Mullvad VPN audit: low number of vulnerabilities found and fixed, lots of praise

Gandalf_The_Grey (thread author)
Mullvad VPN is a popular privacy-focused VPN service. The service runs on diskless infrastructure and has recently started running its encrypted DNS servers in RAM as well. You may also buy Mullvad codes on Amazon or in other ways that keep you anonymous.

In late 2024, Mullvad asked Germany-based X41 D-Sec to conduct an audit of the service, making it the fourth external security audit since 2018.

Company engineers were tasked with auditing the source code of Mullvad's VPN apps on all platforms and performing penetration testing. This happened between October and November 2024.
Not all issues can be fixed by Mullvad

One issue, rated medium, for instance, which may leak the virtual IP address of tunnel devices to network-adjacent participants, affects Linux and Android only. On Linux, Mullvad solved the issue by changing a kernel parameter.

On Android, Mullvad's app has no control over that parameter. The company did report the issue to Google, hoping that Google will change the default behavior on Android to address this.

It should be noted that the issue affects other apps on Android as well. Mullvad says that it does not consider the leak high severity. It may however leak the tunnel IP to observers. IPs get changed monthly, but signing out of the app and back in again gives the client a new tunnel IP address as well.
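The post above says the Linux fix was "a kernel parameter" but does not name it. The following is an added example, not code from the thread or from Mullvad, and it assumes one plausible mechanism for this class of leak: by default Linux answers an ARP request for any address the host owns, on any interface, so a neighbour on the LAN can probe for the tunnel interface's virtual IP. The sysctl net.ipv4.conf.<if>.arp_ignore (a real kernel setting; 0 = reply for any local address, 1 = reply only if the target address is configured on the interface the request came in on) controls that behaviour. Whether this is the exact parameter Mullvad changed is an assumption here.

```shell
# Added example (not from the thread or from Mullvad): check and harden the
# kernel's ARP reply policy so the host does not answer for addresses that
# live on a different interface (e.g. a VPN tunnel's virtual IP).
# Assumption: the leak class discussed maps to net.ipv4.conf.*.arp_ignore.

# Return 0 when a value is restrictive enough (1 or higher), 1 otherwise.
arp_ignore_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as failing
    esac
    [ "$1" -ge 1 ]
}

# Read the arp_ignore value from a sysctl file and report it.
# Argument: path to the file (defaults to the live 'all' setting).
check_arp_ignore_file() {
    f="${1:-/proc/sys/net/ipv4/conf/all/arp_ignore}"
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    v=$(tr -d '[:space:]' < "$f")
    if arp_ignore_ok "$v"; then
        echo "$f = $v (replies limited to the receiving interface)"
        return 0
    fi
    echo "$f = $v (replies for any local address; tunnel IP may be probed)"
    return 1
}

# Harden: set both 'all' and 'default' so new interfaces inherit the policy.
# Requires root and is not executed by default; call it explicitly.
harden_arp_ignore() {
    sysctl -w net.ipv4.conf.all.arp_ignore=1
    sysctl -w net.ipv4.conf.default.arp_ignore=1
}

# Usage: check_arp_ignore_file            (inspect the live setting)
#        harden_arp_ignore                 (as root, to apply the restriction)
```

Note that this addresses only IPv4 ARP; the post's Android remark applies because an app cannot change such sysctls there, which is why the fix depends on the platform vendor.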
 

bazang
Vuln audit is good, but getting problems fixed still remains a huge problem. Mullvad support always defaults to "If you have AV installed remove it." Mullvad support has stated developers will not make the effort to fix problems with third party security or ad blocking software. Plus, Mullvad has no dedicated QA\QC team.
 

Jonny Quest
> I'm not sure what you expect from a small team of developers. I think they do a great job. They are not Microsoft or Apple with 100's of programmers, testers or Q&A. For €5 a month it's a pretty good service.

Agree, let alone Mullvad is the one who initiated the audit. At least they were concerned enough to want to know where they could improve, or any issues that might be found. The 4th audit since 2018, how many other vendors have done that?
 

bazang
> I'm not sure what you expect from a small team of developers. I think they do a great job. They are not Microsoft or Apple with 100's of programmers, testers or Q&A. For €5 a month it's a pretty good service.

Mullvad is not a 5 person team. It has 30+ employees and it has a lot of money. It is very well funded through seed capital and it has a large revenue stream. That is more than sufficient to provide better support of its product.

The problem with Mullvad is that it has spread its developers far too thin - apps for Windows, Linux (never-ending issues across all the distros), iOS and Android. Then there is the Mullvad browser. The end result of this is predictable.

Very little QA\QC of the Mullvad products is done. On the Mullvad Github, one of the developers publicly stated "We only occasionally perform QA\QC testing. That means once every quarter or six months. And then it is only very limited software testing."

Mullvad makes a lot of money from that 5 Euros per month because it has millions of subscribers. The problem is not a lack of money to hire and build out the required resources. The reason that Mullvad takes the stance that it does is that it does not want to be responsible for diagnosing and fixing all the problems encountered on the different platforms. Well, that is Mullvad's fault for having so many product versions and not performing proper QA\QC hygiene. Plus, their support is not focused on the customer. They always respond in a way to shut down tickets. They should not even have support. You should see their responses, which are ridiculous. It is obvious that they do not want to be bothered by their subscribers' encountered issues. I talked to one of the principal developers and they even commented that they did not know the purpose of the "Report Issue" functionality in the Mullvad client.

> Agree, let alone Mullvad is the one who initiated the audit. At least they were concerned enough to want to know where they could improve, or any issues that might be found. The 4th audit since 2018, how many other vendors have done that?

There is no issue with Mullvad doing the audit or being the initiator thereof. The problem with Mullvad is that they refuse to fully support their product. Just try to report problems and the first question asked is "Do you have antivirus installed? If yes, then we do not support Mullvad on a system with third-party security software installed. Uninstall the security software."

VPN audits are commonplace. Mullvad is not doing anything that makes it unique.
 

Jonny Quest
> There is no issue with Mullvad doing the audit or being the initiator thereof. The problem with Mullvad is that they refuse to fully support their product. Just try to report problems and the first question asked is "Do you have antivirus installed? If yes, then we do not support Mullvad on a system with third-party security software installed. Uninstall the security software."
>
> VPN audits are commonplace. Mullvad is not doing anything that makes it unique.

I've never had to get hold of support, so I wasn't aware of that canned response. I've used Mullvad on 3 PCs with 3 different AVs, so far no problems. The VPNs that have a greater chance IMO (and from one experience) are the heavier-install desktop apps like Nord; Mullvad has such a small, light footprint, and I would also assume it does less mucking around with the Windows settings?
 

bazang
> I've used Mullvad on 3 PCs with 3 different AVs, so far no problems.

The third-party security software is never the problem. That is just Mullvad's response. They do it as a way to just not service their subscribers and properly support their product.

The only conflict I ever observed between Mullvad and another software was AdGuard. The two different DNS conflicted no matter if both were excluded from each other. It was really the AdGuard service which had to be either stopped and the system rebooted or AdGuard uninstalled.

At least AdGuard makes an effort to fix the problem.

Also understand that most of the people at Mullvad are Linux/FOSS ideological types. When I asked if they QA/QC'd their client on Windows the response was "Rarely." Go look on the Mullvad Github. Bugs or problems on Linux get addressed very quickly while Windows problems are slowly addressed - if at all. It is not unusual for it to take 6 to 12 months for Mullvad to fix a reported issue on Windows.

With an enterprise deployment I routinely report issues to Mullvad. It has always been a disappointing experience because you can quickly see that Mullvad support provides obvious "fixes" (which usually do not work) such as "Try the latest beta." Read the latest beta release notes and it comes nowhere close to fixing the issue.
 

Jonny Quest
> The third-party security software is never the problem. That is just Mullvad's response. They do it as a way to just not service their subscribers and properly support their product.
>
> The only conflict I ever observed between Mullvad and another software was AdGuard. The two different DNS conflicted no matter if both were excluded from each other. It was really the AdGuard service which had to be either stopped and the system rebooted or AdGuard uninstalled.
>
> At least AdGuard makes an effort to fix the problem.
>
> Also understand that most of the people at Mullvad are Linux/FOSS ideological types. When I asked if they QA/QC'd their client on Windows the response was "Rarely." Go look on the Mullvad Github. Bugs or problems on Linux get addressed very quickly while Windows problems are slowly addressed - if at all. It is not unusual for it to take 6 to 12 months for Mullvad to fix a reported issue on Windows.
>
> With an enterprise deployment I routinely report issues to Mullvad. It has always been a disappointing experience because you can quickly see that Mullvad support provides obvious "fixes" (which usually do not work) such as "Try the latest beta." Read the latest beta release notes and it comes nowhere close to fixing the issue.

I wish there was an Informative emoji I could give you (I had requested it), as in both of your posts you brought up points that I didn't know about, especially as far as reading anything on Github. (y)
 

Marko :)
> I've started using Mullvad DNS full-time too.

I wanted to test it, but lost the will after seeing this. The routing here is madness, so I'm sticking with Cloudflare DoH (in the browser) and AdGuard Public DNS on the machine.

[attachment: Screenshot_1.png]
 

Sorrento
I've had issues with Mullvad, and although it's probably one of the better VPNs, I won't bother paying for any more months after expiry, which is soon (not actually running it at present, which probably says a lot). Running AdGuard VPN.
 

simmerskool
> Also understand that most of the people at Mullvad are Linux/FOSS ideological types. When I asked if they QA/QC'd their client on Windows the response was "Rarely."

Yah but... for me Mullvad VPN works on Win10 (VM) with various AV and also works easily on Linux too. Mullvad is often my default VPN lately. Now using their DNS too when not running the VPN.
 
