Checking connection...

About our servers

CONNECTIVITY

Last updated: 5 June 2020


If you want to know about our VPN servers and how we manage them, then you’re in the right place.

List of VPN servers

Visit our Servers page for a completely list of our VPN servers. You can filter by

  • server type (OpenVPN, WireGuard, bridge)
  • hostname
  • country
  • city
  • provider
  • ownership.

WireGuard and bridge server details

Click on one of these server types in the list to reveal more details.

WireGuard servers:

  • SOCKS5 proxy address
  • public key
  • multihop port

Bridge servers:

  • SSH fingerprint (SHA256)
  • SSH fingerprint (MD5)

Rented vs owned

All of our VPN servers are encrypted and are either owned by us or dedicated servers that we rent.

  • Our rented servers are all dedicated, meaning they are not shared with anyone else. We do not use virtual servers.
  • With the servers that we own, we have physical control over these, which means they tend to be faster and more secure.

You can read more below on the details of how we manage our servers.

Is a server offline?

If the circle next to the server is red, it’s currently offline.

Why do you list the ownership status and provider of your servers?

Simply because we believe that transparency is one important component of a trustworthy VPN provider. And so that you as a customer can make a more informed decision about which server(s) you want to use.

We always carefully choose server providers, opting for those who share our values concerning privacy.

Server management

In order to ensure secure deployment procedures, we always perform hardening and sanity checks on all servers before provisioning our own software and allowing customers to connect to them.

Protected by encryption

We encrypt all of our servers to secure their data. This means that no one can simply unplug a server, boot it up, and mount the disk in order to copy keys without first knowing the encryption passwords. Only relevant Mullvad staff have access to these.

In addition, the passwords, certificates, and private keys for the VPN tunnels are all unique for each server. In the unlikely event that any of these were to be extracted, only that particular individual server would be affected.

Isolated remote management

On the servers we own, remote management resides behind bastion hosts which are special-purpose computers on a network specifically designed and configured to withstand attacks. Anyone wanting to use the remote management software (IPMI, iLO, iDRAC) on these servers must first connect to the bastion host.

In addition, each server has its own specific network port for remote management that resides on a LAN separate from the rest of the network. If the remote management were to become unavailable, some hosting providers have KVMs that they can enable upon our request.

For rented servers, the management software (IPMI, iLO, iDRAC, KVM) is located on a dedicated port that is only accessible via the hosting provider and not on the public Internet. We recheck our configurations regularly to ensure that no public addresses are attached to our IPMI interfaces.

Limited access for hosting providers

With our own servers, we perform initial operating system installations and reinstall faulty servers ourselves by using bastion-protected remote management. The same goes for the servers we rent, but sometimes we don’t have a bastion host for a particular server. In those cases, the hosting provider performs the initial installations, most often through remote management software, and then we remove their access from the server.

If we need our hosting providers to help us troubleshoot, they would have to either enable and use their OOB (out of band) management or physically plug themselves into the server.

Hosting providers never have direct access to the operating system or the software running on the server itself. If we need their help in rebooting and reinstalling faulty servers, the provider uses remote management.

Improved performance through collaboration

We work closely with 31173 Services who hosts a number of our owned servers. With these servers we actively invest time on network performance and connectivity. For example, we’ve established fiber wavelengths between Amsterdam and Frankfurt, London, Paris, Malmö, and Zurich in order to improve performance and reduce latency. Doing so also ensures that users' traffic can travel as far as possible within 31173’s network without using other network providers.

A better future for server management

The management software provided by computer manufacturers are closed source and riddled with bugs and security vulnerabilities. We want that to change, so that’s why we are actively involved in creating a future with open-source firmware and System Transparency.