[HOW-TO] Mullvad VPN using WireGuard on OPNsense πŸ‘οΈβ€πŸ—¨οΈ

I am new to OPNsense, and got totally stuck on this. There wasn't a lot of information online about this, so after I'd (finally) got it working, I wrote this step-by-step guide

1. Install WireGuard

Navigate to System --> Firmware --> Plug-ins, and select and install 'os-wireguard'.
Now you can refresh the page, and go to, go to VPN --> Wireguard

2. Create a Local Instance

Under VPN --> WireGuard --> Local, create a new instance which looks like this:

  • Name: Mullvad
  • Public Key: (Automatically Generated)
  • Private Key: (Automatically Generated)
  • Listen Port: 51820 (must be unique)
  • DNS Server: (this is Mullvad's privacy DNS service. If you are using a different VPN, use their DNS here instead)
  • Tunnel Address: Leave blank for now, we'll come back to this

Hit save

3. Get Your Account Tunnel IP

Once your local config is saved, click edit, and a private and public key should have been automatically generated. Make note of the public key.

SSH into your box, and run the following command, where account number is your 16-digit Mullvad key (without dashes), and public key is from your newly created local instance.

curl -sSL https://api.mullvad.net/wg/ -d account=[mullvad-account-number] --data-urlencode pubkey=[mullvad-public-key]

This will give you an output with 2 IP addresses, like: 00.xx.xxx.xx/xx,fc00:bbbb:bbbb:bb00::0:0x00/128$

It's linked to your account, so keep it safe.

4. Add Tunnel Address to Local Instance

Go back to your Local Instance, and under Tunnel Address, add both the IPs returned from the above curl command

5. Choose a Mullvad Server

Navigate to https://mullvad.net/en/servers/ and select a WireGuard server that meets your requirements. Make note of it's name/ proxy address, public key and port.

6. Create an Endpoint

Under VPN --> WireGuard --> Endpoints, and create a new instance, with the following data:

  • Name: MullvadInstance
  • Enabled: true
  • Public Key: (public key from your chosen Mullvad instance)
  • Shared Secret: [blank]
  • Allowed IPs:
  • Endpoint Port: (multihop port from your chosen Mullvad instance)
  • Keepalive: 20

Your Endpoint should look something like this:
Endpoint Instance

7. Assign Endpoint to Local Instance

Navigate back to VPN --> WireGuard --> Local, and click edit for your instance. Under Peers, select the name of your newly created endpoint

Your Local Instance should now look like this:
Local Instance

8. Add Outbound Rule

Under Firewall --> NAT --> Outbound, switch the Rule Generation mode to Hybrid (from automatic).

Next, create a new manual rule, with the following details:

  • Interface: WireGuard
  • Source Address: LAN net
  • Translation / Target: Interface address

And all other fields can be left as default

Firewall NAT Outbound Rule

9. Enable VPN

Finally, go back to VPN --> WireGuard --> General - and hit Enable WireGuard VPN - Done!

Under VPN --> WireGuard --> List Configuration, you should now see the connection details

10. Test

To test your connection to Mullvad, navigate to https://mullvad.net/en/check/
Here you can also confirm that your IP is not blacklisted, and that there are no DNS or WebRTC leaks.

Mullvad Check

Mullvad also has a simple API, that you can call to, and confirm your connection. This is useful for automation.

$ curl https://am.i.mullvad.net/connected
$ curl https://am.i.mullvad.net/json

If you haven't yet configured automated backups, don't forget to export your working config, under System --> Configuration --> Backups

Primary sources I used:

Thanks to the users over at the OPNsense forum, who were also a big help.

You'll only receive email when Alicia's Notes πŸš€ publishes a new post

More fromΒ Alicia's Notes πŸš€