diff --git a/mullvad/configure.sls b/mullvad/configure.sls
new file mode 100644
index 0000000..195ede1
--- /dev/null
+++ b/mullvad/configure.sls
@@ -0,0 +1,37 @@
+/rw/config/rc.local:
+ file.append:
+ - text: wg-quick up /rw/config/wireguard.conf
+
+/rw/config/qubes-firewall-user-script:
+ file.append:
+ - text:
+ - nft insert rule filter FORWARD tcp flags syn tcp option maxseg size set rt mtu
+ - nft insert rule filter FORWARD oifname eth0 drop
+ - nft insert rule filter FORWARD iifname eth0 drop
+
+/rw/config/network-hooks.d/flush.sh:
+ file.managed:
+ - source:
+ - salt://mullvad/flush.sh
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: 755
+
+/rw/config/network-hooks.d/flush:
+ file.managed:
+ - source:
+ - salt://mullvad/flush
+ - user: root
+ - group: root
+ - makedirs: True
+ - mode: 755
+
+/home/user/install.sh:
+ file.managed:
+ - source:
+ - salt://mullvad/install.sh
+ - user: root
+ - mode: '0755'
+ - replace: True
+
diff --git a/mullvad/flush b/mullvad/flush
new file mode 100644
index 0000000..21ebba2
--- /dev/null
+++ b/mullvad/flush
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+define vpndns1 = 10.64.0.1
+flush chain nat PR-QBS
+insert rule nat PR-QBS tcp dport 53 dnat to $vpndns1
+insert rule nat PR-QBS udp dport 53 dnat to $vpndns1
diff --git a/mullvad/flush.sh b/mullvad/flush.sh
new file mode 100644
index 0000000..d6de5e8
--- /dev/null
+++ b/mullvad/flush.sh
@@ -0,0 +1,2 @@
+#!/bin/sh
+nft -f /rw/config/network-hooks.d/flush
diff --git a/mullvad/install.sls b/mullvad/install.sls
new file mode 100644
index 0000000..d9498b2
--- /dev/null
+++ b/mullvad/install.sls
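Review bot: The two `drop` rules appended to `/rw/config/qubes-firewall-user-script` name no address family, and `nft` then defaults to `ip`, so the kill switch covers forwarded IPv4 only; the `nat PR-QBS` rules in `mullvad/flush` have the same scope. If IPv6 is enabled for qubes behind this gateway, add the matching pair, e.g. `- nft insert rule ip6 filter FORWARD oifname eth0 drop` and its `iifname` counterpart (this assumes an `ip6 filter` table with a `FORWARD` chain exists in the template, which should be confirmed). Separately, `/rw/config/network-hooks.d/flush` is an nft ruleset that `flush.sh` loads, so it does not need to be executable; `- mode: '0644'` keeps a hook runner that executes every executable in that directory from also running it directly, and quoting the remaining `mode: 755` values would match the `'0755'` already used for install.sh.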
@@ -0,0 +1,37 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+#
+#
+#
+
+{% if grains['nodename'] != 'dom0' %}
+{% if salt['qvm.exists']('cacher') %}
+
+/etc/apt/sources.list:
+ file.replace:
+ - names:
+ - /etc/apt/sources.list
+ - /etc/apt/sources.list.d/qubes-r4.list
+ - pattern: 'https:'
+ - repl: 'http://HTTPS/'
+ - flags: [ 'IGNORECASE', 'MULTILINE' ]
+{% endif %}
+
+mullvad:
+ pkg.uptodate:
+ - refresh: True
+
+installed:
+ pkg.installed:
+ - pkgs:
+ - qubes-core-agent-networking
+ - qubes-core-agent-passwordless-root
+ - iproute2
+ - libnotify-bin
+ - mate-notification-daemon
+ - resolvconf
+ - unzip
+ - wireguard
+ - wireguard-tools
+ - zenity
+
+{% endif %}
diff --git a/mullvad/install.top b/mullvad/install.top
new file mode 100644
index 0000000..86b3aff
--- /dev/null
+++ b/mullvad/install.top
@@ -0,0 +1,5 @@
+# vim: set syntax=yaml ts=2 sw=2 sts=2 et :
+
+base:
+ '*':
+ - mullvad.install
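Review bot: `qubes-core-agent-passwordless-root` in the `pkgs` list lets every process in the gateway qube become root without authentication, which includes changing the nft kill-switch rules and reading the WireGuard key in `/rw/config/wireguard.conf`; `rc.local` and the firewall user script already run as root, so the states shown here do not appear to need it. Consider dropping that entry, or add a comment naming the step (presumably `install.sh`) that depends on it. The `file.replace` block would also benefit from a comment such as `# route apt through apt-cacher-ng; package integrity then rests on apt signature checks, not TLS to the mirror`, since it rewrites every `https:` occurrence in both files whenever a qube named `cacher` exists.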