
A security audit of GotaTun is now available


In December we wrote about our new WireGuard implementation GotaTun, which is currently used in our Android app. An independent audit by Assured Security Consultants is now available.

The audit was performed between 19th January and 15th February. It encompassed all of GotaTun v0.2.0 with the exception of DAITA, the GotaTun CLI, and external dependencies. No major vulnerabilities were found. Two issues with a low severity rating were identified, along with several notes. Their findings were summarized as follows:

Based on our code review, GotaTun has no major vulnerabilities. However, the parts where it deviates from the WireGuard specification (as described in Observations 3.2 and 3.3) are cause for concern. Furthermore, the code contains some instances of “TODO” comments which should be addressed.

The report included some recommendations, most of which were implemented before the audit was published, including fixes for both low-severity issues and some of the informational notes. For the remaining notes we decided that they did not require immediate attention.

You can find the full audit here. You can also find our more in-depth summary and response to the audit here.

Main findings

3.2 LFSR used to generate peer identifiers (LOW)

In v0.2.0, 24 bits of the WireGuard session identifier associated with a peer were static for that peer, the remaining 8 bits being a predictable counter which increased with every new session (typically once every other minute). This deviated from the WireGuard specification which recommends generating a random 32-bit integer for every session.

The behavior was inherited from BoringTun. As the report pointed out, it likely did not reveal much to a passive observer beyond, potentially, the number of handshakes a peer had made or the number of peers active at any time, and that information could likely already be inferred from other observable data such as handshakes, IP addresses, and ports. Nonetheless, we patched the code to conform to the WireGuard specification.

3.3 Padding of payload not according to WireGuard specification (LOW)

According to the WireGuard specification, packets should be padded before encryption so that their lengths are divisible by 16. The GotaTun source code did include a “TODO” comment about this, which is still present in BoringTun. We updated the code to always pad the payload before encrypting it for correctness, and because the extra padding may complicate traffic analysis slightly.
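To make findings 3.2 and 3.3 concrete, here is an added Rust example that is not GotaTun's or BoringTun's code. It pads a plaintext to a multiple of 16 bytes as the specification requires, recovers the unpadded length from the inner IP header on the receiving side (the length field is how a WireGuard receiver knows how much padding to strip), and includes a property check that flags a peer whose successive session indices only ever vary in a handful of bits. The v0.2.0 index layout modelled here (counter in the low byte) is a constructed assumption; the page does not say which bits carried the counter.

```rust
/// Zero-pad a plaintext IP packet so its length is a multiple of 16 bytes,
/// as the WireGuard specification requires before encryption (finding 3.3).
pub fn pad_payload(plain: &[u8]) -> Vec<u8> {
    let padded_len = (plain.len() + 15) & !15;
    let mut out = Vec::with_capacity(padded_len);
    out.extend_from_slice(plain);
    out.resize(padded_len, 0);
    out
}

/// Receiver side: the real packet length comes from the inner IP header
/// (IPv4 total length, or 40 + IPv6 payload length), which is how padding is
/// stripped after decryption. Returns None for a truncated or inconsistent header.
pub fn unpadded_len(decrypted: &[u8]) -> Option<usize> {
    let version = *decrypted.first()? >> 4;
    let len = match version {
        4 if decrypted.len() >= 20 => u16::from_be_bytes([decrypted[2], decrypted[3]]) as usize,
        6 if decrypted.len() >= 40 => 40 + u16::from_be_bytes([decrypted[4], decrypted[5]]) as usize,
        _ => return None,
    };
    let min_header = if version == 4 { 20 } else { 40 };
    if len >= min_header && len <= decrypted.len() { Some(len) } else { None }
}

/// Constructed model of the v0.2.0 behaviour from finding 3.2: 24 bits fixed per
/// peer plus an 8-bit handshake counter (placed in the low byte here as an
/// assumption). A conforming implementation instead draws 32 fresh random bits
/// from a CSPRNG for every session.
pub fn predictable_index(peer_static: u32, handshakes: u8) -> u32 {
    ((peer_static & 0x00FF_FFFF) << 8) | handshakes as u32
}

/// Property check: count how many of the 32 bit positions differ across a
/// peer's observed session indices. With random indices nearly all 32 vary;
/// the v0.2.0 scheme can never exceed 8 no matter how many sessions are seen.
pub fn varying_bit_count(indices: &[u32]) -> u32 {
    let first = match indices.first() {
        Some(f) => *f,
        None => return 0,
    };
    indices.iter().fold(0u32, |acc, i| acc | (i ^ first)).count_ones()
}
```

A test of a fixed implementation can generate a few dozen session indices for one peer and assert that varying_bit_count stays well above 8.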

3.4 Endpoint address only updated on handshake initiation (NOTE)

If the IP address of a peer changed, GotaTun did not correctly begin sending packets to the new address in most cases. In other words, GotaTun did not handle roaming of peers correctly.

This did not affect the Mullvad VPN app per se, as our VPN servers never change IP addresses during an active WireGuard session. We still decided that the issue was important enough to fix in order to make GotaTun usable as a general purpose WireGuard implementation.

Closing words

We would like to thank Assured for this audit. We are grateful for their thorough comparison with the WireGuard specification and available reference implementations. All aforementioned fixes are generally available as of GotaTun v0.4.0, and our apps will automatically begin using it in coming releases.

GotaTun was released in our Android app last year, with promising results. With the audit complete, we have even more confidence in the reliability of GotaTun and plan to roll it out across all remaining platforms during 2026.