WireGuard Protocol

Overview

Mullvad VPN uses WireGuard as its primary VPN protocol. WireGuard is a modern VPN protocol that offers significant advantages over traditional protocols like OpenVPN and IPSec:

High performance: Minimal overhead and efficient cryptography
Modern cryptography: Uses Curve25519, ChaCha20, Poly1305, BLAKE2s, and SipHash24/13
Simple codebase: Easier to audit and maintain (approximately 4,000 lines of code)
Built-in roaming: Seamlessly handles network changes

How It Works

WireGuard establishes a secure tunnel using public-key cryptography:

Key Exchange: Each device has a private key and derives a corresponding public key using x25519 elliptic curve cryptography
Peer Configuration: Devices exchange public keys to establish trust
Encrypted Tunnel: All traffic is encrypted using ChaCha20-Poly1305 AEAD cipher
IP Routing: Allowed IPs determine which traffic goes through the tunnel

WireGuard uses UDP as its transport protocol, which provides better performance than TCP-based VPN protocols. When UDP is blocked, Mullvad offers obfuscation protocols to tunnel WireGuard over TCP.

Key Features

Cryptographic Primitives

WireGuard uses carefully selected, modern cryptographic algorithms:

Curve25519: For Elliptic-curve Diffie–Hellman (ECDH) key exchange
ChaCha20: Symmetric encryption cipher
Poly1305: Message authentication code (MAC)
BLAKE2s: Cryptographic hash function
SipHash24/13: Hash function for hashtable keys

Performance Benefits

Lower CPU usage compared to OpenVPN
Faster connection establishment
Better battery life on mobile devices
Efficient handling of roaming between networks

Connection Persistence

WireGuard maintains connections even when your device:

Switches between WiFi and mobile data
Changes IP addresses
Wakes from sleep mode

Implementation Details

Kernel vs Userspace

Mullvad supports both implementations:

Kernel Module
Userspace (wireguard-go)

Default on Linux, Windows (wireguard-nt), and macOS
Highest performance
Runs in kernel space for minimal overhead
Available when kernel module is present

Fallback implementation
Cross-platform Go-based implementation
Used when kernel module is unavailable
Can be forced via TALPID_FORCE_USERSPACE_WIREGUARD environment variable

On Android and iOS, the userspace implementation is used by default as kernel modules cannot be loaded on these platforms.

Configuring WireGuard

Using the GUI

Open Mullvad VPN
Go to Settings → VPN settings
WireGuard is selected by default under Tunnel protocol
Configure additional options:
- MTU (Maximum Transmission Unit)
- Port selection (automatic or specific ports)

Using the CLI

WireGuard is the default protocol. To explicitly configure settings:

# Check current tunnel settings
mullvad relay set tunnel-protocol wireguard

# Set specific WireGuard port
mullvad relay set tunnel wireguard port 51820

# Use any available port
mullvad relay set tunnel wireguard port any

Platform Support

WireGuard is available on all platforms:

Platform	Implementation	Notes
Windows	wireguard-nt (kernel)	Native Windows driver
Linux	Kernel module	Built into Linux kernel 5.6+
macOS	Kernel extension	Custom kernel extension
Android	wireguard-go (userspace)	Go implementation
iOS	wireguard-go (userspace)	Go implementation

Security Considerations

Key Rotation

Mullvad automatically rotates WireGuard keys:

Keys are ephemeral and rotated regularly
Old keys are securely deleted
No manual key management required

Perfect Forward Secrecy

While WireGuard itself doesn’t provide perfect forward secrecy in the traditional sense, Mullvad’s implementation includes:

Regular key rotation
Quantum-resistant tunnels with ephemeral pre-shared keys
Session-based security

WireGuard assigns static tunnel IPs to each key pair. Mullvad handles key rotation to prevent long-term tracking of your tunnel IP address.

Troubleshooting

Connection Issues

If WireGuard connections fail:

Check UDP connectivity: WireGuard requires UDP to be allowed
Try different ports: Some networks block specific ports
Enable obfuscation: If UDP is blocked, use WireGuard over TCP
Check firewall rules: Ensure your firewall allows WireGuard traffic

Performance Optimization

MTU tuning: Adjust MTU if experiencing fragmentation issues
Port selection: Some ISPs prioritize certain ports
Server selection: Choose geographically closer servers

Technical Resources

Quantum-Resistant Tunnels - Add post-quantum cryptography
DAITA - Traffic analysis protection
Multihop - Route through multiple servers
Obfuscation - Bypass VPN blocking

Getting Started

Features

Platform Guides

Security & Privacy

Account & Devices

Overview

How It Works

Key Features

Cryptographic Primitives

Performance Benefits

Connection Persistence

Implementation Details

Kernel vs Userspace

Configuring WireGuard

Using the GUI

Using the CLI

Platform Support

Security Considerations

Key Rotation

Perfect Forward Secrecy

Troubleshooting

Connection Issues

Performance Optimization

Technical Resources

Build docs developers (and LLMs) love

Getting Started

Features

Platform Guides

Security & Privacy

Account & Devices

​Overview

​How It Works

​Key Features

​Cryptographic Primitives

​Performance Benefits

​Connection Persistence

​Implementation Details

​Kernel vs Userspace

​Configuring WireGuard

​Using the GUI

​Using the CLI

​Platform Support

​Security Considerations

​Key Rotation

​Perfect Forward Secrecy

​Troubleshooting

​Connection Issues

​Performance Optimization

​Technical Resources

​Related Features

Build docs developers (and LLMs) love

Overview

How It Works

Key Features

Cryptographic Primitives

Performance Benefits

Connection Persistence

Implementation Details

Kernel vs Userspace

Configuring WireGuard

Using the GUI

Using the CLI

Platform Support

Security Considerations

Key Rotation

Perfect Forward Secrecy

Troubleshooting

Connection Issues

Performance Optimization

Technical Resources

Related Features