Mullvad is well-known as the only Virtual Private Network (VPN) provider to accept payment in cash sent by post. As we shall see in this Mullvad review, this Swedish VPN provider more than lives up to the reputation this suggests.
Mullvad is one of the most privacy oriented VPN services on the market. It is also one of the most technically sophisticated, and offers a range of advanced anti-censorship technologies.
For all that, its software is simple to use. This means that more casual VPN users will also be happy with the service, although somewhat slow support is an issue.
Mullvad’s Pricing and Plans
Mullvad’s pricing could not be simpler. It costs €5 per month (approx. $5.75 USD at the time of writing), and that’s it. Unlike most VPN services, there are no discounts for buying longer subscriptions. The only kink is that payment in Bitcoin gets a 10% discount “due to lower fees and less administration.”
A rather short, three-hour free trial allows you to check that the service works as it should. In addition to this, Mullvad offers a 30-day money-back guarantee (except for payments sent in cash, due to anti-money laundering regulations).
Mullvad accepts payment via credit/debit card (via PayPal), Swish, bank wire, and Bitcoin. It is also unique among VPN providers as it accepts cash sent by post. In addition to this, Mullvad accepts vouchers that can be purchased from certain stores, which can be paid for in cash. This means that Mullvad has no direct contact with the purchaser.
These almost unique payment options alone give Mullvad a good claim to be the most privacy-oriented VPN service out there.
Mullvad’s VPN Features
Mullvad offers the following features to all users of its service:
Most servers are in Europe, but Mullvad also has servers in North America, Australia, and the UK. Compared to other, more commercial services, this is a somewhat limited, and may restrict Mullvad’s usefulness for users in places such as Asia.
On the plus side, all Mullvad’s servers are bare-metal servers (not Virtual Private Server instances) under the close control of Mullvad. You can connect up to five devices to Mullvad at once, which is generous.
It is also worth highlighting the fact that Mullvad is the only VPN service I know of to properly route IPv6 connections through the VPN tunnel. Most other good VPN services simply disable IPv6 in order to prevent IP leaks. This is not a major problem at present, but kudos to Mullvad for looking to the future here.
Port Selection and Port Forwarding
It is rare for VPNs to be blocked, but it happens in places such as China and Iran (although this is usually only partially effective). Mullvad allows you to counter such measures by running the VPN over almost any port (a few ports are blocked to address spam and security issues).
The most common use for this is to run OpenVPN traffic over Transmission Control Protocol (TCP) port 443. This is the port used by HTTPS, the encrypted protocol that secures websites. Without HTTPS, no form of online commerce, such as shopping or banking, would be possible. It is therefore very rare for this port to be blocked.
As an added bonus, VPN traffic on TCP port 443 is routed inside the Transport Layer Security (TLS) encryption used by HTTPS. This makes it much harder to spot using deep packet inspection (DPI). TCP port 443 is therefore the favored port for evading VPN blocks.
SSL and SSH Tunneling
If switching to TCP port 443 is not enough to evade censorship or otherwise hide the fact that you are using a VPN, Mullvad offers SSH and SSL (stunnel) tunnelling. This wraps your VPN data inside an additional layer of SSH or TLS/SSL encryption.
As DPI techniques are unable to penetrate this “outer” layer of encryption, they are unable to detect the OpenVPN encryption “inside.” For more details about this technique, please see my guide on How to Bypass VPN Blocks.
Mullvad also supports Shadowsocks. This “is an open-source proxy application, widely used in mainland China to circumvent internet censorship.” It is an open source anti-Great Firewall tool/protocol/server created by a Chinese developer. Basically, it’s a special Socket Secure (SOCKS5) proxy.
It is also worth noting that by connecting to one of its bridging servers, Mullvad users can multi-hop their VPN connections. This is primarily useful in complicating traffic analysis attacks.
Please see What Is a Proxy Server? for a full discussion on what a SOCKS5 proxy is. They are particularly useful to P2P torrenters, as you can either configure just your BitTorrent client to be protected (rather than using a full VPN connection), or you can use both SOCKS5 and VPN together for “double protection” while torrenting.
Mullvad also uses SOCKS5 to pull off some neat tricks, such as enabling stunnel connections and for split tunnelling (setup guide available).
Privacy is an area in which Mullvad truly shines. It basically keeps no logs at all, and its no logging data policy is the most clear and comprehensive such document I have ever encountered. Crucially, there is no logging of:
Domain Name System (DNS) requests
connections, including when one is made, when it disconnects, for how long, or any kind of timestamp
account activity except total simultaneous connections and the payment information detailed in the policy
The website also includes no tracking or analytics scripts whatsoever.
Mullvad is based in Sweden. This is not ideal from a privacy standpoint, as Sweden suffers from some government surveillance issues. Critically, however, VPN providers in Sweden are not required by law to keep any logs.
As I have already mentioned, Mullvad accepts anonymous payment via Bitcoins or cash sent by post. As we shall see in a moment, Mullvad is also the only company I know of that doesn’t require an email address at all!
This is great, and speaks a great deal for Mullvad’s commitment to privacy. Always remember, though, that as with any VPN service, Mullvad will still know your real IP address.
One final point I think worth mentioning is that Mullvad is very open about who owns and runs the service. The physical address of its parent company (Amagicom AB) is prominently displayed on the website, as are the real names of its owners and team members.
This level of transparency is very refreshing in an industry where VPN company owners and operators like to keep to the shadows. It also helps to inspire a great deal of trust in Mullvad.
The real test of a VPN provider’s technical security is in the details of the OpenVPN encryption it uses. By default Mullvad uses the following settings:
Control hash auth
Logs & Legal
Control channel: an AES-256-GCM cipher with RSA-4096 handshake encryption and HMAC SHA-1 hash authentication. Perfect forward secrecy is provided by a DHE-4096 Diffie Hellman key exchange, which is re-keyed every 60 minutes.
Data channel: an AES-256-GCM cipher. HMAC hash authentication is not required because GCM ensures both confidentiality and integrity. GCM attaches a so called authentication tag instead of a HMAC hash.
Hash authentication on the control channel can be upgraded to SHA-384 by manually editing the configuration files. Even at default levels, however, this is an extremely secure setup
All custom software is fully open source and is digitally signed, which is great.
I would describe the Mullvad website’s aesthetics as functional. The layout is clean and information is presented in a clear, easy-to-access manner. The information itself is informative, well-written, and covers most questions I had about the service.
The various guides, in particular, are very useful. This includes both setup guides and more general guides to things such as setting up split-tunneling, configuring pfSense, and how to get the best performance from your BitTorrent client.
Mullvad also publishes interesting blog articles on a monthly basis.
Other than the great setup guides, support is limited to an email address. When I contacted Mullvad I had to wait three days for a reply. It must be said, though, that when it eventually came, the reply was excellent. Many VPN services are extremely vague or are completely unable to answer when pressed on details of the encryption they use. Mullvad, by contrast, provided a very detailed and knowledgeable response to my questions.
The Mullvad signup process is very unusual, in that you do not need to supply either an email address or a password.
All you need do is prove that you are human with a CAPTCHA, and you will be issued with an account number.
This number is the only way in which Mullvad identifies your account. It is used to sign in to the client, to manage account payments, and so forth.
The Windows Client
Once you have generated an account number, you can download Mullvad’s software.
As soon as you start to use the software, your three-hour free trial timer starts to tick. As you can see, I don’t have an IPv6 connection.
Note the firewall-based DNS leak protection and kill switch (“Block the internet on connection failure”). You can also tunnel IPv6 connections through the VPN. If this option is not enabled, IPv6 is simply disabled.
If you know what you are doing, you can manually tinker with advanced connection settings to your heart’s content.
While the client is fairly stripped-down, it works flawlessly and has all the features you really need.
Mullvad Performance (Speed, DNS, WebRTC, and IPv6 Tests)
All tests were performed on my Virgin Media UK fiber connection, using the OpenVPN User Datagram Protocol (UDP).
The graphs show the highest, lowest, and average speeds for each server and location. See our full speed test explanation for more details.
Transatlantic speeds are a little uninspiring, but on my connection should still be fast enough to stream content without any buffering issues. Speeds within Europe are excellent. Mullvad runs many servers in its home country of Sweden. As we can see, these actually performed better than servers that are geographically closer to me.
I detected no IP leaks
Please note that Private Use RFC IPs are local IPs only. They cannot be used to identify an individual, and so do not constitute an IP leak. Unfortunately, my Internet Service Provider (Virgin Media UK) does not support IPv6 connections, so I am unable to test for IPv6 leaks at this time. This is a situation that should change in the near future.
Mullvad was blocked by Netflix on every US server that I tried, but worked fine for BBC iPlayer on a UK server.
Mullvad has dedicated clients for Windows, Mac OS and Linux, which are all essentially identical. The Linux client is worth noting in particular, as fully-featured graphical user interface (GUI) Linux clients are still quite rare.
The Mullvad Linux Mint client
Full setup instructions for the Linux client are available for Ubuntu/Debian, Fedora 23/24, Fedora 25/26, Mint/Debian, and Elementary Freya.
Detailed manual setup guides (mainly OpenVPN) are provided for Windows, Mac OS, Linux, iOS, Android, Qubes OS, and a selection of routers (including DD-WRT and Tomato).
Mullvad is a big fan of the experimental WireGuard VPN protocol.
“WireGuard performs significantly faster than OpenVPN, often 5-20x faster on small consumer routers, and it handles roaming better.“
This is not something that I have come across before, but hard-core techies might be interested. Mullvad supplies WireGuard setup instructions for Linux and routers (which requires installing new firmware on your router).
Mullvad VPN Review: Conclusion
Fantastic no logs at all policy
Five simultaneous connections
An array of anti-censorship technologies on offer (SSH and SSL tunneling, Shadowsocks, port selection)
Support response was very slow (but great when it eventually arrived!)
All in all, I am a very big fan of Mullvad. Few, if any, other VPN services can match its dedication to privacy. Mullvad backs this up with cast-iron technical security and a wealth of sophisticated anti-censorship technologies.
If you are a more casual user, however, don’t let any of this put you off. Mullvad’s software is very easy to use and works flawlessly. A three-hour trial might not be much, but it is enough to ensure the service works for you. If you still have problems, then the 30-day money-back guarantee should have you covered.
This is just as well, as support seems rather slow. Given the speed test results and server locations, it is also probably worth suggesting that Mullvad is best suited to European users.
If you can live with these limitations, I consider Mullvad to be one of the very best VPN services out there.