diff --git a/secrets/mullvad.age b/secrets/mullvad.age
new file mode 100644
index 0000000..f708b62
--- /dev/null
+++ b/secrets/mullvad.age
@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA UZtvPNQ0lEoJrvn0I9jtTqtK04YJijd0KHbFJN/RQ2o
+Uy7I/8efCDFDiQi6BanjCVV7lbKVkY+kjYoq1O44o3k
+-> ssh-ed25519 lJaKnA skWMUNL4GGcMzgFIq3jocTEILh1AyKgFDng0MIY2ZzU
+7J/i94LAZv177Jw73nm3Xm7OZUFqUvHkRO2TvLkVcVw
+-> ssh-ed25519 72ij7w p5ly/JaKY1Z5Lw+UjQAQDvMBa4lHkk1Osy9r6+eSmS8
+G5g/EHvEM5gLNfMZkrB8hVf6yy/aGv4NePaNE+6kC+s
+-> b=`0o-grease R_rtaq7e {$@
+Ls+2eHvMRvNGBE0Tq8C4yonu71ZS7046O7S3haU6KB3GhrvBsI8JzGSE9kEf1LHs
+O+uwx20bGLKzd+rUFhszbk2oxH1zioyAy/JxYueIuN9v4DkNEb7eXI/gujxZLqJN
+oX8A
+--- 7WzUR59dqccce/oIN5yTEa63r6SjoHKFoJKbh1s3MVw
+£â"S6ûr(êÐgÚ”a6D}æ±DÂêðˆ5˜Ž´¨Ï-rþBT›¸P%. 3˾>³
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4b37642..1c34c5a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -11,6 +11,7 @@ let
     "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILO+OLPr8zdOMYyKtm98AFJai7zbaxw7JhVWgOwu7K3C";
   systems = [ home-pc home-server ];
 in {
+  "mullvad.age".publicKeys = [ felschr home-pc home-server ];
   "restic/b2.age".publicKeys = [ felschr home-pc home-server ];
   "restic/password.age".publicKeys = [ felschr home-pc home-server ];
   "smtp.age".publicKeys = [ felschr home-pc home-server ];
diff --git a/system/vpn.nix b/system/vpn.nix
index 049292f..65d536c 100644
--- a/system/vpn.nix
+++ b/system/vpn.nix
@@ -1,20 +1,33 @@
 { config, pkgs, ... }: {
+  age.secrets.mullvad.file = ../secrets/mullvad.age;
+  networking.wireguard.enable = true;
   services.mullvad-vpn.enable = true;
   # set some options after every daemon start
   # to avoid accidentally leaving unsafe settings
-  systemd.services."mullvad-daemon".postStart = ''
-    while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
-    ${pkgs.mullvad}/bin/mullvad always-require-vpn set on
-    ${pkgs.mullvad}/bin/mullvad dns set default \
-      --block-ads --block-trackers --block-malware
-    ${pkgs.mullvad}/bin/mullvad lan set allow
-    ${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on
-    ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
-    ${pkgs.mullvad}/bin/mullvad relay set location de dus
-  '';
+  systemd.services."mullvad-daemon" = {
+    serviceConfig.LoadCredential =
+      [ "account:${config.age.secrets.mullvad.path}" ];
+    postStart = ''
+      while ! ${pkgs.mullvad}/bin/mullvad status >/dev/null; do sleep 1; done
+
+      account="$(<"$CREDENTIALS_DIRECTORY/account")"
+      current_account="$(${pkgs.mullvad}/bin/mullvad account get | grep "account:" | sed 's/.* //')"
+      if [[ "$current_account" != "$account" ]]; then
+        ${pkgs.mullvad}/bin/mullvad account login "$account"
+      fi
+
+      ${pkgs.mullvad}/bin/mullvad always-require-vpn set on
+      ${pkgs.mullvad}/bin/mullvad dns set default \
+        --block-ads --block-trackers --block-malware
+      ${pkgs.mullvad}/bin/mullvad lan set allow
+      ${pkgs.mullvad}/bin/mullvad tunnel ipv6 set on
+      ${pkgs.mullvad}/bin/mullvad relay set tunnel-protocol wireguard
+      ${pkgs.mullvad}/bin/mullvad relay set location de dus
+    '';
+  };
 }
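Review bot: `${pkgs.mullvad}/bin/mullvad account login "$account"` puts the account number on the command line, so for the duration of that call it is readable by any local user through the process table (`/proc/PID/cmdline`, `ps`), which partly undoes the care taken with `LoadCredential` and `$CREDENTIALS_DIRECTORY`; if the CLI can read the number from stdin, feed it `< "$CREDENTIALS_DIRECTORY/account"` instead, otherwise record the accepted exposure in a comment next to that line. The `grep "account:" | sed 's/.* //'` extraction depends on the exact output format of `mullvad account get`; whenever that text differs from the stored secret (e.g. the secret is stored with spaces or a different casing of the label), the comparison fails on every start and the login is repeated each boot, which presumably registers a fresh device each time — worth a comment such as `# the secret must hold the bare account number exactly as "mullvad account get" prints it, or login runs on every start`. The script also relies on `grep` and `sed` being on the unit's PATH, which holds for the NixOS default service path but is an implicit dependency worth a note at the top of `postStart`.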