The original post: /r/mullvadvpn by /u/not_a_nazi_actually on 2025-03-28 04:46:03.

haven't been able to open imgur.com links for over a week now.

a google search says the site isn't down and hasn't had problems.

what's going on?

The original post: /r/mullvadvpn by /u/EmperorHenry on 2025-03-28 03:03:39.

How often are the IP addresses of your proxies rotated?

Would it help evade detection from blocklists used by websites if they were rotated more often?

The original post: /r/mullvadvpn by /u/EmperorHenry on 2025-03-28 03:00:09.

I've seen some people over the years that I've been using mullvad complain that their accounts got compromised.

And since Mullvad is in the business of operating without collecting any data on their users, there's no way to stop someone from mooching off your account once they know your number.

I'm suggesting that every mullvad account should have the option to have a password on the account as well as the account number. No email addresses, just the account number and a password. Pretty much every mullvad user is also using a password manager of some sort. So adding that extra security option I think would be greatly appricated by your users.

You would need to update the website log in functions and you'd need to update the way users log in to the VPN app as well, but again, your users would be happy to have this option if they want it.

You already have to keep track of how much time each account number has left of it, it wouldn't be much more to keep the password too.

The original post: /r/mullvadvpn by /u/LaiserLarrs on 2025-03-27 17:55:47.

I use Firefox with Mullvad Vpn and sometimes I can not open websites anymore. Most don't load (about:blank) and youtube loads, but then shows the no connection screen, other pages work without problems. I then turned off my Wi-Fi, closed Firefox, turned Mullvad off and on again, Wi-Fi turned on again, started Firefox. Now it's back to normal. But it only works if I do it exactly like that. Does anyone have the same problem?

The original post: /r/mullvadvpn by /u/Intelligent-Stone on 2025-03-27 16:58:07.

So from what I understand in DAITA, it adds an extra useless data into the packets sent to/from VPN servers. So it's uploading and downloading more data, but is it possible to be noticeable by other users on the network that doesn't use Mullvad and instead connect to internet directly from ISP?

The original post: /r/mullvadvpn by /u/MullvadNew on 2025-03-27 14:36:29.

Link: https[://]mullvad[.]net/en/blog/successful-security-assessment-of-our-android-app

Our Android app (version 2024.9) has successfully passed MASA, a standardized security assessment, conducted by NCC Group.

The assessment called Mobile Application Security Assessment (MASA) is part of App Defense Alliance, originally launched by Google but now part of the Linux Foundation.

It is different from our typical app audits (2018 (https[://]mullvad[.]net/blog/2018/9/24/read-results-security-audit-mullvad-app/), 2020 (https[://]mullvad[.]net/blog/2020/6/25/results-available-audit-mullvad-app/), 2022 (https[://]mullvad[.]net/blog/security-audit-report-for-our-app-available) and 2024 (https[://]mullvad[.]net/blog/the-report-for-the-2024-security-audit-of-the-app-is-now-available)) where we define a threat model and have an audit firm look at our code, binaries and app running on various devices.

Instead, MASA is a standardized black-box assessment against a set of industry recognized security and testing criteria. This means that no code was reviewed during this assessment. It has two assessment levels: Assessment Level 1 (AL1) and Assessment Level 2 (AL2). Both require an authorized independent test lab, but AL2 is bit more in-depth and include a manual assessment in comparison to AL1. In our case we conducted an AL2 assessment using NCC Group as our test lab.

The testing criteria is based on the work of OWASP which continuously develop and publish the following two standards:

• Mobile Application Security Verification Standard (MASVS)
• Mobile Application Security Testing Guide (MASTG)

To summarize the result of the assessment, the Android app passed all controls without the need for any fixes or modifications. You can check out the result in terms of the App Defense Alliance Directory entry here or directly download the certificate here. As another result of the assessment, our app has now been marked with a Verified badge (also shown as Independently verified and Independent security review) in the Google Play Store.

The original post: /r/mullvadvpn by /u/TheGovernorsRightEye on 2025-03-27 12:39:45.

I know, silly question. But I just recently tried to install the latest update and my PC rejected it. Saying something along the lines of "Can not be installed on PC" (similar message). Will staying on my current version of Mullvad VPN put me at a security risk?

Thanks

The original post: /r/mullvadvpn by /u/defaultroute on 2025-03-27 11:05:48.

The original post: /r/mullvadvpn by /u/alchito on 2025-03-27 07:20:25.

I’m currently in China and got a Mullvad subscription for the first time.

On Iphone, it tries to connect forever, regardless of the server I choose, but never does. On PC, it takes a solid 2-3 minutes to connect to a server, and even then everything is soooo slow to load.

Has anyone experienced this or has recommendations?

The original post: /r/mullvadvpn by /u/deathcomestooslow on 2025-03-27 05:33:19.

This is with Mullvad running. It stops having IPv6 but the IPv4 remains. This is different to how my old computer acts, where it would turn both off. Mullvad support says this isn't a problem but it sure sounds like a security risk if something other than Mullvad can use the net directly. Thanks for the help. I pass the few DNS leak online tests I tried but they all seem very short and not really testing all circumstances.

The original post: /r/mullvadvpn by /u/EmeraldGhostie on 2025-03-27 03:55:38.

any solutions?

The original post: /r/mullvadvpn by /u/LightningProd12 on 2025-03-27 03:16:05.

About 50% of the time, the connection check page says "Failed to check for DNS leaks" and the proxy extension (in the browser) says "Could not determine DNS servers". The other half of the time it says there are no leaks.

I've never had this happen before, is it okay or is there a risk of a leak?

The original post: /r/mullvadvpn by /u/beefjerky9 on 2025-03-27 02:56:47.

Are the Houston servers absolutely, ridiculously slow for anyone else this evening? The Dallas servers are fine it seems.

The original post: /r/mullvadvpn by /u/dresoccer4 on 2025-03-26 21:20:16.

I'm using the Mullvad app on my Raspberry Pi Plex server and it has a split tunneling feature, however even when selecting the Plex server program in the Mullvad app the plex server loses its remote access function after a few seconds, which means it's not actually routing the plex server (through port 50000) outside the VPN. Just fyi i'm pretty green when it comes to this stuff.

Anyone gotten this to work, or know of a workaround so my Plex server does not go through the Mullvad wireguard VPN (while everything else does)?

Appreciate any help here.

https://preview.redd.it/mc23itk4p3re1.png?width=391&format=png&auto=webp&s=3e49eacfa69fe5442839b7d517a3d64ce48c5550

The original post: /r/mullvadvpn by /u/justarandomstanley on 2025-03-26 13:54:11.

Apologies in advance if I'm missing something, I'm new to the VPN game.

Greece recently introduced a law that goes after torrenting. It's still unclear if this concerns individuals, but I'm not willing to find out.

I installed Mullvad, and for 2 weeks it was fine; but suddenly, my speed got affected and connection is super unstable. I didn't really change anything and I tried MULTIPLE servers, but connection remains unstable. I used to download at 25/30 Mbp/s, and now it's at 4-5 for 30 seconds, and then it's down to almost 0. I can't even stream spotify during these lows.

Maybe it's something with the settings? Any tips?

Speeds are super stable when it's off.

The original post: /r/mullvadvpn by /u/MullvadNew on 2025-03-26 10:31:51.

Link: https[://]mullvad[.]net/en/blog/why-we-still-dont-use-includeallnetworks

Our users often ask why we do not use the includeAllNetworks to fix all possible leaks on iOS. This blog post aims to explain why this currently is not possible.

As per Apple's documentation and several vulnerability reports (e.g. TunnelCrack) , setting includeAllNetworks to true (and possibly excludeLocalNetworks too) will prevent traffic from leaking from the tunnel. These flags tell iOS that the VPN app expects all traffic to be routed through it. On other platforms, this would normally be achieved by using the system firewall and, to improve UX, by changing the routing table - superficially setting just one flag seems like a great improvement to the developer experience. The documentation for this flag explains what type of traffic will and will not be excluded, but lacks any further detail.

The reason as to why have we not set this flag in our iOS app is because it does not quite work. It breaks various behaviors the app was relying upon - for some things we have found workarounds, but there is an especially bad one that we cannot work around. 

What follows is a deeply technical walkthrough of our challenges with the includeAllNetworks flag. If you care not for the technical details, the short answer is - if we were to enable the flag today, the app would work fine until it would be updated via the AppStore, at which point the system would lose all network connectivity. The most intuitive way of fixing this is to restart the device. As far as we know, there is no way for our app to detect and in any way help work around this behavior.

The beginnings of includeAllNetworks

Our iOS app, much like all of our other VPN client applications, uses ICMP packets to establish whether a given tunnel configuration is working or not. When using DAITA or quantum-resistant tunnels, the app will also need to establish a TCP connection to a host only reachable through the tunnel. Both of these two network connections are done by the tunnel process - on iOS the VPN connection is managed by a separate process from the one that users interact with. In the ICMP case, we use a regular socket() syscall to create an ICMP socket to our gateway at 10.64.0.1. For the TCP connection, we initially used a now deprecated NWTCPConnection. To not leak this traffic outside of the tunnel, we attempt to bind these sockets to the tunnel interface. These work as expected when includeAllNetworks is not in use, but when we set the flag, they just stopped working. No errors were reported from sendmsg, the best feedback we got was that the NWTCPConnection's state never updated away from waiting.  When experiencing misbehavior like this, it is almost always a sure bet to assume that we are misusing whatever interface we are trying to use. Apple is not guaranteeing that regular BSD sockets will just work, and since we're trying to reach 10.64.0.1 via the in tunnel TCP connection, maybe it has some weird behavior if it's a 10/8 address?

Could we do without ICMP and TCP traffic from the tunnel process?

Yes, we can change our code to not rely on ICMP and TCP, even if it just to run our experiments. So, when we choose to just not send ICMP traffic and assume that the tunnel is always working, the VPN connection just works. You can open up Safari and browse the internet, watch videos, browse social media, send pings to 10.64.0.1 via a terminal emulator. Hold that thought - when connected via our app, the device is capable of sending ICMP traffic to our gateway via other applications. But our own app is not able to do so.

Holding it harder

We have established that we cannot send ICMP traffic the usual way from the packet tunnel process, and we cannot use the NWTCPConnection from the Network Extension framework to send TCP traffic from the tunnel, a class specifically created to facilitate VPN processes to send traffic inside their own tunnels. We could feasibly come up with a different strategy of inferring whether a given WireGuard relay is working without ICMP, but we do need TCP for negotiating ephemeral peers for DAITA and quantum-resistance. In iOS 18, one can construct a NWConnection with NWParameters with requiredInterface set to the virtualInterface of the packet tunnel - this should create a working connection from within the tunnel process. It does as long as includeAllNetworks flag is set to false. Otherwise, we are observing the exact same behavior as before. This would only make the app work on iOS 18, so it is not an entirely viable solution to our woes, at the time of writing, we are trying to support iOS 15.

What even is a packet tunnel?

There are various different Network Extensions that an iOS app can provide - the one we are using is a Packet Tunnel provider. It provides a way for a developer to read all user traffic to then encrypt it and send it off, and conversely, to write back packets received from the tunnel. To start one, the main app has to create a VPN profile - the profile contains the configuration object where includeAllNetworks can be set. The configuration can be updated with a tunnel running, but the tunnel needs to be shut down and restarted for changes to take effect. Once the VPN process is started, it must signal to the system that it is up and then, to actually move traffic, it should start reading user traffic via packetFlow or, as most VPN applications using WireGuard in the wild do, directly from the utun file descriptor.

In practice, when an app on the device tries sending something on the network, an app implementing a Packet Tunnel provider will end up reading the traffic. When our VPN process is trying to send traffic inside the tunnel, it is essentially trying to write some data into one pipe (NWConnection) and expecting to see it come out of the packet tunnel. We configure our packet tunnel provider with includeAllNetworks = true we are not seeing that traffic coming through. We can see that other processes are able to send traffic to those same hosts. We have to conclude that something is preventing our VPN process from reading traffic that it itself is trying to send.

Holding it even harder

When the VPN process is trying to send traffic to a host within the tunnel, it feels redundant to put something into a pipe to then turn around and read it back out. Could we not just construct the packets ourselves and handle them the same way we would handle them if they were read out from the packet tunnel? Yes we can, we already do this for UDP traffic for multihop, and we can trivially do this for ICMP too. Supporting TCP is a lot more complicated than just adding a header to a payload, but, we already are using WireGuard and the canonical WireGuard implementation on iOS is wireguard-go, which, for testing, already pulls in a userspace networking stack. Since we need at most 2 TCP connections per tunnel connection, performance is not a concern, we can rely on gvisor's gonet package to give us a lovely Go interface for creating TCP connections in userspace. We can then mux between the real tunnel device and our virtual networking stack. After all of that, we can reach a TCP service hosted inside our tunnel from our own tunnel process. This works, and we have tested this for quite some while. We are already using this mechanism in our released app, the TCP and ICMP traffic is already sent via the userspace networking stack. Yet we still are not using the includeAllNetworks flag. Why not?

Locking in an app version

When regular applications use NWConnections, they should wait until their NWConnection's state is set to ready. When a VPN profile is active and it has been configured with includeAllNetworks = true, the connections will only become ready when the VPN process signals to the system that it is up. When a user clicks the connect button in our application to, we start our VPN tunnel, but we also configure it to be started on-demand so that if the device reboots or if the packet tunnel crashes for whatever reason, it should be started up again as soon as any traffic is trying to reach the internet. 

The behavior described above intersects horribly with app updates. We have not done a deep investigation to understand the details of an update process, but superficially we can observe the following. When includeAllNetworks = false, the process goes like this: 

• Update is initiated (by user or automatically, Xcode or App Store)
• Old packet tunnel process is sent a SIGTERM
• New app is downloaded
• New app is installed
• New pac...

Content cut off. Read original on https://old.reddit.com/r/mullvadvpn/comments/1jk8nfo/why_we_still_dont_use_includeallnetworks_blog/

The original post: /r/mullvadvpn by /u/StayJuicePriv on 2025-03-26 06:42:52.

Is there a way to use multi hop on a ooenwrt router with Mullvad?

The original post: /r/mullvadvpn by /u/BetterArcher5115 on 2025-03-25 23:50:11.

hey everyone Europe have any xray protocol vpn ? No Chinese (they sell user data , even sell to police ,really ) , and like mullvad VPN no log

The original post: /r/mullvadvpn by /u/Sudden_Relation2356 on 2025-03-25 17:59:12.

Been trying to get beyond account setup email and phone buet each time get locked out.

Spoke to people using nord and express, but ours will get locked...found put a little late. Now I don't even know if their nonexistent support will ever get back to me.

The original post: /r/mullvadvpn by /u/PoundKitchen on 2025-03-25 15:21:36.

Using base.dns.mullvad.net for my DoH I'm now seeing dnsleaktest.com is getting blocked/dropped. Getting...

This site can’t be reached

www.dnsleaktest.com’s DNS address could not be found. Diagnosing the problem.

DNS_PROBE_POSSIBLE

Legit? Why?

The original post: /r/mullvadvpn by /u/MullvadNew on 2025-03-25 12:52:48.

Link: https[://]mullvad[.]net/en/blog/help-test-mullvad-browser-alpha

https://preview.redd.it/0z3o2syg1uqe1.png?width=1200&format=png&auto=webp&s=19b126da06d809c31bf9bc776abc26256c4a2ea0

Before releasing a stable version of Mullvad Browser, we create alpha releases for testing purposes. These early versions contain the latest features and updates, allowing us to gather feedback and identify issues before wider release.

To become an early adopter and help us test, you can install Mullvad Browser Alpha from either:

• Our download page (https[://]mullvad[.]net/download/browser)
• For Debian/Ubuntu/Fedora, from our repository servers (https[://]mullvad[.]net/help/install-mullvad-browser#linux-install) (package name: mullvad-browser-alpha)

Important information

• Alpha versions may occasionally be broken
• These builds don't offer the same level of privacy and security guarantees as stable releases
• They can be installed alongside the stable version without conflicts

Feedback can be sent either by email to support@mullvadvpn[.]net or directly in our browser issue tracker.

The original post: /r/mullvadvpn by /u/Enowki on 2025-03-24 19:07:46.

So, i turned option always on and it still disconnect sometimes and cant let that happen, any fixes?

The original post: /r/mullvadvpn by /u/wait-Whoami on 2025-03-24 19:02:22.

Hey r/mullvadvpn, I’m a big fan of Mullvad VPN—love their no-logs policy and how they keep things simple and private. I was trying to learn more about the folks who started it, Daniel Berntsson and Fredrik Strömberg, since they founded Amagicom AB back in 2009. Daniel seems super low-key online, and Fredrik might be the same guy who’s into Swedish comics (which is cool!), but I couldn’t find much tying his comics work to Mullvad—like on his blog (fredrikstromberg.com), it’s all comics, no VPN stuff.

I saw a 2013 Freedom Hacker interview where a Fredrik Strömberg talks about co-founding Mullvad, but I’m wondering if anyone’s got a clearer link, like something from Fredrik himself or Mullvad that confirms it’s the same person. Not digging for secrets, just curious about the people behind a service I really admire! Anyone know more or seen something I missed? Thanks!

The original post: /r/mullvadvpn by /u/77slevin on 2025-03-24 17:25:24.

I'm on a Belgian server if it matters.

The original post: /r/mullvadvpn by /u/Shoddy-Thought1827 on 2025-03-24 10:50:20.

Right now on windows, linux and mac is possible to do operations with mullvad without using the GUI, which is neat and very useful. Is it possible to do so with the android shell console? i'm not finding anything about it but i really need it