diff --git a/system/vpn.nix b/system/vpn.nix
index 3250356..ea30b10 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -7,4 +7,17 @@
   networking.firewall.checkReversePath = "loose";
 
   services.mullvad-vpn.enable = true;
+
+  # set some options after every daemon start
+  # to avoid accidentally leaving unsafe settings
+  systemd.services."mullvad-daemon".postStart = ''
+    while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
+    ${pkgs.mullvad}/bin/mullvad always-require-vpn set on
+    ${pkgs.mullvad}/bin/mullvad dns set default \
+      --block-ads --block-trackers --block-malware
+    ${pkgs.mullvad}/bin/mullvad lan set allow
+    ${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on
+    ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
+    ${pkgs.mullvad}/bin/mullvad relay set location de dus
+  '';
 }
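Review bot: `mullvad lan set allow` in the postStart script re-applies local network sharing on every daemon start, which is the more permissive of the two values and sits oddly under a comment about not leaving unsafe settings behind. On an untrusted network it keeps LAN hosts reachable outside the tunnel, and it silently undoes a manual `mullvad lan set block`. If LAN access is intended (printers, local services), document it with a comment such as `# LAN access is deliberately allowed; use "block" on untrusted networks`; otherwise set `block` here. Separately, what happens when a later command fails (for example a relay location the CLI rejects) is not visible in this hunk. It is worth confirming that a failure after `always-require-vpn set on` leaves the daemon running in the blocking state rather than failing the unit.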