Connecting to Mullvad VPN using WireGuard and a ThinkPenguin mini router

Warning: These directions have not been updated to include how to protect yourself against the TunnelVision / DHCP option 121 attack like our instructions for our Penguin VPN 2.0 Wireguard instructions have. If you have any questions about it please contact support and if needed let us know that you'd like updated directions that include how to protect yourself from TunnelVision / DHCP Option 121 attacks for the Mullvad VPN Wireguard instructions for libreCMC.

These directions have been thoroughly tested on a TPE-R1200 mini wireless router and a TPE-R1400 mini router running libreCMC v1.5.13 OEM images and Mullvad VPN with a WireGuard configuration. WireGuard is similar to OpenVPN, but newer and faster. Mullvad VPN is a privacy friendly VPN service that aims to protect your privacy and has support for WireGuard.

1. Turn off wifi on your computer
2. Plug in an ethernet cable to the LAN port on your mini router and the other end into a computer where you will be configuring your router from
3. Plug the power (micro USB or USB-C cable) cable in on the mini router and wait for the computer to show it's connected/activated/has an IP address

Note: If you don't see an IPv4 address or the next step fails to bring up the router configuration page unplug the power from the router and plug it back in. Then disconnect and reconnect to the network using your network applet.

4. Open a browser (Firefox) and go to https://192.168.10.1/
5. You will see a warning message "Warning: Potential Security Risk Ahead" (Firefox) click the "Advanced..." button, and then click "Accept the Risk and Continue" button. This may display differently in different browsers or versions by the idea is the same. Accept the warning to continue.

6. Click Login button (initially no password is set so no password needs be entered to login)
7. Go to System > Administration and set a password, click Save button, click Dismiss button, click Logout button, then log back in with new password
8. Go to Network > Interfaces
9. Click Edit button next to LAN
10. Set IPv4 address box to 192.168.3.1
11. Click Save & Apply button
12. Wait for the Configuration has been rolled back! error message to appear and then click the Apply anyway button
13. Wait for the Device unreachable! message to appear and then disconnect and reconnect your ethernet connection on your computer followed by going to the new address for the router in your web browser https://192.168.3.1 and when you see a warning message "Warning: Potential Security Risk Ahead" (Firefox) click on the "Advanced..." button and then click "Accept the Risk and Continue" button
14. Enter your previously chosen password and click the Login button

If you have libreCMC 1.5.13+ of the OEM version (the 'OEM version' is a modified version of the librecmc.org version that includes WireGuard already) you can skip steps 15-22

Note: If you don't have a recent OEM version or none exists any more you will also need to flash the latest release of libreCMC in order to install the software from the repository as directed in steps 15-22. Directions for flashing the TPE-R1400 can be found at https://www.thinkpenguin.com/gnu-linux/documentation-writing-librecmc-im... and for the TPE-R1100, TPE-R1200, TPE-R1300 they can be found at https://www.thinkpenguin.com/gnu-linux/vpn-mini-wireless-router-firmware...

15. Go to System > Software
16. Plug in ethernet cable from WAN on the router to a modem or other upstream router with an internet connection
Click Update lists.. button
17. When updates done click Dismiss button
18. Go to the Filter box and search for luci-proto-wireguard
19. Click the Install... button next to luci-proto-wireguard (under where it says Package name)
20. Click Install button to proceed
21. Click Dismiss button
22. Repeat steps 18-21, but replace luci-proto-wireguard with wireguard and then do it again with luci-app-wireguard

23. Go to Network > Interfaces
24. Click Add new interface button..
25. In Name of new interface box enter WireGuard
26. In Protocol of the new interface drop down select WireGuard VPN
27. Click the Submit button
28 Go to VPN provider: https://mullvad.net/

Note: You will need to temporarily connect to the internet again via another means, like over wifi, and then revert back to the ethernet connection between the LAN port on the router to the computer. This is so you can generate a Mullvad VPN account.

29. Scroll to the Create account button and click it start the new account creation process, then click the Generate account button
30. Add time to your account as instructed on the site (aka via making a payment)
31. Continue once the payment is processed and the account active
32. Look under the Downloads section
33. Click Wireguard configuration
34. Choose Linux as the platform
35. Click Generate key button
36. Select a country, state/region, and server for your exit location
37. Click Download file under Generate and download configuration section
38. Save the file somewhere and make a note of its location, or open the .conf file
39. You may need to open your file manager and find the .conf file to open it in a text editor

Dissconnect from your internet/wifi connection and return to using the PC to mini router ethernet connection

40. Go back to your router configuration tab with the new interface and WireGuard VPN configuration screen and enter the PrivateKey from the .conf file into the Private Key box.
41. In the IP Addresses box enter the Address from the conf file (example: 10.67.153.173/32) and then click the + button to add the IP
42. Click the Add button under the Peers section and do the same for the Public Key in the Peers section
43. In the Peers section do the same for Allowed IPs
44. In peers section make sure you have checked the Route Allowed IPs box
45. Copy the Endpoint = ip address (example: 185.216.33.114) into the Endpoint Host box
46. Copy the Endpoint = port into the Endpoint Port box (everything that comes after the : on the Endpoint = line)
47. Enter 25 into the Persistent Keep Alive box
48. Click Save & Apply button
49. Go to System > Reboot and click Perform reboot button
50. After the router reboots (you'll be shown the login page) log back in and Go to Network > Firewall
51. Click Add button at bottom
52. In the Name box enter VPN
53. In the Input, Output, and Forward box select Accept
54. Check the boxes that say Masquerading and MSS clamping
55. Under Covered networks select WireGuard:
56. Under Allow forward from source zones: select lan: lan:
57. Click Save & Apply button
58. Go to Network > Interfaces and Click the Edit button next to WIREGUARD
59. Make sure the box that says Bring up on boot is checked
60. Click Save & Apply
61. Go to Network > Firewall
62. Under Zones click Edit button next to lan > wan VPN
63. Remove wan: wan: wan6 from Allowed forward to destination zones: drop down
64. Click Save & Apply button
65. For security lets clean up: go to Network > Interfaces and remove the WAN that has Protocol: DHCPv6 client next to it.
66. Click Delete button to remove
67. Click Save & Apply button
68. Go to Network > Interfaces and next to LAN click the Edit button
69. Copy the DNS from the .conf file and paste it into the Use custom DNS servers box and click the + arrow to add
70. Under IPv6 assignment length select disabled
71. Under the DHCP Sever section go to the IPv6 Settings and select disabled in the drop down for Router Advertisement-Service and DHCPv6-Service
72. Click Save & Apply button

73. Go to Network > Interfaces
74. Click Edit button next to WAN
75. Click the Advanced Settings tab
76. Uncheck the box that says "Use DNS servers advertised by peer"
77. Enter 8.8.8.8 or some other DNS server of your preference, click the plus button to add it
78. Click Save & Apply button

Note: Connect an ethernet cable from the WAN port to your modem or other upstream routing device that has an internet connection attached

79. Go to System > Reboot and click the Perform reboot button

After the router has rebooted you can now go to infosniper.net and it should appear that you are coming from a location other than the city/state/country where you actually are connecting from.

80. Now if you have a wireless model you probably want to setup wireless so go to Network > Wireless and click the Edit button next to where it says SSID: libreCMC
81. Scroll down to the Interface Configuration section and enter a ESSID into the ESSID box like libreCMC-VPN
82. Go to the Wireless Security tab and under Encryption select WPA2-PSK
83. In the Key box enter a password (this is the password you will utilize to access the VPN through your new libreCMC-VPN wireless access point)
84. Click Save & Apply button
85. On the computer disconnect your wired connection and select the new libreCMC-VPN access point that appears

You should now be able to visit infosniper.net again and see that others think you are located or coming from somewhere that you are not