diff --git a/srcpkgs/mullvadvpn/files/mullvad/run b/srcpkgs/mullvadvpn/files/mullvad/run
index a7bd8b3cffc..7246e20c905 100644
--- a/srcpkgs/mullvadvpn/files/mullvad/run
+++ b/srcpkgs/mullvadvpn/files/mullvad/run
@@ -8,19 +8,17 @@ export MULLVAD_RPC_SOCKET_PATH=/run/mullvad-vpn/mullvad
 export TALPID_NET_CLS_MOUNT_DIR=/run/mullvad-vpn/cgroup
 export MULLVAD_MANAGEMENT_SOCKET_GROUP=_mullvad
-# it needs write to /etc/resolv.conf{,.mullvadbackup}
-# as well as cap_net_raw for sockets
+# needs cap_dac_override to write /etc/resolv.conf{,.mullvadbackup}
+# and cap_net_raw for sockets
 _user=_mullvad
-# _caps=-all,+net_admin,+net_bind_service
+_caps=-all,+net_admin,+net_bind_service,+net_raw,+dac_override
 ! [ -d /run/mullvad-vpn ] && install -m 750 -g $_user -o $_user -d /run/mullvad-vpn
 exec 2>&1
-#exec setpriv --reuid $_user --regid $_user --clear-groups \
-# --ambient-caps $_caps \
-# --inh-caps $_caps \
-# --bounding-set $_caps \
-# --no-new-privs -- /usr/bin/mullvad-daemon -v --disable-stdout-timestamps
-
-exec /usr/bin/mullvad-daemon -v --disable-stdout-timestamps
+exec setpriv --reuid $_user --regid $_user --clear-groups \
+ --ambient-caps $_caps \
+ --inh-caps $_caps \
+ --bounding-set $_caps \
+ --no-new-privs -- /usr/bin/mullvad-daemon -v --disable-stdout-timestamps
diff --git a/srcpkgs/mullvadvpn/patches/5b62921a73d54fbc43908bce220601a6438993d7.patch b/srcpkgs/mullvadvpn/patches/5b62921a73d54fbc43908bce220601a6438993d7.patch
new file mode 100644
index 00000000000..3e99dc679c5
--- /dev/null
+++ b/srcpkgs/mullvadvpn/patches/5b62921a73d54fbc43908bce220601a6438993d7.patch
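Review bot: `+dac_override` in `_caps` grants far more than write access to `/etc/resolv.conf{,.mullvadbackup}`: CAP_DAC_OVERRIDE skips file permission checks on every path, and because it is placed in the ambient, inheritable and bounding sets the daemon keeps it after the switch to `_mullvad`, as would any program it executes. The comment above `_user` should say so, for example `# cap_dac_override bypasses permission checks on all files, not only resolv.conf; the uid change alone does not confine the daemon`, so the privilege drop is not read as a filesystem restriction. Separately, `$_user` and `$_caps` are expanded unquoted in the `install` and `setpriv` lines; `"$_user"` and `"$_caps"` would be the safer form.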
@@ -0,0 +1,65 @@
+From 5b62921a73d54fbc43908bce220601a6438993d7 Mon Sep 17 00:00:00 2001
+From: Markus Pettersson
+Date: Mon, 30 Jun 2025 22:23:26 +0200
+Subject: [PATCH] Fix type error for musl targets
+
+---
+ talpid-net/src/unix.rs | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/talpid-net/src/unix.rs b/talpid-net/src/unix.rs
+index 48d65c45f076..a6e11b196825 100644
+--- a/talpid-net/src/unix.rs
++++ b/talpid-net/src/unix.rs
+@@ -1,5 +1,7 @@
+ #![cfg(any(target_os = "linux", target_os = "macos"))]
+
++#[cfg(target_os = "linux")]
++use std::ffi::c_ulong;
+ use std::{ffi::c_uint, io, os::fd::AsRawFd};
+
+ use nix::{errno::Errno, net::if_::if_nametoindex};
+@@ -26,9 +28,9 @@ const SIOCSIFMTU: u64 = 0x80206934;
+ #[cfg(target_os = "macos")]
+ const SIOCGIFMTU: u64 = 0xc0206933;
+ #[cfg(target_os = "linux")]
+-const SIOCSIFMTU: u64 = libc::SIOCSIFMTU;
++const SIOCSIFMTU: c_ulong = libc::SIOCSIFMTU;
+ #[cfg(target_os = "linux")]
+-const SIOCGIFMTU: u64 = libc::SIOCSIFMTU;
++const SIOCGIFMTU: c_ulong = libc::SIOCSIFMTU;
+
+ pub fn set_mtu(interface_name: &str, mtu: u16) -> Result<(), io::Error> {
+ let sock = socket2::Socket::new(
+@@ -56,8 +58,14 @@ pub fn set_mtu(interface_name: &str, mtu: u16) -> Result<(), io::Error> {
+ };
+ ifr.ifr_ifru.ifru_mtu = mtu as i32;
+
++ // For some reason, libc crate defines ioctl to take a c_int (which is defined as i32), but the c_ulong type is defined as u64:
++ // https://docs.rs/libc/latest/x86_64-unknown-linux-musl/libc/fn.ioctl.html
++ // https://docs.rs/libc/latest/x86_64-unknown-linux-musl/libc/type.c_ulong.html
++ // https://docs.rs/libc/latest/x86_64-unknown-linux-musl/libc/constant.SIOCSIFMTU.html
++ #[allow(clippy::useless_conversion)]
++ let request = SIOCSIFMTU.try_into().unwrap();
+ // SAFETY: SIOCSIFMTU expects an ifreq with an MTU and interface set
+- if unsafe { libc::ioctl(sock.as_raw_fd(), SIOCSIFMTU, &ifr) } < 0 {
++ if unsafe { libc::ioctl(sock.as_raw_fd(), request, &ifr) } < 0 {
+ let e = std::io::Error::last_os_error();
+ log::error!("{}", e.display_chain_with_msg("SIOCSIFMTU failed"));
+ return Err(e);
+@@ -90,8 +98,14 @@ pub fn get_mtu(interface_name: &str) -> Result {
+ )
+ };
+
++ // For some reason, libc crate defines ioctl to take a c_int (which is defined as i32), but the c_ulong type is defined as u64:
++ // https://docs.rs/libc/latest/x86_64-unknown-linux-musl/libc/fn.ioctl.html
++ // https://docs.rs/libc/latest/x86_64-unknown-linux-musl/libc/type.c_ulong.html
++ // https://docs.rs/libc/latest/x86_64-unknown-linux-musl/libc/constant.SIOCGIFMTU.html
++ #[allow(clippy::useless_conversion)]
++ let request = SIOCGIFMTU.try_into().unwrap();
+ // SAFETY: SIOCGIFMTU expects an ifreq with an interface set
+- if unsafe { libc::ioctl(sock.as_raw_fd(), SIOCGIFMTU, &ifr) } < 0 {
++ if unsafe { libc::ioctl(sock.as_raw_fd(), request, &ifr) } < 0 {
+ let e = std::io::Error::last_os_error();
+ log::error!("{}", e.display_chain_with_msg("SIOCGIFMTU failed"));
+ return Err(e);
diff --git a/srcpkgs/mullvadvpn/patches/ecd6066dabb3ff321bedc2b025ad76bb99622836.patch b/srcpkgs/mullvadvpn/patches/ecd6066dabb3ff321bedc2b025ad76bb99622836.patch
new file mode 100644
index 00000000000..be44f4d82ed
--- /dev/null
+++ b/srcpkgs/mullvadvpn/patches/ecd6066dabb3ff321bedc2b025ad76bb99622836.patch
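Review bot: The Linux `SIOCGIFMTU` constant in the `@@ -26,9 +28,9 @@` hunk of the carried patch is still assigned `libc::SIOCSIFMTU` after the type change, so on Linux `get_mtu` passes the set-MTU request number to `ioctl` instead of the get one. The line should read `const SIOCGIFMTU: c_ulong = libc::SIOCGIFMTU;`, which is also the constant the new comment in `get_mtu` links to. Because this file is a copy of an upstream commit, the correction probably belongs upstream or in a follow-up patch in this package. The two `try_into().unwrap()` calls would state their invariant better as `.expect("ioctl request number fits the libc request type")`; `set_mtu` and `get_mtu` both begin and end outside the hunks shown.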
@@ -0,0 +1,63 @@
+From ecd6066dabb3ff321bedc2b025ad76bb99622836 Mon Sep 17 00:00:00 2001
+From: Markus Pettersson
+Date: Fri, 4 Jul 2025 21:12:51 +0200
+Subject: [PATCH] Add musl as a target ABI for wireguard-go-rs
+
+Do not assume target ABI to be glibc. The current solution is not
+directly extensible by the user, but it easily could be if we really
+wanted to. At least we don't break cross-compilation to musl targets
+though.
+---
+ wireguard-go-rs/build.rs | 25 ++++++++++++++++++++++---
+ 1 file changed, 22 insertions(+), 3 deletions(-)
+
+diff --git a/wireguard-go-rs/build.rs b/wireguard-go-rs/build.rs
+index a544e4e161e1..8978bef7b5b3 100644
+--- a/wireguard-go-rs/build.rs
++++ b/wireguard-go-rs/build.rs
+@@ -53,6 +53,14 @@ enum AndroidTarget {
+ I686, // "i686"
+ }
+
++#[derive(PartialEq, Eq, Clone, Copy)]
++enum Libc {
++ /// glibc
++ Gnu,
++ /// musl libc
++ Musl,
++}
++
+ impl AndroidTarget {
+ fn from_str(input: &str) -> anyhow::Result {
+ use AndroidTarget::*;
+@@ -113,6 +121,16 @@ fn target_arch() -> anyhow::Result {
+ }
+ }
+
++// https://doc.rust-lang.org/reference/conditional-compilation.html#target_env
++fn target_libc() -> anyhow::Result {
++ let target_arch = env::var("CARGO_CFG_TARGET_ENV").context("Missing 'CARGO_CFG_TARGET_ENV")?;
++ match target_arch.as_str() {
++ "gnu" => Ok(Libc::Gnu),
++ "musl" => Ok(Libc::Musl),
++ _ => bail!("Unsupported target ABI/libc: {target_arch}"),
++ }
++}
++
+ /// Compile libwg and maybenot and place them in the target dir relative to `OUT_DIR`.
+ fn build_windows_dynamic_lib(out_dir: &str) -> anyhow::Result<()> {
+ let target_dir = Path::new(out_dir)
+@@ -179,9 +197,10 @@ fn build_linux_static_lib(out_dir: &str) -> anyhow::Result<()> {
+ };
+
+ if is_cross_compiling()? {
+- match target_arch {
+- Arch::Arm64 => go_build.env("CC", "aarch64-linux-gnu-gcc"),
+- Arch::Amd64 => bail!("cross-compiling to linux x86_64 is not implemented"),
++ match (target_arch, target_libc()?) {
++ (Arch::Arm64, Libc::Gnu) => go_build.env("CC", "aarch64-linux-gnu-gcc"),
++ (Arch::Arm64, Libc::Musl) => go_build.env("CC", "aarch64-linux-musl-gcc"),
++ (Arch::Amd64, _) => bail!("cross-compiling to linux x86_64 is not implemented"),
+ };
+ }
+
diff --git a/srcpkgs/mullvadvpn/template b/srcpkgs/mullvadvpn/template
index 253dc1a34fd..a995b04bbd6 100644
--- a/srcpkgs/mullvadvpn/template
+++ b/srcpkgs/mullvadvpn/template
@@ -22,23 +22,17 @@ short_desc="Mullvad VPN client app (cli only)"
 maintainer="dkwo "
 license="GPL-3.0-or-later"
 homepage="https://mullvad.net/"
+changelog="https://raw.githubusercontent.com/mullvad/mullvadvpn-app/refs/heads/main/CHANGELOG.md"
 distfiles="https://github.com/mullvad/mullvadvpn-app/archive/refs/tags/${version}.tar.gz
 https://github.com/mullvad/wireguard-go/archive/refs/tags/${_wggover}.tar.gz"
 checksum="0231665feed54636fe088c18fdff08d2381cbbcb8f6c0ea97990b3b9d9438500
 fd9fa45155098223a17ea934eaa6eb44ee990cd2a7ab638bce482f62fd8502e8"
 skip_extraction="${_wggover}.tar.gz"
 system_accounts="_mullvad"
-# make_dirs="
-# /var/cache/mullvad-vpn 0750 _mullvad _mullvad
-# /var/log/mullvad-vpn 0750 _mullvad _mullvad
-# /etc/mullvad-vpn 0750 _mullvad _mullvad"
-
-case "${XBPS_TARGET_MACHINE}" in
- *musl)
- broken="https://github.com/mullvad/mullvadvpn-app/issues/8390"
- ;;
-esac
-# cross to musl fails since wireguard-go-rs exports CC="aarch64-linux-gnu-gcc"
+make_dirs="
+ /var/cache/mullvad-vpn 0750 _mullvad _mullvad
+ /var/log/mullvad-vpn 0750 _mullvad _mullvad
+ /etc/mullvad-vpn 0750 _mullvad _mullvad"
 post_extract() {
 vsrcextract -C wireguard-go-rs/libwg/wireguard-go "${_wggover}.tar.gz"
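Review bot: In `target_libc()` the value of `CARGO_CFG_TARGET_ENV` is bound to a local named `target_arch`, the same name as the neighbouring function, although the error it feeds reports an ABI/libc; `target_env` would match what is read. The context string `"Missing 'CARGO_CFG_TARGET_ENV"` has an unclosed quote and should be `"Missing 'CARGO_CFG_TARGET_ENV'"`. The rewritten `match` still sets `CC` to a fixed compiler name, now also `aarch64-linux-musl-gcc`, so a `CC` chosen by the build environment appears to be replaced on this path; it is worth confirming that the package's cross toolchain provides exactly that name.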
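Review bot: The enabled `make_dirs` entries hand the three directories to `_mullvad`, but files that earlier versions wrote there while the daemon still ran as root keep their old owner on upgrade, assuming `make_dirs` adjusts only the directories themselves. The unprivileged daemon would then reach those files only through `cap_dac_override`, which makes that capability hard to remove later. A comment above `make_dirs` such as `# dirs are owned by _mullvad; files created by earlier root-run versions keep their old owner` would make the transition explicit, and a one-time ownership fix on upgrade would be cleaner still.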
@@ -55,13 +49,12 @@ do_install() { vinstall target/${RUST_TARGET}/release/libtalpid_openvpn_plugin.so 644 usr/lib vinstall dist-assets/relays.json 644 usr/share/mullvad -} -post_install() { compdir=$(mktemp -d) - for shell in bash zsh fish; do - vtargetrun ${DESTDIR}/usr/bin/mullvad shell-completions ${shell} ${compdir} + for _shell in bash zsh fish; do + vtargetrun ${DESTDIR}/usr/bin/mullvad shell-completions ${_shell} ${compdir} done + vcompletion ${compdir}/mullvad.bash bash mullvad vcompletion ${compdir}/_mullvad zsh mullvad vcompletion ${compdir}/mullvad.fish fish mullvad