Using pfSense with Mullvad
Follow these steps to set up and connect pfSense 2.4 or later to Mullvad.
In this guide, we will connect to our Swedish servers.
As you follow this guide, always click on any Apply or Save button as you make changes in order to reload your new settings.
Get your ca.crt
- In a browser, open our website: www.mullvad.net
- Click on Download Client.
- Click on iOS, Android and other platforms.
- Select Linux under Platform by using the drop-down menu.
- Enter your account number.
- Select a region.
- Click on Download and save it to your computer.
- Extract the file.
Add the ca.crt to the Certificate Manager
- Log in to your pfSense device, click on "System" -> "Cert. Manager" -> "CAs" and then click on "+Add".
- Set the Descriptive name to Mullvad CA.
- Set the Method to Import an existing Certificate Authority.
- Paste the certificate data found in the mullvad_ca.crt file you extracted earlier into the "Certificate data" field.
- Click on Save.
Add a VPN connection
This example will make use of se.mullvad.net. You can of course replace this server with any other country, region, or specific server that you wish to use. See our list of available servers.
Click on VPN -> OpenVPN -> Clients and then click on +Add.
- Set Server Mode to: Peer to Peer (SSL/TLS)
- Set Protocol to: UDP on IPv4 only
- Set Device mode to: tun Layer 3 Tunnel Mode
- Set Interface to: WAN
- Set Server host to: se.mullvad.net
- Set Server port to: 1301
- Set Description to: Mullvad Sweden
- Set your Mullvad account number as the Username under User Authentication Settings
- Set M as the Password under User Authentication Settings
- Set TLS Configuration to: Unchecked
- Set Peer: Certificate Authority to: Mullvad CA
- Set Client Certificate to: None (Username or Password required)
- Set Encryption Algorithm to: AES-256-GCM
- Set Enable Negotiate Cryptographic Parameters to: Checked
- Set Auth digest algorithm to: SHA384
- Set Compression to: No LZO Compression [Legacy style, comp-lzo no]
- In the Custom options field, paste: remote-cert-tls server
- Set UDP Fast I/O to: Checked
- Set Send/Receive buffer to: 1.00 MiB
- Click Save.
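The settings above end up in a plain OpenVPN client configuration file that pfSense generates when the client is saved. The script below is an added example, not part of this guide or of pfSense: it parses such a file and reports any security-relevant directive that is missing or weaker than the values above (server-role verification, cipher, HMAC digest, CA, remote endpoint, compression). SAMPLE_CONFIG is constructed to resemble the generated file, and the path /var/etc/openvpn/client1.conf mentioned in the comments is an assumption about where pfSense 2.4.x writes it.

```python
"""Audit an OpenVPN client config for the settings this guide relies on.

Added example, not from the Mullvad guide or from pfSense. pfSense renders
the GUI settings into a plain OpenVPN config file (assumed to be
/var/etc/openvpn/client1.conf on 2.4.x). SAMPLE_CONFIG below is constructed
to resemble that file; run audit_client_config() on the real file's contents.
"""
from typing import Dict, List

SAMPLE_CONFIG = """\
dev tun
persist-tun
persist-key
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA384
client
resolv-retry infinite
remote se.mullvad.net 1301 udp
auth-user-pass /var/etc/openvpn/client1.up
ca /var/etc/openvpn/client1.ca
remote-cert-tls server
fast-io
sndbuf 1048576
rcvbuf 1048576
comp-lzo no
"""


def parse_openvpn(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive to the list of argument lists it appears with.
    Full-line comments (# or ;) and blank lines are skipped."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def audit_client_config(text: str, host: str = "se.mullvad.net",
                        port: str = "1301") -> List[str]:
    """Return a list of findings; an empty list means the file matches the guide."""
    d = parse_openvpn(text)
    findings: List[str] = []

    # Without 'remote-cert-tls server', any certificate issued by the CA (for
    # example another client's) would be accepted as the server's certificate.
    if ["server"] not in d.get("remote-cert-tls", []):
        findings.append("remote-cert-tls server is missing")

    if d.get("cipher", [[]])[0] != ["AES-256-GCM"]:
        findings.append("cipher is not AES-256-GCM")

    if d.get("auth", [[]])[0] != ["SHA384"]:
        findings.append("auth digest is not SHA384")

    if "ca" not in d:
        findings.append("no ca directive: the server certificate cannot be verified")

    # The protocol may be the remote line's third argument or a separate proto line.
    proto_line = d.get("proto", [["udp"]])[0]
    default_proto = proto_line[0] if proto_line else "udp"
    remote_ok = False
    for r in d.get("remote", []):
        r_proto = r[2] if len(r) > 2 else default_proto
        if r[:2] == [host, port] and r_proto.startswith("udp"):
            remote_ok = True
    if not remote_ok:
        findings.append(f"no remote {host} {port} over UDP")

    # The guide disables compression: 'comp-lzo no' is the only acceptable form,
    # and any 'compress' directive re-enables it.
    if any(args != ["no"] for args in d.get("comp-lzo", [])) or "compress" in d:
        findings.append("compression is enabled")

    return findings


if __name__ == "__main__":
    print(audit_client_config(SAMPLE_CONFIG) or "config matches the guide")
```

Feed the script the contents of the generated file (or a config exported from another router) to confirm the GUI settings were applied as intended; each finding names the directive to go back and fix.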
Add an Interface
- Click on Interfaces -> Assignments
- Use the drop-down menu under Available network ports, select ovpnc* and then click on +Add.
- Click on the new interface name; it is usually named OPT1 or OPT2.
- Check Enable Interface.
- Click on Save.
Add NAT rules
- Click on Firewall -> NAT -> Outbound, select Mode: "Manual Outbound NAT rule Generation (AON)" and then click on Save.
- Copy the entry that contains your local IP address (the one that contains neither port 500 nor 127.0.0.0; in this example 172.17.1.0/24 is used, but for you this will most likely differ and will probably be 192.168.1.0/24) by clicking on the Copy icon found under Actions to the right of the NAT entry (Add a new mapping based on this one).
- Click on the Pen icon (Edit mapping), change the Interface to the Mullvad one and write a description.
- Make sure that both Disabled and Do not NAT are unchecked.
- Delete the other rules that contain your local IP address via WAN (keep the 127.0.0.0 ones). This ensures that clients behind the pfSense router cannot reach the internet if the VPN tunnel is down.
- Click on Save.
- Click on Services -> DHCP Server.
- Set DNS server 1 to: 18.104.22.168
- Set DNS server 2 to: 10.8.0.1
- Click on Save
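The NAT and DHCP steps above are what turn the tunnel into a kill switch: with no outbound NAT rule from the LAN subnet via WAN, LAN traffic has nowhere to go when the tunnel is down, and the DHCP DNS settings keep name resolution off the ISP's resolvers. The script below is an added example, not part of this guide or of pfSense: it audits a pfSense configuration backup (Diagnostics -> Backup & Restore exports config.xml) for exactly that layout and can apply the deletion step itself. The XML element names used (nat/outbound/rule with source/network, interface, descr and optional disabled/nonat markers; dhcpd/lan/dnsserver) follow what pfSense 2.4 writes but are an assumption, and SAMPLE_CONFIG_XML is constructed to show the state after the LAN rule has been copied onto the VPN interface but before the WAN copies have been deleted.

```python
"""Audit a pfSense config.xml for the kill-switch NAT layout and DHCP DNS
settings from this guide.

Added example, not part of the Mullvad guide or of pfSense. The XML layout is
an assumption based on pfSense 2.4; SAMPLE_CONFIG_XML is constructed.
"""
import xml.etree.ElementTree as ET
from typing import List

LAN_NET = "172.17.1.0/24"                     # the guide's example LAN subnet
VPN_IFACE = "opt1"                            # interface assigned to ovpnc* above
EXPECTED_DNS = ["18.104.22.168", "10.8.0.1"]  # DNS servers from the DHCP step

SAMPLE_CONFIG_XML = """<?xml version="1.0"?>
<pfsense>
  <nat>
    <outbound>
      <mode>advanced</mode>
      <rule>
        <source><network>172.17.1.0/24</network></source>
        <sourceport>500</sourceport>
        <descr><![CDATA[Auto created rule for ISAKMP - LAN to WAN]]></descr>
        <interface>wan</interface>
        <destination><any/></destination>
      </rule>
      <rule>
        <source><network>172.17.1.0/24</network></source>
        <descr><![CDATA[Auto created rule - LAN to WAN]]></descr>
        <interface>wan</interface>
        <destination><any/></destination>
      </rule>
      <rule>
        <source><network>127.0.0.0/8</network></source>
        <descr><![CDATA[Auto created rule - localhost to WAN]]></descr>
        <interface>wan</interface>
        <destination><any/></destination>
      </rule>
      <rule>
        <source><network>172.17.1.0/24</network></source>
        <descr><![CDATA[LAN to Mullvad Sweden]]></descr>
        <interface>opt1</interface>
        <destination><any/></destination>
      </rule>
    </outbound>
  </nat>
  <dhcpd>
    <lan>
      <enable/>
      <dnsserver>18.104.22.168</dnsserver>
      <dnsserver>10.8.0.1</dnsserver>
    </lan>
  </dhcpd>
</pfsense>
"""


def audit_kill_switch(xml_text: str, lan_net: str = LAN_NET, vpn_iface: str = VPN_IFACE,
                      expected_dns: List[str] = EXPECTED_DNS) -> List[str]:
    """Return findings; an empty list means NAT and DNS look as the guide intends."""
    root = ET.fromstring(xml_text)
    findings: List[str] = []

    # Automatic/hybrid modes would re-create the LAN-to-WAN rules on their own.
    if root.findtext("./nat/outbound/mode") != "advanced":
        findings.append("outbound NAT mode is not manual (AON): WAN rules are auto-generated")

    vpn_rule_active = False
    for rule in root.findall("./nat/outbound/rule"):
        if rule.findtext("./source/network") != lan_net:
            continue  # the 127.0.0.0/8 rules are expected to stay
        iface = rule.findtext("interface")
        disabled = rule.find("disabled") is not None
        if iface == "wan" and not disabled:
            findings.append(f"LAN {lan_net} can still NAT out via WAN ({rule.findtext('descr')})")
        if iface == vpn_iface and not disabled and rule.find("nonat") is None:
            vpn_rule_active = True
    if not vpn_rule_active:
        findings.append(f"no active outbound NAT rule for {lan_net} on {vpn_iface}")

    dns = [e.text for e in root.findall("./dhcpd/lan/dnsserver")]
    if dns != expected_dns:
        findings.append(f"DHCP hands out DNS {dns}, expected {expected_dns}")
    return findings


def drop_wan_rules_for(xml_text: str, lan_net: str = LAN_NET) -> str:
    """Apply the guide's deletion step: remove every outbound rule that NATs
    lan_net via WAN and return the modified XML (127.0.0.0/8 rules are kept)."""
    root = ET.fromstring(xml_text)
    outbound = root.find("./nat/outbound")
    for rule in list(outbound.findall("rule")):
        if rule.findtext("./source/network") == lan_net and rule.findtext("interface") == "wan":
            outbound.remove(rule)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", audit_kill_switch(SAMPLE_CONFIG_XML))
    print("after: ", audit_kill_switch(drop_wan_rules_for(SAMPLE_CONFIG_XML)))
```

Running it on the constructed sample reports the two leftover LAN-to-WAN rules; after drop_wan_rules_for() the audit is clean while the localhost rule survives. Re-run the audit on every exported backup, since a later switch back to automatic outbound NAT silently restores the WAN rules.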
After you have completed these steps, click on VPN -> OpenVPN -> the related status icon and then click on Restart OpenVPN Service under Service to reload everything. Then, on your client computers, go to https://ifconfig.co to verify that their traffic exits through Mullvad as intended.
Easily check your online privacy with Am I Mullvad
While you're connected to Mullvad, your browser could still be leaking information and therefore jeopardizing your privacy. With our Am I Mullvad online tool, you can now get a quick overview of your connection status.
I am running an older version of pfSense (2.3.x) and some things are not available or renamed. Where do I configure them?
TLS authentication is now called TLS Configuration.
UDP Fast I/O is not available as a checkbox on pfSense 2.3.x.
The Send / Receive Buffers drop-down menu is not available on pfSense 2.3.x.