Mullvad VPN


The unofficial community subreddit for Mullvad VPN.

101
 
 
This is an automated archive.

The original was posted on /r/mullvadvpn by /u/throwantiaway1 on 2023-08-10 21:05:03+00:00.


Good afternoon, I have a question that can be summed up by asking: what are the advantages, privacy-wise, of using cash or Monero?

My ISP/network already knows I am connecting to your VPN and which server at that. Like any VPN you should be able to see what I am doing actively to shut down an abusive account. With no logs once I log off means looking back on what might have been done isn't possible, so what exactly does having no ID connected to my account do?

For instance I use a credit card that has my real name and it links to my Mullvad, what extras if any privacy wise happens? Like I said my ISP and you as the VPN already know I am using you so what is the point? Not having an account linked to my name doesn't suddenly mean the ISP/network or you suddenly don't know I am using your VPN or where it is located at.

Hope I am explaining this correctly, apologies if not.

102
 
 

The original was posted on /r/mullvadvpn by /u/wampuswrangler on 2023-08-10 19:45:10+00:00.


I'm very green to VPNs in general; this is my first time trying one. I just installed Mullvad and am pretty sure I am connected, but I just want to verify. I have the green padlock, and the Mullvad app says I am connected to a server. Also, I get different IP addresses when I search with Mullvad connected or disconnected.

However, in the Windows taskbar it won't let me connect to Mullvad. I am using Windows 11; the internet icon shows an ethernet symbol and says I am connected to wifi, however under Mullvad it just says internet access. Every time I try to connect it fails and says "the remote connection was not made because the attempted vpn tunnels failed. the vpn server may be unreachable." Is this just an issue with Windows or am I doing something wrong? Also, under the server name option in the Windows VPN settings I typed in the 11 digit IP address from Mullvad, not sure if that's correct.

Apologies if this isn't enough info, some of this stuff is like a foreign language to me. Any help is appreciated, thanks.

103
 
 

The original was posted on /r/mullvadvpn by /u/imakeawsmcookies on 2023-08-10 12:50:41+00:00.


this doesn't happen all the time but sometimes out of nowhere it would just pop up like this as shown and also other browsers too won't connect, eventually would have to turn vpn off and on again to get around the issue ......

104
 
 

The original was posted on /r/mullvadvpn by /u/SuperPigDots on 2023-08-10 07:59:37+00:00.


I have been using Mullvad for many months now. At first, connectivity was very rarely an issue. For the last few months, I have noticed an uptick in random connectivity issues across multiple updated and current devices of mine where U.S. servers will regularly refuse to connect. Sometimes Canada will then work, and South America or Europe always do if Canada refuses as well. After an hour or a few hours, the U.S. servers will be working again. This has been happening several times per week lately for me, but the last week or so has seen a drop in this issue.

I use Mullvad for normal daily use cases via the Mullvad app. I contacted support and gave them all of my device specs. They advised me to download and setup Wireguard or else request a refund (instead of addressing my app issue). I found it very unhelpful.

Has anyone else noticed increasing connection unreliability on U.S. servers as of late?

105
 
 

The original was posted on /r/mullvadvpn by /u/McWhiffersonMcgee on 2023-08-09 20:32:13+00:00.


Hello!

I believe that Mullvad didn't like that I haven't updated in a while and is blocking my internet. I tried updating but I can't turn off killswitch. I had to load the new software on to USB and install, but it did not fix my issue. I tried uninstalling the software and I am still unable to access the internet.

I've tried disabling and re-enabling my ethernet adapter, I have my firewall turned off, I added Mullvad to programs allowed to bypass firewall. Right now I have no Mullvad installed and it's still not able to connect.

106
 
 

The original was posted on /r/mullvadvpn by /u/imakeawsmcookies on 2023-08-09 15:55:42+00:00.


soooo when we have lockdown mode on, the screen will have a small banner and the location map pin (the red dot) saying blocked connection... this is fine but could be improved upon, like it can have a huuuge red banner saying lock down mode on... how can i say this hmm i mean like it should have a design method that screams when we use lockdown mode is on, rn it is more silent you know :)

107
 
 

The original was posted on /r/mullvadvpn by /u/ThatrandomGuyxoxo on 2023-08-09 15:49:37+00:00.


Hey all. The last few days and especially today I have the problem that my internet is not working because the private DNS option on Android is not working. As soon as I add the private DNS, Android tells me my DNS cannot be accessed. Is this a common bug? Reboot didn't work either.

108
 
 

The original was posted on /r/mullvadvpn by /u/MullvadNew on 2023-08-09 14:47:12+00:00.


Mullvad is mostly unaffected by the TunnelCrack VPN vulnerabilities. This is our response to the recently disclosed set of attack vectors on VPNs.

LocalNet Attack

TLDR: On Windows, Linux, macOS and Android we are not vulnerable to the LocalNet attack. We never leak traffic to public IPs outside the VPN tunnel. However, on iOS we are affected by this attack vector.

On Windows, Linux, macOS and Android where we have the local network sharing setting, it is disabled by default. This means all traffic outside the tunnel is blocked by default. When the local network sharing setting is enabled, our app does not just allow traffic to all networks advertised by the DHCP server or set up as local networks in the routing table. We specifically allow traffic only to known standardized local network ranges. These are IPs that can only ever exist on local networks, and are not valid public IPs. If you want to get into the nitty gritty details, here is the list of allowed local IP network ranges in our app’s source code.

Desktop

What this means is that if a rogue AP advertises some public IP ranges as local network ranges to the victim’s device, our app will block any traffic to those IPs. The traffic will neither go inside nor outside the tunnel, it will be stopped from leaving the device altogether.

Even if LocalNet is not a traffic leak with Mullvad on desktop, it can be classified as a denial of service attack. The attacker can prevent the victim from communicating with certain IP ranges. The TunnelCrack paper outlines this aspect in section 4.1.2. The paper claims that this poses a security risk since it might block security cameras and software security updates.

We at Mullvad have been aware of this for a long time but not considered it a practical or important attack vector in the scope of being fixed by a VPN app. If an attacker controls the router/AP, which they need to do to perform this attack, they can block any traffic from the victim’s device anyway. We do not believe that being able to do it selectively for certain IP ranges changes anything significant. Any device that is configured in such a way that it connects to unauthenticated (the only type that can be spoofed like this) WiFi access points is susceptible to denial of service attacks, period.

Android

When a VPN is connected on Android, the VPN app decides which IP networks go inside and outside the tunnel. These rules from the VPN app overrule the local routing table. This means that on Android all traffic to public IPs is sent inside the tunnel even if Local network sharing is enabled and a rogue AP falsely advertised public IP networks as part of the local network.

We do not agree with the conclusion in the TunnelCrack paper where they give the Mullvad VPN Android app a black check mark (“Secure by default LAN-Access-Setting”). We think our app should have a green check-mark. We find no way of triggering either a leak, or a block with our Android app.

iOS

On iOS we sadly do not offer any Local network sharing setting and local networks are always allowed in the current versions of our app. This is stated in our feature table in the readme of our app’s source code. However, we do confess that we could have made this caveat much more discoverable and visible to users. We can definitely improve on this.

This means that the device will always send any network traffic to the local network outside the tunnel. Including public IPs advertised by rogue APs and similar.

The only solution we know against these leaks on iOS is to enable a flag called includeAllNetworks in iOS VPN terminology. We have been aware of this flag for a long time, and we have wanted to enable it for just as long. The problem is that the underlying tunnel implementation that we and most other WireGuard apps on iOS use, wireguard-go, is simply not compatible with includeAllNetworks. We are currently replacing wireguard-go with something allowing us to enable this security feature. We actually have been working on this for quite some time. But it is a pretty large task and we are not there yet.

ServerIP Attack

TLDR: Mullvad’s app is not vulnerable to any part of the Server IP attack vector on any platform.

Tricking the VPN client into using the wrong server IP

This part of the attack is about tricking the VPN client into using an attacker controlled IP as the VPN server IP.

The Mullvad VPN app does not use DNS in any way to obtain VPN server IPs. Our app fetches the list of VPN server IPs from our own API. We also do not use DNS to find the IP to our API server. All API communication is encrypted with https (TLS 1.3) and uses certificate pinning. This means the app cannot be tricked to talk to, or trust information from the wrong servers. This is true for all platforms.

Sending traffic to the VPN server IP outside the tunnel

This part of the attack is about leaking traffic outside the VPN tunnel to the IP address of the VPN server. This attack is possible in many VPN clients due to them often routing and allowing all traffic to the VPN server IP outside the VPN tunnel.

Windows, Linux and macOS

Our client has never allowed all traffic to the VPN server IP. Our firewall rules were designed from the start to only allow outgoing traffic outside the VPN tunnel to the VPN server IP, port and protocol combination our tunnel was going to use, not any other port or protocol.

During a security audit in 2020 (https[://]mullvad[.]net/blog/2020/6/25/results-available-audit-mullvad-app/), Cure53 found a vulnerability in our app (named MUL-02-002 WP2) that is very similar to the ServerIP attack described in TunnelCrack. However, it is a special case of the attack. This attack was possible even when the firewall only allowed traffic on a specific port and protocol. We responded by patching this so that our firewall rules would be even more strict. The app now only allows outgoing traffic to the VPN server IP+port+protocol from the root user on Linux and macOS and only from the mullvad-daemon.exe process on Windows. This effectively stops all forms of both the ServerIP attack and the attack found by Cure53 and has done so since app version 2020.5.

Android and iOS

Neither mobile platform is affected by the ServerIP attack vector. This is because they do not use the routing table to exclude the VPN traffic from the VPN tunnel itself. Instead they provide more fine grained mechanisms to allow the VPN apps to exclude the encrypted VPN traffic from being looped back into the VPN itself again.
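The desktop LocalNet behaviour described in this post, as an added example that is not part of the original post and is not Mullvad's code: it compares a client that trusts advertised routes with one that only allows standardized local ranges. The range list is an assumption taken from RFC 1918, RFC 3927, RFC 4193 and RFC 4291, the advertised routes are constructed, and the function names are hypothetical.

```python
import ipaddress

# Assumption: blocks reserved for local use by the RFCs named above.
# This list is not copied from Mullvad's source code.
STANDARD_LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "169.254.0.0/16",                                  # RFC 3927 link-local
    "fe80::/10",                                       # IPv6 link-local
    "fc00::/7",                                        # IPv6 unique local
)]

# Constructed sample: routes a rogue access point could advertise as "local".
# 203.0.113.0/24 is a documentation range standing in for a public network.
ROGUE_ROUTES = [ipaddress.ip_network(n)
                for n in ("192.168.1.0/24", "203.0.113.0/24")]


def covered(addr, nets):
    """True if addr falls inside any network of the same IP version."""
    return any(addr.version == n.version and addr in n for n in nets)


def weak_decide(dest, advertised):
    """Client that trusts the routing table: every advertised route bypasses the tunnel."""
    addr = ipaddress.ip_address(dest)
    return "outside tunnel" if covered(addr, advertised) else "tunnel"


def decide(dest, advertised, lan_sharing):
    """Simplified model of the desktop policy the post describes."""
    addr = ipaddress.ip_address(dest)
    if not covered(addr, advertised):
        return "tunnel"    # not claimed as local, goes through the VPN
    if lan_sharing and covered(addr, STANDARD_LOCAL_NETS):
        return "lan"       # can only exist on a local network, allowed out
    return "blocked"       # stopped from leaving the device altogether


def compare(dests, advertised=ROGUE_ROUTES):
    """Rows of (dest, weak client, sharing enabled, sharing disabled)."""
    return [(d, weak_decide(d, advertised),
             decide(d, advertised, True), decide(d, advertised, False))
            for d in dests]


if __name__ == "__main__":
    for row in compare(["192.168.1.10", "203.0.113.7", "198.51.100.5"]):
        print("{:<14} weak={:<15} sharing_on={:<8} sharing_off={}".format(*row))
```

The row for 203.0.113.7 shows the trade-off the post discusses: the weak client leaks it outside the tunnel, while the restricted policy turns the same rogue advertisement into a block rather than a leak.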

109
 
 

The original was posted on /r/mullvadvpn by /u/sprmgtrb on 2023-08-09 10:50:02+00:00.


I have some cheapo router and all the tutorials that mention how you can use the VPN with it use "l2tp" but I see nothing on the mullvad website. All I see are huge tutorials of how to get your router to work with mullvad but it seems nothing like the simple l2tp setup.

110
 
 

The original was posted on /r/mullvadvpn by /u/MullvadNew on 2023-08-09 09:47:58+00:00.


We tasked the Netherlands based security firm Radically Open Security (RoS) with performing the third audit towards our VPN infrastructure.

We asked them to focus solely on VPN servers that run from RAM, one OpenVPN and one WireGuard server.

We invite you to read the final report (https[://]mullvad[.]net/media/Mullvad_VPN_Pentest_Report_2023_1.1.pdf) of our third security audit, concluded in mid-June 2023, with many fixes deployed late June 2023. Further re-tests and a verification pass were performed during July.

RoS discovered a number of new findings, and we would like to thank them for their thorough and detailed report. They stated, amongst other things, that whilst they found some issues: “The Mullvad VPN relays which were the subject of this test showed a mature architecture…” and “During the test we found no logging of user activity data..”

We gave RoS full SSH access to two (2) VPN servers that were running from RAM, using our latest slimmed down Linux kernel (6.3.2) and customised Ubuntu 22.04 LTS based OS. These servers were deployed as though they were to be production customer-facing servers, however these servers have never been utilised as such.

We asked them to verify:

  • Security and set up of servers internally
  • Security and set up of servers externally
  • Whether or not we log customer activity

RoS also asked whether they should investigate the source code of various binaries running on our systems, or whether they should take into consideration the hardware-level security. We declined both offers, stating that this is to be considered an “after the system is running and in-use by customers” audit.

Overview of findings

  • Radically Open Security found no information leakage or logging of customer data
  • RoS discovered 1 High, 6 Elevated, 4 Moderate, 10 Low and 4 info-severity issues during this penetration test.

Key takeaway: Our VPN infrastructure has been audited for the third time.

Miscellaneous issues of interest

MLL-024 Production multihop traffic on test system (High)

To quote RoS: “Impact - Production user traffic is visible to pentest users.”

Our comments:

RoS were given production-like servers, provisioned and deployed like all other customer facing servers. The difference between these and the rest of our fleet is that they have never been made available for customers to connect, they were not advertised in our server list, and not offered up to users. However, as these servers are connected to our WireGuard multihop functionality, any customer scanning for IPs can send traffic through them whilst connected to another VPN server using a SOCKS5 proxy, as there is nothing blocking it.

In what RoS discovered there was only the IP from the WireGuard internal interface. This interface is only available to SOCKS5 multihop traffic, so it would be the entry WireGuard server.

Without providing RoS with production servers the audit would not have been valid as a production server audit, and there would have been no way to prevent customer traffic from being visible on the servers.

MLL-019 - LPE to root using systemd timers and insecure directory permissions (Elevated)

To quote RoS: “Low-privileged system accounts can elevate their privileges to root by manipulating systemd timer script content.”

Our comments:

It became obvious after consulting with RoS that the primary issue here is the use of nested home directories, and the addition of administrator users being part of the mad group.

The usage of the nested /home/mad directory structure is a legacy remnant of pre-RAM VPN servers, which is going to be removed in the upcoming updates to our infrastructure. In the short-term we have removed all administrator users from being part of the mad group, but we have also moved all related scripts to /opt/local_checks which RoS acknowledged as resolving the issue.

MLL-045 — Administrator access to production machines (Moderate)

To quote RoS: “VPN servers accept remote logins from administrators, who technically have the ability to tap into production users' VPN traffic”

Our comments:

We have been aware of this issue for some time, and conversing with RoS only confirmed our plans to implement such measures:

  • Implement a method by which unauthorised logins can be auditable, and add a log of all the commands (without arguments) used on these servers. We are implementing such a system.
  • Remove support for SSH entirely, this would mean that even administrators could not enable logging of customer traffic, since no access is enabled over SSH. We are investigating such a system, though this will take more time to perform correctly.

MLL-016 - Telegraf password shared across servers (low)

To quote RoS: “Shared Influx database credentials used by Telegraf across VPN servers allows manipulation of global server metrics, such as CPU and disk usage or network metrics.”

Our comments:

We deemed the best course of action here to implement client certificates for authentication using the PKI infrastructure available within Hashicorp Vault. This has now been implemented, and we will investigate the use of such certificates in other places across our infrastructure.


There are more changes to be deployed in the near future, and the listed fixes are examples of the most interesting issues that Radically Open Security found.

For the universal right to privacy,

Mullvad
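A check for the class of issue reported as MLL-019, as an added example that is not part of the original post, the RoS report or Mullvad's tooling: it takes the script path from a root-run unit and walks its directory chain looking for anything a non-root account could modify. The unit text, the script name `run_checks.sh` and all function names are constructed for this example; only `/home/mad` and `/opt/local_checks` come from the post.

```python
import os
import shlex
import stat
import tempfile

# Constructed unit text for a service started by a systemd timer.
SAMPLE_SERVICE = """\
[Service]
Type=oneshot
User=root
ExecStart=-/home/mad/checks/run_checks.sh --quiet
"""


def exec_paths(unit_text):
    """Return the executable path of every Exec* line in a unit file."""
    paths = []
    for line in unit_text.splitlines():
        key, _, value = line.strip().partition("=")
        if key.strip().startswith("Exec") and value.strip():
            # Drop systemd's special prefixes (-, @, +, !, :) from argv[0].
            paths.append(shlex.split(value)[0].lstrip("-@+!:"))
    return paths


def risky_components(path, stop_at="/", trusted_uids=(0,), trusted_gids=(0,)):
    """Walk from the script up to stop_at and list what others could modify."""
    findings = []
    current, stop_at = os.path.realpath(path), os.path.realpath(stop_at)
    while True:
        st = os.stat(current)
        if st.st_uid not in trusted_uids:
            findings.append((current, "owner"))
        if st.st_mode & stat.S_IWGRP and st.st_gid not in trusted_gids:
            findings.append((current, "group-writable"))
        if st.st_mode & stat.S_IWOTH:
            findings.append((current, "world-writable"))
        parent = os.path.dirname(current)
        if current == stop_at or parent == current:
            return findings
        current = parent


def demo():
    """Build the nested and the relocated layout in a temp dir, audit both."""
    me = (os.getuid(),)  # stands in for root so the demo runs unprivileged
    layouts = {
        exec_paths(SAMPLE_SERVICE)[0]: {"home/mad": 0o775},  # group can write
        "/opt/local_checks/run_checks.sh": {},               # relocated script
    }
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(tmp)
        for script, loose in layouts.items():
            full = os.path.join(root, script.lstrip("/"))
            os.makedirs(os.path.dirname(full))
            d = os.path.dirname(full)
            while d != root:  # set explicit modes, independent of the umask
                os.chmod(d, loose.get(os.path.relpath(d, root), 0o755))
                d = os.path.dirname(d)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(full, 0o755)
            found = risky_components(full, stop_at=root,
                                     trusted_uids=me, trusted_gids=())
            results[script] = [(os.path.relpath(p, root), why)
                               for p, why in found]
    return results


if __name__ == "__main__":
    for script, found in demo().items():
        print(script, "->", found or "no findings")
```

On a real host, call `risky_components` with the defaults (root-only trust, walking up to `/`); world-writable sticky directories are reported conservatively.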

111
 
 

The original was posted on /r/mullvadvpn by /u/IQuiteLikeWatermelon on 2023-08-09 01:25:54+00:00.


I’d like to be able to set up Mullvad VPN on a router. This router would be connected to a TP-LINK wifi extender. I’m in the U.K. so it would be great if anyone knew of one I could buy here - ideally below £100. Thanks!

112
 
 

The original was posted on /r/mullvadvpn by /u/Lysdestic on 2023-08-08 22:41:26+00:00.


Hello

I have a plex server running on a linux box. (OpenSUSE Tumbleweed)

I have Mullvad VPN and want to use it on my Plex server, however, I need the Plex server to maintain a non-VPN connection to the internet. I can see that Mullvad supports split tunneling, but as far as I can tell, you have to manually launch the app through the Mullvad client after connecting. My plex server launches at boot, so I would prefer the split tunnel to exist without manual intervention (in case of power loss, reboot, etc).

Please note, this is a native install of Plex not using Docker that I've maintained for years. Me and Docker don't get along on the best of days, so while it's not entirely off the table as a solution to this predicament, I'd prefer to not go Docker if I can avoid it.

113
 
 

The original was posted on /r/mullvadvpn by /u/SheWasIntoTheBlues on 2023-08-08 19:48:42+00:00.


In interest of data privacy I don't believe companies should know my remote location. Curious if a company could see a vpn under their vpn and track an IP and location. Would using another vpn be worth an alert? Couldn't one say this is part of my own home security?

114
 
 

The original was posted on /r/mullvadvpn by /u/imakeawsmcookies on 2023-08-08 14:24:04+00:00.


rn we gotta have to have the app on system to use the extension yea but what about having an option to login into the extension itself without having to use the app at all ??? thanks uuu

115
 
 

The original was posted on /r/mullvadvpn by /u/splendid_goat393 on 2023-08-08 11:48:21+00:00.


I'm based in the UK and using London servers and this has just started happening today

116
 
 

The original was posted on /r/mullvadvpn by /u/MullvadNew on 2023-08-08 07:59:11+00:00.


2 new USA servers from provider "HostRoyale" (Rented - 10 Gbps - RAM) hosted in Boston, MA have been added to the Wireguard list.

117
 
 

The original was posted on /r/mullvadvpn by /u/cutenhot on 2023-08-07 14:18:12+00:00.


Hey Reddit community!

Because Black Friday is coming up in 3 months, I want to use a temporary free VPN. I'm on the hunt for the best free VPN out there that doesn't risk my privacy.

I've done some research and looked into several Reddit communities like r/vpn, r/privacy, and r/techsupport, but unfortunately I didn't succeed. If you've had a positive experience with a free VPN recently, I'd love to hear about it!

What I'm looking for in a free VPN:

  1. Reliable Performance: Speed and stability are crucial for smooth browsing and streaming experiences.
  2. Strong Security: I want to ensure my online activities are safe and private with robust encryption and a solid no-logs policy.
  3. Wide Server Network: A vast selection of servers in different locations to access geo-restricted content would be fantastic.
  4. User-Friendly Interface: Simplicity and ease of use are important, as I'm not the most tech-savvy person out there.
  5. No Hidden Catches: I'm hoping to find a free VPN with no hidden fees or intrusive ads.

If you've got a free VPN recommendation that fits the bill, please let me know! Please comment below your experiences with speed, security, and ease of use.

If there are other Reddit communities I should check, drop the names too! Thank you in advance for the help!

118
 
 

The original was posted on /r/mullvadvpn by /u/imakeawsmcookies on 2023-08-07 13:23:57+00:00.


i know i know this is way beyond considering rn, but you know i just had this thinking which especially became a nightmare when the infamous Signal app slowly became Instagram and left its core standards in dust and let's not talk about their coin here! :D It left from a simple text talk to now just another piece of cake (replace cake with ahem ahem... ;))..... and it has Google all over written over it when someone uses a non stock OS will be met with strange issues without play services :((

What will happen to Mullvad??? Will you too turn into a privacy first to privacy second and gimmicks first company?? I mean no offence to Proton, but they just are into so many services in the name of privacy and security, that they might become another Google in the making!!!! Who knows how much data they have on each user as there is no mechanism to know about it!!

Mullvad team, what say you? Aye!!

119
 
 

The original was posted on /r/mullvadvpn by /u/thankyoufatmember on 2023-08-07 10:14:38+00:00.


I'm planning a work trip to China soon and I've been researching VPN options to ensure I have unrestricted internet access while I'm there. Gonna stay there for three months.

I've heard good things about Mullvad VPN's privacy and security features, but I'm wondering if anyone has recent experience using it in China.

Can anyone who has used Mullvad VPN in China share their insights? Did you encounter any issues with connectivity or getting around the Great Firewall? How was the overall performance and speed? and most important of all, which preferred setup in order to keep a reliable connection with optimal speed?

I am a network engineer by work so don't hold back on the tech! (:

PM is also okay if anyone has a setup they don't want to share in public.

Thank you so much!

120
 
 

The original was posted on /r/mullvadvpn by /u/DifferentTypaWay on 2023-08-06 21:35:30+00:00.


Hi

I've torrented in the past with Mullvad without port forwarding and it's been fine. However, I've run into an issue where randomly my client will sometimes refuse to connect to peers and torrents remain stuck on stalled. Attempts to reannounce do not work.

Any ideas what I can do to fix this?

121
 
 

The original was posted on /r/mullvadvpn by /u/question50 on 2023-08-06 13:44:40+00:00.


After waking PC up from sleep Mullvad icon shows that VPN was still connected and Killswitch was still enabled. Is that actually the case or does the connection drop temporarily? just wanted to be sure

122
 
 

The original was posted on /r/mullvadvpn by /u/chris0200 on 2023-08-06 13:13:09+00:00.


Looked everywhere and cannot find how to open a magnet link in Deluge from Mullvad Browser.

Ideas please.

123
MLB Network (zerobytes.monster)
 
 

The original was posted on /r/mullvadvpn by /u/ccduke on 2023-08-06 00:54:40+00:00.


I used to be able to watch the Dodger games fine using Montreal, now it's not letting me at all. Anyone using a different state that's able to access LA games? (using a firecube)

124
 
 

The original was posted on /r/mullvadvpn by /u/askscompquestions on 2023-08-05 19:56:02+00:00.


My expectation: Split tunneling through mullvad-exclude browser will let the browser to open websites as if there is no vpn used. Blocked websites stay blocked. And vice versa.

Reality: It doesn't do that. Error codes are also different. And switching locations (the countries, but could be the actual server that matters) gave several different cases:

  1. Can't open web.whatsapp.com. Can't open reddit.
  2. Can't open web.whatsapp.com. Can open reddit.
  3. Can open web.whatsapp.com. Can open reddit.

Obviously I tried many more websites that are usually affected by vpn. I just mentioned those 2 as examples. Btw mullvad.net is blocked in all cases. Except when I'm not split tunneling and explicitly on mullvad.

I obviously didn't expect switching countries to affect a split-tunneled browser. But here we are.

It's probably a weird interaction of mullvad and my current country's censorship methods and whatsapp etc.'s anti-vpn practices.

I can't just do everything on vpn. Because some big websites don't like it when I'm on mullvad. And I can't just turn it off. Because some sites are blocked. Currently I just pick a location where most of the websites work. Which may not last. And again it's unexpected.

Anyone got a plausible explanation/solution? I use Arch btw.


Similar problem, but someone couldn't open mullvad.net too and fixed it by turning off a site blocking filter on the router. I didn't find anything like that personally.

125
 
 

The original was posted on /r/mullvadvpn by /u/Independent_Willow92 on 2023-08-05 12:28:27+00:00.


The library where I spend my day working has a public wifi that kicks me out after one hour. So every sixty minutes, I have to disable mullvad vpn, reconnect to the captive portal, and then re-enable the vpn connection. Is there a way to automate this? The reconnecting only takes a minute or two, but since it is many times a day, and a workflow interruption, it is becoming annoying fast. That is why this would be a killer feature for me. Any help or is this not possible?
