[HOW-TO] Mullvad VPN using WireGuard on OPNsense 👁️‍🗨️

I am new to OPNsense, and got totally stuck on this. There wasn't a lot of information online about this, so after I'd (finally) got it working, I wrote this step-by-step guide

1. Install WireGuard

Navigate to System --> Firmware --> Plug-ins, and select and install 'os-wireguard'.
Now you can refresh the page, and go to, go to VPN --> Wireguard

2. Create a Local Instance

Under VPN --> WireGuard --> Local, create a new instance which looks like this:

  • Name: Mullvad
  • Public Key: (Automatically Generated)
  • Private Key: (Automatically Generated)
  • Listen Port: 51820 (must be unique)
  • DNS Server: (this is Mullvad's privacy DNS service. If you are using a different VPN, use their DNS here instead)
  • Tunnel Address: Leave blank for now, we'll come back to this

Hit save

3. Get Your Account Tunnel IP

Once your local config is saved, click edit, and a private and public key should have been automatically generated. Make note of the public key.

SSH into your box, and run the following command, where account number is your 16-digit Mullvad key (without dashes), and public key is from your newly created local instance.

curl -sSL https://api.mullvad.net/wg/ -d account=[mullvad-account-number] --data-urlencode pubkey=[mullvad-public-key]

This will give you an output with 2 IP addresses, like: 00.xx.xxx.xx/xx,fc00:bbbb:bbbb:bb00::0:0x00/128$

It's linked to your account, so keep it safe.

4. Add Tunnel Address to Local Instance

Go back to your Local Instance, and under Tunnel Address, add both the IPs returned from the above curl command

5. Choose a Mullvad Server

Navigate to https://mullvad.net/en/servers/ and select a WireGuard server that meets your requirements. Make note of it's name/ proxy address, public key and port.

6. Create an Endpoint

Under VPN --> WireGuard --> Endpoints, and create a new instance, with the following data:

  • Name: MullvadInstance
  • Enabled: true
  • Public Key: (public key from your chosen Mullvad instance)
  • Shared Secret: [blank]
  • Allowed IPs:
  • Endpoint Port: (multihop port from your chosen Mullvad instance)
  • Keepalive: 20

Your Endpoint should look something like this:
Endpoint Instance

7. Assign Endpoint to Local Instance

Navigate back to VPN --> WireGuard --> Local, and click edit for your instance. Under Peers, select the name of your newly created endpoint

Your Local Instance should now look like this:
Local Instance

8. Add Outbound Rule

Under Firewall --> NAT --> Outbound, switch the Rule Generation mode to Hybrid (from automatic).

Next, create a new manual rule, with the following details:

  • Interface: WireGuard
  • Source Address: LAN net
  • Translation / Target: Interface address

And all other fields can be left as default

Firewall NAT Outbound Rule

9. Enable VPN

Finally, go back to VPN --> WireGuard --> General - and hit Enable WireGuard VPN - Done!

Under VPN --> WireGuard --> List Configuration, you should now see the connection details

10. Test

To test your connection to Mullvad, navigate to https://mullvad.net/en/check/
Here you can also confirm that your IP is not blacklisted, and that there are no DNS or WebRTC leaks.

Mullvad Check

Mullvad also has a simple API, that you can call to, and confirm your connection. This is useful for automation.

$ curl https://am.i.mullvad.net/connected
$ curl https://am.i.mullvad.net/json

Now that everything's up and working, it's worth noting that if you haven't yet configured automated backups, don't forget to export your working config, under System --> Configuration --> Backups :)

Additional Notes

Disabling and re-enabling WireGuard from the General tab does not refresh updated data from the Local or Endpoints tab. For that, you need to disable, re-enable and save changes in these pages accordingly. This is useful to know for if your troubleshooting and unsure why your changes are not taking effect!

SOCKS5 Proxy

Optionally, you can use SOCKS5 on client devices or browsers, for additional protection, and improved performance. It's also possible to use the SOCKS5 proxies to multihop, enabling the client to exit from a server that is different from the one you connected to. Mullvad's WireGuard proxy can be found at port 1080.

Port Forwarding

If you need to expose a service to the internet from behind Mullvad, then you need to individually assign the ports in your Mullvad account. Log into your Mullvad account, and navigate to mullvad.net/account/ports. From here you'll see a list of your public keys, simply press the "Add New" icon under the Ports section of your desired instance, and specify the port your internal service is running on.

Primary sources I used:

Thanks to the users over at the OPNsense forum, who were also a big help.

You'll only receive email when they publish something new.

More from Alicia's Notes 🚀
All posts