I am new to OPNsense, and got totally stuck on this. There wasn't a lot of information online about this, so after I'd (finally) got it working, I wrote this step-by-step guide
1. Install WireGuard
Navigate to System --> Firmware --> Plug-ins, and select and install 'os-wireguard'.
Now you can refresh the page, and go to, go to VPN --> Wireguard
2. Create a Local Instance
Under VPN --> WireGuard --> Local, create a new instance which looks like this:
- Name: Mullvad
- Public Key: (Automatically Generated)
- Private Key: (Automatically Generated)
- Listen Port: 51820 (must be unique)
- DNS Server: 220.127.116.11 (this is Mullvad's privacy DNS service. If you are using a different VPN, use their DNS here instead)
- Tunnel Address: Leave blank for now, we'll come back to this
3. Get Your Account Tunnel IP
Once your local config is saved, click edit, and a private and public key should have been automatically generated. Make note of the public key.
SSH into your box, and run the following command, where account number is your 16-digit Mullvad key (without dashes), and public key is from your newly created local instance.
curl -sSL https://api.mullvad.net/wg/ -d account=[mullvad-account-number] --data-urlencode pubkey=[mullvad-public-key]
This will give you an output with 2 IP addresses, like:
It's linked to your account, so keep it safe.
4. Add Tunnel Address to Local Instance
Go back to your Local Instance, and under Tunnel Address, add both the IPs returned from the above curl command
5. Choose a Mullvad Server
Navigate to https://mullvad.net/en/servers/ and select a WireGuard server that meets your requirements. Make note of it's name/ proxy address, public key and port.
6. Create an Endpoint
Under VPN --> WireGuard --> Endpoints, and create a new instance, with the following data:
- Name: MullvadInstance
- Enabled: true
- Public Key: (public key from your chosen Mullvad instance)
- Shared Secret: [blank]
- Allowed IPs: 0.0.0.0/0
- Endpoint Port: (multihop port from your chosen Mullvad instance)
- Keepalive: 20
Your Endpoint should look something like this:
7. Assign Endpoint to Local Instance
Navigate back to VPN --> WireGuard --> Local, and click edit for your instance. Under Peers, select the name of your newly created endpoint
Your Local Instance should now look like this:
8. Add Outbound Rule
Under Firewall --> NAT --> Outbound, switch the Rule Generation mode to Hybrid (from automatic).
Next, create a new manual rule, with the following details:
- Interface: WireGuard
- Source Address: LAN net
- Translation / Target: Interface address
And all other fields can be left as default
9. Enable VPN
Finally, go back to VPN --> WireGuard --> General - and hit Enable WireGuard VPN - Done!
Under VPN --> WireGuard --> List Configuration, you should now see the connection details
To test your connection to Mullvad, navigate to https://mullvad.net/en/check/
Here you can also confirm that your IP is not blacklisted, and that there are no DNS or WebRTC leaks.
Mullvad also has a simple API, that you can call to, and confirm your connection. This is useful for automation.
$ curl https://am.i.mullvad.net/connected
$ curl https://am.i.mullvad.net/json
If you haven't yet configured automated backups, don't forget to export your working config, under System --> Configuration --> Backups
Primary sources I used:
- OPNsense Docs WireGuard MullvadVPN Road Warrior Setup
- OPNsense Forum Wireguard & Mullvad - I'm lost.....
- Jonny's Screenshot Guide, via Imgur
- Thomas Krenn's guide to OPNsense WireGuard Configuration
Thanks to the users over at the OPNsense forum, who were also a big help.