Experimental post-quantum safe VPN tunnels

11 July 2022  FEATURES APP

Our latest beta (app version 2022.3-beta1) and some WireGuard servers now support VPN tunnels that protect against attackers with access to powerful quantum computers.

The encryption used by WireGuard has no known vulnerabilities. However, the current establishment of a shared secret to use for the encryption is known to be crackable with a strong enough quantum computer.

Although strong enough quantum computers have yet to be demonstrated, having post-quantum secure tunnels today protect against attackers that record encrypted traffic with the hope of decrypting it with a future quantum computer.

Our solution

A WireGuard tunnel is established, and is used to share a secret in such a way that a quantum computer can’t figure out the secret even if it had access to the network traffic. We then disconnect and start a new WireGuard tunnel specifying the new shared secret with WireGuard’s pre-shared key option. The Post-Quantum secure algorithm used here is Classic McEliece.

We had a similar experiment running in 2017.  Please see that blog post if you are interested in all the details. There is also a summary of differences at the end of this post.

How to try it

Please note that this feature is highly experimental! We might need to change the protocol in such a way that it will break. Use it with this in mind, or wait until we stabilize the feature.

For now, the feature is only available in the desktop versions of our app, 2022.3-beta1 and newer, and only through our command line interface. It is also only supported on a select few WireGuard servers, see below.

If you want to try it out, fire up your terminal/console and run the following command:

mullvad tunnel wireguard quantum-resistant-tunnel set on

Then connect to one of the below servers, as they are the only ones currently supporting this feature. If you connect to any other server, the app will simply fail and try again and again.

  • au1-wireguard
  • de12-wireguard
  • gb5-wireguard
  • jp13-wireguard
  • nl2-wireguard
  • se6-wireguard
  • se9-wireguard
  • se17-wireguard
  • us113-wireguard
  • us114-wireguard

If you want to stop using this experimental feature, run the same command as above, but replace on with off.

To verify if it works you can check that the GUI now says “QUANTUM SECURE CONNECTION” in green. And the CLI command mullvad status -v should print Quantum resistant tunnel: yes.

It is worth noting that this only adds to the security, and does not risk making it weaker. Even if the post-quantum secure algorithm has a flaw and the shared secret can be computed by an attacker, the resulting WireGuard tunnel is still as secure as it would have been without the extra shared key. The main drawback is that it takes an additional second or two to establish the shared secret, but other than that the performance is the same.

We would love your feedback on this feature. And if you are having any issues with it, we would like to know about it, so we can improve it.

Difference from the 2017 experiment

The main difference is that the feature is now implemented directly in our app and can easily be enabled by anyone running a new enough version of it. It currently works against our 10 test servers listed above, but it will eventually be available on all our WireGuard servers. The experiment in 2017 only allowed quantum resistant tunnels towards a single experimental server. It was also not integrated in our app. Instead you had to download and run some custom scripts from us, and they would only work on Linux.

Another difference is that we use a different algorithm. In 2017, we used New Hope. Now we switched to one of the finalists in the NIST post-quantum cryptography competition instead. We will continue to follow the ongoing standardization, and we might support other algorithms in the future.