Using pfSense with Mullvad
Setting up pfSense to connect to Mullvad, in this guide we will connect to the Swedish servers.
When there is an apply icon always click it in this guide so that you reload the new settings.
Keep in mind that this guide is written for pfSense 2.4 or later.
Get your ca.crt
- In a browser open our website: www.mullvad.net
- Click on Download Client.
- Click on iOS, Android and other platforms.
- Select Linux under Platform by using the drop-down menu.
- Enter your account number.
- Select a region.
- Click on Download and save it to your computer.
- Extract the file.
Add the Ca.crt to the Certificate Manager.
- Log in to your PfSense device click on "System" -> "Cert manager" -> "CAs" and then click on "+Add"
- Edit the descriptive name and name it Mullvad CA .
- Paste the second certificate found in mullvad_ca.crt that was extracted earlier into the "Certificate data" field.
- Click on Save.
Add a VPN connection
This example will make use of se.mullvad.net, you can of course replace se.mullvad.net with any other country / region or even server that you wish to use. For a list of available servers visit our VPN serverlist
Click on VPN -> OpenVPN -> Clients and then click on +Add
- Set Server Mode to: Peer to Peer (SSL/TLS)
- Set Protocol to: UDP
- Set Device mode to: tun Layer 3 Tunnel Mode
- Set Interface to: WAN
- Set Server host to: se.mullvad.net
- Set Server port to: 1301
- Set Description to: Mullvad Sweden
- Set your mullvad account number as Username under User Authentication Settings
- set M as Password under User Authentication Settings
- Set TLS Configuration to: Unchecked
- Set Peer: Certificate Authority to: Mullvad CA
- Set Client Certificate to: None (Username or Password required)
- Set Encryption Algorithm to: AES-256-CBC
- Set Enable Negotiate Cryptographic Parameters to: Checked
- Set Auth digest Algorithm to: SHA1
- Set Compression to: LZO Compression [Legacy style, comp-lzo yes]
- Set UDP Fast I/O to : checked
- Set Send/Recieve buffer to 512KiB
- Click on Save .
Add an Interface
- Click on Interfaces -> Interface assignments
- Use the Drop-down menu for the Available network ports: and select ovpnc* (Mullvad - Sweden) and then click on +Add
- Click on the New interface name, it is usually named OPT1 or OPT2.
- Set Enable: Enable Interface to be checked
- Click on Save.
Add NAT rules
- Click on Firewall -> NAT -> Outbound and then select Mode: "Manual Outbound NAT rule Generation (AON) and then click on Save.
- Copy the entry that contains your local IP address (The one that does not contain port 500 nor 127.0.0.0 , In this example 172.17.1.0/24 is used, for you this will most like differ and will probably be 192.168.1.0/24) by clicking on the Copy icon found under Actions to the right of the NAT entry (Add a new mapping based on this one)
- Click on the Pen icon (Edit mapping) and change so that interface is the mullvad one and write a description.
- Make sure that both Disabled and do not NAT are unchecked
- Delete the other rules that contain your local IP that exists via WAN , (keep the 127.0.0.0) This will ensure that you can not reach the internet if the VPN tunnel is down from your clients behind the pfSense router.
- Click on Save.
- Click on Services
- Click on DHCP server
- Set DNS server 1 to: 18.104.22.168
- Set DNS server 2 to: 10.8.0.1
- Click on Save
After you have completed these steps, click on VPN -> OpenVPN -> Related status icon and then click on the Restart openvpn Service found under Service to reload it all. Then on your client computers, go to https://ifconfig.co to see that they are working as intended.
Test your IP address
Use https://am.i.mullvad.net/ to see which IP adress you are using. It should be one of Mullvad's and not your own.
Q: I am running an older version of pfSense (2.3.x) and some things are not available or renamed, where do I configure them?
- TLS authentication is now called TLS Configuration
- UDP Fast I/O is not available as a checkbox icon pfSense 2.3.x
- Send / Receive Buffers dropdown menu is not available on pfSense 2.3.x