WireGuard MullvadVPN Road Warrior Setup

Introduction

MullvadVPN is a cloud-based VPN provider, offering secure tunneling in respect to privacy. To set up a WireGuard VPN to MullvadVPN we assume you are familiar with the concepts of WireGuard you that you have read the basic howto WireGuard Road Warrior Setup.

Step 1 - Setup WireGuard Instance

Go to tab Instances and create a new instance. Give it a Name and set a desired Listen Port. If you have more than one server instance be aware that you can use the Listen Port only once. In the field Tunnel Address insert an unsused private IP address and subnet mask. We don’t need it in the first step, but as it is required we can’t go on without it. Every other field can be left blank.

Hit Save and open your instance again to write down your public key. You need it to get the rest of the configuration from the Mullvad API servers.

Now change to your OPNsense CLI via SSH or Console and execute either of the curl strings below. Please replace YOURACCOUNTNUMBER with your own ID you got from MullvadVPN and YOURPUBLICKEY with the one in your Instances

The command below is for Mullvad’s standard API. DNS requests through a tunnel that uses tunnel IPs generated via this API are “hijacked”, so that Mullvad’s DNS servers are used to avoid leaks:

curl -sSL https://api.mullvad.net/wg/ -d account=YOURACCOUNTNUMBER --data-urlencode pubkey=YOURPUBLICKEY

The alternative command below is for Mullvad’s other API. DNS requests through the tunnel are not hijacked when using tunnel IPs generated via this API:

curl -sSL https://api.mullvad.net/app/v1/wireguard-keys -H "Content-Type: application/json" -H "Authorization: Token YOURACCOUNTNUMBER" -d '{"pubkey":"YOURPUBLICKEY"}'

What you receive is what WireGuard calls Allowed IP for your WireGuard Instance. Edit your instance again and remove the value of Tunnel Address you used when setting it up and change it to the one you got.

On Peers tab create a new Peer, give it a Name, set 0.0.0.0/0 in Allowed IPs.

Now go to the WireGuard server list and choose the one you like to use as your breakout. Write down it’s public key and set it as Public Key.

Also do not forget Endpoint Address and Endpoint Port. The Endpoint Port is 51820. The Endpoint Address will depend on which Mullvad server you wish to use. For example, if you want to use the “nl1-wireguard” server, the Endpoint Address will be nl1-wireguard.mullvad.net.

Go back to tab Instances, open the instance and choose the newly created peer in Peers.

Now we can Enable the VPN in tab General and continue with the setup.

Step 2 - Assignments and Routing

To let you internal clients go through the tunnel you have to add a NAT entry. Go to Firewall ‣ NAT ‣ Outbound and add a rule. Check that rule generation is set to manual or hybrid. Add a rule and select Wireguard as Interface. Source should be your LAN network and set Translation / target to interface address.

When assigning interfaces we can also add gateways to them. This would offer you the chance to balance traffic via different VPN providers or do more complex routing scenarios.

See the how-to on selective routing for further information WireGuard Selective Routing to External VPN Endpoint