
How to Configure Mullvad VPN on OPNsense Using WireGuard

By Sam Sheridan - 14th January, 2026

In this guide, we’ll walk through how to connect Mullvad VPN to OPNsense using WireGuard, then route only specific devices through the VPN using policy-based routing. This setup is ideal if you want certain hosts to use the VPN while the rest of your network uses your normal WAN connection.

This tutorial was created in response to a viewer request and is not sponsored by Mullvad.


What We’re Going to Do

We’ll complete the following steps:

  1. Create a WireGuard instance in OPNsense
  2. Import the key into Mullvad and generate a config
  3. Configure the WireGuard peer
  4. Assign a VPN interface
  5. Create a Mullvad gateway
  6. Configure outbound NAT (hybrid mode)
  7. Create host aliases for VPN routing
  8. Apply firewall rules for policy-based routing
  9. Add a WAN kill switch for VPN hosts
  10. Test connectivity and fail-safe behavior


Step 1 — Create the WireGuard Instance in OPNsense

Go to: VPN → WireGuard → Instances

Click Add (+) and configure:

  • Name: Mullvad
  • Generate Key Pair: Click the key icon to generate public/private keys
  • Copy the private key

Now log into your Mullvad account:

  • Go to WireGuard configuration
  • Choose Import key
  • Paste the private key from OPNsense
  • Select:

    • Country
    • City
    • Server

Save and download the configuration.

Back in OPNsense, continue configuring the instance:

  • Listen Port: 51820 (or change if needed)
  • Tunnel Address: Copy from Mullvad config
  • Disable Routes: ✅ Enabled (important — we will control routing manually)

Save and apply.


Step 2 — Configure the WireGuard Peer

Go to: VPN → WireGuard → Peers

Click Add (+) and configure:

  • Name: Mullvad
  • Public Key: From Mullvad config
  • Allowed IPs: 0.0.0.0/0
  • Endpoint Address: From Mullvad config
  • Endpoint Port: Usually 51820
  • Instance: Select your Mullvad instance
  • Keep Alive: Optional (e.g., 60 seconds)

Save and apply.

Verify Connection

Go to VPN → WireGuard → Status:

  • Status should be green
  • Handshake age should show seconds, not “never”
  • Data should show bytes sent/received

If not, the tunnel is not working yet.


Step 3 — Assign the WireGuard Interface

Go to: Interfaces → Assignments

Add the WireGuard interface and name it:

  • Mullvad VPN

Click save, then click the new interface:

  • Enable Interface: ✅ Enabled
  • Leave other options default
  • Save and apply


Step 4 — Create the Mullvad Gateway

Go to: System → Gateways → Configuration

Click Add:

  • Name: Mullvad_Gateway
  • Interface: Mullvad VPN
  • Gateway IP: Use DNS server IP from Mullvad config

Save and apply.
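
Steps 1, 2 and 4 each copy a value out of the downloaded Mullvad config. The following is an added example, not part of the original guide: it parses a WireGuard config and returns the values under the OPNsense field labels used above, without echoing the private key. The sample config, its placeholder keys and its addresses are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed sample in the layout of a downloaded WireGuard config; keys are placeholders.
SAMPLE_CONF = """\
[Interface]
PrivateKey = CONSTRUCTED-PRIVATE-KEY-PLACEHOLDER=
Address = 10.64.0.2/32,fc00:bbbb:bbbb:bb01::1:2/128
DNS = 10.64.0.1

[Peer]
PublicKey = CONSTRUCTED-PUBLIC-KEY-PLACEHOLDER=
AllowedIPs = 0.0.0.0/0,::0/0
Endpoint = 203.0.113.10:51820
"""

def opnsense_fields(conf_text):
    """Map a WireGuard config to the OPNsense fields named in Steps 1, 2 and 4."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str                      # WireGuard keys are case-sensitive
    cp.read_string(conf_text)
    iface, peer = cp["Interface"], cp["Peer"]

    tunnel = [a.strip() for a in iface["Address"].split(",")]
    for addr in tunnel:
        ipaddress.ip_interface(addr)          # raises ValueError on a mangled paste

    # Endpoint is host:port; an IPv6 host is written in [brackets].
    host, _, port = peer["Endpoint"].strip().rpartition(":")
    dns_v4 = [d.strip() for d in iface["DNS"].split(",")
              if ipaddress.ip_address(d.strip()).version == 4]

    # PrivateKey is deliberately left out: it is already in the OPNsense instance.
    return {
        "Tunnel Address": tunnel,
        "Public Key": peer["PublicKey"].strip(),
        "Endpoint Address": host.strip("[]"),
        "Endpoint Port": int(port),
        "Gateway IP": dns_v4[0],              # Step 4 uses the DNS server IP
    }

if __name__ == "__main__":
    for field, value in opnsense_fields(SAMPLE_CONF).items():
        print(f"{field}: {value}")
```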


Step 5 — Set Outbound NAT to Hybrid Mode

Go to: Firewall → NAT → Outbound

Change mode to:

  • Hybrid Outbound NAT

Apply changes.

This allows us to add manual NAT rules while keeping automatic rules.


Step 6 — Create Host Alias for VPN Devices

Go to: Firewall → Aliases

Add new alias:

  • Name: Mullvad_Hosts
  • Type: Host(s)
  • Content: Add IPs of devices that should use VPN

    • Example: 192.168.168.100

Save.

You can add multiple hosts later as needed.


Step 7 — Create Outbound NAT Rule for Mullvad Hosts

Go to: Firewall → NAT → Outbound

Add rule:

  • Interface: Mullvad VPN
  • Protocol: Any
  • Source: Mullvad_Hosts (alias)
  • Translation Target: Interface Address
  • Description: Hosts to go out via Mullvad

Save and apply.

This ensures only selected hosts are NAT’d through the VPN.


Step 8 — Policy-Based Routing Rule (Floating Rule)

Go to: Firewall → Rules → Floating

Add rule:

  • Action: Pass
  • Interfaces: (leave unselected to apply globally)
  • Direction: In
  • Protocol: IPv4
  • Source: Mullvad_Hosts
  • Gateway: Mullvad_Gateway
  • Description: Route Mullvad hosts via Mullvad gateway

Save and apply.

This forces selected devices to use the VPN gateway.


Step 9 — WAN Kill Switch for VPN Hosts

To ensure no traffic leaks if VPN drops:

Go to: Firewall → Rules → WAN

Add rule at the top:

  • Action: Block
  • Direction: Out
  • Source: Mullvad_Hosts
  • Description: Block Mullvad hosts from using WAN

Save and apply.

Now if the VPN tunnel goes down, those devices lose internet instead of leaking traffic via WAN.


Step 10 — Testing the Setup

Verify VPN Usage

From a VPN-routed host:

  • Check IP address location
  • Confirm:

    • No DNS leaks
    • No WebRTC leaks

Test Kill Switch

Disable WireGuard temporarily:

  • VPN → WireGuard → Instances → Disable

Internet access for Mullvad hosts should immediately stop.

Re-enable WireGuard and verify traffic resumes.
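
The kill-switch test above can be recorded rather than judged by eye. This added example (not part of the original guide) is meant to run on a host in Mullvad_Hosts while you disable and re-enable the instance: it samples Mullvad's connection-check endpoint and flags any sample that reached the internet without a Mullvad exit IP. The sampling interval, the verdict names and the addresses in the test data are assumptions made for illustration.

```python
import json
import time
import urllib.request

CHECK_URL = "https://am.i.mullvad.net/json"   # Mullvad's connection-check service

def probe(timeout=5):
    """Take one sample from this host: (reachable, via_mullvad, exit_ip)."""
    try:
        with urllib.request.urlopen(CHECK_URL, timeout=timeout) as resp:
            info = json.load(resp)
    except (OSError, ValueError):
        # Timeout, DNS failure or refused connection: the expected state
        # for a Mullvad host while the tunnel is down.
        return (False, False, None)
    return (True, bool(info.get("mullvad_exit_ip")), info.get("ip"))

def verdict(samples):
    """Classify samples taken before, during and after the tunnel outage."""
    leaks = sorted({ip or "unknown" for reachable, via_mullvad, ip in samples
                    if reachable and not via_mullvad})
    if leaks:
        return ("LEAK", leaks)                 # traffic left via a non-Mullvad path
    reachable = [r for r, _, _ in samples]
    if not any(reachable):
        return ("NO_CONNECTIVITY", [])         # tunnel never came up
    if all(reachable):
        return ("TUNNEL_NEVER_DROPPED", [])    # outage was not captured
    return ("KILL_SWITCH_OK", [])              # only Mullvad exits, with a gap

if __name__ == "__main__":
    samples = []
    for _ in range(12):                        # about one minute of sampling
        samples.append(probe())
        print(samples[-1])
        time.sleep(5)
    print(verdict(samples))
```

This covers HTTPS reachability only; the DNS and WebRTC leak checks listed under Verify VPN Usage still need to be done separately.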


Final Thoughts

This setup allows you to selectively route traffic through Mullvad VPN while keeping the rest of your network on your normal WAN connection — ideal for servers, test machines, or privacy-sensitive devices.

This guide was created in response to a community request. If you’d like to see more firewall and networking tutorials, consider subscribing to the channel and enabling notifications for future videos.

 
