
Configuration

Canonical configuration concepts and input surfaces used by Mullgate.

This page summarizes the configuration model that appears throughout the usage and architecture documentation.

Major configuration areas

Account and credentials

Required non-interactive setup inputs include:

  • Mullvad account number for the default mullvad-wireguard-socks exit source
  • Tailscale tailnet, auth key, and pinned exit node for the tailscale-exit exit source
  • proxy username
  • proxy password for non-interactive setup
  • one or more route locations

Interactive setup can save an empty proxy password. Non-interactive setup requires the password input to be supplied explicitly, and public inline-selector exposure with an empty password still requires the unsafe override.

Routing inventory

The architecture material references a canonical routed config in routing.locations[].

That route inventory is what drives:

  • local entrypoint naming
  • bind IP allocation
  • rendered route-specific backends
  • runtime status and manifests

Exposure configuration

Exposure and access settings define how routes are reachable and how clients choose them.

Key inputs include:

  • exposure mode
  • access mode
  • allowUnsafePublicEmptyPassword
  • base domain
  • bind host
  • per-route bind IPs
  • listener ports for SOCKS5, HTTP, and HTTPS

HTTPS listener inputs

When HTTPS-capable proxy support is configured, the docs reference:

  • HTTPS port
  • HTTPS certificate path
  • HTTPS key path

Mullvad endpoints

Optional setup inputs include:

  • provisioning endpoint URL
  • relay metadata endpoint URL

Non-interactive environment variables

The usage guide documents these variables:

  • MULLGATE_ACCOUNT_NUMBER
  • MULLGATE_EXIT_SOURCE
  • MULLGATE_TAILSCALE_TAILNET
  • MULLGATE_TAILSCALE_AUTH_KEY
  • MULLGATE_TAILSCALE_PINNED_EXIT_NODE
  • MULLGATE_PROXY_USERNAME
  • MULLGATE_PROXY_PASSWORD
  • MULLGATE_LOCATION
  • MULLGATE_LOCATIONS
  • MULLGATE_DEVICE_NAME
  • MULLGATE_BIND_HOST
  • MULLGATE_ROUTE_BIND_IPS
  • MULLGATE_EXPOSURE_MODE
  • MULLGATE_EXPOSURE_BASE_DOMAIN
  • MULLGATE_SOCKS_PORT
  • MULLGATE_HTTP_PORT
  • MULLGATE_HTTPS_PORT
  • MULLGATE_HTTPS_CERT_PATH
  • MULLGATE_HTTPS_KEY_PATH
  • MULLGATE_MULLVAD_WG_URL
  • MULLGATE_MULLVAD_RELAYS_URL

Rules worth remembering

  • MULLGATE_EXIT_SOURCE defaults to mullvad-wireguard-socks
  • tailscale-exit uses Tailscale credentials instead of a Mullvad account number
  • for mullvad.tailscale.pinnedExitNode, prefer the Tailscale IP printed by tailscale exit-node list
  • MULLGATE_LOCATION is shorthand for route 1
  • MULLGATE_LOCATIONS is ordered and comma-separated
  • MULLGATE_ROUTE_BIND_IPS is ordered and comma-separated
  • private-network uses one shared trusted-network host IP
  • public + published-routes requires one explicit bind IP per routed location, and multi-route public exposure requires distinct bind IPs
  • inline-selector uses one shared host because route selection moves to the username
  • in private-network, that shared host should be the real trusted-network IP clients can dial, such as the host's Tailscale 100.x address, not 0.0.0.0
  • CLI commands are the preferred way to mutate configuration state
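
A pre-flight check of these rules, written for this page as an added example; it is not Mullgate's own validation code and does not replace mullgate proxy validate. Assumptions: public, published-routes and inline-selector are the literal mode values; access mode and the allowUnsafePublicEmptyPassword override are passed as arguments because this page lists no environment variable for them; MULLGATE_LOCATIONS takes precedence over MULLGATE_LOCATION when both are set.

```python
DEFAULT_EXIT_SOURCE = "mullvad-wireguard-socks"  # default stated on this page
REQUIRED_BY_SOURCE = {  # credentials each exit source needs, per this page
    "mullvad-wireguard-socks": ["MULLGATE_ACCOUNT_NUMBER"],
    "tailscale-exit": ["MULLGATE_TAILSCALE_TAILNET", "MULLGATE_TAILSCALE_AUTH_KEY",
                       "MULLGATE_TAILSCALE_PINNED_EXIT_NODE"],
}

def split_list(value):
    """Split an ordered, comma-separated variable, dropping empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def preflight(env, access_mode=None, allow_unsafe_empty_password=False):
    """Return the problems found in env, a dict of MULLGATE_* variables."""
    # Assumption: access_mode and the unsafe override arrive as arguments,
    # and "public" is the exposure-mode value for public exposure.
    problems = []
    source = env.get("MULLGATE_EXIT_SOURCE") or DEFAULT_EXIT_SOURCE
    for name in REQUIRED_BY_SOURCE.get(source, []) + ["MULLGATE_PROXY_USERNAME"]:
        if not env.get(name):
            problems.append(f"{name} is required (exit source {source})")
    if "MULLGATE_PROXY_PASSWORD" not in env:  # may be empty, but must be present
        problems.append("MULLGATE_PROXY_PASSWORD must be supplied explicitly")
    # Assumption: MULLGATE_LOCATIONS wins over the route-1 shorthand.
    locations = split_list(env.get("MULLGATE_LOCATIONS")) or split_list(env.get("MULLGATE_LOCATION"))
    if not locations:
        problems.append("at least one route location is required")
    mode = env.get("MULLGATE_EXPOSURE_MODE")
    bind_ips = split_list(env.get("MULLGATE_ROUTE_BIND_IPS"))
    if mode == "public" and access_mode == "published-routes":
        if len(bind_ips) != len(locations):
            problems.append("published-routes needs one bind IP per routed location")
        if len(set(bind_ips)) != len(bind_ips):
            problems.append("public multi-route exposure needs distinct bind IPs")
    if mode == "public" and access_mode == "inline-selector":
        if env.get("MULLGATE_PROXY_PASSWORD") == "" and not allow_unsafe_empty_password:
            problems.append("empty password requires allowUnsafePublicEmptyPassword")
    if mode == "private-network" and env.get("MULLGATE_BIND_HOST") in ("0.0.0.0", "::"):
        problems.append("MULLGATE_BIND_HOST must be a dialable trusted-network IP")
    return problems

# Constructed sample: two public published routes that reuse one bind IP.
SAMPLE = {
    "MULLGATE_ACCOUNT_NUMBER": "0000000000000000", "MULLGATE_PROXY_USERNAME": "operator",
    "MULLGATE_PROXY_PASSWORD": "constructed-secret", "MULLGATE_LOCATIONS": "route-a,route-b",
    "MULLGATE_EXPOSURE_MODE": "public", "MULLGATE_ROUTE_BIND_IPS": "203.0.113.10,203.0.113.10",
}
if __name__ == "__main__":
    print(preflight(SAMPLE, access_mode="published-routes"))
```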

Operational guidance

Change configuration through Mullgate CLI commands where possible instead of editing generated JSON by hand.

For operators, the important validation loop is:

  1. inspect with mullgate proxy access
  2. review hostnames, direct-IP entrypoints, or selector examples in that same report
  3. refresh derived state with mullgate proxy validate --refresh
  4. confirm runtime with mullgate proxy status and mullgate proxy doctor

For selector syntax and supported selector families, see Inline Selector Reference.

For the Tailscale-backed exit source, see Tailscale Exit Source.
