Follow these steps to set up and connect pfSense 2.4 or later to Mullvad.
In this guide, we will connect to our Swedish servers.
As you follow this guide, always click on any Apply or Save button as you make changes in order to reload your new settings.
Get your ca.crt
- In a browser open our website: mullvad.net
- click on My account and log in with your Mullvad account number.
- Click on Download.
- Click on Linux
- Select Linux under Platform by using the drop-down menu.
- Select a Location.
- Click on Download and save it to your computer.
- Extract the zip file.
Add the Ca.crt to the Certificate Manager
- Log in to your pfSense device click on "System" -> "Cert. manager" -> "CAs" and then click on "+Add"
- Edit the descriptive name and name it Mullvad CA .
- Set the Method to Import an existing Certificate Authority
- Paste the certificates found in mullvad_ca.crt that was extracted earlier into the "Certificate data" field.
- Click on Save.
Add a VPN connection
This example will make use of se.mullvad.net. You can of course replace this server with any other country, region, or specific server that you wish to use. See our list of available servers.
Click on VPN -> OpenVPN -> Clients and then click on +Add
- Set Server Mode to: Peer to Peer (SSL/TLS)
- Set Protocol to: UDP on IPV4 only
- Set Device mode to: tun Layer 3 Tunnel Mode
- Set Interface to: WAN
- Set Server host to: se.mullvad.net
- Set Server port to: 1301
- Set Description to: Mullvad Sweden
- Set your mullvad account number as Username under User Authentication Settings (make sure it does not contain any spaces)
- set M as Password under User Authentication Settings
- Set TLS Configuration to: Unchecked
- Set Peer: Certificate Authority to: Mullvad CA
- Set Client Certificate to: None (Username or Password required)
- Set Encryption Algorithm to: AES-256-GCM
- Set Enable Negotiate Cryptographic Parameters to: Checked
- Add AES-256-GCM to the Allowed NCP Encryption Algorithms field.
- Set Auth digest Algorithm to: SHA384
- Set Compression to: No LZO Compression [Legacy style, comp-lzo no]
- In the Custom options field, paste: remote-cert-tls server
- Set UDP Fast I/O to : checked
- Set Send/Recieve buffer to 1.00 MiB
- Click Save.
Add an Interface
- Click on Interfaces -> Assignments
- Use the Drop-down menu for the Available network ports: and select ovpnc* and then click on +Add
- Click on the New interface name, it is usually named OPT1 or OPT2.
- Set Enable: Enable Interface to be checked
- Click on Save.
Add NAT rules
- Click on Firewall -> NAT -> Outbound and then select Mode: "Manual Outbound NAT rule Generation (AON) and then click on Save.
- Copy the entry that contains your local IP address (The one that does not contain port 500 nor 127.0.0.0 , In this example 172.17.1.0/24 is used, for you this will most like differ and will probably be 192.168.1.0/24) by clicking on the Copy icon found under Actions to the right of the NAT entry (Add a new mapping based on this one)
- Click on the Pen icon (Edit mapping) and change so that interface is the mullvad one and write a description.
- Make sure that both Disabled and do not NAT are unchecked
- Delete the other rules that contain your local IP that exists via WAN , (keep the 127.0.0.0) This will ensure that you can not reach the internet if the VPN tunnel is down from your clients behind the pfSense router.
- Click on Save.
- Click on Services
- Click on DHCP server
- Set DNS server 1 to: 188.8.131.52
- Set DNS server 2 to: 10.8.0.1
- Click on Save
After you have completed these steps, click on VPN -> OpenVPN -> Related status icon and then click on the Restart openvpn Service found under Service to reload it all. Then on your client computers, go to https://ifconfig.co to see that they are working as intended.
Easily check your online privacy with Am I Mullvad
While you're connected to Mullvad, your browser could still be leaking information and therefore jeopardizing your privacy. With our Am I Mullvad online tool, you can now get a quick overview of your connection status.
To add ports to be forwarded from the VPN server to your LAN client.
- Click on Firewall -> Nat -> Port Forward
- Click on Add
- Set Interface to be your VPN interface
- Set Protocol to be TCP/UDP
- Set To Port custom field to the port you were assigned
- Set the Redirect Target IP to the IP-address of your LAN client that you wish to have the forwarded port
- Set the Redirect Target Port custom field to the port you wish it to redirect it to on the LAN client
- Set Description to something so that you can identify it
- Click on Save
- Reconnect the OpenVPN client
In this example you will route 184.108.40.206 outside the VPN to the client 192.168.1.101
Adding a NAT rule
- Go to Firewall -> Outbound -> Add
- Set Interface to WAN
- Set Address Family to IPv4
- Set Protocol to any
- Set Source type to Network and 192.168.1.101 / 32 for the client you wish to go outside the VPN.
- Set Destination type to Network and 220.127.116.11 / 32 for the Destination network
- Click on Save and Apply Changes, and make sure the new rule is higher than the VPN nat rule.
Add a static rule
- Go to System -> Routing -> Static Routes
- Click on "+Add"
- Set Destination network to 18.104.22.168
- Set Gateway to WAN_DHCP (or WAN)
- Click on Save and Apply Changes
I am running an older version of pfSense (2.3.x) and some things are not available or renamed. Where do I configure them?
TLS authentication is now called TLS Configuration.
UDP Fast I/O is not available as a checkbox icon on pfSense 2.3.x.
Send / Receive Buffers dropdown menu is not available on pfSense 2.3.x.