I need to run a PostUp command when my Mullvad WG interface comes up (to implement quantum resistant tunnelling: https://mullvad.net/en/help/quantum-resistant-tunnels-with-wireguard#modify-config).
I've successfully built the Mullvad utility for FreeBSD, and it works fine on the command line to establish ephemeral peers over the established tunnel to negotiate a PSK.
However, this needs to be run each time the tunnel is established.
There isn't any PostUp (or PostDown, PreUp or PreDown) option in the WG UI in OPNsense to easily add this. I know OPNsense doesn't directly use wg-quick, but there is also no equivalent option.
Is there another good way to do so? Or do I need to look at implementing changes to the OPNsense code to add advanced options in the UI to facilitate this?
Update: https://github.com/opnsense/core/pull/9825
PR closed due to OPNsense's security posture, implemented via devd instead. [Edit: logging added]
cat /usr/local/etc/devd/wg1-postup.conf
notify 100 {
match "system" "IFNET";
match "subsystem" "wg1";
match "type" "LINK_UP";
action "subsystem=$subsystem; if /usr/local/sbin/mullvad-upgrade-tunnel -wg-interface ${subsystem}; \
then logger -t ${subsystem}-postup mullvad-upgrade-tunnel completed; \
else rc=$?; logger -t ${subsystem}-postup mullvad-upgrade-tunnel failed, rc=${rc}; \
fi";
};
In case you aren't aware: psk-exchange (https://github.com/mullvad/mullvadvpn-app/tree/main/talpid-tunnel-config-client) can be used to obtain a PSK that you can simply put in the WG config, like you would with a "normal" WG server, no mullvad-upgrade-tunnel needed. You need to compile it yourself though, since this isn't really officially supported, but it works.
I had been using that already, but the tunnel would stop working after several weeks.
Mullvad support also told me that they wouldn't support psk-exchange anymore.
Quote from: Greelan on February 20, 2026, 12:45:53 AMMullvad support also told me that they wouldn't support psk-exchange anymore.
Makes sense. I haven't tried it myself, but it seems like it could be (ab)used to get around the five-device limit, since you get both a PSK and a primary key that isn't visible in the account settings.