Mullvad VPN - Wireguard
First, we need to add a Wireguard interface in the Mikrotik router to auto-generate a key pair. We will copy the private key and import it into the Mullvad device configuration page. Mullvad will use the imported private key to generate a public key. Mullvad will use this public key to encrypt data packets back to the Mikrotik firewall.
interface/wireguard/add name=Mullvad
interface/wireguard/print
Flags: X - disabled; R - running
0 R name="Mullvad" mtu=1420 listen-port=26477 private-key="qG7LMj39vPGUAX+FtFBZu5DVJH2q3nH6CSDa4ociPGM="
public-key="Fea2vkJ2H2Tk0apEn7t2ivXx7ssTs+w23zkm3mOp+xo="
Once you have the private key from the Wireguard interface you'll need to login into Mullvad and browse to "My account" and then click on "Manage devices and ports". It should take you to a page that looks like the one shown below.
Next, you'll want to click on the "WireGuard configuration file" link. Your web page should look similar to the page below.
Next, you'll take the private key you saved from your Mikrotik configuration and import it. Once your key is imported it should look similar to the image below.
interface/wireguard/peers/add interface=Mullvad endpoint-address=68.235.43.82 endpoint-port=51820 allowed-address=0.0.0.0/0 public-k
ey="MRZsEblqO4wlq0WPnZgp5X9ex4Z2FHm9bljO/a/Mznk="
ip/address/add interface=Mullvad address=10.67.171.164/32
routing/table/add name=Mullvad fib
ip/route/add dst-address=0.0.0.0/0 gateway=Mullvad routing-table=Mullvad
ip/firewall/address-list/add list=Mullvad-VPN
withaddress=172.16.5.20Wireguard
ip/firewall/mangle/add action=mark-routing chain=prerouting new-routing-mark=Mullvad passthrough=yes src-address-list=Mullvad-VPN
ip/firewall/nat/add action=masquerade chain=srcnat src-address-list=Mullvad-VPN