Configuration

Canonical configuration concepts and input surfaces used by Mullgate.

This page summarizes the configuration model that appears throughout the usage and architecture documentation.

Major configuration areas

Account and credentials

Required non-interactive setup inputs include:

  • Mullvad account number
  • proxy username
  • one or more route locations

The proxy password is optional. If you omit it, Mullgate saves an empty password.

Routing inventory

The architecture material references a canonical routed config in routing.locations[].

That route inventory is what drives:

  • local entrypoint naming
  • bind IP allocation
  • rendered route-specific backends
  • runtime status and manifests

Exposure configuration

Exposure and access settings define how routes are reachable and how clients choose them.

Key inputs include:

  • exposure mode
  • access mode
  • allowUnsafePublicEmptyPassword
  • base domain
  • bind host
  • per-route bind IPs
  • listener ports for SOCKS5, HTTP, and HTTPS

HTTPS listener inputs

When HTTPS-capable proxy support is configured, the docs reference:

  • HTTPS port
  • HTTPS certificate path
  • HTTPS key path

Mullvad endpoints

Optional setup inputs include:

  • provisioning endpoint URL
  • relay metadata endpoint URL

Non-interactive environment variables

The usage guide documents these variables:

  • MULLGATE_ACCOUNT_NUMBER
  • MULLGATE_PROXY_USERNAME
  • MULLGATE_PROXY_PASSWORD
  • MULLGATE_LOCATION
  • MULLGATE_LOCATIONS
  • MULLGATE_DEVICE_NAME
  • MULLGATE_BIND_HOST
  • MULLGATE_ROUTE_BIND_IPS
  • MULLGATE_EXPOSURE_MODE
  • MULLGATE_EXPOSURE_BASE_DOMAIN
  • MULLGATE_SOCKS_PORT
  • MULLGATE_HTTP_PORT
  • MULLGATE_HTTPS_PORT
  • MULLGATE_HTTPS_CERT_PATH
  • MULLGATE_HTTPS_KEY_PATH
  • MULLGATE_MULLVAD_WG_URL
  • MULLGATE_MULLVAD_RELAYS_URL

Rules worth remembering

  • MULLGATE_LOCATION is shorthand for route 1
  • MULLGATE_LOCATIONS is ordered and comma-separated
  • MULLGATE_ROUTE_BIND_IPS is ordered and comma-separated
  • private-network uses one shared trusted-network host IP
  • public + published-routes requires one explicit bind IP per routed location, and multi-route public exposure requires distinct bind IPs
  • inline-selector uses one shared host because route selection moves to the username
  • in private-network, that shared host should be the real trusted-network IP clients can dial, such as the host's Tailscale 100.x address, not 0.0.0.0
  • CLI commands are the preferred way to mutate configuration state
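
The rules above expressed as a pre-flight check over the MULLGATE_* variables, as an added example that is not part of Mullgate or its documentation. It assumes the mode names used in the rules (public, private-network, published-routes) are the literal setting values, takes the access mode as a parameter because this page lists no variable for it, and uses constructed location codes and documentation-range addresses.

```python
import ipaddress

def split_list(value):
    """Split an ordered, comma-separated variable, dropping empty items."""
    return [item.strip() for item in (value or "").split(",") if item.strip()]

def preflight(env, access_mode):
    """Return findings for a mapping of MULLGATE_* variables (empty list = clean)."""
    # Assumption: access_mode is a parameter; the page names no variable for it.
    findings = []
    for name in ("MULLGATE_ACCOUNT_NUMBER", "MULLGATE_PROXY_USERNAME"):
        if not env.get(name):
            findings.append(f"{name} is required")
    # MULLGATE_LOCATIONS is the ordered list; MULLGATE_LOCATION is route 1 shorthand.
    locations = split_list(env.get("MULLGATE_LOCATIONS") or env.get("MULLGATE_LOCATION"))
    if not locations:
        findings.append("at least one route location is required")
    bind_ips = split_list(env.get("MULLGATE_ROUTE_BIND_IPS"))
    for ip in bind_ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"MULLGATE_ROUTE_BIND_IPS entry {ip!r} is not an IP address")
    mode = env.get("MULLGATE_EXPOSURE_MODE", "")
    if mode == "public" and access_mode == "published-routes":
        if len(bind_ips) != len(locations):
            findings.append(f"{len(locations)} locations but {len(bind_ips)} bind IPs")
        if len(set(bind_ips)) != len(bind_ips):
            findings.append("public multi-route exposure needs distinct bind IPs")
    if mode == "private-network" and env.get("MULLGATE_BIND_HOST") in ("0.0.0.0", "::"):
        findings.append("private-network bind host is a wildcard, not a dialable IP")
    # An omitted password is saved as empty; flag that when routes are public.
    if mode == "public" and not env.get("MULLGATE_PROXY_PASSWORD"):
        findings.append("public exposure with an empty proxy password")
    return findings

# Constructed sample input: placeholder account, made-up location codes.
SAMPLE = {
    "MULLGATE_ACCOUNT_NUMBER": "0000000000000000",
    "MULLGATE_PROXY_USERNAME": "operator",
    "MULLGATE_LOCATIONS": "se-got,de-fra",
    "MULLGATE_ROUTE_BIND_IPS": "203.0.113.10,203.0.113.10",
    "MULLGATE_EXPOSURE_MODE": "public",
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE, access_mode="published-routes"):
        print("FINDING:", finding)
```

The empty-password finding is a reviewer's flag only; how Mullgate itself treats that case, including the allowUnsafePublicEmptyPassword input, is not described on this page.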

Operational guidance

Change configuration through Mullgate CLI commands where possible instead of editing generated JSON by hand.

For operators, the important validation loop is:

  1. inspect with mullgate proxy access
  2. review hostnames or selector examples with mullgate proxy access
  3. refresh derived state with mullgate proxy validate --refresh
  4. confirm runtime with mullgate proxy status and mullgate proxy doctor

For selector syntax and supported selector families, see Inline Selector Reference.
