Port Forwarding with Mullvad VPN - Instructions | MullvadVPN (2023)

This guide will show you how to set up port forwarding with Mullvad.

What this guide covers:

• What is port forwarding?
• Overview of Mullvad port forwarding
• Step 1 - Find your device name or WireGuard key
• Step 2 – Login to Mullvad.net
• Step 3 – Add a port
• Step 4 - Test port forwarding
  -Windows - using iPerf3
  -Linux - using nc
  -macOS - using nc
• Step 5 - Find the IP address to connect to
• Using Mullvad on a Router
• Problems solution
• frequently asked questions

What is port forwarding?

Port forwarding makes it possible for remote computers to access a specific computer or service within a private local area network (LAN).

For example, Gunilla has a web server on her private LAN that she wants Glenn to visit. It first requests that a port be forwarded to it. You then configure your web server to listen on that port for any other traffic. Glenn can then connect to the outgoing IP address of the VPN server Gunilla is using, as well as the port number, and voila, he has access!

It's like dialing a business phone number (the IP address) and then dialing the extension number (the port) to reach a certain person.

Overview of Mullvad port forwarding

Properly setting up port forwarding with Mullvad requires several steps. Here's an overview.

• Add a port for a specific city and a Mullvad device to your account on our website.
• Connect to a Mullvad server in the city you assigned the port to.
• Allow the port on your firewall.
• Enter the port into an application or service.
• Check if the port is open on the internet using our port checker tool.
• Find Mullvad IP address to connect from internet.

Keep reading for more details on this.

Step 1 - Find your device name or WireGuard key

If you are using the OpenVPN protocol, this step is not necessary. To configure the protocol in the Mullvad app, open the settings and go to Advanced > Tunneling Protocol.

If you use the WireGuard protocol, you must assign your port to your Mullvad device name when creating it. Each device name is associated with a WireGuard key. Mullvad desktop app version 2022.2inserteddevice management, which replaces the WireGuard key display previously found in the Mullvad app.

• In the Mullvad app, you can find your device name under Settings > Account. The following image shows the device name "Flying Puma", which we will use in Step 3 when adding a port.
  
• On a headless computer with no monitor, you can use the Mullvad CLI (command line interface) to find the WireGuard key. run the commandMullvad Tunnel Cable Guard Switch Verification.
  
• If you are using the WireGuard standalone app for Windows or macOS, your WireGuard key will show up as "Interface: Public Key" in the imported server settings.
  
• If you use standalone WireGuard on Linux, you can view the key with thework groupcommand in "interface: public key".
• If you are using Mullvad with WireGuard on your router, you can SSH into the router and runwork groupdomain.

Step 2 – Login to Mullvad.net

You can add and manage your ports on our website.

1. Log in to yourPage of account Mullvadwith your Mullvad account number.
2. click inport forwardingin the left column. If you can't see it, first click on the menu button in the top left corner.

The page looks like this.

If your Mullvad account is out of date, you will see the following message:

"You cannot add ports because you have no time left in your account".

You can save time by using one of the payment methods atyour account.

About automatic signatures

although we haveremotethe option to create new automatic subscriptions, some users still have ongoing subscriptions via PayPal or credit card. port forwardingNot allowedfor these accounts and it is not possible to add ports without automatic cancellation. The following message would be displayed on the port forwarding page.

If you have an automatic subscription, you can sign in toyour account, click "Manage Subscription" and cancel. Your paid time will remain in the account and you will be able to make one-time manual payments thereafter.

Step 3 – Add a port

You can add up to five ports. Each port can be used by an application or service.

Note that you cannot request a specific port number, you can only generate random port numbers.

Under Port Forwarding, you will see these dropdown menus:

1. click inselect a cityand select the city you will connect to with Mullvad on the computer or device you will be port forwarding to.
2. click inselect a device🇧🇷 Consider the following:
   • If using OpenVPN protocol, you can selectSin Device (OpenVPN only).
   • If using the WireGuard protocol, you must select Mullvaddevice namethat you are using with Mullvad on the machine you will be port forwarding to.
     
3. click inadd port🇧🇷 The port is added to "Active Ports". The port label includes the country and city designation and the port number.

Devices

click inDevicesin the left column. Here you can see the name of the Mullvad device, when it was created, the WireGuard key and the forwarding port assigned to it. The port label "se-got-57864" indicates that the port will work with our se-got locale, which is short for Sweden, Gothenburg, and the port number is 57864.

How to remove a door

If you want to remove a port, click on the red X button to the right of the port number. To donoclick the trash can icon next to the device unless you want to remove the Mullvad device and WireGuard key.

If you exit the Mullvad app, the device name, WireGuard key, and port will be deleted.

Step 4 - Test port forwarding

After you add a port, you can test it to make sure it works.

If you already have an application or service that is listening on the port, you can use ourconnection check(click "Port Check" tab) to test it.

If that fails, we recommend that you close the application or stop the service and follow the instructions below to test it first with iPerf or nc. See also theProblems solutionsection below.

Windows - using iPerf3

The following instructions are specific to Windows users, but iPerf3 can also be used with other operating systems.

1. In a browser, navigate tohttps://iperf.frand click "Download iPerf Binaries".
2. Scroll down to "Windows 64-bit" and click on the latest version of iPerf at the top to download it.
3. Open the ZIP file and copy the folder it contains.
4. Open your Downloads folder and paste it into the folder you just copied.
5. Right-click the Windows Start button and click "Command Prompt".
6. Rundownload the CD.
7. Runcd iperf-3.1.3-win64.
8. Runiperf3.exe -s -p 5410(Replace "5410" with the port assigned to it.)
9. In the Windows Firewall pop-up window, click "Allow Access". Make sure it's allowed on the public network that Mullvad uses. If you have a third-party firewall, make sure it's not restrictive.
10. The iPerf3 service is now active. Do not use the port in another application at the same time.
    
11. Now you can test your port with ourconnection check(click "Port Check" tab) or use the following command (replace 5555 with your port):
    rice https://ipv4.am.i.mullvad.net/port/5555

Linux - using nc

Follow these instructions and replace "5555" with the port you received.

Open the port on the firewall using for example:
sudo iptables -I INPUT -p tcp --dport 5555 -j OK
osudo ufw allow 5555.

1. Install curl and netcat or ncat if you don't already have it.
2. In a terminal window, runnc -l -p 5555.
3. In another tab or terminal window, runrice https://ipv4.am.i.mullvad.net/port/5555(if you want to test ipv6, replace "ipv4" with "ipv6").
4. If everything works correctly, the result will show "reachable: true".

macOS - using nc

Follow these instructions and replace "5555" with the port you received.

1. Abra Terminal.app.
2. use the commandnc-l 5555
3. In another tab or terminal window, runrice https://ipv4.am.i.mullvad.net/port/5555(if you want to test ipv6, replace "ipv4" with "ipv6").
4. If everything works correctly, the result will show "reachable: true".

Step 5 - Find the IP address to connect to

To connect to your application or service over the internet, you must use your Mullvad outgoing IP on the Mullvad VPN server, not your own public IP address. The port connection goes to the Mullvad VPN server and is forwarded through your VPN tunnel.

You can connect to a specific Mullvad server in the city the port is assigned to. However, your IP address may still change when you reconnect. We do not provide fully static or dedicated IP addresses as this is not good for privacy. It is recommended to use a dynamic DNS service to automatically update the IP address when it changes if you need to connect to the address.

If you use the Mullvad app, you can see your outgoing IP in the app by clicking on the server name to show the connection details.

If you are not using the Mullvad application, you can run the following command in a Terminal (Linux/macOS) or Command Prompt (Windows) on the machine running Mullvad.

curl https://am.i.mullvad.net/connected

You can also find the IP address with ourmole control(magnify the first green box).

Note that you cannot use the VPN server hostname as the incoming IP is different from your outgoing IP.

Using Mullvad on a Router

When you connect to Mullvad using the Mullvad app or another app on your computer, the port is forwarded and transported inside the encrypted VPN tunnel and will not be seen by your router. Therefore, no port forwarding configuration is required on the router.

However, if you are running Mullvad directly on the router (with OpenVPN or WireGuard configured) and you are not using the Mullvad application, you will need to port forward Mullvad from the VPN interface or zone to the computer running the desired service. to use.

Some of our guides for using Mullvad on a router have information on how to forward a port to a client on the LAN.

OpenWrt and Mullvad VPN Routers
DD-WRT and Mullvad VPN Routers
Asus Merlin e Mullvad VPN
Using pfSense with Mullvad

Problems solution

Consider the following:

• If you use the OpenVPN protocol, you must disconnect and reconnect to Mullvad after adding a port.
• When adding a port to a device name, it can take 10 minutes for it to be added to our VPN servers.
• The SOCKS5 protocol does not support port forwarding, so your application or service cannot use it.
• The port cannot be accessed using Mullvad's outgoing IP with an application on the same machine to which it is forwarding the port.
• The port cannot be accessed by another computer/device connected to Mullvad using the same VPN server.
• When using the OpenVPN protocol, if you are using multiple devices with the same account and connecting to the same server, only the most recently connected device will be forwarded.
• If you are connected to a remote computer with the public IP and then connect to Mullvad on it, you might get stuck if Mullvad's port forwarding doesn't work.

Because it does not work?

• Make sure you assigned the port to the device name the Mullvad app is using and that you are connecting to the city you assigned the port to.

• First test the port with iperf (if using Windows) or nc (if using Linux or macOS).

• Make sure there is no firewall on your computer blocking the port.

frequently asked questions

Q: Can I assign a port to all cities as before?
A: No, everything.Global ports have been removed.Because there isinsufficient portsexisting so that all users have a global port.

Q: Will my ports be removed if I don't pay?
A: We remove ports 20 days after accounts expire.

"WireGuard" is a registered trademark of Jason A. Donenfeld.