New stable release (2020.5)
Upgrade your desktop app for latest security updates
The latest Mullvad VPN stable release (2020.5) for Windows, macOS, and Linux addresses findings from our latest external security audit and includes a number of other new items.
Looking for the audit?
We’ve written a separate blog post about the audit and its findings. You can also access the final report there.
What’s new in this version
Additions and changes
- Renamed the "Block when disconnected" setting to "Always require VPN" and added text explaining the difference between this setting and the built-in kill switch.
- Korean, Polish, and Thai have been added to the list of languages in the app.
- (macOS) The app now connects faster after the computer wakes from sleep mode.
- Installing a beta version automatically enables the Beta program option under Settings.
- CLI commands for server selection (country and city codes and server hostnames) are no longer case sensitive.
- Changed firewall rules to make local apps more responsive.
- Added a new Let's Encrypt root certificate.
- Upgraded to the latest versions of OpenVPN and OpenSSL.
- Upgraded to the latest version of shadowsocks-rust.
Fixes
- (macOS, Linux) When the tunnel protocol is set to Automatic, the location list now also shows WireGuard servers instead of only OpenVPN servers.
- (macOS, Linux) The app now has enough time to create a WireGuard key on first login rather than falling back to an OpenVPN connection.
- (Windows) Fixed various bugs.
- (Windows) Upgraded a dependency to prevent the system service from crashing.
Security
The following improvements address issues found in the recent independent security audit of the Mullvad VPN app. Please read our dedicated blog post about the audit for detailed information on these issues.
- Fixed a possible deanonymization attack by tightening the firewall rules that were allowing traffic to the relay server over the physical network interface. This fix addresses audit finding MUL-02-002.
- (Windows) Fixed a possible deanonymization attack that applied when the VPN tunnel is established on port 53. The firewall rule allowing traffic on port 53 to the relay server IP on the physical interfaces has been tightened to only allow UDP. This fix addresses audit finding MUL-02-004.
- Made changes to always deny access to the system service from the local area network. This fix addresses audit finding MUL-02-007.
Download the app
Download the Mullvad VPN app. We've got set-up guides if you need help with installation and usage.
Know of someone unable to access our website? Point them to Mullvad's onion address on Tor or Mullvad's GitHub page.