What is a VPN?
A VPN, or virtual private network, is a technology that establishes a secure tunnel between two or more devices.
An Internet VPN, such as Mullvad (that's us!), offers a tunnel between you and the Internet, allowing you to browse the web securely and privately, even when using a public WiFi network at a cafe or hotel.
Surfing the web is no private matter
Online privacy is hard to come by these days. Nearly everything we do on the Internet is logged, making it quite easy for others to trace specific online activities right back to you.
How is that even possible?
Well, your internet service provider (ISP) has the ability to track which websites you visit. Those websites, in turn, can see who your ISP is. Some even keep records of your activity. And that's just the beginning.
Based on your country's laws, your ISP may even be required by the government to log the websites you visit.
How a VPN protects your privacy
If you use a trustworthy VPN service – one that doesn't log any user information – the traceable chain between you and your online activity is broken.
All of your traffic first travels from your computer, through an encrypted tunnel, to the VPN's servers and then onward to the website you are visiting. In this way, websites will only see the VPN service's identity instead of yours. And any information that your ISP saves cannot be tied specifically to you.
Using a VPN is a great first step toward protecting your privacy, but it's not the ultimate solution (we wish it was!). However, it's easy to improve your privacy ninja skills.
Why Mullvad VPN?
At Mullvad, we believe that privacy is a universal right. Our VPN service helps keep your online activity, identity, and location private.
A Mullvad account can be created without supplying any personal information – not even an email address. We keep no activity logs and encourage anonymous payments with cash or one of the cryptocurrencies we accept.
Use Mullvad to get past restrictive firewalls and proxies to surf the entire web. Want to multihop? Use our Bridge mode.
Mitigate blocking and throttling
Some internet providers will completely block or intentionally slow down (throttle) certain internet traffic. We try to mitigate this by wrapping the traffic in a layer of obfuscation (with the help of SSH tunneling, Shadowsocks, and Stunnel) that makes it harder for the provider to identify and block.
Bypass geographical restrictions
Since Mullvad operates VPN servers worldwide, you can bypass censored browsing restrictions based on location.
Secure all devices
Mullvad can be used on Windows, macOS, Linux, iOS, Android, and most other devices supporting OpenVPN or WireGuard®.
Protect your privacy
Change your online habits
It only takes a few simple solutions to start improving your online privacy.
Choose a VPN that doesn't collect your data
VPN providers themselves are in an easy position to log your activity. Make sure yours maintains a minimal data retention policy.
Know which laws apply
An important criterion to consider when choosing a VPN provider is where the company is based.
We live and breathe security
We set extremely high security standards for ourselves. From the operating system on our computers (Qubes) to the tools we use daily, we strive to ensure that our entire workflow is very difficult to exploit. We do this in part by using open-source software in our infrastructure.
We control our servers
For maximum security, we use physical, bare metal servers (no virtual servers) that are administrated and either owned or rented by us in carefully selected data centers. Our rented servers are not shared with others. We put a lot of effort into hardening servers and following best practices.
We have our own app
We have developed an open-source VPN app that works for macOS, Windows, iOS, Android, and Linux.
Our servers use OpenVPN and WireGuard
We only offer secure, open-source protocols. WireGuard is an extremely simple yet fast and modern VPN that utilizes state-of-the-art cryptography. OpenVPN is the most widely used solution for creating secure, point-to-point connections, and it has been extensively tested for security purposes.
The technical stuff
Looking for the nitty gritty? Here you go!
- port forwarding
- DNS leak protection
- Teredo (IPv6 over IPv4) leak protection
- IPv6 tunneling as well as IPv6 blocking and leak protection
- only the VPN protocols OpenVPN and Wireguard
- SSH tunneling, Shadowsocks, and Stunnel through our bridge servers.
We do not block authenticated SMTP nor P2P. We do block SMTP port 25/tcp because of spam.
Our data encryption is AES-256 and we run our own public key infrastructure (PKI).
Mullvad’s WireGuard servers
Our WireGuard servers utilize the following protocols and primitives:
- ChaCha20 for symmetric encryption, authenticated with Poly1305, using RFC7539's AEAD construction
- Curve25519 for ECDH
- BLAKE2s for hashing and keyed hashing, as described in RFC7693
- SipHash24 for hashtable keys
- HKDF for key derivation, as described in RFC5869
- Noise_IK handshake from Noise, building on the work of CurveCP, NaCL, KEA+, SIGMA, FHMQV, and HOMQV.
Mullvad’s OpenVPN servers
Our OpenVPN servers have the following characteristics:
- 4096 bit RSA certificates (with SHA512) are used for server authentication
- 4096 bit Diffie-Hellman parameters are used for key exchange
- DHE is utilized for perfect forward secrecy
- all available data channel ciphers on all ports are offered, including AES-256-GCM (default), AES-256-CBC, and BF-CBC
- re-keying is performed every 60 minutes.
Mullvad’s bridge servers
Our bridge servers use
- SSH tunneling on port 22
- the Shadowsocks proxy on ports 443, 1234, 1235, and 1236, with support for new ciphers.
Mullvad meets the privacytools.io criteria.
"WireGuard" is a registered trademark of Jason A. Donenfeld.