README.md
Welcome to the Mullvad VPN client app source code repository. This is the VPN client software for the Mullvad VPN service. For more information about the service, please visit our website, mullvad.net (Also accessible via Tor on our onion service).
This repository contains all the source code for the
desktop and mobile versions of the app. For desktop this includes the system service/daemon
(mullvad-daemon), a graphical user interface (GUI) and a command
line interface (CLI). The Android app uses the same backing system service for the
tunnel and security but has a dedicated frontend in android/. iOS consists of a
completely standalone implementation that resides in ios/.
There are built and signed releases for macOS, Windows, Linux and Android available on our website and on GitHub. The Android app is also available on Google Play and F-Droid and the iOS version on App Store.
You can find our code signing keys as well as instructions for how to cryptographically verify your download on Mullvad's Open Source page.
These are the operating systems and their versions that the app officially supports. It might work on many more versions, but we don't test for those and can't guarantee the quality or security.
| OS/Platform | Supported versions |
|---|---|
| Windows | 10 and 11 |
| macOS | The three latest major releases |
| Linux (Ubuntu) | The two latest LTS releases and the latest non-LTS releases |
| Linux (Fedora) | The versions that are not yet EOL |
| Linux (Debian) | 12 and newer |
| Android | 8 and newer |
| iOS | 17.0 and newer |
On Linux we test using the Gnome desktop environment. The app should, and probably does, work in other desktop environments, but we don't regularly test those.
Here is a table containing the features of the app across platforms. This is intended to reflect the current state of the latest code in git, not necessarily any existing release.
| | Windows | Linux | macOS | Android | iOS |
|---|---|---|---|---|---|
| WireGuard | ✓ | ✓ | ✓ | ✓ | ✓ |
| Quantum-resistant tunnels | ✓ | ✓ | ✓ | ✓ | ✓ |
| DAITA | ✓ | ✓ | ✓ | ✓ | ✓ |
| WireGuard multihop | ✓ | ✓ | ✓ | ✓ | ✓ |
| WireGuard over TCP | ✓ | ✓ | ✓ | ✓ | ✓ |
| WireGuard over Shadowsocks | ✓ | ✓ | ✓ | ✓ | ✓ |
| WireGuard over QUIC | ✓ | ✓ | ✓ | ✓ | ✓ |
| Lightweight WireGuard Obfuscation (LWO) | ✓ | ✓ | ✓ | ✓ | |
| Split tunneling | ✓ | ✓ | ✓ | ✓ | |
| Custom DNS server | ✓ | ✓ | ✓ | ✓ | ✓ |
| Content blockers (Ads etc) | ✓ | ✓ | ✓ | ✓ | ✓ |
| Optional local network access | ✓ | ✓ | ✓ | ✓ | ✓* |
| Externally audited | ✓ | ✓ | ✓ | ✓ | ✓ |
* The local network is always accessible on iOS with the current implementation
This app is a privacy preserving VPN client. As such, it goes to great lengths to stop traffic leaks, and basically all settings default to the more secure/private option. The user has to explicitly allow looser rules if desired. See the dedicated security document for details on what the app blocks and allows, as well as how it does it.
Since the security of the users of the app is a top priority, by extension the security of the development and release process also becomes a top priority. This is something we work actively on.
All merge commits to the main branch must be PGP (gpg) signed in git. This signs off the entire feature branch. The individual commits in the feature branch do not need to be signed, unless they change one or more of the files deemed extra important.
The list of files that require a signature on every commit that changes them is defined in the verify-locked-down-signatures workflow.
This app is audited by external security experts and penetration testers every second year. We also carry out feature specific audits for certain security critical features and changes.
The results of these audits are always made public in their unredacted original form, for full transparency towards the users. See the audits readme for this.
Moreover, we welcome any individual to review the security of this app and submit any found issue to us. See SECURITY.md for more.
This repository contains submodules needed for building the app. However, some of those submodules also have further submodules that are quite large and not needed to build the app. So unless you want the source code for all submodules you should avoid a recursive clone of the repository. Instead clone the repository normally and then get one level of submodules:
git clone https://github.com/mullvad/mullvadvpn-app.git
cd mullvadvpn-app
git submodule update --init
On Android, Windows, Linux and macOS you also want to checkout the wireguard-go submodule:
git submodule update --init wireguard-go-rs/libwg/wireguard-go
Further details on why this is necessary can be found in the wireguard-go-rs crate.
We sign every merge commit to the main branch as well as our release tags.
If you would like to verify your checkout, you can find our developer keys on
Mullvad's Open Source page.
This repository has a git submodule at dist-assets/binaries. This submodule contains binaries and
build scripts for third party code we need to bundle with the app, such as Wintun.
This submodule conforms to the same integrity/security standards as this repository. Every merge commit should be signed. And this main repository should only ever point to a signed merge commit of the binaries submodule.
See the binaries submodule's README for more details about that repository.
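The signing rules above (signed merge commits on main, signed release tags, and a binaries submodule pinned to a signed merge commit) can be checked on a local checkout as follows. This is an added example, not Mullvad's own tooling; the function names are hypothetical, and it assumes the developer keys from Mullvad's Open Source page are already imported into the GnuPG keyring.

```sh
#!/bin/sh
# Added example, not part of the Mullvad repository.
# Assumption: the developer keys are already in the GnuPG keyring git uses.
SUBMODULE="dist-assets/binaries"   # submodule path named in this README

# is_merge REPO REV -> 0 when REV has two or more parents
is_merge() {
    parents=$(git -C "$1" rev-list --parents -n 1 "$2") || return 1
    # Output is "<commit> <parent>...", so a merge yields at least three words.
    set -- $parents
    [ "$#" -ge 3 ]
}

# verify_signed_merge REPO REV -> 0 only for a merge commit whose signature verifies
verify_signed_merge() {
    if ! is_merge "$1" "$2"; then
        echo "$2 in $1 is not a merge commit" >&2
        return 1
    fi
    git -C "$1" verify-commit "$2"
}

# verify_checkout REPO [TAG] -> checks HEAD, the pinned submodule commit
# and, when TAG is given, the release tag
verify_checkout() {
    verify_signed_merge "$1" HEAD || return 1
    # The gitlink recorded in HEAD is the submodule commit the main repo points to.
    pinned=$(git -C "$1" rev-parse "HEAD:$SUBMODULE") || return 1
    verify_signed_merge "$1/$SUBMODULE" "$pinned" || return 1
    if [ -n "${2:-}" ]; then
        git -C "$1" verify-tag "$2" || return 1
    fi
    echo "signatures verified for $1"
}

# Run as: sh verify.sh /path/to/mullvadvpn-app [release-tag]
if [ "$#" -gt 0 ]; then verify_checkout "$@"; fi
```

`git verify-commit` and `git verify-tag` accept a good signature from any key in the keyring, so use a keyring that holds only the developer keys, or compare the fingerprint git prints with the published one.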
See the build instructions for help building the app on desktop platforms.
For building the Android app, see the instructions for Android.
For building the iOS app, see the instructions for iOS.
See this for instructions on how to make a new release.
TALPID_FIREWALL_DEBUG - Helps debugging the firewall. Does different things depending on
platform:
"1" to add packet counters to all firewall rules.
pflog0 interface.
"all" to add logging to all rules.
"pass" to add logging to rules allowing packets.
"drop" to add logging to rules blocking packets.
TALPID_FIREWALL_DONT_SET_SRC_VALID_MARK - Set this variable to 1 to stop the daemon from
setting the net.ipv4.conf.all.src_valid_mark kernel parameter to 1 on Linux when a tunnel
is established.
The kernel config parameter is set by default, because otherwise strict reverse path filtering
may prevent relay traffic from reaching the daemon. If rp_filter is set to 1 on the interface
that will be receiving relay traffic, and src_valid_mark is not set to 1, the daemon will
not be able to receive relay traffic.
TALPID_FIREWALL_DONT_SET_ARP_IGNORE - Set this variable to 1 to stop the daemon from
setting the net.ipv4.conf.all.arp_ignore kernel parameter to 2 on Linux when a tunnel
is established.
The kernel config parameter is set by default, because otherwise an attacker who can send ARP
requests to the device running Mullvad can figure out the in-tunnel IP.
TALPID_DNS_MODULE - Allows changing the method that will be used for DNS configuration.
By default this is automatically detected, but you can set it to one of the options below to
choose a specific method.
Linux
"static-file": change the /etc/resolv.conf file directly
"resolvconf": use the resolvconf program
"systemd": use systemd's resolved service through DBus
"network-manager": use NetworkManager service through DBus
Windows
iphlpapi: use the IP helper API
netsh: use the netsh program
tcpip: set TCP/IP parameters in the registry
TALPID_DISABLE_LOCAL_DNS_RESOLVER - Set this variable to 1 to disable the local DNS resolver
(macOS only).
TALPID_NEVER_FILTER_AAAA_QUERIES - Set this variable to 1 to never ignore DNS AAAA queries
(macOS only).
TALPID_FORCE_USERSPACE_WIREGUARD - Forces the daemon to use the userspace implementation of
WireGuard.
TALPID_DISABLE_OFFLINE_MONITOR - Forces the daemon to always assume the host is online.
TALPID_CGROUP2_FS - On Linux, forces the daemon to look for the cgroup2 filesystem at the
specified path, instead of /sys/fs/cgroup. The cgroup2 used for split tunneling will be created
in this directory.
TALPID_NET_CLS_MOUNT_DIR - On Linux, forces the daemon to mount the net_cls controller in the
specified directory if it isn't mounted already. This will only have an effect on older systems
where cgroup v1 is used for split tunneling.
MULLVAD_MANAGEMENT_SOCKET_GROUP - On Linux and macOS, this restricts access to the management
interface UDS socket to users in the specified group. This means that only users in that group can
use the CLI and GUI. By default, everyone has access to the socket.
MULLVAD_BACKTRACE_ON_FAULT - When enabled, if the daemon encounters a fault (e.g. SIGSEGV),
it will log a backtrace to stdout, and to daemon.log. By default, this is disabled in
release-builds and enabled in debug-builds. Set variable to 1 or 0 to explicitly enable or
disable this feature. Logging the backtrace causes heap allocation. Allocation is not signal safe,
but here it runs in the signal handler. This is technically undefined behavior and therefore
disabled by default. This usually works, but enable at your own risk.
MULLVAD_API_HOST - Set the hostname to use in API requests. E.g. api.mullvad.net.
MULLVAD_API_ADDR - Set the IP address and port to use in API requests. E.g. 10.10.1.2:443.
MULLVAD_API_DISABLE_TLS - Use plain HTTP for API requests.
MULLVAD_CONNCHECK_HOST - Set the hostname to use in connection check requests. E.g. am.i.mullvad.net.
MULLVAD_ENABLE_DEV_UPDATES - Enable version checks in development builds.
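For TALPID_FIREWALL_DONT_SET_SRC_VALID_MARK and TALPID_FIREWALL_DONT_SET_ARP_IGNORE above, the following added check (not part of the Mullvad repository) reads the kernel parameters involved and reports whether relay traffic would be dropped and whether arp_ignore still has the value the daemon sets. `CONF_ROOT`, the function names and the interface name are assumptions of this example; combining the `all` and per-interface values by taking the larger one is standard Linux behaviour.

```sh
#!/bin/sh
# Added example: audit the Linux sysctls the README says the daemon sets.
# CONF_ROOT is overridable so the check can run against a constructed tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# read_conf SCOPE KEY -> prints the value, or 0 when the file is missing
read_conf() {
    if [ -r "$CONF_ROOT/$1/$2" ]; then cat "$CONF_ROOT/$1/$2"; else echo 0; fi
}

# effective IFACE KEY -> the kernel uses the larger of "all" and the interface value
effective() {
    all_v=$(read_conf all "$2")
    if_v=$(read_conf "$1" "$2")
    if [ "$all_v" -ge "$if_v" ]; then echo "$all_v"; else echo "$if_v"; fi
}

# relay_rx_status IFACE -> "blocked" when strict rp_filter meets src_valid_mark != 1
relay_rx_status() {
    rp=$(effective "$1" rp_filter)
    mark=$(effective "$1" src_valid_mark)
    if [ "$rp" -eq 1 ] && [ "$mark" -ne 1 ]; then echo blocked; else echo ok; fi
}

# arp_ignore_status -> "daemon-value" when conf/all/arp_ignore is 2, else "changed"
arp_ignore_status() {
    if [ "$(read_conf all arp_ignore)" -eq 2 ]; then echo daemon-value; else echo changed; fi
}

# audit IFACE -> prints both findings, returns 1 if either differs from the safe state
audit() {
    rx=$(relay_rx_status "$1")
    arp=$(arp_ignore_status)
    echo "$1: relay receive path $rx, arp_ignore $arp"
    [ "$rx" = ok ] && [ "$arp" = daemon-value ]
}

# Run as: sh check.sh eth0   (the interface name is whatever carries relay traffic)
if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run it while a tunnel is established, since the README states the daemon sets both parameters at that point.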
Use setx from an elevated shell:
setx TALPID_DISABLE_OFFLINE_MONITOR 1 /m
For the change to take effect, restart the daemon:
sc.exe stop mullvadvpn
sc.exe start mullvadvpn
Edit the systemd unit file via systemctl edit mullvad-daemon.service:
[Service]
Environment="TALPID_DISABLE_OFFLINE_MONITOR=1"
For the change to take effect, restart the daemon:
sudo systemctl restart mullvad-daemon
Use plutil:
sudo plutil -replace EnvironmentVariables -json '{"TALPID_DISABLE_OFFLINE_MONITOR": "1"}' /Library/LaunchDaemons/net.mullvad.daemon.plist
For the change to take effect, restart the daemon:
launchctl unload -w /Library/LaunchDaemons/net.mullvad.daemon.plist
launchctl load -w /Library/LaunchDaemons/net.mullvad.daemon.plist
MULLVAD_PATH - Allows changing the path to the folder with the mullvad-problem-report tool
when running in development mode. Defaults to: <repo>/target/debug/.
MULLVAD_DISABLE_UPDATE_NOTIFICATION - If set to 1, notification will be disabled when
an update is available.
$ npm run develop - develop app with live-reload enabled
$ npm run lint - lint code
$ npm run pack:<OS> - prepare app for distribution for your platform. Where <OS> can be
linux, mac or win
$ npm test - run tests
The requirements for displaying a tray icon vary between different desktop environments. If the tray icon does not appear, try one of the following methods:
If you're using GNOME, you might have to install additional GNOME shell extensions to display the tray icon properly.
We recommend AppIndicator and KStatusNotifierItem Support. It can be installed via GNOME's extension website:
https://extensions.gnome.org/extension/615/appindicator-support/
Try installing one of these packages using the system's package manager:
libappindicator3-1
libappindicator1
libappindicator
electron-builder
The daemon is implemented in Rust and is split into several crates. The main, or top level,
crate that builds the final daemon binary is mullvad-daemon, which then depends on the others.
In general one can look at the daemon as split into two parts, the crates starting with talpid
and the crates starting with mullvad. The talpid crates are supposed to be completely unrelated
to Mullvad specific things. A talpid crate is not allowed to know anything about the API through
which the daemon fetches Mullvad account details or downloads VPN server lists, for example. The
talpid components should be viewed as a generic VPN client with extra privacy and anonymity
preserving features. The crates having mullvad in their name on the other hand make use of the
talpid components to build a secure and Mullvad specific VPN client.
Explanations for some common words used in the documentation and code in this repository.
mullvad-daemon Rust program. This headless program exposes a
management interface that can be used to control the daemon
mullvad that is a terminal based frontend for the Mullvad
VPN app.
A list of file paths written to and read from by the various components of the Mullvad VPN app
On Windows, when a process runs as a system service the variable %LOCALAPPDATA% expands to
C:\Windows\system32\config\systemprofile\AppData\Local.
All directory paths are defined in, and fetched from, the mullvad-paths crate.
The settings directory can be changed by setting the MULLVAD_SETTINGS_DIR environment variable.
| Platform | Path |
|---|---|
| Linux | /etc/mullvad-vpn/ |
| macOS | /etc/mullvad-vpn/ |
| Windows | %LOCALAPPDATA%\Mullvad VPN\ |
| Android | getFilesDir() |
The log directory can be changed by setting the MULLVAD_LOG_DIR environment variable.
| Platform | Path |
|---|---|
| Linux | /var/log/mullvad-vpn/ + systemd |
| macOS | /var/log/mullvad-vpn/ |
| Windows | C:\ProgramData\Mullvad VPN\ |
| Android | getFilesDir() |
The cache directory can be changed by setting the MULLVAD_CACHE_DIR environment variable.
| Platform | Path |
|---|---|
| Linux | /var/cache/mullvad-vpn/ |
| macOS | /Library/Caches/mullvad-vpn/ |
| Windows | C:\ProgramData\Mullvad VPN\cache |
| Android | getCacheDir() |
The full path to the RPC address file can be changed by setting the MULLVAD_RPC_SOCKET_PATH
environment variable.
| Platform | Path |
|---|---|
| Linux | /var/run/mullvad-vpn |
| macOS | /var/run/mullvad-vpn |
| Windows | //./pipe/Mullvad VPN |
| Android | getNoBackupFilesDir() |
The desktop Electron app has a specific settings file that is configured for each user. The path is
set in the desktop/packages/mullvad-vpn/src/main/gui-settings.ts file.
| Platform | Path |
|---|---|
| Linux | $XDG_CONFIG_HOME/Mullvad VPN/gui_settings.json |
| macOS | ~/Library/Application Support/Mullvad VPN/gui_settings.json |
| Windows | %LOCALAPPDATA%\Mullvad VPN\gui_settings.json |
| Android | Present in Android's logcat |
See graphics README for information about icons.
Instructions for how to handle locales and translations are found here.
For instructions specific to the Android app, see here.
For instructions specific to the iOS app, see here.
Copyright (C) 2026 Mullvad VPN AB
This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
For the full license agreement, see the LICENSE.md file
The source code for the iOS app is GPL-3 licensed like everything else in this repository. But the distributed app on the Apple App Store is not GPL licensed, it falls under the Apple App Store EULA.