opnsense / docs

OPNsense documentation

Update Mullvad how-to to reflect unencrypted public DNS being shutdown #585

Open sburris0 opened 1 month ago

sburris0 commented 1 month ago

Describe the issue

The Mullvad how-to instructs users to use 193.138.218.74. This was Mullvad's unencrypted public DNS, and it has since been shut down: https://mullvad.net/en/blog/shutting-down-our-unencrypted-public-dns-service

Suggestions

Update the docs so that this IP is no longer referenced and whatever replaces it (DNS over TLS?) is used.

Version affected: docs n/a
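A small audit script, added here as an example and not part of the OPNsense docs or Mullvad's tooling, for anyone checking whether existing WireGuard client configs still point at the retired resolver named in this issue. It parses the `DNS =` lines of a config, flags the decommissioned address, and can probe a resolver for a plain UDP/53 answer and for a DNS-over-TLS answer on 853 (standard ports; the `server_name` used for TLS validation and the query name `example.com` are caller-supplied assumptions, and the sample config below is constructed with placeholder keys).

```python
"""Audit WireGuard client configs for a decommissioned plain-DNS resolver.

Example code written for this issue, not OPNsense or Mullvad code.
The retired address comes from the issue text; everything else
(sample config, query name, TLS server name) is an assumption.
"""
import socket
import ssl
import struct

# Retired unencrypted resolver named in the issue (kept as a set so further
# decommissioned addresses can be added if other docs reference them).
RETIRED_RESOLVERS = {"193.138.218.74"}

# Constructed sample of a Mullvad-style WireGuard client config with placeholder values.
SAMPLE_CONF = """\
[Interface]
PrivateKey = PLACEHOLDER_PRIVATE_KEY
Address = 10.64.0.2/32
DNS = 193.138.218.74, 10.64.0.1   # old public DNS plus the in-tunnel resolver

[Peer]
PublicKey = PLACEHOLDER_PEER_KEY
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.invalid:51820
"""


def parse_dns_servers(conf_text):
    """Return the resolver addresses listed on DNS lines of the [Interface] section."""
    servers, section = [], None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "interface" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "dns":
            servers.extend(v.strip() for v in value.split(",") if v.strip())
    return servers


def find_retired_resolvers(conf_text, retired=RETIRED_RESOLVERS):
    """Resolvers in the config that are known to be shut down."""
    return [s for s in parse_dns_servers(conf_text) if s in retired]


def build_query(name, qid=0x1234):
    """Minimal DNS A query: 12-byte header, encoded QNAME, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed before full reply")
        buf += chunk
    return buf


def probe_plain_dns(ip, name="example.com", timeout=2.0):
    """True if the resolver still answers an unencrypted UDP/53 query."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (ip, 53))
            reply, _ = s.recvfrom(512)
        except OSError:
            return False
    return len(reply) >= 12 and reply[:2] == query[:2]  # transaction id matches


def probe_dot(ip, server_name, name="example.com", timeout=3.0):
    """True if a validated TLS session on 853 returns an answer with our transaction id."""
    ctx = ssl.create_default_context()  # verifies the certificate against server_name
    query = build_query(name, qid=0x4321)
    try:
        with socket.create_connection((ip, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                tls.sendall(struct.pack("!H", len(query)) + query)  # RFC 7858 length prefix
                (length,) = struct.unpack("!H", _recv_exact(tls, 2))
                reply = _recv_exact(tls, length)
    except (OSError, ssl.SSLError):
        return False
    return len(reply) >= 12 and reply[:2] == query[:2]


if __name__ == "__main__":
    for server in find_retired_resolvers(SAMPLE_CONF):
        print(f"retired resolver still configured: {server}")
        print(f"  plain UDP/53 answers: {probe_plain_dns(server)}")
```

Run it against a real config by replacing `SAMPLE_CONF` with the file contents; `probe_dot` needs the resolver's TLS hostname, which this issue does not state, so look it up in the provider's current documentation rather than guessing it.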

midwesternrodent commented 1 month ago

Agreed. There are also a couple of other quirks with the Mullvad Road Warrior VPN docs since there have been a few updates to OPNsense since those were written. The WireGuard selective routing section is still pretty good though and I was able to fill in the blanks with the help of the following resources:

schnerring.net's document disabling DNS hijacking via an API call

I was able to use the API calls documented here on my Debian 12 computer, but they need to be modified for FreeBSD if we're going to put them in the official docs. Mullvad has also changed functionality since this was written and you cannot just change the tunnel address anymore; Mullvad seems to lock the public key to the IP they assign to you now, so you need to use what is provided to you by them in the API call.

I also believe some additional sections should be added so that users can easily get a preshared key working with Mullvad since apparently this is also supported. But I haven't dug too deeply into this and the best answer I found was from 2019.

These are some other useful docs I perused but didn't explicitly use while getting this working on my machine today: Mullvad's OpenWRT documentation; Mullvad's App API Documentation on GitHub.

I've got some rough documents typed up in markdown that I've attached here. I'm gonna work on getting them proofread, formatted, expanded, and start a pull request. Just have to review the contribution guidelines before I get started and wanted to post something before I forget about it.

Best way to view this would be to put it in an Obsidian vault since that's what I wrote it in.

Mullvad VPN Outbound Configuration without DNS Hijacking.md

Mullvad Connection Checker.png Mullvad Initial Instance.png Mullvad Peer Configuration.png Mullvad Peer Status.png Mullvad Server List.png

Edit: oof, I'm tired and just realized this is NOT what this issue is about. Nowadays it looks like Mullvad is hijacking all DNS connections on the interface through their system to prevent leaks, so configuring a DNS server in a standard setup is probably not even necessary anymore. If someone doesn't want to use their DNS though, then these steps should be added to the document.