Mullvad Exit Nodes

Mullvad Exit Nodes allow you to use Mullvad VPN endpoints as exit nodes for your tailnet. For more information on Mullvad’s network infrastructure, see the Mullvad server documentation.

This feature is currently in beta. To try it, follow the steps below to enable it for your network using Tailscale v1.48.2 or later.

Enable Mullvad Exit Nodes

You need to be an Owner, Admin, or Network admin of a tailnet in order to enable Mullvad Exit Nodes.

In the General settings page of the admin console, scroll down to Mullvad VPN.
Click Configure.
Continue through the checkout flow to purchase Mullvad licenses.

Configure devices for Mullvad access

Devices must be explicitly configured for Mullvad access. In the configuration page, select Add devices, and select which devices will be granted access for Mullvad’s infrastructure as exit nodes. Each device will consume a slot in a Mullvad license, each of which comes with access for up to 5 devices. As you add or remove devices, your monthly bill will change accordingly.

A screenshot displaying configuration of devices with Mullvad access.

Use Mullvad Exit Nodes

After you enable Mullvad Exit Nodes, and configure a device for Mullvad access, you can use the exit nodes from devices in your tailnet. Each device must enable an exit node separately. Note that a small delay is expected before Mullvad Exit Nodes will be visible in your Tailscale client.

Instructions differ depending on the client OS:

Android

You can use an exit node from the menu in the top-right of the screen.

From this menu, select Use exit node and then choose the Mullvad exit node you’d like to use. If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow LAN access.

Note that if you do not select Allow LAN access you may need to configure DNS. You can also select None to disable use of an exit node.

iOS

You can use an exit node from the menu in the top-right of the screen.

From this menu, select Use exit node and then choose the Mullvad exit node you’d like to use. You can also select None to disable use of an exit node.

You may need to configure Override local DNS as described in the DNS section.

Linux

Re-run tailscale up with the --exit-node= flag, passing the IP address of the Mullvad exit node. If MagicDNS is enabled, you can instead pass in the name of the Mullvad exit node.

sudo tailscale up --exit-node=<exit-node-name-or-ip>

You can find the exit node’s IP address (and name if MagicDNS is enabled) by running tailscale exit-node list.

Optionally, set --exit-node-allow-lan-access to true to allow direct access to your local network when traffic is routed via an exit node. If you do not configure this option you may need to configure DNS.

sudo tailscale up --exit-node=<exit-node-name-or-ip> --exit-node-allow-lan-access=true

macOS

You can use an exit node from the menu bar. Open the Tailscale menu and navigate to Use exit node. From here you can select the Mullvad exit node device you’d like to use by its machine name.

If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow local network access. Note if you do not select Allow LAN access you may need to configure DNS.

tvOS

This option is only available in the Tailscale app on tvOS if you’ve already purchased Mullvad Exit Nodes for your tailnet.

You can configure your Apple TV to use a Mullvad exit node (location-based) instead of using another tailnet device as an exit node. For more information on how to set this up, see Apple TV.

Windows

You can use an exit node from the system tray menu. Click on the Tailscale icon and navigate to Use exit node. From here you can select the Mullvad exit node device you’d like to use by its machine name.

If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow local network access.

Disable Mullvad on a device

You need to be an Owner, Admin, or Network admin of a tailnet in order to disable Mullvad Exit Nodes on a device.

Open the General settings page of the admin console.
Click Configure on the Mullvad VPN section.
Click Remove on any given device.

Important DNS considerations

This section currently applies to Tailscale clients v1.48.1 and v1.48.2. Future versions of Tailscale may not require special configuration.

Mullvad Exit Nodes with Tailscale 1.48.1 or 1.48.2 use your current DNS configuration. If you do not have one of the following settings configured, you may lose access to DNS — effectively losing internet access.

Select Allow Local Network Access from the Exit Node section of your Tailscale client (--exit-node-allow-lan-access in the Tailscale CLI)
Add a global nameserver and enable the Override local DNS setting in DNS page of the admin console

Selecting Override local DNS will cause Tailscale to configure all clients to use the selected DNS server for all DNS queries while Tailscale is connected, even if you are not using an exit node. Particularly, when used with the Mullvad Public DNS nameservers, this will ensure that all DNS is routed through Mullvad, and will provide a green check for DNS leaks on mullvad.net/check.

Using the Allow Local Network Access option in your client settings will allow DNS leaks to occur, but also ensures that local DNS names such as a local printer name, or a local NAS server name will continue to work.

Remove the Mullvad Add-On

You need to be an Owner, Admin, or Network admin of a tailnet in order to disable Mullvad Exit Nodes on a device.

Open the General settings page of the admin console.
Click Configure on the Mullvad VPN section.
Click Remove add-on at the bottom of the page.
Click Remove add-on in the confirmation modal.

Configuration for teams

Using Mullvad for teams can become cumbersome when configuring access via the admin console interface. Tailscale provides an option to configure Mullvad access using access control lists for greater control.

If you wish to use access control lists (ACLs) directly in order to configure device access to Mullvad Exit Nodes, you can do so by adding a mullvad node attribute in your tailnet policy file to the devices you wish to use with Mullvad Exit Nodes.

The following example grants access to all devices owned by joe@example.com:

"nodeAttrs": [
    {
        "target": ["joe@example.com"],
        "attr": [
            "mullvad",
        ],
    },
],

It is possible to assign access to Mullvad for more devices than you are currently paying for through this method. When doing so, devices will use available paid device slots on a first-come first-served basis. If all paid slots are in use, devices outside of the selected quota will not see Mullvad Exit Nodes as an option. When using an ACLs to configure Mullvad access, ensure you have purchased enough Mullvad licenses to cover the needs of your environment.

Available regions

Mullvad is available for Tailscale customers in the following countries:

Austria
Belgium
Bulgaria
Canada
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Slovakia
Slovenia
Hungary
Ireland
Italy
Latvia
Lithuania
Luxembourg
Malta
The Netherlands
New Zealand
Poland
Portugal
Romania
Singapore
Spain
Sweden
Switzerland
UK
US

We’re working on expanding the service to other regions. If your region is not listed, use our issues repository to submit a request.

Mullvad FAQ

What should I consider before migrating from Mullvad to Tailscale?

When migrating to Tailscale’s Mullvad Exit Nodes, go to your Mullvad VPN application, disable the Mullvad VPN, and disable the setting Block connections without VPN.
Devices that are registering with Mullvad for the first time may experience a delay in synchronizing with all of the Mullvad exit nodes. Users should expect this to take up to two minutes the first time they attempt to use Mullvad on a particular device or if they have not used it for several weeks. With regular usage, activating Mullvad will be instantaneous.
IPv6 is not currently supported. Tailscale will be removing this restriction in the future.

What should I know about using the Tailscale client?

Windows: Currently, the list of Mullvad exit nodes is so large as to be cumbersome in the Windows client. We are aware of this and plan to address this in a future release. Command line savvy users can also use the Tailscale CLI to set their exit node instead.
Android: Currently, the list of Mullvad exit nodes is so large as to be cumbersome in the Android client. We are aware of this and plan to address this in a future release.
macOS: You will need a Tailscale client version later than 1.50 to see an improved interface for exit node selection.
iOS: You will need a Tailscale client version later than 1.48 to see an improved interface for exit node selection.

What should I know about purchasing Mullvad for use with Tailscale?

Mullvad is available as a monthly add-on for users on Tailscale Free, Starter, and Premium plans. We recommend migrating your plan if you’d like access.
Mullvad is available as a yearly add-on for users on Tailscale Personal Pro or GitHub Community plans.
Users on the Enterprise plan should contact their account team for next steps on purchasing the Mullvad add-on.

What should I know about using Mullvad with GitOps-managed ACLs?

When using GitOps or externally managed ACLs, the Mullvad add-on checkout flow may be locked. To purchase additional licenses, go to the Billing page of the admin console, and select Manage add-ons.

What should I know about using Mullvad with tailnet lock?

When using tailnet lock, you will need to sign each Mullvad exit node.