Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/mullvad/mullvadvpn-app/llms.txt

Use this file to discover all available pages before exploring further.

Overview

The mullvad tunnel command manages tunnel configuration including MTU, quantum resistance, DAITA, allowed IPs, key rotation, and IPv6 settings.

Syntax

mullvad tunnel <SUBCOMMAND>

Subcommands

get

Display current tunnel configuration: 
mullvad tunnel get

set

Configure tunnel options: 
mullvad tunnel set <OPTION>

Set Options

mtu

Configure tunnel MTU (Maximum Transmission Unit): 
mullvad tunnel set mtu <VALUE>
Arguments:
  • <VALUE> - MTU value in bytes (e.g., 1380, 1420), or “any” for automatic

quantum-resistant

Configure quantum-resistant key exchange: 
mullvad tunnel set quantum-resistant <STATE>
Values:
  • auto - Automatically select based on Mullvad recommendations
  • on - Always use quantum-resistant tunnels
  • off - Never use quantum-resistant tunnels

daita

Enable or disable DAITA (Defense against AI-guided Traffic Analysis): 
mullvad tunnel set daita <on|off>

daita-direct-only

Configure whether DAITA should only work on direct connections: 
mullvad tunnel set daita-direct-only <on|off>

allowed-ips

Specify custom allowed IPs for WireGuard tunnels: 
mullvad tunnel set allowed-ips <IP_RANGES>
Arguments:
  • <IP_RANGES> - Comma-separated IPs and CIDR ranges, or empty string to reset
Format:
  • Single IPs: 192.168.1.1
  • CIDR ranges: 10.0.0.0/24, fd00::/8
  • Multiple: 10.0.0.0/24,192.168.1.1,fd00::/8
  • Reset: “ (empty string)
WARNING: Incorrect configuration may block internet access or break VPN functionality.

rotation-interval

Set WireGuard key rotation interval: 
mullvad tunnel set rotation-interval <HOURS>
Arguments:
  • <HOURS> - Number of hours between key rotations, or “any” for default

rotate-key

Immediately rotate the WireGuard key: 
mullvad tunnel set rotate-key

ipv6

Enable or disable IPv6 in the tunnel: 
mullvad tunnel set ipv6 <on|off>

Examples

View Current Configuration

mullvad tunnel get
Output: 
WireGuard options
        MTU: 1380
        Quantum resistance: auto
        DAITA: off
        Public key: wg-public-key-here
        Created 2025-03-03 10:30:00 +01:00
        Rotation interval: 7 days
        Allowed IPs: all traffic (default)
Generic options
        IPv6: on

Set MTU

Set specific MTU: 
mullvad tunnel set mtu 1380
Output: 
MTU parameter has been updated
Set automatic MTU: 
mullvad tunnel set mtu any

Configure Quantum Resistance

Enable quantum resistance: 
mullvad tunnel set quantum-resistant on
Output: 
Quantum resistant setting has been updated
Use automatic mode: 
mullvad tunnel set quantum-resistant auto

Enable DAITA

mullvad tunnel set daita on
Output: 
DAITA setting has been updated

Configure Allowed IPs

Route only specific networks: 
mullvad tunnel set allowed-ips "10.0.0.0/8,192.168.0.0/16"
Output: 
WireGuard allowed IPs have been updated
Reset to default (all traffic): 
mullvad tunnel set allowed-ips ""

Key Rotation

Set rotation interval to 7 days: 
mullvad tunnel set rotation-interval 168
Output: 
Set key rotation interval to 7 days
Reset to default interval: 
mullvad tunnel set rotation-interval any
Output: 
Reset key rotation interval to 7 days
Rotate key immediately: 
mullvad tunnel set rotate-key
Output: 
Rotated WireGuard key

IPv6 Configuration

Enable IPv6: 
mullvad tunnel set ipv6 on
Output: 
IPv6: on
Disable IPv6: 
mullvad tunnel set ipv6 off

WireGuard Key Management

The tunnel command displays information about your current WireGuard key:
  • Public key - Your device’s public WireGuard key
  • Created - When the key was generated
  • Rotation interval - How often the key is automatically rotated
Keys are rotated automatically based on the configured interval, or you can manually rotate them using rotate-key.

Quantum Resistance

Quantum-resistant tunnels use post-quantum cryptography to protect against future quantum computers. The three states are:
  • auto - Uses quantum resistance when Mullvad recommends it
  • on - Always establishes quantum-resistant tunnels
  • off - Uses standard WireGuard without post-quantum cryptography

DAITA (Defense against AI-guided Traffic Analysis)

DAITA provides additional protection against advanced traffic analysis:
  • Adds cover traffic to mask patterns
  • Helps defend against AI-powered traffic analysis
  • May slightly increase bandwidth usage

Allowed IPs

By default, WireGuard routes all traffic (0.0.0.0/0, ::/0) through the tunnel. Custom allowed IPs let you:
  • Route only specific networks through VPN
  • Implement split tunneling at IP level
  • Exclude certain destinations from VPN
Host bits must be zero in CIDR ranges (e.g., 10.0.0.0/24 valid, 10.0.0.1/24 invalid).
  • relay - Configure relay selection
  • connect - Connect with current tunnel settings
  • dns - Configure DNS servers
  • split-tunnel - Configure application split tunneling

Exit Status

CodeDescription
0Configuration updated successfully
1Invalid configuration or update failed

Notes

  • MTU affects packet size and can impact performance on some networks
  • Quantum resistance may slightly increase connection overhead
  • Key rotation happens automatically in the background
  • Custom allowed IPs require careful configuration to avoid connectivity issues
  • IPv6 setting affects both tunnel and relay selection

Source Reference

Implementation: mullvad-cli/src/cmds/tunnel.rs