Mullvad exit nodes
The Mullvad VPN add-on lets you use Mullvad VPN servers as exit nodes in a Tailscale network (known as a tailnet). Mullvad exit nodes function similarly to regular exit nodes but use Mullvad’s pre-existing VPN infrastructure instead of a device you own.
Mullvad exit nodes support most of the same functionality as other exit nodes, such as suggested exit nodes and mandatory exit nodes, but they have some limitations.
Requirements and limitations
Review the following requirements and limitations related to the Mullvad add-on:
- You must purchase the Mullvad VPN add-on before you can access Mullvad exit nodes.
- Access control policies for Mullvad exit nodes don’t work with Google-synced groups.
- If you use tailnet lock with the Mullvad VPN add-on, you must sign each Mullvad exit node.
- If you use GitOps to manage your tailnet policy file, the Mullvad VPN add-on checkout flow might be locked. To purchase additional licenses, go to the Billing page of the admin console, then select Manage add-ons.
- The Tailscale client for Windows does not support displaying the full list of Mullvad exit nodes. You can access a complete list of Mullvad exit nodes using the Tailscale CLI.
- You cannot use both the admin console and the tailnet policy file to manage Mullvad access. If you use the tailnet policy file to manage Mullvad access, you must manage all Mullvad access through the tailnet policy file.
Important DNS considerations
Tailscale v1.48.3 and later don’t require additional configuration.
Mullvad exit nodes with Tailscale v1.48.1 and v1.48.2 use the device’s local DNS configuration. As a result, you might lose access to DNS (effectively losing internet access) unless you configure one of the following:
- Allow local network access for exit nodes.
- Add a global nameserver and override local DNS settings.
Keep the following in mind when configuring either of these settings:
- Overriding local DNS causes Tailscale to configure all clients to use the selected DNS server for all DNS queries while Tailscale is connected, even if you are not using an exit node. When used with the Mullvad Public DNS nameservers, this ensures all DNS routes through Mullvad and provides a green check for DNS leaks on mullvad.net/check.
- Allowing exit nodes access to the local network might allow DNS leaks to occur but also ensures that local DNS names, such as a local printer name or a local NAS server name, continue to work.
Data privacy and anonymity
When you use Mullvad with Tailscale, you allow Tailscale to generate, manage, renew, and remove Mullvad accounts on your behalf. As a result, there are some important privacy and anonymity considerations:
- Tailscale generates and manages account information on users' behalf.
- Tailscale is identity-aware (Tailscale doesn't support anonymous tailnets). All Tailscale users are connected to an email address or GitHub account.
- Tailscale knows which Mullvad accounts belong to which Tailscale users.
- Users establish encrypted WireGuard connections with Mullvad servers. Tailscale can identify which users are connecting to which Mullvad servers using logs. As with any traffic in your tailnet, Tailscale cannot access any user traffic sent to Mullvad servers. This is because all user traffic is encrypted in WireGuard tunnels, and Tailscale cannot decrypt this information.
- Mullvad does not receive user identity information from Tailscale.
Available Mullvad regions
You can purchase and use the Mullvad add-on for your tailnet in most countries; however, some countries and regions are excluded. If your region is not listed, you can subscribe to the GitHub tracking issue for updates and request updates. After you purchase the Mullvad add-on, you have access to all available Mullvad servers.
For a current list of the Mullvad servers that are available to use as exit nodes by country and city, refer to the Mullvad Servers page. These regions are also displayed as exit node options in the Tailscale client.
Mullvad licensing
You must purchase the Mullvad VPN add-on through the admin console before you can access Mullvad exit nodes. The base add-on includes five licenses, but you can purchase additional licenses during the initial checkout flow or afterward through the Billing page of the admin console.
The Mullvad VPN add-on is available as a monthly or yearly subscription for users on Tailscale Personal Pro or GitHub Community plans. It’s only available as a monthly subscription for users on Tailscale Personal, Personal Plus, Starter, and Premium plans. Users on the Enterprise plan must contact their account team to purchase the Mullvad add-on.
How-to guides
Enable Mullvad exit nodes
You can enable Mullvad exit nodes by purchasing the Mullvad VPN add-on and configuring device access.
- From the General settings page of the admin console, scroll down to Mullvad VPN.
- Select Configure.
- Continue with the checkout flow to purchase Mullvad licenses.
If you use GitOps to manage your tailnet policy file, the Mullvad VPN add-on checkout flow might be locked. To purchase additional licenses, go to the Billing page of the admin console, then select Manage add-ons.
Manage Mullvad access
You can configure Mullvad access using the admin console user interface or the tailnet policy file. Using the tailnet policy file to manage Mullvad exit node access offers more flexibility. For example, it lets you assign Mullvad access to more devices than you have Mullvad licenses for.
You cannot use both the admin console and the tailnet policy file to manage Mullvad access. If you use the tailnet policy file to manage Mullvad access, you must manage all Mullvad access through the tailnet policy file.
From the admin console
You can manage Mullvad access through the admin console. If you manage Mullvad access this way, you must explicitly configure each device.
To grant devices access to Mullvad:
- From the General settings page of the admin console, scroll down to Mullvad VPN.
- Select Configure.
- Select Add devices.
- Select the devices to grant access to Mullvad's infrastructure as exit nodes.
- Then, save your changes.
Each device uses a slot in a Mullvad license. Each Mullvad license allows up to five devices. Your monthly bill automatically updates as you add or remove devices.
You can revoke a device’s access to Mullvad by selecting Remove.
From the tailnet policy file
You can also manage access to Mullvad exit nodes using node attributes in the tailnet policy file.
- Go to the Access controls page of the admin console.
- Add a nodeAttrs section to your tailnet policy file that assigns the mullvad attribute to the device you plan to use with Mullvad exit nodes.
The following example grants access to all devices owned by joe@example.com:
    "nodeAttrs": [
      {
        "target": ["joe@example.com"],
        "attr": [
          "mullvad",
        ],
      },
    ],
When you use the tailnet policy file to manage Mullvad access, devices using a Mullvad license do not appear in the Mullvad VPN page of the admin console. You must manage Mullvad access through the tailnet policy file.
Share a pool of licenses
This method allows you to assign access to Mullvad for more devices than your current Mullvad add-on plan allows. For example, the following configuration allows all devices in the mullvad group to use Mullvad exit nodes:
    "nodeAttrs": [
      {
        "target": ["group:mullvad"],
        "attr": [
          "mullvad"
        ],
      },
    ],
When you share a license pool in this manner, devices use available Mullvad licenses on a first-come, first-served basis as they connect to the tailnet. Tailscale allocates Mullvad licenses to devices as they connect to the tailnet, not as they connect to Mullvad servers. If all paid slots are in use, devices outside the selected quota will not have Mullvad exit nodes as an option.
While it’s possible to effectively share a pool of Mullvad licenses, it’s important to ensure you have purchased enough Mullvad licenses to cover the needs of your environment.
Consider the following example:
The Society of Pangolin Enthusiasts organization has a tailnet with 100 devices in it, and they’ve purchased the Mullvad add-on with 50 licenses.
Using the tailnet policy file, an administrator set up a nodeAttrs policy that allows all 100 devices to use Mullvad exit nodes (if they’re available). This allows the 100 devices to effectively share the pool of Mullvad exit nodes, even though there isn’t a Mullvad exit node for each device.
If 50 devices connect to the tailnet, Tailscale allocates a Mullvad license to each one. The next device (the 51st) won’t get a Mullvad license allocated to it. As a result, if that device tries to use a Mullvad exit node, it won’t be able to access any Mullvad exit nodes until one of the 50 devices releases a Mullvad license.
You can release a device's Mullvad license by removing the device from the tailnet policy file or by removing the device from the Mullvad VPN configuration in the admin console.
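The first-come, first-served allocation described above, as an added sketch that is not Tailscale's code: it reads a constructed policy in the shape shown on this page, resolves which device owners receive the mullvad attribute, and hands out a fixed number of slots in tailnet-connection order. The groups contents, the device names, the slots parameter, and all function names are assumptions; the loader handles trailing commas only, not comments.

```python
import json
import re

# Constructed policy in the shape shown above (trailing commas as on this page).
POLICY = """
{
  "groups": {"group:mullvad": ["joe@example.com", "ann@example.com"]},
  "nodeAttrs": [
    {
      "target": ["group:mullvad"],
      "attr": ["mullvad"],
    },
  ],
}
"""

def load_policy(text):
    # Simplification (assumption): strip trailing commas so json can parse it.
    return json.loads(re.sub(r",(\s*[\]}])", r"\1", text))

def mullvad_targets(policy):
    """Return every target that a nodeAttrs entry grants the mullvad attribute."""
    targets = set()
    for entry in policy.get("nodeAttrs", []):
        if "mullvad" in entry.get("attr", []):
            targets.update(entry.get("target", []))
    return targets

def eligible(owner, policy):
    """True if the device owner is targeted directly or through a group."""
    groups = policy.get("groups", {})
    return any(
        t == owner or owner in groups.get(t, [])
        for t in mullvad_targets(policy)
    )

def allocate(devices, policy, slots):
    """devices: (name, owner) pairs in the order they connect to the tailnet.

    Returns (holders, waiting): eligible devices that got a slot, and
    eligible devices that did not because every paid slot was taken.
    """
    holders, waiting = [], []
    for name, owner in devices:
        if not eligible(owner, policy):
            continue  # no mullvad attribute: never competes for a slot
        (holders if len(holders) < slots else waiting).append(name)
    return holders, waiting
```

Comparing the number of eligible devices with the number of purchased slots shows how far a policy oversubscribes the pool before any device is actually left without a Mullvad exit node.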
Use Mullvad exit nodes
After you enable Mullvad exit nodes and configure a device for Mullvad access, you can use the exit nodes from devices in your tailnet. Each device must enable an exit node separately. There might be a slight delay before Mullvad exit nodes appear in your Tailscale client.
You can also get a suggested Mullvad exit node.
Instructions differ depending on the client operating system:
- From the menu, select Use exit node.
- Choose the Mullvad exit node to use.
- (Optional) If you want to allow direct access to your local network when traffic routes through an exit node, select Allow LAN access.
If you do not select Allow LAN access, you might need to configure DNS. You can also select None to disable using an exit node.
Disable Mullvad on a device
You must be an Owner, Admin, or Network admin of a tailnet to disable Mullvad exit nodes on a device.
You can revoke a device’s access to Mullvad exit nodes through the admin console or the tailnet policy file. Use the same method you used to grant access.
To revoke a device’s access to Mullvad exit nodes from the admin console:
- Open the General settings page of the admin console.
- Go to the Mullvad VPN section and select Configure.
- Select Remove next to the device you want to remove, then select Save.
To revoke a device’s access to Mullvad exit nodes from the tailnet policy file:
- Go to the Access Controls page of the admin console.
- Update the nodeAttrs section of your tailnet policy file to exclude the mullvad attribute from the device.
The exact way to exclude a device’s access depends on how you configured its access. For example, if you granted a user explicit access using an email address, you can remove the line that assigns the mullvad attribute to that user. However, if you granted access using groups, tags, or other means, the process might involve more steps (such as removing the device from a group).
Remove the Mullvad add-on
You must be an Owner, Admin, or Billing admin of a tailnet to remove the Mullvad add-on.
You can remove the Mullvad VPN add-on from the admin console.
- Go to the Settings page of the admin console, then go to the Billing section.
- Select Manage add-ons.
- Select Mullvad VPN > Remove add-on.
Migrate from Mullvad to Tailscale
If you’re migrating from using Mullvad VPN to Tailscale’s Mullvad add-on, you might need to disable Mullvad’s settings to block connections without a VPN.
Before migrating from Mullvad to Tailscale's Mullvad add-on:
- Go to the Mullvad VPN application.
- Disable the Mullvad VPN.
- Turn off the Block connections without VPN setting.
Devices that are registering with Mullvad for the first time might experience a delay when synchronizing with all the Mullvad exit nodes. The synchronization process can take up to two minutes when you first use Mullvad on a particular device or if you have not used it for several weeks. With regular usage, activating Mullvad is instantaneous.
Sign Mullvad exit nodes
If you use tailnet lock with the Mullvad VPN add-on, you must sign each Mullvad exit node. Additionally, the device you use to sign each Mullvad exit node must have access to the Mullvad exit nodes (it must have a valid Mullvad license). Otherwise, the Mullvad exit nodes won't be included in the signing device's netmap, and when it runs tailscale lock, the list won't include the unsigned Mullvad exit nodes.