Configuration
Canonical configuration concepts and input surfaces used by Mullgate.
This page summarizes the configuration model that appears throughout the usage and architecture documentation.
Major configuration areas
Account and credentials
Required non-interactive setup inputs include:
- Mullvad account number for the default mullvad-wireguard-socks exit source
- Tailscale tailnet, auth key, and pinned exit node for the tailscale-exit exit source
- proxy username
- proxy password for non-interactive setup
- one or more route locations
Interactive setup can save an empty proxy password. Non-interactive setup requires the password input to be supplied explicitly, and public inline-selector exposure with an empty password still requires the unsafe override.
Routing inventory
The architecture material references a canonical routed config in routing.locations[].
That route inventory is what drives:
- local entrypoint naming
- bind IP allocation
- rendered route-specific backends
- runtime status and manifests
Exposure configuration
Exposure and access settings define how routes are reachable and how clients choose them.
Key inputs include:
- exposure mode
- access mode
- allowUnsafePublicEmptyPassword
- base domain
- bind host
- per-route bind IPs
- listener ports for SOCKS5, HTTP, and HTTPS
HTTPS listener inputs
When HTTPS-capable proxy support is configured, the docs reference:
- HTTPS port
- HTTPS certificate path
- HTTPS key path
Mullvad endpoints
Optional setup inputs include:
- provisioning endpoint URL
- relay metadata endpoint URL
Non-interactive environment variables
The usage guide documents these variables:
- MULLGATE_ACCOUNT_NUMBER
- MULLGATE_EXIT_SOURCE
- MULLGATE_TAILSCALE_TAILNET
- MULLGATE_TAILSCALE_AUTH_KEY
- MULLGATE_TAILSCALE_PINNED_EXIT_NODE
- MULLGATE_PROXY_USERNAME
- MULLGATE_PROXY_PASSWORD
- MULLGATE_LOCATION
- MULLGATE_LOCATIONS
- MULLGATE_DEVICE_NAME
- MULLGATE_BIND_HOST
- MULLGATE_ROUTE_BIND_IPS
- MULLGATE_EXPOSURE_MODE
- MULLGATE_EXPOSURE_BASE_DOMAIN
- MULLGATE_SOCKS_PORT
- MULLGATE_HTTP_PORT
- MULLGATE_HTTPS_PORT
- MULLGATE_HTTPS_CERT_PATH
- MULLGATE_HTTPS_KEY_PATH
- MULLGATE_MULLVAD_WG_URL
- MULLGATE_MULLVAD_RELAYS_URL
Rules worth remembering
- MULLGATE_EXIT_SOURCE defaults to mullvad-wireguard-socks
- tailscale-exit uses Tailscale credentials instead of a Mullvad account number
- for mullvad.tailscale.pinnedExitNode, prefer the Tailscale IP printed by tailscale exit-node list
- MULLGATE_LOCATION is shorthand for route 1
- MULLGATE_LOCATIONS is ordered and comma-separated
- MULLGATE_ROUTE_BIND_IPS is ordered and comma-separated
- private-network uses one shared trusted-network host IP
- public + published-routes requires one explicit bind IP per routed location, and multi-route public exposure requires distinct bind IPs
- inline-selector uses one shared host because route selection moves to the username
- in private-network, that shared host should be the real trusted-network IP clients can dial, such as the host's Tailscale 100.x address, not 0.0.0.0
- CLI commands are the preferred way to mutate configuration state
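A pre-flight check for the rules above, as an added example that is not Mullgate's own validation code. The function name, the access_mode and allow_unsafe parameters, the exact mode strings, and the use of MULLGATE_BIND_HOST as the shared private-network host are assumptions; the sample values are constructed.

```python
import ipaddress

# Assumptions: "public"/"private-network" as MULLGATE_EXPOSURE_MODE values and
# access mode passed as an argument (the page lists no variable for it).
def preflight(env, access_mode="published-routes", allow_unsafe=False):
    """Return rule violations for a non-interactive setup environment (a dict)."""
    def items(key):  # ordered, comma-separated list
        return [v.strip() for v in env.get(key, "").split(",") if v.strip()]

    problems = []
    # MULLGATE_LOCATION is shorthand for route 1; MULLGATE_LOCATIONS is the full list.
    locations = items("MULLGATE_LOCATIONS") or items("MULLGATE_LOCATION")
    bind_ips = items("MULLGATE_ROUTE_BIND_IPS")
    exposure = env.get("MULLGATE_EXPOSURE_MODE", "")
    source = env.get("MULLGATE_EXIT_SOURCE", "mullvad-wireguard-socks")

    if not locations:
        problems.append("no route location supplied")
    if "MULLGATE_PROXY_PASSWORD" not in env:
        problems.append("proxy password not supplied explicitly")
    needed = (["MULLGATE_TAILSCALE_TAILNET", "MULLGATE_TAILSCALE_AUTH_KEY",
               "MULLGATE_TAILSCALE_PINNED_EXIT_NODE"]
              if source == "tailscale-exit" else ["MULLGATE_ACCOUNT_NUMBER"])
    problems += [f"{k} missing for {source}" for k in needed if not env.get(k)]

    if exposure == "public" and access_mode == "published-routes":
        if len(bind_ips) != len(locations):
            problems.append("need one explicit bind IP per routed location")
        if len(set(bind_ips)) != len(bind_ips):
            problems.append("bind IPs must be distinct")
    if exposure == "public" and access_mode == "inline-selector":
        if env.get("MULLGATE_PROXY_PASSWORD") == "" and not allow_unsafe:
            problems.append("empty password needs the unsafe override")
    if exposure == "private-network":
        try:
            if ipaddress.ip_address(env.get("MULLGATE_BIND_HOST", "")).is_unspecified:
                problems.append("bind host is a wildcard address")
        except ValueError:
            pass  # not an IP literal, so the wildcard check does not apply
    return problems

# Constructed sample: two public routes that reuse one bind IP.
SAMPLE = {"MULLGATE_ACCOUNT_NUMBER": "0000000000000000", "MULLGATE_PROXY_PASSWORD": "example",
          "MULLGATE_LOCATIONS": "route-a,route-b", "MULLGATE_EXPOSURE_MODE": "public",
          "MULLGATE_ROUTE_BIND_IPS": "192.0.2.10,192.0.2.10"}

if __name__ == "__main__":
    print(preflight(SAMPLE))
```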
Operational guidance
Change configuration through Mullgate CLI commands where possible instead of editing generated JSON by hand.
For operators, the important validation loop is:
- inspect with mullgate proxy access
- review hostnames, direct-IP entrypoints, or selector examples in that same report
- refresh derived state with mullgate proxy validate --refresh
- confirm runtime with mullgate proxy status and mullgate proxy doctor
For selector syntax and supported selector families, see Inline Selector Reference.
For the Tailscale-backed exit source, see Tailscale Exit Source.