diff --git a/install.sh b/install.sh
index 17422e7..025dcef 100644
--- a/install.sh
+++ b/install.sh
@@ -607,12 +607,12 @@ EOF
 # Enable and (optionally) start killswitch
 systemctl daemon-reload
- systemctl enable vpn-killswitch.service || true
 if [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
+ systemctl enable vpn-killswitch.service || true
 systemctl start vpn-killswitch.service || true
 log "Killswitch installed and activated"
 else
- log "Killswitch installed but not started (per user choice)"
+ log "Killswitch installed but not enabled/started (per user choice)"
 fi
 }
@@ -851,16 +851,20 @@ EOFMON
 # Reload and start services
 systemctl daemon-reload
- # Enable services conditionally (killswitch may be skipped earlier)
+ # Enable services conditionally (respect user choice for killswitch)
 if [ -f /etc/systemd/system/vpn-killswitch.service ]; then
- systemctl enable vpn-killswitch || true
+ if [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
+ systemctl enable vpn-killswitch || true
+ else
+ warning "Killswitch present but not enabled (per user choice)"
+ fi
 else
- warning "Killswitch service not installed or was skipped; skipping enable"
+ warning "Killswitch service not installed; skipping enable"
 fi
 systemctl enable vpn-webui vpn-security-monitor || true
- # Start services conditionally
- if [ -f /etc/systemd/system/vpn-killswitch.service ]; then
+ # Start services conditionally (respect user choice for killswitch)
+ if [ -f /etc/systemd/system/vpn-killswitch.service ] && [ "$SHOULD_START_KILLSWITCH" = "yes" ]; then
 systemctl start vpn-killswitch || true
 fi
 systemctl start vpn-webui vpn-security-monitor || true
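Review bot: With `systemctl enable` moved inside the `yes` branch, the `else` branch no longer touches the unit, so on a re-run where an earlier install already enabled it the user's "no" leaves `vpn-killswitch.service` enabled and it still starts at boot, contradicting the new log message. Consider `systemctl disable vpn-killswitch.service || true` in that `else` branch, and the same in the second hunk's `warning "Killswitch present but not enabled (per user choice)"` branch, so the reported state matches the unit state. Separately, `log "Killswitch installed and activated"` is reached even when the preceding `systemctl start ... || true` failed, so the log can claim activation that did not happen; check the start status before logging it. The enclosing function begins before this hunk.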
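Review bot: The new `[ "$SHOULD_START_KILLSWITCH" = "yes" ]` guards, in both the enable and start branches, treat an unset or empty variable exactly like an explicit "no", so if the prompt that sets it is ever skipped (a non-interactive run, or an early return in the function that asks) the killswitch is silently left disabled and not started, which is the fail-open direction for this control. Where the variable is assigned is outside this hunk, so I cannot tell whether that path exists; if it can, pin the default before these checks, e.g. `: "${SHOULD_START_KILLSWITCH:=yes}"`, or fail loudly with `: "${SHOULD_START_KILLSWITCH:?not set}"`. The enclosing function also starts before this hunk.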
@@ -893,6 +897,78 @@ EOF
 log "Nginx configured"
 }
+# Auto-connect to Mullvad (Albania) without prompts
+auto_connect_mullvad_albania() {
+ if [ "$VPN_PROVIDER" != "mullvad" ]; then
+ return
+ fi
+
+ log "Auto-connecting to Mullvad (Albania)..."
+
+ # Fetch Mullvad relays and pick first active WireGuard in Albania
+ local api="https://api.mullvad.net/www/relays/all/"
+ local endpoint_ip
+ endpoint_ip=$(curl -fsSL "$api" | jq -r '.[] | select(.type=="wireguard" and .active==true and .country_name=="Albania") | .ipv4_addr_in' | head -n1)
+ if [ -z "$endpoint_ip" ] || [ "$endpoint_ip" = "null" ]; then
+ warning "No Albania Mullvad server found; skipping auto-connect"
+ return
+ fi
+
+ # Ensure WireGuard key exists
+ if [ ! -f /etc/wireguard/mullvad_private.key ]; then
+ wg genkey | tee /etc/wireguard/mullvad_private.key | wg pubkey > /etc/wireguard/mullvad_public.key
+ chmod 600 /etc/wireguard/mullvad_private.key
+ fi
+
+ local private_key
+ private_key=$(cat /etc/wireguard/mullvad_private.key)
+
+ # Same public key used by backend placeholder
+ local mullvad_pubkey="g+9JNZp3SvLPvBb+PzXHyOPHhqNiUdATrz1YdNEPvWo="
+
+ cat > /etc/wireguard/wg0.conf << EOFWG
+# Mullvad WireGuard Configuration (Auto)
+# Country: Albania
+
+[Interface]
+PrivateKey = $private_key
+Address = 10.64.0.2/32,fc00:bbbb:bbbb:bb01::2/128
+DNS = 100.64.0.1
+
+# Killswitch rules
+PreUp = iptables -F OUTPUT
+PreUp = iptables -F FORWARD
+PostUp = iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+PostUp = iptables -I FORWARD -i __LAN_IF__ -o %i -j ACCEPT
+PostUp = iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
+PreDown = iptables -D OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
+PostDown = iptables -t nat -D POSTROUTING -o %i -j MASQUERADE
+
+[Peer]
+PublicKey = $mullvad_pubkey
+AllowedIPs = 0.0.0.0/0,::/0
+Endpoint = $endpoint_ip:51820
+PersistentKeepalive = 25
+EOFWG
+
+ chmod 600 /etc/wireguard/wg0.conf
+
+ # Allow reaching the endpoint through the killswitch
+ iptables -I OUTPUT 1 -p udp --dport 51820 -d "$endpoint_ip" -j ACCEPT || true
+
+ # Replace placeholder with actual LAN interface
+ sed -i "s|__LAN_IF__|$LAN_INTERFACE|g" /etc/wireguard/wg0.conf
+
+ # Connect
+ wg-quick down wg0 >/dev/null 2>&1 || true
+ if wg-quick up wg0 >/dev/null 2>&1; then
+ log "Connected to Mullvad (Albania)"
+ systemctl enable wg-quick@wg0 >/dev/null 2>&1 || true
+ else
+ warning "Failed to bring up wg0; you can connect later via WebUI or manually"
+ fi
+}
+
 # Final setup
 finalize_installation() {
 log "Finalizing installation..."
@@ -998,6 +1074,7 @@ main() {
 install_webui
 setup_services
 setup_nginx
+ auto_connect_mullvad_albania
 finalize_installation
 show_summary
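Review bot: The heredoc delimiter `<< EOFWG` is unquoted, so `$(wg show %i fwmark)` in the `PostUp` and `PreDown` lines is evaluated while install.sh runs (against a literal interface named `%i`), and wg0.conf is written with an empty `--mark` argument that makes `wg-quick up` fail at PostUp; escape both occurrences as `\$(wg show %i fwmark)` so wg-quick performs the substitution. The `PreUp = iptables -F OUTPUT` / `-F FORWARD` lines also flush whatever the vpn-killswitch service installed, including the `ACCEPT` rule inserted a few lines above, while `PreDown` removes only the OUTPUT rule, so after `wg-quick down` the host is left with no egress filter and a stale FORWARD `ACCEPT`; delete only the rules this config adds rather than flushing chains. `endpoint_ip` is taken straight from a remote JSON response and written into the config and an iptables argument, so reject it unless it is an IPv4 literal, e.g. `[[ "$endpoint_ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || return`. The peer is given a fixed `mullvad_pubkey` and `Address` regardless of which relay was selected; as far as I can tell a handshake needs the chosen relay's own public key, which the same relay list carries, and an address assigned to the account's registered device key, so with a freshly generated key this presumably never connects and the failure is hidden by the `>/dev/null 2>&1` on `wg-quick up`. Finally, `wg genkey | tee ...` and `cat > /etc/wireguard/wg0.conf` create the key and config files under the default umask before the `chmod 600`, so wrap them in `umask 077` to avoid the brief world-readable window.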