Is Mullvad VPN + DoT possible?

  • ATTENTION! As of November 1, 2020, you are not able to reply to threads 6 months after the thread is opened if there are more than 500 posts in the thread.
    Threads will not be locked, so posts may still be edited by their authors.
    Just start a new thread on the topic to post if you get an error message when trying to reply to a thread.


Senior Member
The documentation for configuring Mullvad in Merlin is quite clear, and works well, but it requires IPv6 to be configured as Native, and it doesn't seem like DoT DNS configuration settings will work. When IPv6 is disabled, the VPN tunnel does not connect, regardless of any DoT settings, IPv6 or otherwise. I have tinkered with this for several days to no profit, and could not find what I am looking for by searching around.

The documentation requires a particular set of DNS servers be configured in LAN / DHCP, however this is obviously for the client's resolution needs, and can be circumvented by manually configuring these on clients and disabling IPv6 on the clients. Without this manual configuration, the entire LAN must use Mullvad's IPv4 DNS servers and your ISP's IPv6 DNS, and doing this causes a failed DNS leak test.

The documentation as posted by Mullvad:

Does anyone have DoT + Mullvad configured in such a way as to pass leak tests? Some configuration of DNS Filter or selective routing, perhaps?

Thanks for any thoughts, hope everyone is having a productive new year so far.


Regular Contributor
Disable dns from vpn config and and set dnsfilter global to router, and restart router


Senior Member
Thank you. I don't know what you mean by "disable dns from vpn config" though. I am not using the Mullvad Merlin config instructions for DNS as it is, and I have tried using DNSFilter globally to router. I can't get love from that setup, the VPN Client setup in Merlin won't connect when I do that.


Regular Contributor
I have Mullvad VPN and ran into a problem using Mullvad's instructions since I do not use IPV6. I added some lines to the config file to ignore the IPV6 and then I was able to use the VPN.

Take a look at my Mullvad VPN setup maybe it can help you out.

1.jpg 2.jpg 3.jpg 4.jpg


Senior Member
You, sir, are my HotD, my Hero of the Day. I owe you a beer. The VPN now connects without IPv6 being enabled as Native, and no DNS in LAN or WAN (other than DoT and Router).

To pass leak tests, I simply added the systems routing through the VPN to the DNS Filter using a custom DNS set to Mullvad's I am adding some filter exclusions for phones to allow for private DoT ("Private DNS" in Android Pie) because I prefer a particular adblocking DoT server.

Now to figure out how to best route one of my IoT Guest WiFi through a separate VPN, and set up site-to-site between here and the other house, for security cameras. Cameras there are wired, so a simple VLAN is all that is necessary. Merlin is wonderful - most things a user could ever want to do is possible. Guest WiFi through AImesh and Wireguard would be great, but those aren't Merlin issues, they are Asus.

Anyway, thanks again mate, this helped enormously. For posterity, some pics are attached.


  • DHCP_Fixed.png
    215 KB · Views: 189
  • filter.png
    375.1 KB · Views: 174
  • ipv6.png
    272.5 KB · Views: 184
  • vpn2.png
    353.4 KB · Views: 192
  • wan_fixed.png
    349.4 KB · Views: 171

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!