desktop Feature Command Line Interface 

Last updated:

This guide explains how to use the Mullvad command line interface (CLI) to connect to the Mullvad WireGuard® servers, and how to use WireGuard related commands. For general and OpenVPN protocol related Mullvad commands see the guide How to use the Mullvad CLI.

You can use the CLI and the GUI interchangeably, you don't have to stick with one way. If you have a headless server then you can use Mullvad VPN by using only the Mullvad CLI.

What this guide covers

Requirements

You need:

  • Linux, macOS or Windows
  • The Mullvad VPN app
  • To use the Terminal (macOS/Linux) or Command Prompt (Windows)

Basic commands

1. Set your account

This is only necessary if you are not already logged in. Replace the number string with your Mullvad account number.

mullvad account login 1234123412341234

2. Verify your WireGuard key

Check your WireGuard key.

mullvad tunnel get

3. Generate a WireGuard key

This will generate a new key or replace your current one.

mullvad tunnel set wireguard rotate-key

Note: You may need to wait up to two minutes before the key starts working.

4. Set the protocol to WireGuard

This enables WireGuard.

mullvad relay set tunnel-protocol wireguard

5. Select a country

Set a country by using the two letter country code. (USA = us and UK = gb).

mullvad relay set location se

6. Connect

Connect to the country/location that you selected.

mullvad connect

7. Status

Check  status of connection.

mullvad status -v

8. Change from WireGuard to OpenVPN protocol

If you want to stop using WireGuard and change to OpenVPN protocol use this command.

mullvad relay set tunnel-protocol openvpn

Other commands

Change the key rotation interval

This command manages the automatic key rotation interval (given in hours). The default is 336 hours (14 days). To set it to every three days for example use this command.

mullvad tunnel set wireguard --rotation-interval 72

Use IPv6 to connect to WireGuard servers

With this command you can enable connecting to the Mullvad servers using their IPv6 addresses.

mullvad relay set tunnel wireguard --ip-version ipv6

Use a specific WireGuard server port

Use this command to set the WireGuard port to connect to.

mullvad relay set tunnel wireguard --port 123

To set the port back to automatic use this command.

mullvad relay set tunnel wireguard --port any

Use WireGuard TCP obfuscation

To enable WireGuard TCP obfuscation use this command.

Note that this does not currently work if you connect to a Mullvad server using its IPv6 address.

mullvad obfuscation set mode udp2tcp

To check if obfuscation is on use this command. It should say "Obfuscator: Udp2Tcp".

mullvad status -v

To set WireGuard TCP obfuscation back to automatic use this command.

mullvad obfuscation set mode auto

Use a quantum resistant WireGuard tunnel

To enable a quantum resistant tunnel use this command.

mullvad tunnel set wireguard --quantum-resistant on

To check if it's on use this command. It should say "Quantum resistant tunnel: yes".

mullvad status -v

To disable the use of a quantum resistant tunnel use this command.

mullvad tunnel set wireguard --quantum-resistant off

Multihop

See our guide Multihop with WireGuard to learn more about this feature.

1. Enable Multihop

Use this command to enable Multihop.

mullvad relay set tunnel wireguard --use-multihop on

2. Select the entry server (first hop)

Select either a country, city or a specific server.

mullvad relay set tunnel wireguard entry location dk

mullvad relay set tunnel wireguard entry location dk cph

mullvad relay set tunnel wireguard entry location dk cph dk-cph-wg-001

(dk=Denmark) (dk cph=Denmark Copenhagen)

3. Select the exit server (second hop)

Choose the exit server in the same way that you do without multihop. Select either a country, city or a specific server.

mullvad relay set location se

mullvad relay set location se got

mullvad relay set location se-got-wg-001

(se=Sweden) (se got=Sweden Gothenburg)

3. Check the status

To  verify that you are using multihop use the following command.

mullvad status

Connected to se-mma-wg-001 in Malmö, Sweden via dk-cph-wg-001

The "via" part of the output shows the entry server, which verifies that you are using multihop. To see more details add the -v flag.

4. Turn off multihop

To disable multihop use the following command.

mullvad relay set tunnel wireguard --use-multihop off

FAQ

I get "BLOCKED CONNECTION" when I launch the app.

Simply choose another location. This just means that when you previously used the app, before turning on WireGuard, you were connected to a location that doesn't have a WireGuard server.
 

"WireGuard" is a registered trademark of Jason A. Donenfeld.