Mullvad Exit Nodes

Mullvad Exit Nodes let you use Mullvad VPN endpoints as exit nodes for your tailnet. For more information on Mullvad’s network infrastructure, see the Mullvad server documentation.

This feature is currently in beta. To try it, follow the steps below to enable it for your network using Tailscale v1.48.2 or later.

Enable Mullvad Exit Nodes

You need to be an Owner, Admin, or Network admin of a tailnet in order to enable Mullvad Exit Nodes.

  1. In the General settings page of the admin console, scroll down to Mullvad VPN.
  2. Click Configure.
  3. Continue through the checkout flow to purchase Mullvad licenses.

Configure devices for Mullvad access

Devices must be explicitly configured for Mullvad access. In the configuration page, select Add devices, and select which devices will be granted access for Mullvad’s infrastructure as exit nodes. Each device will consume a slot in a Mullvad license, each of which comes with access for up to 5 devices. As you add or remove devices, your monthly bill will change accordingly.

A screenshot displaying configuration of devices with Mullvad access.

Use Mullvad Exit Nodes

After you enable Mullvad Exit Nodes, and configure a device for Mullvad access, you can use the exit nodes from devices in your tailnet. Each device must enable an exit node separately. Note that a small delay is expected before Mullvad Exit Nodes will be visible in your Tailscale client.

Instructions differ depending on the client OS:

Android

You can use an exit node from the ellipsis icon menu in the top-right of the screen.

From this menu, select Use exit node and then choose the Mullvad exit node you’d like to use. If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow LAN access.

Note that if you do not select Allow LAN access you may need to configure DNS. You can also select None to disable use of an exit node.

iOS

You can use an exit node from the ellipsis icon menu in the top-right of the screen.

From this menu, select Use exit node and then choose the Mullvad exit node you’d like to use. You can also select None to disable use of an exit node.

You may need to configure Override local DNS as described in the DNS section.

Linux

Re-run tailscale up with the --exit-node= flag, passing the IP address of the Mullvad exit node. If MagicDNS is enabled, you can instead pass in the name of the Mullvad exit node.

sudo tailscale up --exit-node=<exit-node-name-or-ip>

You can find the exit node’s IP address (and name if MagicDNS is enabled) by running tailscale exit-node list.

Optionally, set --exit-node-allow-lan-access to true to allow direct access to your local network when traffic is routed via an exit node. If you do not configure this option you may need to configure DNS.

sudo tailscale up --exit-node=<exit-node-name-or-ip> --exit-node-allow-lan-access=true
macOS

You can use an exit node from the menu bar. Open the Tailscale menu and select Exit Nodes, then select Mullvad VPN. (If you are running a Tailscale client version earlier than v1.60.0, select Use exit node to see the Mullvad option.) From here you can select the exit node device you’d like to use by its machine name.

If Mullvad VPN does not appear in the Exit Nodes menu, ensure that the Mullvad add-on has been enabled for the Mac that you are using.

If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow Local Network Access. Note if you do not select Allow Local Network Access you may need to configure DNS.

tvOS
This option is only available in the Tailscale app on tvOS if you’ve already purchased Mullvad Exit Nodes for your tailnet.

You can configure your Apple TV to use a Mullvad exit node (location-based) instead of using another tailnet device as an exit node. For more information on how to set this up, see Apple TV.

Windows

You can use an exit node from the system tray menu. Click on the Tailscale icon and navigate to Use exit node. From here you can select the Mullvad exit node device you’d like to use by its machine name.

If you want to allow direct access to your local network when traffic is routed via an exit node, select Allow local network access.

Disable Mullvad on a device

You need to be an Owner, Admin, or Network admin of a tailnet in order to disable Mullvad Exit Nodes on a device.

  1. Open the General page of the admin console.
  2. Go to the Mullvad VPN section and click Configure.
  3. Click Remove next to the device you want to remove, then click Save.

Important DNS considerations

This section currently applies to Tailscale clients v1.48.1 and v1.48.2. Future versions of Tailscale may not require special configuration.

Mullvad Exit Nodes with Tailscale 1.48.1 or 1.48.2 use your current DNS configuration. If you do not have one of the following settings configured, you may lose access to DNS — effectively losing internet access.

Selecting Override local DNS will cause Tailscale to configure all clients to use the selected DNS server for all DNS queries while Tailscale is connected, even if you are not using an exit node. Particularly, when used with the Mullvad Public DNS nameservers, this will ensure that all DNS is routed through Mullvad, and will provide a green check for DNS leaks on mullvad.net/check.

Using the Allow Local Network Access option in your client settings will allow DNS leaks to occur, but also ensures that local DNS names such as a local printer name, or a local NAS server name will continue to work.

We also recommend enabling MagicDNS in your tailnet when using Mullvad Exit Nodes.

Remove the Mullvad add-on

You need to be an Owner, Admin, or Billing admin of a tailnet in order to remove the Mullvad add-on.

  1. Open the Settings page of the admin console, and go to the Billing section.

  2. Click Manage add-ons.

  3. Click Mullvad VPN and select Remove add-on.

    A screenshot displaying configuration of devices with Mullvad access.

Configuration for teams

Using Mullvad for teams can become cumbersome when configuring access via the admin console interface. Tailscale provides an option to configure Mullvad access using access control lists for greater control.

If you wish to use access control lists (ACLs) directly in order to configure device access to Mullvad Exit Nodes, you can do so by adding a mullvad node attribute in your tailnet policy file to the devices you wish to use with Mullvad Exit Nodes.

The following example grants access to all devices owned by joe@example.com:

"nodeAttrs": [
    {
        "target": ["joe@example.com"],
        "attr": [
            "mullvad",
        ],
    },
],

It is possible to assign access to Mullvad for more devices than you are currently paying for through this method. When doing so, devices will use available paid device slots on a first-come first-served basis. If all paid slots are in use, devices outside the selected quota will not see Mullvad Exit Nodes as an option. When using ACLs to configure Mullvad access, ensure you have purchased enough Mullvad licenses to cover the needs of your environment.

Available regions

Mullvad is available for Tailscale customers in the following countries:

  • Austria
  • Belgium
  • Bulgaria
  • Canada
  • Croatia
  • Cyprus
  • Czech Republic
  • Denmark
  • Estonia
  • Finland
  • France
  • Germany
  • Slovakia
  • Slovenia
  • Hungary
  • Ireland
  • Italy
  • Latvia
  • Lithuania
  • Luxembourg
  • Malta
  • The Netherlands
  • New Zealand
  • Poland
  • Portugal
  • Romania
  • Singapore
  • Spain
  • Sweden
  • Switzerland
  • UK
  • US

We’re working on expanding the service to other regions. If your region is not listed, use our issues repository to submit a request.

Data privacy and anonymity

When using Mullvad with Tailscale, users allow Tailscale to generate, manage, renew, and remove Mullvad accounts on their behalf as their needs change. As a result, there are some important privacy and anonymity considerations:

  • Tailscale generates and manages account information on users’ behalf.
  • Tailscale is identity-aware: we do not support anonymous tailnets. All Tailscale users are connected to an email address or GitHub account.
  • Tailscale knows which Mullvad accounts belong to which Tailscale users.
  • Users establish encrypted WireGuard connections with Mullvad servers. Tailscale can identify which users are connecting to which Mullvad servers via logs. As with any traffic on your tailnet, Tailscale cannot see any user traffic that is sent to Mullvad servers. All user traffic is encrypted in WireGuard tunnels, and Tailscale cannot decrypt this information.
  • Mullvad does not receive user identity information from Tailscale. Mullvad explicitly does not want to track this information.

Mullvad FAQ

What should I consider before migrating from Mullvad to Tailscale?

  • When migrating to Tailscale’s Mullvad Exit Nodes, go to your Mullvad VPN application, disable the Mullvad VPN, and disable the setting Block connections without VPN.
  • Devices that are registering with Mullvad for the first time may experience a delay in synchronizing with all the Mullvad exit nodes. Users should expect this to take up to two minutes the first time they attempt to use Mullvad on a particular device or if they have not used it for several weeks. With regular usage, activating Mullvad will be instantaneous.
  • IPv6 is not currently supported. Tailscale will be removing this restriction in the future.

What should I know about using the Tailscale client?

  • Windows: Currently, the list of Mullvad exit nodes is so large as to be cumbersome in the Windows client. We are aware of this and plan to address this in a future release. Command line savvy users can also use the Tailscale CLI to set their exit node instead.
  • Android: Currently, the list of Mullvad exit nodes is so large as to be cumbersome in the Android client. We are aware of this and plan to address this in a future release.
  • macOS: You will need a Tailscale client version later than 1.50 to see an improved interface for exit node selection.
  • iOS: You will need a Tailscale client version later than 1.48 to see an improved interface for exit node selection.

What should I know about purchasing Mullvad for use with Tailscale?

What should I know about using Mullvad with GitOps-managed ACLs?

  • When using GitOps or externally managed ACLs, the Mullvad add-on checkout flow may be locked. To purchase additional licenses, go to the Billing page of the admin console, and select Manage add-ons.

What should I know about using Mullvad with tailnet lock?