Mullvad VPN audit: low number of vulnerabilities found and fixed, lots of praise

Gandalf_The_Grey (thread author)

Mullvad VPN is a popular privacy-focused VPN service. The service is using a disk-less infrastructure and has recently started to run encrypted DNS servers in RAM as well. You may also buy Mullvad codes on Amazon or through other ways that keep you anonymous.

In late 2024, Mullvad asked Germany-based X41 D-Sec to conduct an audit of the service, making it the fourth external security audit since 2018.

Company engineers were tasked with auditing the source code of Mullvad's VPN apps on all platforms and performing penetration testing. This happened between October and November 2024.

Not all issues can be fixed by Mullvad

One issue, rated medium, for instance, which may leak the virtual IP address of tunnel devices to network adjacent participants, affects Linux and Android only. On Linux, Mullvad solved the issue by changing a kernel parameter.

On Android, Mullvad's app has no control over that parameter. The company did report the issue to Google, hoping that Google will change the default behavior on Android to address this.

It should be noted that the issue affects other apps on Android as well. Mullvad says that it does not consider the leak high severity. It may however leak the tunnel IP to observers. IPs get changed monthly, but signing out of the app and back in again gives the client a new tunnel IP address as well.
 

bazang

Vuln audit is good, but getting problems fixed still remains a huge problem. Mullvad support always defaults to "If you have AV installed remove it." Mullvad support has stated developers will not make the effort to fix problems with third party security or ad blocking software. Plus, Mullvad has no dedicated QA\QC team.
 

Jonny Quest

I'm not sure what you expect from a small team of developers. I think they do a great job. They are not Microsoft or Apple with 100s of programmers, testers or Q&A. For €5 a month it's a pretty good service.

Agree, let alone Mullvad is the one who initiated the audit. At least they were concerned enough to want to know where they could improve, or any issues that might be found. The 4th audit since 2018, how many other vendors have done that?

bazang

I'm not sure what you expect from a small team of developers. I think they do a great job. They are not Microsoft or Apple with 100s of programmers, testers or Q&A. For €5 a month it's a pretty good service.

Mullvad is not a 5 person team. It has 30+ employees and it has a lot of money. It is very well funded through seed capital and it has a large revenue stream. That is more than sufficient to provide better support of its product.

The problem with Mullvad is that it has spread its developers far too thin - apps for Windows, Linux (never-ending issues across all the distros), iOS and Android. Then there is the Mullvad browser. The end result of this is predictable.

Very little QA\QC of the Mullvad products is done. On the Mullvad Github, one of the developers publicly stated "We only occasionally perform QA\QC testing. That means once every quarter or six months. And then it is only very limited software testing."

Mullvad makes a lot of money from that 5 Euros per month because it has millions of subscribers. The problem is not a lack of money to hire and build-out the required resources. The reason that Mullvad takes the stance that it does is that it does not want to be responsible for diagnosing and fixing all the problems encountered on the different platforms. Well, that is Mullvad's fault for having so many product versions and not performing proper QA\QC hygiene. Plus, their support is not focused on the customer. They always respond in a way to shut-down tickets. They should not even have support. You should see their responses which are ridiculous. It is obvious that they do not want to be bothered by their subscribers' encountered issues. I talked to one of the principal developers and they even commented that they did not know the purpose of the "Report Issue" functionality in the Mullvad client.

Agree, let alone Mullvad is the one who initiated the audit. At least they were concerned enough to want to know where they could improve, or any issues that might be found. The 4th audit since 2018, how many other vendors have done that?

There is no issue with Mullvad doing the audit or being the initiator thereof. The problem with Mullvad is that they refuse to fully support their product. Just try to report problems and the first question asked is "Do you have antivirus installed? If yes, then we do not support Mullvad on a system with third-party security software installed. Uninstall the security software."

VPN audits are common place. Mullvad is not doing anything that makes it unique.

Jonny Quest

There is no issue with Mullvad doing the audit or being the initiator thereof. The problem with Mullvad is that they refuse to fully support their product. Just try to report problems and the first question asked is "Do you have antivirus installed? If yes, then we do not support Mullvad on a system with third-party security software installed. Uninstall the security software."

VPN audits are common place. Mullvad is not doing anything that makes it unique.

I've never had to get hold of support, so I wasn't aware of that canned response. I've used Mullvad on 3 PCs with 3 different AVs; so far no problems. The VPNs that have a greater chance IMO (and from one experience) are the heavier-install desktop apps like Nord; Mullvad has such a small, light footprint, and I would also assume it does less mucking around with the Windows settings?

bazang

I've used Mullvad on 3 PCs with 3 different AVs; so far no problems.

The third-party security software is never the problem. That is just Mullvad's response. They do it as a way to just not service their subscribers and properly support their product.

The only conflict I ever observed between Mullvad and another software was AdGuard. The two different DNS conflicted no matter if both were excluded from each other. It was really the AdGuard service which had to be either stopped and the system rebooted or AdGuard uninstalled.

At least AdGuard makes an effort to fix the problem.

Also understand that most of the people at Mullvad are Linux/FOSS ideological types. When I asked if they QA/QC'd their client on Windows the response was "Rarely." Go look on the Mullvad Github. Bugs or problems on Linux get addressed very quickly while Windows problems are slowly addressed - if at all. It is not unusual for it to take 6 to 12 months for Mullvad to fix a reported issue on Windows.

With an enterprise deployment I routinely report issues to Mullvad. It has always been a disappointing experience because you can quickly see that the Mullvad support provides obvious "fixes" (which usually do not work) such as "Try the latest beta." Read the latest beta release notes and it comes nowhere close to fixing the issue.
 

Jonny Quest

The third-party security software is never the problem. That is just Mullvad's response. They do it as a way to just not service their subscribers and properly support their product.

The only conflict I ever observed between Mullvad and another software was AdGuard. The two different DNS conflicted no matter if both were excluded from each other. It was really the AdGuard service which had to be either stopped and the system rebooted or AdGuard uninstalled.

At least AdGuard makes an effort to fix the problem.

Also understand that most of the people at Mullvad are Linux/FOSS ideological types. When I asked if they QA/QC'd their client on Windows the response was "Rarely." Go look on the Mullvad Github. Bugs or problems on Linux get addressed very quickly while Windows problems are slowly addressed - if at all. It is not unusual for it to take 6 to 12 months for Mullvad to fix a reported issue on Windows.

With an enterprise deployment I routinely report issues to Mullvad. It has always been a disappointing experience because you can quickly see that the Mullvad support provides obvious "fixes" (which usually do not work) such as "Try the latest beta." Read the latest beta release notes and it comes nowhere close to fixing the issue.

I wish there was an Informative emoji I could give you (I had requested it), as in both of your posts you brought up points that I didn't know about, especially as far as reading anything on Github.
 

Marko :)

I've started using mullvad DNS full-time too.

I wanted to test it, but lost the will after seeing this. The routing here is the madness, so I'm sticking with Cloudflare DoH (in the browser), AdGuard Public DNS on machine.

[attached screenshot: Screenshot_1.png]

Sorrento

I've had issues with Mullvad, and although it's probably one of the better VPNs, I won't bother paying for any more months after expiry, which is soon (not actually running it at present, which probably says a lot). Running AdGuard VPN.

simmerskool

Also understand that most of the people at Mullvad are Linux/FOSS ideological types. When I asked if they QA/QC'd their client on Windows the response was "Rarely."

Yah but... for me Mullvad VPN works on Win10 (VM) with various AV and also works easily on Linux too. Mullvad is often my default VPN lately. Now using their DNS too when not running the VPN.
 

bazang

I've had issues with Mullvad, and although it's probably one of the better VPNs, I won't bother paying for any more months after expiry, which is soon (not actually running it at present, which probably says a lot). Running AdGuard VPN.

Mullvad is probably the best overall VPN in terms of features and servers, but its customer support is terrible. Plus, the developers are Linux\FOSS so Linux fixes are greatly favored whereas Windows problems are always pooh-poohed and the reporter is discouraged and told to just go away...

Sometimes Mullvad will be trouble free for a long while, but then the next years' worth of updates are just one problem after another.

I have been using Mullvad since Day 1. Over 15 years. I shall not be using it any more. It is just too difficult to get them to fix problems. They do not even have a dedicated QA/QC team. They only "spot" test and that is only done on an irregular basis. Like WTF?

Mullvad became too popular. Waaaayyyyy too many subscribers. This alone has killed Mullvad's usefulness, quality and support. Lots of websites block Mullvad's IP addresses.

Mullvad is a perfect example of what happens to a great product when too many people buy it. The product's quality goes down.
 

Zero Knowledge

Mullvad became too popular. Waaaayyyyy too many subscribers. This alone has killed Mullvad's usefulness, quality and support. Lots of websites block Mullvad's IP addresses.

Mullvad is a perfect example of what happens to a great product when too many people buy it. The product's quality goes down.

This I sadly agree with. Its usefulness has gone downhill lately because, as you say, it has too many subscribers and users; sites have blacklisted Mullvad and they don't cycle IPs. I've had lots of captchas, fraud blocks on orders, and other annoying things pop up lately. Problem is, it's better than everything else except for AirVPN and IVPN. And even with all the problems it's still probably the best VPN out there. Just don't use the Windows app if you have issues with it. But I'm not sure there is a VPN on earth that is now trouble free; we do not live in 2008 when VPNs were for tech-savvy paranoid users and kinda underground. They even have ExpressVPN ads on the Joe Rogan podcast now, so you know it's mainstream.
 

BulletKnowledge

Mullvad's userbase has grown way faster than the company's growth can sustain without affecting its quality.

I used their VPN in the past but moved because of issues.

bazang

sites have blacklisted Mullvad and they don't cycle IPs

This.

Problem is, it's better than everything else except for AirVPN and IVPN.

I have had just as many issues with IVPN, if not more. Its client has bugs. IVPN is a tiny team. It only has a single part-time developer and no dedicated QA/QC. Reported issues never get fixed and the part-time developer gets attitude.

And even with all the problems it's still probably the best VPN out there.

It probably is the best out there.

Just don't use the Windows app if you have issues with it.

Mullvad's (and IVPN's) Windows desktop app is the cause of most issues. The problems are fixed by using the WireGuard or OpenVPN app. However, all the features - such as killswitch - do not work on Windows for the WireGuard or OpenVPN apps. Plus all the other features do not work in those apps - so by using those apps you are not using the features that you paid for.

Plus one thing people do not understand is that most niche VPNs such as Mullvad and IVPN are FOSS/Linux-centric. They give priority to Linux and Windows is always relegated to second-citizen status.

For every developer there should be at least 2 full-time software QA/QC engineers. But VPN companies are notorious for zero QA/QC.

But I'm not sure there is a VPN on earth that is now trouble free; we do not live in 2008 when VPNs were for tech-savvy paranoid users and kinda underground. They even have ExpressVPN ads on the Joe Rogan podcast now, so you know it's mainstream.

VPN support has always been terrible. It was good when VPNs were tiny operations with a tiny user base - as in only a few hundred. Now Mullvad and IVPN have hundreds of thousands of users - all experiencing problems - and neither Mullvad nor IVPN want to properly support those users. They'll take users' money though and then it is "Sorry about your luck" when it comes to fixing user problems other than account problems.
 

Zero Knowledge

VPN support has always been terrible. It was good when VPNs were tiny operations with a tiny user base - as in only a few hundred. Now Mullvad and IVPN have hundreds of thousands of users - all experiencing problems - and neither Mullvad nor IVPN want to properly support those users. They'll take users' money though and then it is "Sorry about your luck" when it comes to fixing user problems other than account problems.

What do you expect for 5€ a month? You're not going to get nation-state encryption capabilities or protection, or Apple/Amazon-style support and updates. To be honest I'm surprised their service and others like them are even usable with the amount of traffic/users they have now. We do not live in 2008 anymore; VPNs are no longer niche, they are must-have mainstream utilities for every citizen, not just paranoid freaks.

The only VPNs that seem to fly under the radar are AirVPN and Perfect Privacy; I never see them mentioned in mainstream news or media. And I know AirVPN is a problem for 'them' because every time I download their client 'they' try to rate-limit the download speed and cut the connection. PP I haven't tried in ages, but it's got a good reputation for a reason in the underground.

Sorrento

I gave up with AirVPN years ago, mainly due to rubbish speeds, though their website still says: 'Minimum allocated granted bandwidth: 4 Mbit/s download + 4 Mbit/s upload'
This isn't 1995 and I'm no longer on dial-up. It's a while since I used Perfect Privacy also.

If Mullvad choose to charge 5 Euro a month that is their choice, but I feel if you can't make a decent product for the amount you charge, either give up or adjust your prices; whinging is not the answer.

FALLEN

I also used Mullvad for a couple of months. Overall, it's a decent VPN for privacy, but IVPN and Proton VPN just worked better for me. I found that I've gotten fewer blocks on Proton VPN compared to Mullvad. I guess Mullvad's servers (IP addresses) are more likely to be blacklisted.
 

Jonny Quest

I also used Mullvad for a couple of months. Overall, it's a decent VPN for privacy, but IVPN and Proton VPN just worked better for me. I found that I've gotten fewer blocks on Proton VPN compared to Mullvad. I guess Mullvad's servers (IP addresses) are more likely to be blacklisted.

Same here, I've had fewer site issues using Proton than Mullvad.
 
