Mullvad exit nodes
Mullvad exit nodes let you use Mullvad VPN endpoints as exit nodes for your Tailscale network (called a tailnet). For more information on Mullvad's network infrastructure, refer to the Mullvad server documentation.
Mullvad exit nodes support suggested exit nodes and auto exit nodes.
Enable Mullvad exit nodes
Only an Owner, Admin, or Network admin of a tailnet can enable Mullvad exit nodes.
- In the General settings page of the admin console, scroll down to Mullvad VPN.
- Select Configure.
- Continue with the checkout flow to purchase Mullvad licenses.
Configure devices for Mullvad access
You must explicitly configure devices for Mullvad access.
- From the configuration page, select Add devices.
- Select the devices to grant access to Mullvad's infrastructure as exit nodes. Each device uses a slot in a Mullvad license. Each Mullvad license allows up to five devices. Your monthly bill automatically updates as you add or remove devices.
Use Mullvad exit nodes
After you enable Mullvad exit nodes and configure a device for Mullvad access, you can use the exit nodes from devices in your tailnet. Each device must enable an exit node separately.
You can also get a suggested Mullvad exit node.
There might be a slight delay before Mullvad exit nodes appear in your Tailscale client.
Instructions differ depending on the client operating system:
This option is only available in the Tailscale app on tvOS if you've already purchased Mullvad Exit Nodes for your tailnet.
You can configure your Apple TV to use a Mullvad exit node (location-based) instead of using another tailnet device as an exit node. For more information on how to set this up, see Apple TV.
Disable Mullvad on a device
You must be an Owner, Admin, or Network admin of a tailnet to disable Mullvad Exit Nodes on a device.
- Open the General page of the admin console.
- Go to the Mullvad VPN section and select Configure.
- Select Remove next to the device you want to remove, then select Save.
Important DNS considerations
This section currently applies to Tailscale clients v1.48.1 and v1.48.2. Future versions of Tailscale might not require additional configuration.
Mullvad exit nodes with Tailscale 1.48.1 or 1.48.2 use your current DNS configuration. If you do not have one of the following settings configured, you might lose access to DNS (effectively losing internet access).
- Select Allow Local Network Access from the Exit Nodes section of your Tailscale client (
--exit-node-allow-lan-accessin the Tailscale CLI) - Add a global nameserver and enable the Override local DNS setting in the DNS page of the admin console
Selecting Override local DNS causes Tailscale to configure all clients to use the selected DNS server for all DNS queries while Tailscale is connected, even if you are not using an exit node. When used with the Mullvad Public DNS nameservers, this ensures all DNS routes through Mullvad and provides a green check for DNS leaks on mullvad.net/check.
Using the Allow Local Network Access option in your client settings allows DNS leaks to occur but also ensures that local DNS names, such as a local printer name or a local NAS server name, continue to work.
Enable MagicDNS in your tailnet when using Mullvad exit nodes to access their friendly-names and leverage other MagicDNS features.
Remove the Mullvad add-on
You must be an Owner, Admin, or Billing admin of a tailnet to remove the Mullvad add-on.
-
Open the Settings page of the admin console, and go to the Billing section.
-
Select Manage add-ons.
-
Select Mullvad VPN > Remove add-on.
Configuration for teams
Using Mullvad for teams can become cumbersome when configuring access through the admin console. Tailscale provides an option to configure Mullvad access using access control policies for greater control.
You can use access control lists (ACLs) or grants directly to configure device access to Mullvad exit nodes adding a mullvad node attribute in your tailnet policy file to the devices you plan to use with Mullvad exit nodes.
The following example grants access to all devices owned by joe@example.com:
"nodeAttrs": [
{
"target": ["joe@example.com"],
"attr": [
"mullvad",
],
},
],
This method allows you to assign access to Mullvad for more devices than your current plan allows. When doing so, devices use available paid device slots on a first-come, first-served basis. If all paid slots are in use, devices outside the selected quota will not have Mullvad exit nodes as an option. When using ACLs to configure Mullvad access, ensure you have purchased enough Mullvad licenses to cover the needs of your environment.
Available regions
The following list contains the countries in which you can purchase the Tailscale Mullvad add-on. It is not a list of available Mullvad servers. After you purchase the Mullvad add-on, you have access to all Mullvad servers.
- Austria
- Belgium
- Bulgaria
- Canada
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Slovakia
- Slovenia
- Hungary
- Ireland
- Italy
- Latvia
- Lithuania
- Luxembourg
- Malta
- The Netherlands
- New Zealand
- Poland
- Portugal
- Romania
- Singapore
- Spain
- Sweden
- Switzerland
- UK
- US
We're working on expanding the service to other regions. If your region is not listed, you can subscribe to the GitHub tracking issue for updates.
Data privacy and anonymity
When you use Mullvad with Tailscale, you allow Tailscale to generate, manage, renew, and remove Mullvad accounts on your behalf. As a result, there are some important privacy and anonymity considerations:
- Tailscale generates and manages account information on users' behalf.
- Tailscale is identity-aware (Tailscale doesn't support anonymous tailnets). All Tailscale users are connected to an email address or GitHub account.
- Tailscale knows which Mullvad accounts belong to which Tailscale users.
- Users establish encrypted WireGuard connections with Mullvad servers. Tailscale can identify which users are connecting to which Mullvad servers via logs. As with any traffic in your tailnet, Tailscale cannot access any user traffic sent to Mullvad servers. All user traffic is encrypted in WireGuard tunnels, and Tailscale cannot decrypt this information.
- Mullvad does not receive user identity information from Tailscale. Mullvad explicitly does not want to track this information.
Mullvad FAQ
What should I consider before migrating from Mullvad to Tailscale?
- When migrating to Tailscale's Mullvad Exit Nodes, go to your Mullvad VPN application, disable the Mullvad VPN, and disable the setting Block connections without VPN.
- Devices that are registering with Mullvad for the first time might experience a delay in synchronizing with all the Mullvad exit nodes. Users should expect this to take up to two minutes the first time they attempt to use Mullvad on a particular device or if they have not used it for several weeks. With regular usage, activating Mullvad will be instantaneous.
What should I know about using the Tailscale client?
- Windows: The list of Mullvad exit nodes is too large to list all nodes in the Windows client. We are aware of this and plan to address this in a future release. To access a complete list, use the Tailscale CLI.
What should I know about purchasing Mullvad for use with Tailscale?
- Mullvad is available as a monthly add-on for users on Tailscale Personal, Personal Plus, Starter, and Premium plans. We recommend migrating your plan if you'd like access.
- Mullvad is available as a yearly add-on for users on Tailscale Personal Pro or GitHub Community plans.
- Users on the Enterprise plan should contact their account team to purchase the Mullvad add-on.
What should I know about using Mullvad with GitOps-managed ACLs?
- When using GitOps or externally managed ACLs, the Mullvad add-on checkout flow might be locked. To purchase additional licenses, go to the Billing page of the admin console and select Manage add-ons.
What should I know about using Mullvad with tailnet lock?
- When using tailnet lock, you need to sign each Mullvad exit node.