mullvad-wireguard-configuration.md

Mullvad wireguard in Mikrotik

In this case, I will use "Address list"(Specific IP addresses) and Mark Routing to use vpn for specific ip address. That means specific device-ip will route through vpn but some are not.(For example, my local ip address for my phone is 10.1.1.3, all connections from my phone will route through vpn) .

If you want to use vpn for specific website but not for device-ip base, try changing "Src. Address List with Dst. Address List".(For example, ip address of google is 8.8.8.8, when I connect to google, that connection will route through vpn, just for that connection)

Add wireguard interface

/interface wireguard
add listen-port=51820 mtu=1420 name=mullvad-wg

Add wireguard private key

• This process cannot be done from terminal
• You have to add wireguard private key manually at "Wireguard > mullvad-wg > General > Private Key"

Add wiregurad peer

/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=mullvad-peer1 endpoint-address=<replace_with_wireguard_endpoint_ip> \
    endpoint-port=51820 interface=mullvad-wg persistent-keepalive=25s \
    public-key="<replace_with_wireguard_public_key>"

Add wireguard internal IP

/ip address
add address=<replace_with_wireguard_address> interface=mullvad-wg network=<replace_with_wireguard_address>

Wireguard's part is done here

---

Add masquerade nat for IP translation

/ip firewall nat
add action=masquerade chain=srcnat out-interface=mullvad-wg

Add Routing mark and Address List

Add routing mark with mangle

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Device based VPN" \
    new-routing-mark=wg-vpn passthrough=yes src-address-list=device-based-vpn

Add Address List

/ip firewall address-list
add address=10.1.1.2-10.1.1.254 list=device-based-vpn

Add route

/ip route
add check-gateway=none comment="wg-vpn mark" disabled=no distance=10 \
    dst-address=0.0.0.0/0 gateway=mullvad-wg pref-src="" routing-table=wg-vpn \
    scope=30 suppress-hw-offload=no target-scope=10

---

Extra : Config mullvad dns for dns-leak

Mullvad's public dns server address is listed here. But the server is located far away from you, you can use mullvads's internal IP "10.64.0.1" for dns.

Since this is internal private IP you need to add one route

/ip route
add check-gateway=none comment="DNS to mullvad-wg" disabled=no distance=10 \
    dst-address=10.64.0.1/32 gateway=mullvad-wg pref-src="" routing-table=\
    main scope=255 suppress-hw-offload=yes target-scope=10

Now if you use dns ip as "10.64.0.1" your dns will route through mullvad's

Sometimes, some apps or device do not use configured dns ip address, which can leak your dns.

Add this command for route through all dns request to mullvad's ip(10.64.0.1)

/ip firewall nat
add action=dst-nat chain=dstnat comment="DNS redirect" disabled=yes dst-port=\
    53 protocol=udp to-addresses=10.64.0.1 to-ports=53

What this redirect all port 53/udp traffic which dns requests use, to "10.64.0.1"

Do you have any other firewall rules ? I have this same setup on a CCR2004 and I can't seem to get traffic to route correctly. I see data is being sent out of the wireguard interface, but it doesn't appear to be making it back to the source, and I can't for the life of me figure out where its being dropped.

Could you show me the exact config?(Or you can mail me [email protected]). I think the problem is routing mark mangle part or add route part.

Hey, thanks for the config!
While it worked for me, the speeds i got were really slow (~30 Mbit on a 300Mbit Line)
What fixed it for me was editing the 'Fasttrack' Firewall Filter Rule, which was added by the setup wizard ("defconf: fasttrack").
There, i added mullvad-wg for the in-interface and out-interface with the exclusion (!) mark, so nothing from the mullvad-wg interface will be fasttracked.