2

[Guide] NextDNS + Mullvad (WireGuard) + DOH3 on iOS / iPadOS / macOS

Introduction

How to make NextDNS and Mullvad (WireGuard) work together, perfectly, is a question that has been asked hundreds of times and across many different forums. Today, the magic to make that happen comes together—with the added bonus of support for DoH3.

This guide has a difficulty level of Medium; and is bifurcated into two major sections, each with several steps. If you are unfamiliar with any of the steps below, please ask for help in the comments and someone will assist.


NextDNS steps:

  1. Visit: https://apple.nextdns.io

  2. Enter your "Configuration ID."

  3. Enter your "Device Name."

  4. Enter your "Device Model."

  5. Do not "Trust NextDNS Root CA." (Unless you know what you are doing and are completely crazy.)

  6. Do not enable "Bootstrap IPs." (Unless you know what you are doing and enjoy slow DNS resolution.)

  7. Do not enable "Sign Configuration Profile." (As we will be editing it in a moment.)

  8. "Download" your shiny new Configuration Profile, which will be in your Downloads folder, as a file ending with .mobileconfig.

  9. Inside that file, there will be one occurrence of the string apple.dns.nextdns.io. Replace that string with doh3.dns.nextdns.io

  10. Install the edited Configuration Profile.

The above steps will make it such that your iOS, iPadOS or macOS device will use NextDNS's Device Identification for Analytics and Logs; in addition to Apple's system-wide Encrypted DNS, specifically, DNS-over-HTTP/3. (This works for both iOS/iPadOS 15/16 & macOS 12/13.)


Mullvad (WireGuard) steps:

  1. Visit: https://mullvad.net/en/account/#/wireguard-config/

  2. Generate and download a WireGuard Configuration File.

  3. Edit the WireGuard Configuration File.

    1. For "DNS servers," specify: 0.0.0.0/32, ::/128

    2. For "Allowed IPs," specify: 0.0.0.1/32, 0.0.0.2/31, 0.0.0.4/30, 0.0.0.8/29, 0.0.0.16/28, 0.0.0.32/27, 0.0.0.64/26, 0.0.0.128/25, 0.0.1.0/24, 0.0.2.0/23, 0.0.4.0/22, 0.0.8.0/21, 0.0.16.0/20, 0.0.32.0/19, 0.0.64.0/18, 0.0.128.0/17, 0.1.0.0/16, 0.2.0.0/15, 0.4.0.0/14, 0.8.0.0/13, 0.16.0.0/12, 0.32.0.0/11, 0.64.0.0/10, 0.128.0.0/9, 1.0.0.0/8, 2.0.0.0/7, 4.0.0.0/6, 8.0.0.0/5, 16.0.0.0/4, 32.0.0.0/3, 64.0.0.0/2, 128.0.0.0/1, ::1/128, ::2/127, ::4/126, ::8/125, ::10/124, ::20/123, ::40/122, ::80/121, ::100/120, ::200/119, ::400/118, ::800/117, ::1000/116, ::2000/115, ::4000/114, ::8000/113, ::1:0/112, ::2:0/111, ::4:0/110, ::8:0/109, ::10:0/108, ::20:0/107, ::40:0/106, ::80:0/105, ::100:0/104, ::200:0/103, ::400:0/102, ::800:0/101, ::1000:0/100, ::2000:0/99, ::4000:0/98, ::8000:0/97, ::1:0:0/96, ::2:0:0/95, ::4:0:0/94, ::8:0:0/93, ::10:0:0/92, ::20:0:0/91, ::40:0:0/90, ::80:0:0/89, ::100:0:0/88, ::200:0:0/87, ::400:0:0/86, ::800:0:0/85, ::1000:0:0/84, ::2000:0:0/83, ::4000:0:0/82, ::8000:0:0/81, ::1:0:0:0/80, ::2:0:0:0/79, ::4:0:0:0/78, ::8:0:0:0/77, ::10:0:0:0/76, ::20:0:0:0/75, ::40:0:0:0/74, ::80:0:0:0/73, ::100:0:0:0/72, ::200:0:0:0/71, ::400:0:0:0/70, ::800:0:0:0/69, ::1000:0:0:0/68, ::2000:0:0:0/67, ::4000:0:0:0/66, ::8000:0:0:0/65, 0:0:0:1::/64, 0:0:0:2::/63, 0:0:0:4::/62, 0:0:0:8::/61, 0:0:0:10::/60, 0:0:0:20::/59, 0:0:0:40::/58, 0:0:0:80::/57, 0:0:0:100::/56, 0:0:0:200::/55, 0:0:0:400::/54, 0:0:0:800::/53, 0:0:0:1000::/52, 0:0:0:2000::/51, 0:0:0:4000::/50, 0:0:0:8000::/49, 0:0:1::/48, 0:0:2::/47, 0:0:4::/46, 0:0:8::/45, 0:0:10::/44, 0:0:20::/43, 0:0:40::/42, 0:0:80::/41, 0:0:100::/40, 0:0:200::/39, 0:0:400::/38, 0:0:800::/37, 0:0:1000::/36, 0:0:2000::/35, 0:0:4000::/34, 0:0:8000::/33, 0:1::/32, 0:2::/31, 0:4::/30, 0:8::/29, 0:10::/28, 0:20::/27, 0:40::/26, 0:80::/25, 0:100::/24, 0:200::/23, 0:400::/22, 0:800::/21, 0:1000::/20, 0:2000::/19, 0:4000::/18, 0:8000::/17, 1::/16, 2::/15, 4::/14, 8::/13, 10::/12, 20::/11, 40::/10, 80::/9, 100::/8, 200::/7, 400::/6, 800::/5, 1000::/4, 2000::/3, 4000::/2, 8000::/1

  4. In the WireGuard app, create a new WireGuard tunnel from your WireGuard Configuration File.

  5. Enable On-Demand (Wi-Fi or cellular; Any SSID) and activate your new WireGuard tunnel.

  6. Restart your device.

  7. Visit: https://test.nextdns.io

    1. status should be: ok

    2. protocol should be: DOH3

The above steps will make it such that your new WireGuard tunnel uses the NextDNS Configuration Profile that you installed. It achieves this by explicitly setting the DNS servers to 0.0.0.0/32 (which is not the same as 127.0.0.1/32) for IPv4, and to ::/128 for IPv6. Then, we allow the entire IPv4 and IPv6 address spaces to transit the tunnel, except for the two aforementioned device-local IPs.

Congratulations on your leak-free, kill-switched, system-wide, NextDNS DoH3, Mullvad (WireGuard) VPN!

Note: This guide has been cross-posted to r/nextdns and r/mullvad.

5 replies

null
    • Chris.6
    • 1 yr ago
    • Reported - view

    Thanks for sharing.

    I was using Mullvad VPN (Wireguard) with NextDNS for a few months without issues because Mullvad has a custom DNS option, which works with the NextDNS IPv6 endpoints. So, no linking of IP was necessary and it all worked great. But your solution would obviously elevate the DNS to DoH instead of UDP.

    • DN9TP3
    • 1 yr ago
    • Reported - view
      • Pro Subscriber ✅
      • Jorgen_A
      • 1 yr ago
      • Reported - view

      DN9TP3 Thanks for the guide. Works great!! :-)

      Personally I removed everything IPv6-related to make it cleaner since none of my Internet-providers support it and not showing a bunch of irrelevant IPv6 servers when testing ping.nextdns.io.

      I also noticed that it jumps between DoH and DoH3 (mostly showing >90% DoH) as you mentioned in the guide, so let's hope the NextDNS team works hard to make DoH3 the default protocol in the near future. Already using DoQ on my home network and it works great!! :-))

      • DN9TP3
      • 1 yr ago
      • Reported - view

      Jörgen My pleasure, glad to hear it! :-)

    • Pierre_Cartier
    • 1 yr ago
    • Reported - view

    I tried QUIC protocol but it seems it not work. I can't even install the configuration file.

    quic://macOS-NextDNSID.dns.nextdns.io:853

    Does it mean it will work only with DoH?

Content aside

  • 2 Likes
  • 1 yr agoLast active
  • 5Replies
  • 4631Views
  • 4 Following