Mullvad

Mullvad is a commercial VPN service based in Sweden. The name "Mullvad" is the word for "mole" in the Swedish language. Mullvad operates using the WireGuard and OpenVPN protocols. It also supports Shadowsocks as a bridge protocol for censorship circumvention. Mullvad's VPN client software is publicly available under the GPLv3, a free and open-source software license.

History

Mullvad was launched in March 2009 by Amagicom AB, and it had begun by supporting connections via the OpenVPN protocol in 2009. Mullvad was an early adopter and supporter of the WireGuard protocol, announcing the availability of the new VPN protocol in March 2017 and making a "generous donation" supporting WireGuard development between July and December 2017.

In September 2018, the cybersecurity firm Cure53 performed a penetration test on Mullvad's macOS, Windows, and Linux applications. Seven issues were found which were addressed by Mullvad. Cure53 tested only the applications and supporting functions. No assessment was made on the Mullvad server-side and back end.

In October 2019, Mullvad partnered with Mozilla to utilize Mullvad's WireGuard servers for Mozilla VPN.

In April 2020, Mullvad partnered with Malwarebytes and provided WireGuard servers for their VPN service, Malwarebytes Privacy.

In May 2022, Mullvad started officially accepting Monero.

On 18 April 2023, Mullvad's head office in Gothenburg was visited by officers from the National Operations Department of the Swedish Police Authority who had a search warrant to seize computers being used by Mullvad containing customer data. Mullvad demonstrated that in accordance with their policies, no such data existed on their systems. After consulting with the prosecutor, the officers left without seizing any equipment or obtaining customer information. Mullvad had released a public statement in relation to this information in a blog post on their website two days later, also mentioning that it was their first time that their offices had been searched by authorities. In a letter sent to Mullvad nine days after the search, the Swedish Police Authority stated that they had conducted the search at the request of Germany for an ongoing investigation. The investigation involved a blackmail attack that targeted several institutions in the state of Mecklenburg-Western Pomerania which revealed IP addresses that were traced back to Mullvad's VPN service.

On 29 May 2023, Mullvad announced that they would be removing support for port forwarding, effective on 1 July 2023. This was done due to the use of port forwarding for illegal activities, with this causing interference by law enforcement, Mullvad IP addresses getting blacklisted, and hosting providers canceling their services.

Service

A TechRadar review noted in 2019 that "Mullvad's core service is powerful, up-to-date, and absolutely stuffed with high-end technologies". Complementing its use of the open-source OpenVPN and WireGuard protocols, Mullvad includes "industrial strength" encryption (employing AES-256 GCM methodology), 4096-bit RSA certificates with SHA-512 for server authentication, perfect forward secrecy, multiple layers of DNS leak protection, IPv6 leak-protection, and multiple "stealth options" to help bypass government or corporate VPN blocking.

Mullvad provides VPN client applications for computers running the Windows, macOS and Linux operating systems. , native iOS and Android Mullvad VPN clients using the WireGuard protocol are available. iOS and Android mobile operating system users can also configure and use built-in VPN clients or the OpenVPN or WireGuard apps to access Mullvad's service.

Privacy

Providing personal information used to identify users such as email addresses and phone numbers is not required during Mullvad's registration process. Instead, a unique 16-digit account number is anonymously generated for each newly registered user, and this account number is used to log in to the Mullvad on other devices.

For anonymity purposes, Mullvad accepts the anonymous payment methods of cash and Monero. Payment for the service can also be made via bank wire-transfer, credit card, Bitcoin, Bitcoin Cash, PayPal, Swish, EPS Transfer, Bancontact, iDEAL, Przelewy24, and vouchers sold by multiple resellers. Payments made via cryptocurrency have a 10% discount. In June 2022, the service announced that it will no longer offer new recurring subscriptions, as this further reduces the amount of personal information that will have to be stored.

Mullvad does not log VPN users' IP addresses, the VPN IP address used, browsing-activity, bandwidth, connections, session duration, timestamps, and DNS-requests.

Mullvad has many privacy-focused features built into their VPN. Instances include multi-hop, which routes all traffic through an additional Mullvad server before it arrives at its destination, the ability to add a quantum-resistant key exchange to the encryption process, making all data encrypted resistant to quantum computer related attacks, and Defense against AI-guided Traffic Analysis (DAITA), which ensures all packets are the same size and also inserts random network traffic (significantly increasing bandwidth usage), though this is only enabled on select servers.

Mullvad has been actively campaigning against the EU's Regulation to Prevent and Combat Child Sexual Abuse (a.k.a. Chat Control), which would require service providers to scan all users' online communications, even encrypted services, arguing that it would make all methods of online communication viewable and thus not private and not anonymous.

Reception

While Mullvad has been noted for "taking a strong approach to privacy and maintaining good connection speeds", the VPN client setup and interface has been noted as being more onerous and technical than most other VPN providers especially on some client platforms. However, a follow-up review by the same source in October 2018 notes, "Mullvad has a much improved, modern Windows client (and one for Mac, too)". A PC World review, also from October 2018, concludes, "With its commitment to privacy, anonymity (as close as you can realistically get online), and performance Mullvad remains our top recommendation for a VPN service".

In November 2018, TechRadar noted Mullvad VPN as one of five VPN providers to answer a set of questions for trustworthiness verification posed by the Center for Democracy and Technology. In March 2019, a ''TechRadar'' review noted slightly substandard speeds. However, a ''TechRadar'' review later that year, published on 11 June 2019, stated that Mullvad VPN "speeds are excellent". This is also supported by a 2024 CNET review that demonstrated 13.5% speed loss in March 2024 tests. While the latter review notes a shortcoming for mobile users in that Mullvad had not provided mobile VPN client apps, Mullvad apps for both Android and iOS are now available.

The non-profit Freedom of the Press Foundation, in their "Choosing a VPN" guide, lists Mullvad amongst the five VPNs that meet their recommended settings and features for VPN use as a tool for anonymizing online activity.

Other products

Browser

On 3 April 2023, Mullvad Browser was released, developed by the Tor Project team and distributed by Mullvad. It has similar privacy and security settings levels to Tor Browser, with an exception being that it operates independently of the Tor network and is meant to be used with a VPN service instead, either Mullvad VPN or another trusted provider. Mullvad Browser has been programmed to minimize the risk of users being tracked and fingerprinted. It attempts to achieve this through several measures:
* Private mode is enabled by default. This means that cookies are never saved between sessions, nor are visited pages, forms, or search-bar entries.
* It utilizes Firefox's "resist fingerprinting" feature.
* First-party isolation is in place, in which cookies are placed in separate cookie jars so that trackers cannot connect to each other to build a profile of its user.
* No collection of telemetry data.

Search engine

On 20 June 2023, Mullvad announced the Mullvad Leta search engine. Mullvad Leta uses the Google Search and Brave Search APIs as a proxy and caches each search for 30 days. When a user inputs a web query, the service checks if it has a cache of the search before making a call to the Google Search or Brave Search API. The service was initially only accessible to devices that had Mullvad VPN turned on, before being opened to the general public on 4 March 2025.

Public DNS

Mullvad also offers public DNS servers that offer DNS over HTTPS, DNS over TLS, and various content-blocking filters.

See also

*Comparison of virtual private network services

References

External links

*

Mullvad repositories
on GitHub

{{VPN

Free and open-source software
Internet privacy
Virtual private network services
Alternative Internet DNS services