this post was submitted on 27 Sep 2025
68 points (98.6% liked)

Selfhosted


I set up Wireguard on my phone, server, and computer to let my phone access my home network when I'm outside of it.

It works for the most part, but the inconvenient thing is that on Android you can only have 1 VPN running at a time. I want to use Mullvad VPN for the rest of my network connections for privacy.

I could make a single WireGuard config that defines 2 peers to connect to Mullvad and my home VPN at the same time, but by doing this, I lock myself to a single server without the benefits of being able to swap servers at the same time.

Locking myself to a single Mullvad server results in:

  • less privacy, since my IP is more static
  • inability to switch to bypass a VPN block

On desktop, I can have multiple wireguard VPNs at once, but if I have both running at the same time, then my LAN is accessed over the home VPN which is routed through Mullvad VPN. It goes

Computer -> Mullvad server -> Home VPN -> Home server

which is pretty wasteful.

Additionally, I'd prefer not to do something like: Phone -> Home VPN -> Mullvad server -> destination, as my upload speed is pretty bad and this would throttle every non-local connection.

What options do I have?

top 25 comments
[–] tal@olio.cafe 1 points 5 hours ago* (last edited 5 hours ago)

Mullvad apparently uses WireGuard. Is there an Android WireGuard client that supports multiple VPNs and toggling each independently?

[–] rumba@lemmy.zip 3 points 11 hours ago

Privoxy on your always on VPN.

Tailscale home, proxy out VPN.

[–] acid_falcon@lemmy.world 3 points 14 hours ago

Check out RethinkDNS. It lets you set up multiple WireGuard tunnels, and assign what apps are affected by what tunnel.

[–] masterofn001@lemmy.ca 2 points 15 hours ago* (last edited 15 hours ago)

You would maybe need to configure separate virtual interfaces for each VPN. And do some routing or a local redirecting proxy (tinyproxy is easy) to ensure things go where you want.

On Android there are things that allow you to send traffic to different VPNs or proxies by setting listening ports. Something like sagernet or proxychainNG or nekobox.

[–] ohshit604@sh.itjust.works 2 points 16 hours ago* (last edited 16 hours ago)

I’m a bit confused on this comment here:

Additionally, I'd prefer not to do something like: Computer -> Home VPN -> Mullvad server -> destination, as my upload speed is pretty bad and this would throttle every non-local connection

Because you also mention this:

Computer -> Mullvad server -> Home VPN -> Home server

Which would be the same thing, no? You’re just making a connection to the Mullvad server first then your home network?


I’ll share my experience but it looks like it’s not the solution you’re looking for. I opted to use my Asus WRT Router w/ Merlin Firmware to host my VPN server. The Merlin Firmware lets me connect to 5 different VPN clients at a time, in my case 4 different Proton clients and a buddy's server. I use the “VPN Director” feature to route my VPN Server through one of the 5 different clients, effectively creating the multi-hop.

I personally haven’t noticed much degradation in regard to connection speeds but at the same time I don’t constantly hop VPN clients or have the same internet speeds as you, I typically stick with the server closest to me.

Edit: To help visualize what I mean:

[–] Vanilla_PuddinFudge@infosec.pub 8 points 23 hours ago* (last edited 23 hours ago) (2 children)

"WG Tunnel" on F-Droid lets you define a config/native for either mobile or wifi, whichever you want.

Two configs on both? It does that. A config on one and nothing on the other? It does that. It swaps whenever your phone moves from mobile to wifi or vice versa.

If neither is selected, it considers it "both".

[–] Xylight@lemdro.id 4 points 23 hours ago (1 children)

If it turns on with mobile data automatically, that turns off my Mullvad VPN.

[–] Vanilla_PuddinFudge@infosec.pub 2 points 16 hours ago* (last edited 16 hours ago)

The tailscale method, bake it yourself. It's all routing-based.

If you have a remote VPS and a home wireguard server and both are connected, then you have a remote connection outside of your home network. Make it a transit router. Then you'll have your mesh and your VPN all in one, even if it's still just all you.

Go a step further and connect mullvad to the vps and do a little routing work.

As for what routing work specifically, I couldn't begin to tell you. AI and some search-engine-fu might be necessary.

Here's a (similar) example, even if he's doing it backwards to my suggestion:

https://superuser.com/questions/1776851/routing-wireguard-peers-traffic-via-another-peer

[–] non_burglar@lemmy.world 1 points 18 hours ago

I use WG tunnel, but the "turn on under X condition" doesn't work for me.

[–] artiman@piefed.social 4 points 20 hours ago (1 children)

Tailscale has a Mullvad add-on, but it's a paid add-on; you can self-host Tailscale with Headscale.

[–] Xylight@lemdro.id 1 points 14 hours ago (1 children)

I tried self-hosting Tailscale with Headscale, but you cannot have a WireGuard-only exit node with Headscale--and so I can't have Mullvad as my exit node.

[–] Wispy2891@lemmy.world 1 points 10 hours ago

Don't need to self-host Headscale; the Mullvad add-on has the exact same price as Mullvad standalone, so just stop paying Mullvad and pay it via Tailscale, choosing the servers via exit nodes. This is the solution you want. Access to your local network + choosing any Mullvad server as exit node.

[–] AbsolutelyNotAVelociraptor@sh.itjust.works 3 points 22 hours ago (1 children)

Why don't you just use Shelter to create a work profile on your phone? The work profile can have a second VPN connection. I do this with my home server. The apps that connect to the home server are installed in the work profile so they have permanent access to the home server while the normal profile is on my external VPN.

[–] acid_falcon@lemmy.world 1 points 21 hours ago (2 children)

This is so close to what I need. Unfortunately I have a self-hosted Bitwarden, and when the app is installed it doesn't auto-fill passwords in apps in the other account.

Okay so... what about using tailscale? You set as exit node your server, which is configured with gluetun to connect to a VPN (or ideally, it's online through a router that has itself a VPN for all the connections). Then you connect through tailscale to your homeserver and exit the internet through it (which is already under a VPN).

[–] AtariDump@lemmy.world -4 points 17 hours ago (2 children)

Why not just pay for Bitwarden?

[–] acid_falcon@lemmy.world 4 points 14 hours ago (1 children)

Uh. You know you're responding in a self hosting community right? Should I explain why we're all here?

[–] AtariDump@lemmy.world -1 points 13 hours ago (1 children)

I do, and the point still stands. If this is something vital to you, why not let someone else be responsible for security/hosting/issues/etc.

[–] acid_falcon@lemmy.world 1 points 13 hours ago (1 children)

Alright, I'll entertain this a little. Besides the one issue that I just brought up, there are no other issues. I host a dozen other things, and the VM I have it on is sandboxed besides the wireguard tunnel, so security isn't a problem.

The better question, is why not self host?

[–] AtariDump@lemmy.world 0 points 4 hours ago (1 children)

Because something that’s critical to my environment (passwords) should be hosted by a company that can provide updates, patching, and remote access more securely than I can.

Everyone thinks that they can self host critical infrastructure better than a paid service, and that may be true for a while. But life has a way of interrupting the best laid plans. Suddenly, one day, you’re several versions out of date and a different vulnerability is used to get in your network. Now you’re like that LastPass employee that was compromised via an out of date plex server.

I have the space and the know-how to host my own Bitwarden/Vaultwarden. But I don’t. Because that’s critical infrastructure and I’ll gladly pay for someone else to host it / patch it / etc.

[–] acid_falcon@lemmy.world 2 points 3 hours ago

I kinda get what you're saying, but it's not like I'm writing the password manager myself. The updates are automatic, and when it's not updating, the VM it's hosted on has network restricted to everything but WireGuard and for the Bitwarden service. For me to get hacked, there would have to be zero-day exploits for my hypervisor, WireGuard, and Bitwarden all on the same day.

I understand what you're getting at, but it's not a publicly hosted service. It's literally just for myself.

[–] Wispy2891@lemmy.world 0 points 10 hours ago

Even if using their servers, it still can't access apps inside a work profile.

[–] portnull@lemmy.dbzer0.com 1 points 21 hours ago

I have something like this with Tailscale. My homeserver has a Tailscale docker as well as a docker Tailscale. The docker Tailscale advertises itself as an exit node. The Tailscale docker is gluetunned to an external WireGuard server (your Mullvad for example). Now I can connect to my home net with Tailscale and toggle the exit node on and off. By adding a different Tailscale container with a different WireGuard exit you could just toggle the exit node like that.

Seeing as you are using Mullvad you could also just pay the monthly sub to Tailscale and they connect your tailnet directly to Mullvad.

[–] kyle@europe.pub 1 points 21 hours ago

I’m pretty sure Tailscale would be a perfect solution here.

[–] LodeMike@lemmy.today 1 points 22 hours ago

You could use the Mullvad-given configuration and then also make a peer to your home network, but you're given a specific LAN IP address from Mullvad.
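
The single-config, two-peer setup mentioned in the original post and in the last comment relies on WireGuard sending each packet to the peer whose AllowedIPs entry is the most specific match. The sketch below is an added example, not part of the thread: the config, keys, endpoints and subnets are constructed placeholders, and parse_peers / select_peer are hypothetical helper names.

```python
import ipaddress

# Constructed sample config: every key, endpoint, address and subnet is a placeholder.
SAMPLE_CONF = """\
[Interface]
PrivateKey = <mullvad-issued-private-key>
Address = 10.64.0.2/32

[Peer]
PublicKey = <mullvad-server-public-key>
Endpoint = mullvad.example:51820
AllowedIPs = 0.0.0.0/0

[Peer]
PublicKey = <home-server-public-key>
Endpoint = home.example:51820
AllowedIPs = 192.168.1.0/24, 10.8.0.0/24
"""

def parse_peers(conf):
    """Return [(endpoint, [networks])] for every [Peer] section."""
    peers, current = [], None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key.lower()] = value
    return [(p["endpoint"], [ipaddress.ip_network(n.strip())
                             for n in p["allowedips"].split(",")])
            for p in peers]

def select_peer(peers, destination):
    """Pick the peer whose AllowedIPs entry is the longest matching prefix."""
    dest = ipaddress.ip_address(destination)
    best = None
    for endpoint, networks in peers:
        for net in networks:
            if net.version == dest.version and dest in net:
                if best is None or net.prefixlen > best[1]:
                    best = (endpoint, net.prefixlen)
    return best[0] if best else None   # None: no peer covers this destination

PEERS = parse_peers(SAMPLE_CONF)
for dst in ("192.168.1.10", "1.1.1.1", "2001:db8::1"):
    print(dst, "->", select_peer(PEERS, dst))
```

The IPv6 destination matches no peer because the sample config lists only IPv4 ranges, so that traffic would not be covered by either tunnel; the home server also has to accept the Mullvad-assigned interface address for the home peer to work.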