diff --git a/srcpkgs/mullvadvpn/files/mullvad/run b/srcpkgs/mullvadvpn/files/mullvad/run
new file mode 100644
index 00000000000..49ffecc7735
--- /dev/null
+++ b/srcpkgs/mullvadvpn/files/mullvad/run
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+export MULLVAD_RESOURCE_DIR=/usr/share/mullvad
+export MULLVAD_LOG_DIR=/var/log/mullvad-vpn
+export MULLVAD_SETTINGS_DIR=/etc/mullvad-vpn
+export MULLVAD_CACHE_DIR=/var/cache/mullvad-vpn
+export MULLVAD_RPC_SOCKET_PATH=/run/mullvad-vpn/mullvad
+export MULLVAD_MANAGEMENT_SOCKET_GROUP=_mullvad
+
+# needs cap_dac_override to write /etc/resolv.conf{,.mullvadbackup}
+# and cap_net_raw for sockets
+
+_user=_mullvad
+_caps=-all,+net_admin,+net_bind_service,+net_raw,+dac_override
+
+! [ -d /run/mullvad-vpn ] && install -m 750 -g $_user -o $_user -d /run/mullvad-vpn
+
+exec 2>&1
+exec setpriv --reuid $_user --regid $_user --clear-groups \
+  --ambient-caps $_caps \
+  --inh-caps $_caps \
+  --bounding-set $_caps \
+  --no-new-privs -- /usr/bin/mullvad-daemon -v --disable-stdout-timestamps
diff --git a/srcpkgs/mullvadvpn/template b/srcpkgs/mullvadvpn/template
new file mode 100644
index 00000000000..7fc7dd4d88b
--- /dev/null
+++ b/srcpkgs/mullvadvpn/template
@@ -0,0 +1,63 @@
+# Template file for 'mullvadvpn'
+pkgname=mullvadvpn
+version=2025.8
+revision=1
+_wggover=0.0.20230223-mullvad-0.1.6
+# archs set by upstream
+archs="x86_64* aarch64*"
+build_style=cargo
+build_helper=qemu
+make_build_args="
+ -p mullvad-daemon --bin mullvad-daemon
+ -p mullvad-cli --bin mullvad
+ -p mullvad-setup --bin mullvad-setup
+ -p mullvad-problem-report --bin mullvad-problem-report
+ -p talpid-openvpn-plugin --lib
+ -p mullvad-exclude --bin mullvad-exclude
+ -p mullvad-api --bin relay_list"
+make_check_args="-- --skip version"
+hostmakedepends="pkg-config go git protobuf protobuf-devel"
+makedepends="dbus-devel libnftnl-devel"
+short_desc="Mullvad VPN client app (cli only)"
+maintainer="dkwo <npiazza@disroot.org>"
+license="GPL-3.0-or-later"
+homepage="https://mullvad.net/"
+changelog="https://raw.githubusercontent.com/mullvad/mullvadvpn-app/refs/heads/main/CHANGELOG.md"
+distfiles="https://github.com/mullvad/mullvadvpn-app/archive/refs/tags/${version}-beta1.tar.gz
+ https://github.com/mullvad/wireguard-go/archive/refs/tags/${_wggover}.tar.gz"
+checksum="f2ef1d7d47b988c7b5803a23a29d75b94b943cc85185f0133e05685ec5eff71d
+ fd9fa45155098223a17ea934eaa6eb44ee990cd2a7ab638bce482f62fd8502e8"
+skip_extraction="${_wggover}.tar.gz"
+system_accounts="_mullvad"
+make_dirs="
+ /var/cache/mullvad-vpn 0750 _mullvad _mullvad
+ /var/log/mullvad-vpn 0750 _mullvad _mullvad
+ /etc/mullvad-vpn 0750 _mullvad _mullvad"
+
+post_extract() {
+	vsrcextract -C wireguard-go-rs/libwg/wireguard-go "${_wggover}.tar.gz"
+}
+
+post_build() {
+	vtargetrun target/${RUST_TARGET}/release/relay_list > dist-assets/relays.json
+}
+
+do_install() {
+	for _bin in mullvad-daemon mullvad mullvad-problem-report mullvad-setup mullvad-exclude; do
+		vbin target/${RUST_TARGET}/release/${_bin}
+	done
+
+	vinstall target/${RUST_TARGET}/release/libtalpid_openvpn_plugin.so 644 usr/lib
+	vinstall dist-assets/relays.json 644 usr/share/mullvad
+
+	compdir=$(mktemp -d)
+	for _shell in bash zsh fish; do
+		vtargetrun ${DESTDIR}/usr/bin/mullvad shell-completions ${_shell} ${compdir}
+	done
+
+	vcompletion ${compdir}/mullvad.bash bash mullvad
+	vcompletion ${compdir}/_mullvad zsh mullvad
+	vcompletion ${compdir}/mullvad.fish fish mullvad
+
+	vsv mullvad
+}