Routing selected hosts' traffic through Mullvad VPN: setup issues.

Started by cunfused_kiwi, April 13, 2026, 08:07:59 PM

Hi,

what I am currently struggling to set up:

I want the traffic of my Proxmox Backup Servers and VE nodes, as well as the VMs running on them, to go through Mullvad VPN, and every other device's traffic in the same VLANs to go through the normal Internet, so not Mullvad.

The VMs and Proxmox servers are in different VLANs. The version of OPNsense I am running is 26.1.6-amd64.

What I have done so far:

1. I created a new WireGuard configuration in my Mullvad Account and exported the .conf file.
2. I created a new WireGuard Instance; in there I put the Private Key and Tunnel address from the config file's [Interface] section.
3. I created a new WireGuard Peer with the Public key, Allowed IPs, Endpoint address and Endpoint port from the config file's [Peer] section.
4. I clicked "Enable WireGuard" and then under VPN > WireGuard > Status both listed points (iirc Interface and Peer) were green.
5. I assigned the new wg0 interface under Interfaces > Assignments and enabled it and checked "Prevent interface removal".
6. I added a new Gateway under System > Gateways > Configuration, selected the Mullvad VPN Interface and checked "Far Gateway".
7. I added a new Alias under Firewall > Aliases, Type: Host(s), and added the static IP addresses of all devices in the "Content" field.
8. I changed the NAT Outbound Mode to Hybrid.
9. I added a new Outbound NAT rule and selected the Mullvad VPN interface and the Alias I had created as the "Source Address".
10. I added 2 Firewall rules for one VLAN for testing (I planned to add these in each VLAN; also, these rules are at the top):

          <rule uuid="">
            <enabled>1</enabled>
            <statetype>keep</statetype>
            <state-policy/>
            <sequence>86</sequence>
            <action>pass</action>
            <quick>1</quick>
            <interfacenot>0</interfacenot>
            <interface>opt2</interface>
            <direction>in</direction>
            <ipprotocol>inet</ipprotocol>
            <protocol>any</protocol>
            <icmptype/>
            <icmp6type/>
            <source_net>Mullvad_VPN_Clients</source_net>
            <source_not>0</source_not>
            <source_port/>
            <destination_net>any</destination_net>
            <destination_not>0</destination_not>
            <destination_port/>
            <divert-to/>
            <gateway>Mullvad_VPN_Gateway</gateway>
            <replyto/>
            <disablereplyto>0</disablereplyto>
            <log>0</log>
            <allowopts>0</allowopts>
            <nosync>0</nosync>
            <nopfsync>0</nopfsync>
            <statetimeout/>
            <udp-first/>
            <udp-multiple/>
            <udp-single/>
            <max-src-nodes/>
            <max-src-states/>
            <max-src-conn/>
            <max/>
            <max-src-conn-rate/>
            <max-src-conn-rates/>
            <overload/>
            <adaptivestart/>
            <adaptiveend/>
            <prio/>
            <set-prio/>
            <set-prio-low/>
            <tag/>
            <tagged/>
            <tcpflags1/>
            <tcpflags2/>
            <tcpflags_any>0</tcpflags_any>
            <categories/>
            <sched/>
            <tos/>
            <shaper1/>
            <shaper2/>
            <description>Route selected hosts via Mullvad VLAN 100</description>
          </rule>
          <rule uuid="">
            <enabled>1</enabled>
            <statetype>keep</statetype>
            <state-policy/>
            <sequence>48</sequence>
            <action>pass</action>
            <quick>1</quick>
            <interfacenot>0</interfacenot>
            <interface>opt2</interface>
            <direction>in</direction>
            <ipprotocol>inet</ipprotocol>
            <protocol>TCP/UDP</protocol>
            <icmptype/>
            <icmp6type/>
            <source_net>Mullvad_VPN_Clients</source_net>
            <source_not>0</source_not>
            <source_port/>
            <destination_net>any</destination_net>
            <destination_not>0</destination_not>
            <destination_port>53</destination_port>
            <divert-to/>
            <gateway>Mullvad_VPN_Gateway</gateway>
            <replyto/>
            <disablereplyto>0</disablereplyto>
            <log>0</log>
            <allowopts>0</allowopts>
            <nosync>0</nosync>
            <nopfsync>0</nopfsync>
            <statetimeout/>
            <udp-first/>
            <udp-multiple/>
            <udp-single/>
            <max-src-nodes/>
            <max-src-states/>
            <max-src-conn/>
            <max/>
            <max-src-conn-rate/>
            <max-src-conn-rates/>
            <overload/>
            <adaptivestart/>
            <adaptiveend/>
            <prio/>
            <set-prio/>
            <set-prio-low/>
            <tag/>
            <tagged/>
            <tcpflags1/>
            <tcpflags2/>
            <tcpflags_any>0</tcpflags_any>
            <categories/>
            <sched/>
            <tos/>
            <shaper1/>
            <shaper2/>
            <description>DNS for Mullvad VPN clients</description>
          </rule>

Then I changed the DNS server on one VM to the one from the config file and ran `curl ifconfig.me`, which returned the correct Mullvad IP address.
         
The problems I am facing now are:

With it set up like this, only the hosts that are in the Alias have working internet; nothing else in any of the VLANs has internet access.

While troubleshooting I checked "Disable routes" in the WireGuard Instance and the Internet everywhere worked again, but DNS for the hosts routed through Mullvad didn't work anymore; also `curl ifconfig.me` didn't work anymore as expected, so I couldn't verify if the traffic still gets routed through Mullvad. Pinging 1.1.1.1 and 8.8.8.8 still worked.


What did I do wrong and/or not understand?

Thx in advance!

These are your rules reconstructed with AI as pseudo-pf from the XML, in sequence order.  Just easier to read.

pass in quick on opt2 inet proto { tcp udp } \
    from <Mullvad_VPN_Clients> to any port 53 \
    keep state \
    route-to (opt2 Mullvad_VPN_Gateway)

pass in quick on opt2 inet from <Mullvad_VPN_Clients> to any \
    keep state \
    route-to (opt2 Mullvad_VPN_Gateway)

Not pertinent to your issue, but worth mentioning:

The DNS rule is redundant.  Your second rule anyway routes all IPv4 traffic from the VPN clients to the Mullvad gateway.

Quote from: cunfused_kiwi on April 13, 2026, 08:07:59 PM
While troubleshooting I checked "Disable routes" in the WireGuard Instance and the Internet everywhere worked again, but DNS for the hosts routed through Mullvad didn't work anymore

This is just a guess...

Try leaving "Disable routes" unchecked (the default) but make sure that you have rules in place to allow (or route) the other clients to the normal WAN gateway.  Without such a rule they will not have egress.

If that's the cause then I think you might also notice a lot of "Default deny / state violation rule" blocks in the firewall live log for the clients which are not in the alias.
N5105 | 8/250GB | 4xi226-V | Community
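The rule set from the question, parsed from its XML and rendered as pseudo-pf the way the reply above does, plus the two checks the reply raises: an earlier rule being fully covered by a later rule with the same action and gateway (the DNS rule), and an interface that policy-routes an alias without any pass rule for the hosts outside it (which would leave them at the default deny). This is an added Python example, not code from OPNsense or from either poster. It assumes the `<rule>` entries are wrapped in a `<rules>` root, reads only the fields shown in the thread, keeps gateway names symbolic instead of resolving them to an interface, and treats a source of `any` or the interface's own name as a catch-all, which is an assumption about how OPNsense stores "interface net" sources.

```python
"""Render OPNsense firewall <rule> XML as pseudo-pf and run two sanity checks."""
import xml.etree.ElementTree as ET

# Constructed sample: the two rules posted in the thread, reduced to the
# fields used below and wrapped in a <rules> root so the snippet parses.
SAMPLE_RULES_XML = """<rules>
  <rule uuid="">
    <enabled>1</enabled><sequence>86</sequence><action>pass</action><quick>1</quick>
    <interface>opt2</interface><direction>in</direction><ipprotocol>inet</ipprotocol>
    <protocol>any</protocol><source_net>Mullvad_VPN_Clients</source_net>
    <destination_net>any</destination_net><destination_port/>
    <gateway>Mullvad_VPN_Gateway</gateway>
    <description>Route selected hosts via Mullvad VLAN 100</description>
  </rule>
  <rule uuid="">
    <enabled>1</enabled><sequence>48</sequence><action>pass</action><quick>1</quick>
    <interface>opt2</interface><direction>in</direction><ipprotocol>inet</ipprotocol>
    <protocol>TCP/UDP</protocol><source_net>Mullvad_VPN_Clients</source_net>
    <destination_net>any</destination_net><destination_port>53</destination_port>
    <gateway>Mullvad_VPN_Gateway</gateway>
    <description>DNS for Mullvad VPN clients</description>
  </rule>
</rules>"""

FIELDS = ("enabled", "sequence", "action", "quick", "interface", "direction",
          "ipprotocol", "protocol", "source_net", "destination_net",
          "destination_port", "gateway", "description")


def parse_rules(xml_text):
    """Return the enabled rules as dicts, ordered by sequence (pf evaluation order)."""
    root = ET.fromstring(xml_text)
    rules = []
    for node in root.iter("rule"):
        rule = {f: (node.findtext(f) or "") for f in FIELDS}
        if rule["enabled"] == "1":
            rules.append(rule)
    return sorted(rules, key=lambda r: int(r["sequence"]))


def _name(net):
    """Aliases are written in pf table notation; 'any' stays literal."""
    return net if net == "any" else f"<{net}>"


def to_pseudo_pf(rule):
    """Render one rule as a pf-like line; the gateway name is kept symbolic."""
    parts = [rule["action"], rule["direction"]]
    if rule["quick"] == "1":
        parts.append("quick")
    parts += ["on", rule["interface"], rule["ipprotocol"]]
    proto = rule["protocol"].lower()
    if proto and proto != "any":
        parts += ["proto", "{ tcp udp }" if proto == "tcp/udp" else proto]
    parts += ["from", _name(rule["source_net"]), "to", _name(rule["destination_net"])]
    if rule["destination_port"]:
        parts += ["port", rule["destination_port"]]
    parts.append("keep state")
    if rule["gateway"]:
        parts += ["route-to", rule["gateway"]]
    return " ".join(parts)


def _covers(later, earlier):
    """True if every packet matched by `earlier` would also match `later`."""
    same = all(later[f] == earlier[f]
               for f in ("interface", "direction", "ipprotocol", "source_net"))
    proto_ok = later["protocol"] in ("any", earlier["protocol"])
    dst_ok = later["destination_net"] in ("any", earlier["destination_net"])
    port_ok = later["destination_port"] in ("", earlier["destination_port"])
    return same and proto_ok and dst_ok and port_ok


def redundant_rules(rules):
    """(earlier_seq, later_seq) pairs where the earlier rule changes nothing.

    Only quick rules with the same action and gateway are compared, so removing
    the earlier rule leaves the later one to pass and route the same packets."""
    found = []
    for i, earlier in enumerate(rules):
        for later in rules[i + 1:]:
            key = ("action", "gateway", "quick")
            if all(later[k] == earlier[k] for k in key) and later["quick"] == "1" \
                    and _covers(later, earlier):
                found.append((earlier["sequence"], later["sequence"]))
                break
    return found


def _is_catch_all(rule):
    # Assumption: an "interface net" source is stored under the interface name.
    return rule["action"] == "pass" and rule["source_net"] in ("any", rule["interface"])


def interfaces_without_catch_all(rules):
    """Interfaces that policy-route an alias but have no pass rule for other hosts.

    Hosts outside the alias then fall through to the default deny, which matches
    the "nothing else has internet" symptom in the thread."""
    routed = {r["interface"] for r in rules
              if r["action"] == "pass" and r["gateway"] and not _is_catch_all(r)}
    catch_all = {r["interface"] for r in rules if _is_catch_all(r)}
    return sorted(routed - catch_all)


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES_XML)
    for r in parsed:
        print(f"# {r['description']}\n{to_pseudo_pf(r)}\n")
    for earlier, later in redundant_rules(parsed):
        print(f"rule seq {earlier} is fully covered by rule seq {later}")
    for iface in interfaces_without_catch_all(parsed):
        print(f"{iface}: hosts outside the routed alias have no pass rule (default deny)")
```

Running it prints the two pseudo-pf lines in sequence order, reports that rule 48 (DNS) is covered by rule 86, and lists `opt2` as an interface where every host outside `Mullvad_VPN_Clients` has no pass rule. Pointing it at a rule set that adds a `pass in on opt2 from any` rule to the WAN gateway clears the second finding, which is the fix the reply suggests trying.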

https://www.youtube.com/watch?v=XI9NG068TwI