Using Mullvad WireGuard VPN with UniFi for Selective Domain Routing
Route only OSA-listed domains through a Mullvad WireGuard tunnel on UniFi. Pick any exit location—the example below uses Ireland.
1. Generate a Mullvad WireGuard configuration
- Visit the Mullvad WireGuard config generator and sign in.
- Set Operating system to Linux, then click Generate key.
- Choose an exit location that suits your needs (e.g. Ireland →
ie-dub-wg-101). - Under Tunnel traffic, select IPv4 only.
- Download the configuration file (for example
mullvad-wg.conf) and store it safely.
2. Create a VPN client in UniFi
- Open the UniFi Network Controller.
- Navigate to Settings → VPN → VPN Client → Create VPN Client.
- Give the profile a descriptive name (for example OSA Bypass).
- Import the Mullvad configuration file you downloaded.
- Continue to the content configuration step—no additional changes are required here.
3. Add domain-based routing
- Within the VPN client wizard, choose Content Wizard → Domain.
- Select Add Multiple.
- Download the current OSA list in semicolon format (ideal for UniFi ingestion):
https://osatracker.co.uk/domains/export?format=semicolon
- Save the file locally (e.g.
osa_domains.txt) and import it into the wizard.
Tip: you can narrow the download by adding &verdict=Censored or a specific category—see the Downloads page for query examples.
4. Apply and test
- Click Apply Changes to save the VPN client.
- Wait for UniFi to connect—confirm under Settings → VPN → VPN Client.
- Test a few domains from the list. They should now exit via the Mullvad tunnel, while everything else uses the normal WAN path.
5. Ongoing maintenance
- The OSA list changes over time—re-download and re-import when you need refreshed data.
- You can switch country at any time; just generate a new Mullvad config and re-import it.
- Future work: automatic UniFi updates driven by the export API.