Mullvad is a small Swedish company that has gained a very strong reputation for maintaining users’ privacy. We found this reputation by-and-large well deserved (in fact, in certain areas it is superb, despite using somewhat weak encryption), and we were also impressed by the software and number of features on offer.
However, we did find that it was let down somewhat by a very restricted number of servers being available, and those servers producing some very mediocre connection speeds.
Mullvad costs a reasonable €5 EUR (or $5.60 USD) per month, with the one-size-fits-all package providing access to Mullvad’s full range of features. There is a 10% discount available for buying months using Bitcoin.
A free trial is offered, but it lasts only three hours, which is not very generous by the standards set by most other providers. It should at least give users the opportunity to get the client up and running, and to get an idea of the features on offer.
Talking of features, Mullvad provides the following:
- Support for PPTP and OpenVPN protocols (PPTP is only recommended for legacy devices that do not support OpenVPN)
- Servers in Netherlands, Germany, Sweden, and the USA
- Support for IPv6 addresses (this is unusual for a VPN provider)
- Up to 3 devices can be connected simultaneously
- Port forwarding (performed on the Account page of the website)
- Accepts payment in Bitcoin, or even cash sent in the post (also Bank wire and PayPal)!
- Allows P2P
Overall this is a fairly comprehensive package, with support for IPv6 and port forwarding being particularly notable features. However, the limited number of servers available may clearly be a problem for many.
A particularly notable omission is the lack of a server in the UK, as accessing services such as BBC iPlayer and 4oD is a popular use for a VPN. That said, Mullvad is all about providing privacy and security to its users, so avoiding locating servers in the UK (one of the ‘Five-Eyes’ spying nations) may be a logical consequence of this (as it is, Mullvad has received a fair amount of flak for offering a US-based server).
Pros:
- Can pay via snail mail!
- Fully featured desktop software
- Supports 5 simultaneous devices
- 10% bitcoin discount
- One price fits all system
- Supports Debian Linux
Cons:
- 128-bit blowfish encryption isn’t good enough
- Disappointing performance
- Servers in only 22 countries
“When Swedish law requires us to divulge information about our customers we make sure not to have that information stored, so that we have nothing to give out.”
Privacy is very much Mullvad’s strong suit. It claims to keep no logs at all, so even if legally required to, it would be unable to hand over its customers’ details – as they simply do not exist.
An important factor when considering the credibility of any provider’s ‘no logs’ claim is the country in which it is based. Although the EU-wide mandatory Data Retention Directive was declared invalid on human rights grounds by the European Court of Justice in April 2014, local Swedish implementation of it has not been rescinded (nor has it in any EU country). However, the law does not apply to VPN providers in Sweden, so Mullvad is not required to keep logs.
More alarming is the 2009 FRA law, which caused Privacy International to rank Sweden’s privacy protection ‘second worst in EU’. This law allows Sweden’s version of the NSA – the National Defence Radio Authority (Försvarets radioanstalt, FRA) – to intercept all internet traffic that crosses Sweden’s borders in order to combat ‘foreign threats’. It is widely understood that FRA surveillance goes far beyond this, and that any information collected is shared with its NSA and GCHQ spying partners.
VPN traffic is encrypted, however (although not as strongly as we would like – see below), so none of this should affect Mullvad users, and users who are concerned can always opt to use Mullvad servers located outside Sweden.
Mullvad also uses shared IPs (where many users are assigned the same IP address), which makes it very difficult to identify an individual with any specific internet behaviour, even if Mullvad was forced to monitor an individual’s IP address (most countries can legally require this, although we do not specifically know of the situation in Sweden).
As Mullvad keeps no records and uses shared IPs, the only records customers may leave behind anywhere are bank and card payment records, which will be held by the bank and card companies. While it is increasingly common for VPN providers to offer the option of paying by Bitcoin in order to address this issue, Mullvad’s willingness to accept such payments is nevertheless highly commendable.
It should be remembered that paying by Bitcoin is not inherently anonymous (in fact, the way in which all transactions are recorded to the blockchain in some ways makes it quite the opposite), but measures can be taken to provide a high degree of anonymity. What is unusual (and unique as far as we know) is Mullvad’s willingness to accept cash sent by post. More than anything else, we think this demonstrates the true dedication to privacy, which is Mullvad’s hallmark.
Is Mullvad Safe?
One security feature that we really like is that other than payment details (assuming Bitcoin or cash payment is not used), absolutely no personal identification is asked.
When users download the client they are assigned an Account number, and any payments or other admin procedures are performed entirely using that account number. Because no password is required to access the Accounts page, this may mean that an account could in theory be compromised (despite the unique login number being 12 digits long).
However, as the only information contained in each account is the duration left on that account’s subscription, plus any port forwards, there are no meaningful security implications even were this to happen. All in all, Mullvad uses a very elegant, secure, and anonymous method to manage user accounts.
Unfortunately, the OpenVPN encryption used by Mullvad is not so impressive:
- 128-bit Blowfish-CBC encryption
- SHA-1 hash authentication
- RSA-2048 handshake
There was a time when we might have been happy with this, but in a post-Snowden world where we know the NSA is determined to undermine all encryption, it’s rather disappointing (all the more so given the Swedish FRA monitoring issues discussed above).
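To check whether a given OpenVPN client configuration ends up with the settings criticised above, the following added example (not code from this review or from Mullvad) parses an `.ovpn` file and reports weak `cipher` and `auth` values. It assumes that a missing directive falls back to the legacy OpenVPN defaults of BF-CBC and SHA1; the weak lists are this example's own choice, and the sample configs are constructed.

```python
import re

# Assumption for this example: 64-bit block ciphers and SHA1/MD5 HMACs count as weak.
WEAK = {"cipher": {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "NONE"},
        "auth": {"SHA1", "MD5", "NONE"}}
# Assumption: legacy OpenVPN defaults apply when a directive is absent.
DEFAULTS = {"cipher": "BF-CBC", "auth": "SHA1"}

def parse_directives(text):
    """Return {directive: value} for cipher/auth, skipping comments and inline blocks."""
    found, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                          # inside <ca>...</ca>, <key>...</key>, etc.
            if line == f"</{inline}>":
                inline = None
            continue
        block = re.fullmatch(r"<([\w-]+)>", line)
        if block:
            inline = block.group(1)
            continue
        if not line or line[0] in "#;":     # both comment styles OpenVPN accepts
            continue
        parts = line.split()
        name = parts[0].lstrip("-").lower() # "--cipher" and "cipher" are equivalent
        if name in DEFAULTS and len(parts) > 1:
            found[name] = parts[1].upper()
    return found

def audit(text):
    """Return [(directive, effective value, 'explicit' | 'default')] for weak settings."""
    found = parse_directives(text)
    findings = []
    for name in ("cipher", "auth"):
        value = found.get(name, DEFAULTS[name])
        if value in WEAK[name]:
            findings.append((name, value, "explicit" if name in found else "default"))
    return findings

# Constructed sample configs (not Mullvad's actual files).
SAMPLE_WEAK = """client
remote vpn.example.net 1194
cipher BF-CBC
;auth SHA256
<ca>
-----BEGIN CERTIFICATE-----
(constructed placeholder)
-----END CERTIFICATE-----
</ca>
"""
SAMPLE_STRONG = "client\ncipher AES-256-GCM\nauth SHA256\n"

if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        print(label, audit(cfg))
```

The commented-out `;auth SHA256` line in the first sample shows why the effective value matters: the directive looks present but the connection still falls back to the default.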
Mullvad provides a custom client for Windows, Mac OSX and Linux. We tested the Windows client, but as all versions are based on the same open source code, they should be substantially the same. Because the code is open source, it should also be possible to recompile it for use with any OS.
When the client is downloaded the user can login with a previously generated account number, or start a 3-hour trial. Features of the client are:
- Block the internet on connection failure – this is an internet kill switch, invaluable for ensuring that downloads do not continue when away from the computer
- DNS leak protection – a VPN provider should resolve DNS requests when connected, but sometimes computers revert to their default settings, which can reveal a user’s true IP address. DNS leak protection prevents this
- IPv6 tunnelling – provides IPv6 connectivity
- Port forwarding – great for evading firewalls
These features make the Mullvad client a very fully featured one. Overall the client is easy to set up and use, and has a ton of useful features.
Instructions are provided for setting up iOS and Android devices using PPTP and OpenVPN (using OpenVPN Connect and OpenVPN for Android respectively), and it should be possible to set up any PPTP or OpenVPN compatible device using the settings and configuration files provided for these (an account number is generated on the website). Instructions are also available for setting up OpenVPN on DD-WRT routers.
Using the OpenVPN apps is a bit fiddly, and the instructions given are rather basic, but once set up, they get the job done just fine.
Other than a moderately informative FAQ, the only support available is via direct email. However, when we enquired about the details of encryption Mullvad uses, we received an informative answer only 40 minutes later, which left us reasonably impressed.
We tested speed performance using the HTML5-based Testmy.net tests, using its Amsterdam, NL, server (the closest to our 20MB/s UK connection). We checked for DNS leaks using DNSLeakTest.com, and found none (with or without ‘DNS leak protection’ enabled), which is excellent.
We find it slightly strange, given its otherwise stellar attention to protecting users’ privacy, that Mullvad does not use stronger encryption. Aside from this however, it remains one of the most privacy-conscious VPN providers on the market, and it also sports one of the most fully-featured desktop clients available.
On the downside, however, the limited number of VPN servers on offer will likely limit Mullvad’s appeal to many, as will the so-so performance results. On the other hand, if you’d like an alternative that’s famed for its speed and reliability, check out our ExpressVPN review.