If I install Mullvad VPN on my router, how do I change the exit server? I regularly change it manually to get around blocks and such, but I assume it’s not quite as convenient on the router as using the desktop GUI.
What happens if I have the VPN installed on the computer while also having it on the router? Would it create a second VPN tunnel (for which I can manually select the exit server) going “through” the router’s tunnel? (Not sure if this makes sense.) Or would the setup simply not work?
You would normally set this up so that only specific networks are routed into the VPN, from your LAN side, not the whole LAN.
The reason for this is there may be cases where you don’t want a VPN, e.g. gaming, where you might want low latency, or connecting to your banking website, etc.
I have been meaning to show a guide on how I have this set up on OPNsense. There is this older guide https://www.youtube.com/watch?v=ulRgecz0UsQ which is for pfSense (very similar to OPNsense), so the whole logic of the IP policy routing is the same. You can do it with WireGuard as well instead of OpenVPN.
I usually then have a directory of configs on my desktop. I simply log in to OPNsense, change the IP & public key, and restart WireGuard, and it’s good to go.
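As an added illustration (not part of the original reply), here is a small Python script that pulls the peer public key and endpoint out of a saved WireGuard config, the two values the reply above swaps in OPNsense, and rejects a file whose key or endpoint is malformed before it reaches the router. The sample config, its keys and addresses are constructed placeholders, and the name `parse_peer` is hypothetical.

```python
import base64
import binascii
import re

# Constructed placeholder keys (32 bytes each, base64-encoded like WireGuard keys).
SAMPLE_PRIV = base64.b64encode(bytes(32)).decode()
SAMPLE_KEY = base64.b64encode(b"\x01" * 32).decode()

# Constructed sample in the layout of a WireGuard client config file.
SAMPLE_CONF = f"""[Interface]
PrivateKey = {SAMPLE_PRIV}
Address = 10.0.0.2/32

[Peer]
PublicKey = {SAMPLE_KEY}
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = 192.0.2.10:51820
"""

ENDPOINT_RE = re.compile(r"^(\[[0-9A-Fa-f:]+\]|[^\[\]:\s]+):(\d{1,5})$")

def parse_peer(conf_text):
    """Return (public_key, host, port) from the [Peer] section, validating both."""
    section, peer = None, {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "peer" and "=" in line:
            key, value = line.split("=", 1)      # base64 padding stays in value
            peer[key.strip().lower()] = value.strip()
    try:
        decoded = base64.b64decode(peer["publickey"], validate=True)
    except (KeyError, binascii.Error) as exc:
        raise ValueError("missing or malformed PublicKey") from exc
    if len(decoded) != 32:
        raise ValueError("PublicKey must decode to 32 bytes")
    match = ENDPOINT_RE.match(peer.get("endpoint", ""))
    if not match or not 1 <= int(match.group(2)) <= 65535:
        raise ValueError("missing or malformed Endpoint")
    return peer["publickey"], match.group(1).strip("[]"), int(match.group(2))

if __name__ == "__main__":
    print(parse_peer(SAMPLE_CONF))
```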
Using VPN client applications on macOS, iOS and Windows cannot route the whole traffic to the VPN tunnel. Kill switch functions also fail to prevent whole traffic leaks as expected. You can check this link. As far as I understand, these security vulnerabilities seem to be less prevalent on other OSs. Frankly, if I were an iPhone user, I would carry a portable Wi-Fi router with me.
I don’t think there will be a problem with this. At most, you might encounter issues related to the MTU size, but if the MTU size is set to automatic in the Mullvad application settings, I don’t think you will encounter any issues. In fact, I think this method seems like a more private solution than the multi-hop setup recommended by Mullvad, because Mullvad’s website clearly shows each server’s unique and static multi-hop port number. Anyone spying on the network can easily identify the user’s exit server. The adversary spying on the network doesn’t even need extra technical knowledge.