October 4, 2020•864 words
I am new to OPNsense, and got totally stuck on this. There wasn't a lot of information online about this, so after I'd (finally) got it working, I wrote this step-by-step guide
1. Install WireGuard
Navigate to System --> Firmware --> Plug-ins, and select and install 'os-wireguard'.
Now you can refresh the page, and go to, go to VPN --> Wireguard
2. Create a Local Instance
Under VPN --> WireGuard --> Local, create a new instance which looks like this:
- Name: Mullvad
- Public Key: (Automatically Generated)
- Private Key: (Automatically Generated)
- Listen Port: 51820 (must be unique)
- DNS Server: 220.127.116.11 (this is Mullvad's privacy DNS service. If you are using a different VPN, use their DNS here instead)
- Tunnel Address: Leave blank for now, we'll come back to this
3. Get Your Account Tunnel IP
Once your local config is saved, click edit, and a private and public key should have been automatically generated. Make note of the public key.
SSH into your box, and run the following command, where account number is your 16-digit Mullvad key (without dashes), and public key is from your newly created local instance.
curl -sSL https://api.mullvad.net/wg/ -d account=[mullvad-account-number] --data-urlencode pubkey=[mullvad-public-key]
This will give you an output with 2 IP addresses, like:
It's linked to your account, so keep it safe.
4. Add Tunnel Address to Local Instance
Go back to your Local Instance, and under Tunnel Address, add both the IPs returned from the above curl command
5. Choose a Mullvad Server
Navigate to https://mullvad.net/en/servers/ and select a WireGuard server that meets your requirements. Make note of it's name/ proxy address, public key and port.
6. Create an Endpoint
Under VPN --> WireGuard --> Endpoints, and create a new instance, with the following data:
- Name: MullvadInstance
- Enabled: true
- Public Key: (public key from your chosen Mullvad instance)
- Shared Secret: [blank]
- Allowed IPs: 0.0.0.0/0
- Endpoint Port: (multihop port from your chosen Mullvad instance)
- Keepalive: 20
Your Endpoint should look something like this:
7. Assign Endpoint to Local Instance
Navigate back to VPN --> WireGuard --> Local, and click edit for your instance. Under Peers, select the name of your newly created endpoint
Your Local Instance should now look like this:
8. Add Outbound Rule
Under Firewall --> NAT --> Outbound, switch the Rule Generation mode to Hybrid (from automatic).
Next, create a new manual rule, with the following details:
- Interface: WireGuard
- Source Address: LAN net
- Translation / Target: Interface address
And all other fields can be left as default
9. Enable VPN
Finally, go back to VPN --> WireGuard --> General - and hit Enable WireGuard VPN - Done!
Under VPN --> WireGuard --> List Configuration, you should now see the connection details
To test your connection to Mullvad, navigate to https://mullvad.net/en/check/
Here you can also confirm that your IP is not blacklisted, and that there are no DNS or WebRTC leaks.
Mullvad also has a simple API, that you can call to, and confirm your connection. This is useful for automation.
$ curl https://am.i.mullvad.net/connected
$ curl https://am.i.mullvad.net/json
Now that everything's up and working, it's worth noting that if you haven't yet configured automated backups, don't forget to export your working config, under System --> Configuration --> Backups :)
Disabling and re-enabling WireGuard from the General tab does not refresh updated data from the Local or Endpoints tab. For that, you need to disable, re-enable and save changes in these pages accordingly. This is useful to know for if your troubleshooting and unsure why your changes are not taking effect!
Optionally, you can use SOCKS5 on client devices or browsers, for additional protection, and improved performance. It's also possible to use the SOCKS5 proxies to multihop, enabling the client to exit from a server that is different from the one you connected to. Mullvad's WireGuard proxy can be found at 10.64.0.1 port 1080.
- For more detailed info, see the SOCKS5 Proxy Guide on Mullvad's Docs.
If you need to expose a service to the internet from behind Mullvad, then you need to individually assign the ports in your Mullvad account. Log into your Mullvad account, and navigate to mullvad.net/account/ports. From here you'll see a list of your public keys, simply press the "Add New" icon under the Ports section of your desired instance, and specify the port your internal service is running on.
- For more detailed info, see the Port Forwarding Guide on Mullvad's Docs.
Primary sources I used:
- OPNsense Docs WireGuard MullvadVPN Road Warrior Setup
- OPNsense Forum Wireguard & Mullvad - I'm lost.....
- Jonny's Screenshot Guide, via Imgur
- Thomas Krenn's guide to OPNsense WireGuard Configuration
Thanks to the users over at the OPNsense forum, who were also a big help.