Mullvad Exit Nodes

Mullvad Exit Nodes allow you to use Mullvad VPN endpoints as exit nodes for your tailnet.

This feature is currently in private alpha, so this topic is currently hidden. To try it, follow the steps below to enable it for your network, using Tailscale v1.40.1 or later.

Enabling Mullvad Exit Nodes

You need to be an Owner, Admin, or Network admin of a tailnet in order to enable Mullvad Exit Nodes.

  1. Open the General settings page of the admin console.
  2. If Mullvad VPN is not already enabled, click the toggle.

Turning on Mullvad Exit Nodes in ACLs

Add a node attributes entry in your tailnet policy file, with an attr value of "mullvad". For example, in a small tailnet, you could allow all users in the tailnet (autogroup:members) to use Mullvad exit nodes:

"nodeAttrs": [
    {
        "target": ["autogroup:members"],
        "attr":   ["mullvad"],
    },
],

Adjust the values assigned to "target" if you don’t want all users to use Mullvad exit nodes.
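
To review who a policy file actually grants the attribute to, the following added example (not part of Tailscale's documentation or tooling) parses a constructed sample policy and lists every target that receives "mullvad", flagging broad ones. The group name, e-mail address, helper names, and the set of targets treated as broad are assumptions of the example.

```python
import json
import re

# Constructed sample policy (comments and trailing commas, as in the page's snippet).
# The group name and e-mail address are placeholders.
SAMPLE_POLICY = r'''
{
  // only the travel group needs Mullvad egress
  "groups": {
    "group:travel": ["alice@example.com"],
  },
  "nodeAttrs": [
    { "target": ["autogroup:members"], "attr": ["mullvad"] },
    { "target": ["group:travel"],      "attr": ["mullvad"], },
  ],
}
'''

# Targets this check treats as "everyone" (an assumption of the example).
BROAD_TARGETS = {"*", "autogroup:members"}

_STR = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STR + r'|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(_STR + r'|,(?=\s*[}\]])')

def _keep_strings(pattern, text):
    # Blank out every match except string literals, which pass through untouched.
    return pattern.sub(lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)

def hujson_to_json(text):
    """Minimal converter: strips comments, then trailing commas (not a full HuJSON parser)."""
    return _keep_strings(_TRAILING, _keep_strings(_COMMENT, text))

def mullvad_grants(policy_text):
    """Return (target, is_broad) for every nodeAttrs target granted "mullvad"."""
    policy = json.loads(hujson_to_json(policy_text))
    grants = []
    for entry in policy.get("nodeAttrs", []):
        if "mullvad" in entry.get("attr", []):
            grants += [(t, t in BROAD_TARGETS) for t in entry.get("target", [])]
    return grants

if __name__ == "__main__":
    for target, broad in mullvad_grants(SAMPLE_POLICY):
        print(f"{target}: {'BROAD, review' if broad else 'scoped'}")
```
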

Using Mullvad Exit Nodes

After you enable Mullvad Exit Nodes and turn them on in your tailnet policy file, you can use the exit nodes from devices in your tailnet. Each device must enable an exit node separately.

Instructions differ depending on the client OS:

Android

You can use an exit node from the ellipsis icon menu in the top-right of the screen.

From this menu, select Use exit node and then choose the Mullvad exit node you’d like to use. If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow LAN access. You can also select None to disable use of an exit node.

iOS

You can use an exit node from the ellipsis icon menu in the top-right of the screen.

From this menu, select Use exit node and then choose the Mullvad exit node you’d like to use. You can also select None to disable use of an exit node.

Linux

Re-run tailscale up with the --exit-node= flag, passing the IP address of the Mullvad exit node. If MagicDNS is enabled, you can instead pass in the name of the Mullvad exit node.

sudo tailscale up --exit-node=<exit-node-name-or-ip>

You can find the exit node’s IP address (and name if MagicDNS is enabled) by running tailscale status.

Optionally, set --exit-node-allow-lan-access to true to allow direct access to your local network when traffic is routed via an exit node.

sudo tailscale up --exit-node=<exit-node-name-or-ip> --exit-node-allow-lan-access=true

macOS

You can use an exit node from the menu bar. Open the Tailscale menu and navigate to Use exit node. From here you can select the Mullvad exit node device you’d like to use by its machine name.

If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow local network access.

Windows

You can use an exit node from the system tray menu. Click on the Tailscale icon and navigate to Use exit node. From here you can select the Mullvad exit node device you’d like to use by its machine name.

If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow local network access.

Disabling Mullvad Exit Nodes

You need to be an Owner, Admin, or Network admin of a tailnet in order to disable Mullvad Exit Nodes.

  1. Open the General settings page of the admin console.
  2. If Mullvad VPN is not already disabled, click the toggle.
