Hi! I’m on Windows 10 and Windows 11.
I’ve got a Mullvad VPN subscription, a Mullvad client app and the generic WireGuard client.
I’ve also got a corporate VPN client to access private resources only, i.e. this VPN does not channel all my internet traffic. The client is called Pritunl and it uses OpenVPN under the hood.
Separately, these two VPNs work fine. But when I try to use them together, I run into three issues:
1. DNS routing works on Windows 11 but fails on Windows 10. When I connect both clients, DNS requests go through Mullvad/WireGuard and corporate resources are inaccessible.

   I managed to fix this with these two PowerShell commands:

   ```powershell
   Get-NetIPInterface | Sort-Object Interfacemetric
   Set-NetIPInterface -InterfaceIndex <id> -InterfaceMetric <metric>
   ```

   The metric of the corporate VPN must be lower than that of Mullvad/WireGuard.

2. When I connect/disconnect Mullvad/WireGuard, it forces Pritunl to disconnect. Reconnecting it is extremely tedious because it requires typing in a password that it refuses to remember and a dynamic key.

3. When both VPNs are connected, resources inside the corporate VPN are inaccessible. When I run `nslookup corporate.hostname`, I can see that the correct corporate DNS server is picked, but it times out.

   This happens both on Windows 10 and Windows 11.

   The route table seems fine. Windows built-in firewall is fully disabled.
Mullvad support said that their client had strict firewall rules that intentionally blocked other VPNs for security reasons, and those rules could not be disabled or changed. They suggested that I used the generic WireGuard client, but it made no difference.
Please help me resolve problems 2 and 3! 

> They suggested that I used the generic WireGuard client, but it made no difference.

That suggestion isn’t the conclusion, it is the starting point. After switching to the generic WireGuard client, you’ll probably have to edit your WireGuard configurations so that the routes for both the external and internal networks used by your corporate VPN are not routed via the Mullvad tunnel.
> When I connect/disconnect Mullvad/WireGuard, it forces Pritunl to disconnect. Reconnecting it is extremely tedious because it requires typing in a password that it refuses to remember and a dynamic key.

This is probably because the other VPN is tunneled through the VPN, so it gets a connection error when your VPN configuration is killed, which means it has to reconnect.
Use something like WireGuard AllowedIPs Calculator | Pro Custodibus to generate the AllowedIPs for your config by adding your corporate VPN subnet in the Disallowed IPs field in that site and 0.0.0.0/0 in the Allowed IPs.
Oh, you forgot the punchline.
“Well”, says the man, “you don’t know where you are or where you’re going, but you expect me to be able to help. You’re in the same position you were before we met, but now it’s my fault.”
You stated a problem, but gave us no detail about your network, subnets, routing and so on… Not sure what else I can tell you other than it is probably a routing problem, and it needs to be fixed with a routing solution.
I think the easier solution would be to make it reconnect on its own. I don’t think you can stop it from dropping the connection, when it has to change the interface.
Well, I want it to stop changing the interface in the first place!
There must be something that determines the precedence of VPNs…
Ah okay.
Have you tried excluding the Pritunl endpoint IP from the allowed IPs of WireGuard? It’ll probably not be a nice config, since WireGuard doesn’t have an “exclude range” feature, so you’ll have to puzzle the AllowedIP ranges around that.
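
Added example, not part of any post in this thread: a Python sketch of the subtraction that the AllowedIPs calculator and the "puzzle the ranges around it" advice above both describe, removing excluded ranges from 0.0.0.0/0 so the result can be pasted into a WireGuard `AllowedIPs` line. The corporate subnet and Pritunl endpoint address are constructed placeholders, and `allowed_ips` and `covers` are hypothetical helper names.

```python
import ipaddress

def allowed_ips(allowed, disallowed):
    """Return CIDR strings covering `allowed` minus every block in `disallowed`."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    for d in (ipaddress.ip_network(x, strict=False) for x in disallowed):
        remaining = []
        for n in nets:
            if n.version != d.version or not n.overlaps(d):
                remaining.append(n)                     # untouched by this exclusion
            elif n.subnet_of(d):
                continue                                # swallowed whole by the exclusion
            else:
                remaining.extend(n.address_exclude(d))  # punch the hole, keep the rest
        nets = remaining
    out = []
    for version in (4, 6):  # collapse_addresses rejects mixed IP versions
        out += ipaddress.collapse_addresses(n for n in nets if n.version == version)
    return [str(n) for n in out]

def covers(cidrs, address):
    """True if `address` would be routed into the tunnel by this AllowedIPs list."""
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

# Constructed sample values, not taken from the thread:
CORPORATE_SUBNET = "10.20.0.0/16"     # assumed intranet range behind the corporate VPN
PRITUNL_ENDPOINT = "203.0.113.10/32"  # assumed public IP of the corporate VPN server

if __name__ == "__main__":
    result = allowed_ips(["0.0.0.0/0"], [CORPORATE_SUBNET, PRITUNL_ENDPOINT])
    print("AllowedIPs = " + ", ".join(result))
    # Check that only the excluded ranges stay outside the tunnel.
    for probe in ("10.20.5.5", "203.0.113.10", "10.21.0.1", "203.0.113.11", "1.1.1.1"):
        print(f"{probe:>14}  via tunnel: {covers(result, probe)}")
```

Every range left out of the list bypasses the tunnel and is reached from the non-VPN address, so the exclusions should be limited to ranges you trust.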
My corporate VPN suddenly became inaccessible. My ISP and the corporate helpdesk claim there are no issues on their sides and blame each other.
In a wicked twist of fate, I now need the opposite: I need to channel a corporate VPN connection through the Mullvad VPN connection.
It in fact does work, but corporate intranet resources are inaccessible.
It took me two days of hair-pulling to figure out a solution. I have noted it down here for future generations:
Question, would following these steps to exclude IPs from wireguard disclose one’s location?
The excluded IPs will receive connections from your non-VPN IP address. But you only exclude the ones you trust.
Thank you for the swift reply! This is technically a solution then, but one that defeats the purpose of my double VPN setup.
I ended up switching to OpenVPN and while not pretty in terms of download speed, it just ‘works’.