Tailscale is a wonderful, modern mesh VPN solution. Generally speaking, you don’t need another VPN when using Tailscale. Even for tasks like bypassing geo-blocking, you can use their Exit Node feature, as long as you have a node in the country that you want to pretend to be in. But you may not always have that option. Which means for such use-cases, you may need to use generic VPN service, but you probably still want to continue to use Tailscale, so you will have to be able to combine them in a peaceful way. Since both are a VPN solution, it may not be a trivial or possible task.

In this post, we explain how to make a popular VPN service Mullvad work with Tailscale.

Unfortunately, you actually cannot use native Mullvad client with Tailscale (confirmed by Mullvad support as of August, 2022). Instead, you need to use Wireguard app and then disallow and IPv6 from the Mullvad VPN. Since Wireguard app’s settings currently have no support for a list of disallowed IPs and ranges, you need to retrofit it into allowed list setting, instead. You can calculate allowed list, based on what you want to disallow, using something like Wireguard AllowedIPs calculator tool. If you disallow local IPs and `’ you will end up with something like:

AllowedIPs =,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,, ::/0

Wireguard Configuration

P.S. Despite many years in Internet technologies, my brain still cannot deal with CIDR syntax, without too much effort, so if I know a range and need CIDR, I use: ARIN’s awesome CIDR calculator. In case you were wondering, and would also like to use it…