Back to Guides

Using pfSense with Mullvad

Setting up pfSense.


Get your certificates

  1. In a browser open our website:
  2. Click on Download Client.
  3. Click on iOS, Android and other platforms.
  4. Click on Other Platforms.
  5. Enter your account number.
  6. Select a country.
  7. Click on Get Config and save it to your computer.
  8. Extract the file.


Add the Ca.crt to the Certificate Manager.

  1. Log in to your PfSense device click on "System" -> "Cert manager"  -> "CAs" and then click on "+Add"
  2. Edit the descriptive name and name it Mullvad CA .
  3. Paste the second certificate found in ca.crt that was extracted earlier into the "Certificate data" field.
  4. Click on Save.


Add your account certificates to the Certificate Manager.

  1. From the menu click on System -> Cert Manager -> Certificates -> Certificates and then on +Add .
  2. Set the Method to "Import an existing Certificate" .
  3. Set the Descriptive name to "Mullvad" .
  4. Certificate Data: Open the mullvad.crt file in a text editor. Copy the text string from and including "----- BEGIN CERTIFICATE" all the way through and including " END CERTIFICATE-----".  into this field.
  5. Private key data: Open the mullvad.key file in a text editor. Copy the entire contents and paste it into this field.
  6. Click on Save .

Add a VPN connection

Click on VPN -> OpenVPN -> Clients  and then click on +Add

  1. Set Server Mode to: Peer to Peer (SSL/TLS)
  2. Set Protocol to: UDP
  3. Set Device mode to: Tun
  4. Set Interface to: WAN
  5. Set Server host to:
  6. Set Server port to: 1300
  7. Set Server Hostname resolution to: Checked
  8. Set Description to: Mullvad Sweden
  9. Set TLS Authentication to: Unchecked
  10. Set Peer: Certificate Authority to: Mullvad
  11. Set Client Certificate to: Mullvad
  12. Set Encryption Algorithm to: AES-256-CBC
  13. Set Auth digest Algorithm to: SHA1
  14. Set Compression to: Enabled with adaptive
  15. Click on Save .


Add an Interface

Click on Interfaces -> (Assign) On the OPT1 select mullvad and then SAVE


Add NAT rules

  1. Click on Firewall -> NAT -> Outbound and then select Mode: "Manual Outbound NAT rule Generation (AON) and then click on Save.
  2. Copy the entry that contains your local IP address (not the 127.x and not the one with port 500) by clicking on the Copy icon found under Actions to the right of the NAT entry (Add a new mapping based on this rule) change so that interface is the mullvad one and write a description.
  3. Click on Save.